AWS systems-manager documentation change
Summary
Added IAM policy statements with aws:CalledVia condition for ssmmessages:OpenDataChannel action in Fleet Manager remote desktop connection examples
Security assessment
This change adds conditional IAM policy statements that restrict ssmmessages:OpenDataChannel action to only be allowed when called via ssm-guiconnect.amazonaws.com. This improves security by implementing service control policies and least privilege access, but no evidence of addressing a specific security vulnerability.
Diff
diff --git a/systems-manager/latest/userguide/fleet-manager-remote-desktop-connections.md b/systems-manager/latest/userguide/fleet-manager-remote-desktop-connections.md index 7be4ca841..8c76b61e8 100644 --- a//systems-manager/latest/userguide/fleet-manager-remote-desktop-connections.md +++ b//systems-manager/latest/userguide/fleet-manager-remote-desktop-connections.md @@ -171,0 +172,15 @@ JSON + { + "Sid": "SSMMessages", + "Effect": "Allow", + "Action": [ + "ssmmessages:OpenDataChannel" + ], + "Resource": [ + "arn:aws:ssm:*:111122223333:session/*" + ], + "Condition": { + "ForAnyValue:StringEquals": { + "aws:CalledVia": "ssm-guiconnect.amazonaws.com" + } + } + }, @@ -254,0 +270,15 @@ JSON + { + "Sid": "SSMMessages", + "Effect": "Allow", + "Action": [ + "ssmmessages:OpenDataChannel" + ], + "Resource": [ + "arn:aws:ssm:*:111122223333:session/*" + ], + "Condition": { + "ForAnyValue:StringEquals": { + "aws:CalledVia": "ssm-guiconnect.amazonaws.com" + } + } + }, @@ -351,0 +382,15 @@ JSON + { + "Sid": "SSMMessages", + "Effect": "Allow", + "Action": [ + "ssmmessages:OpenDataChannel" + ], + "Resource": [ + "arn:aws:ssm:*:111122223333:session/*" + ], + "Condition": { + "ForAnyValue:StringEquals": { + "aws:CalledVia": "ssm-guiconnect.amazonaws.com" + } + } + },