AWS systems-manager documentation change
Summary
Added clarification about the order of precedence for determining OS user account in Session Manager Run As feature
Security assessment
This change documents the security feature of Run As support by explaining the precedence order: IAM user session tags, assumed IAM role tags, then session preferences. This clarifies security controls for session user impersonation but doesn't indicate a security issue was fixed.
Diff
diff --git a/systems-manager/latest/userguide/session-manager-schema.md b/systems-manager/latest/userguide/session-manager-schema.md index f2394a443..b367e502b 100644 --- a//systems-manager/latest/userguide/session-manager-schema.md +++ b//systems-manager/latest/userguide/session-manager-schema.md @@ -122 +122 @@ runAsDefaultUser -The name of the user account to start sessions with on Linux and macOS managed nodes when the `runAsEnabled` input is set to `true`. The user account you specify for this input must exist on the managed nodes you will be connecting to; otherwise, sessions will fail to start. +The name of the user account to start sessions with on Linux and macOS managed nodes when the `runAsEnabled` input is set to `true`. The user account you specify for this input must exist on the managed nodes you will be connecting to; otherwise, sessions will fail to start. When determining which OS user account to use, Session Manager checks in the following order: the `SSMSessionRunAs` tag on the IAM user's session tags, then the `SSMSessionRunAs` tag on the assumed IAM role, and finally this `runAsDefaultUser` value from session preferences. For more information, see [Turn on Run As support for Linux and macOS managed nodes](./session-preferences-run-as.html).