AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2026-04-10 · Documentation low

File: systems-manager/latest/userguide/session-manager-schema.md

Summary

Added clarification about the order of precedence for determining OS user account in Session Manager Run As feature

Security assessment

This change documents the security feature of Run As support by explaining the precedence order: IAM user session tags, assumed IAM role tags, then session preferences. This clarifies security controls for session user impersonation but doesn't indicate a security issue was fixed.

Diff

diff --git a/systems-manager/latest/userguide/session-manager-schema.md b/systems-manager/latest/userguide/session-manager-schema.md
index f2394a443..b367e502b 100644
--- a//systems-manager/latest/userguide/session-manager-schema.md
+++ b//systems-manager/latest/userguide/session-manager-schema.md
@@ -122 +122 @@ runAsDefaultUser
-The name of the user account to start sessions with on Linux and macOS managed nodes when the `runAsEnabled` input is set to `true`. The user account you specify for this input must exist on the managed nodes you will be connecting to; otherwise, sessions will fail to start.
+The name of the user account to start sessions with on Linux and macOS managed nodes when the `runAsEnabled` input is set to `true`. The user account you specify for this input must exist on the managed nodes you will be connecting to; otherwise, sessions will fail to start. When determining which OS user account to use, Session Manager checks in the following order: the `SSMSessionRunAs` tag on the IAM user's session tags, then the `SSMSessionRunAs` tag on the assumed IAM role, and finally this `runAsDefaultUser` value from session preferences. For more information, see [Turn on Run As support for Linux and macOS managed nodes](./session-preferences-run-as.html).