
Commit 17a8ea8

author
AWS
committed
Amazon Simple Systems Manager (SSM) Update: This release adds support for just-in-time node access in AWS Systems Manager. Just-in-time node access enables customers to move towards zero standing privileges by requiring operators to request access and obtain approval before remotely connecting to nodes managed by the SSM Agent.
1 parent 64b8246 commit 17a8ea8


2 files changed

+227
-3
lines changed

Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
{
2+
"type": "feature",
3+
"category": "Amazon Simple Systems Manager (SSM)",
4+
"contributor": "",
5+
"description": "This release adds support for just-In-time node access in AWS Systems Manager. Just-in-time node access enables customers to move towards zero standing privileges by requiring operators to request access and obtain approval before remotely connecting to nodes managed by the SSM Agent."
6+
}

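--- a/services/ssm/src/main/resources/codegen-resources/service-2.json
+++ b/services/ssm/src/main/resources/codegen-resources/service-2.json
@@ -987,6 +987,23 @@
 ],
 "documentation":"<p>Deletes the association between an OpsItem and a related item. For example, this API operation can delete an Incident Manager incident from an OpsItem. Incident Manager is a tool in Amazon Web Services Systems Manager.</p>"
 },
+"GetAccessToken":{
+"name":"GetAccessToken",
+"http":{
+"method":"POST",
+"requestUri":"/"
+},
+"input":{"shape":"GetAccessTokenRequest"},
+"output":{"shape":"GetAccessTokenResponse"},
+"errors":[
+{"shape":"InternalServerError"},
+{"shape":"AccessDeniedException"},
+{"shape":"ResourceNotFoundException"},
+{"shape":"ThrottlingException"},
+{"shape":"ValidationException"}
+],
+"documentation":"<p>Returns a credentials set to be used with just-in-time node access.</p>"
+},
 "GetAutomationExecution":{
 "name":"GetAutomationExecution",
 "http":{
@@ -1931,6 +1948,24 @@
 ],
 "documentation":"<p>Runs commands on one or more managed nodes.</p>"
 },
+"StartAccessRequest":{
+"name":"StartAccessRequest",
+"http":{
+"method":"POST",
+"requestUri":"/"
+},
+"input":{"shape":"StartAccessRequestRequest"},
+"output":{"shape":"StartAccessRequestResponse"},
+"errors":[
+{"shape":"InternalServerError"},
+{"shape":"AccessDeniedException"},
+{"shape":"ResourceNotFoundException"},
+{"shape":"ServiceQuotaExceededException"},
+{"shape":"ThrottlingException"},
+{"shape":"ValidationException"}
+],
+"documentation":"<p>Starts the workflow for just-in-time node access sessions.</p>"
+},
 "StartAssociationsOnce":{
 "name":"StartAssociationsOnce",
 "http":{
@@ -2292,6 +2327,37 @@
 }
 },
 "shapes":{
+"AccessDeniedException":{
+"type":"structure",
+"required":["Message"],
+"members":{
+"Message":{"shape":"String"}
+},
+"documentation":"<p>The requester doesn't have permissions to perform the requested operation.</p>",
+"exception":true
+},
+"AccessKeyIdType":{
+"type":"string",
+"pattern":"\\w{16,128}"
+},
+"AccessKeySecretType":{
+"type":"string",
+"sensitive":true
+},
+"AccessRequestId":{
+"type":"string",
+"pattern":"^(oi)-[0-9a-f]{12}$"
+},
+"AccessRequestStatus":{
+"type":"string",
+"enum":[
+"Approved",
+"Rejected",
+"Revoked",
+"Expired",
+"Pending"
+]
+},
 "Account":{"type":"string"},
 "AccountId":{
 "type":"string",
@@ -3811,7 +3877,10 @@
 },
 "AutomationSubtype":{
 "type":"string",
-"enum":["ChangeRequest"]
+"enum":[
+"ChangeRequest",
+"AccessRequest"
+]
 },
 "AutomationTargetParameterName":{
 "type":"string",
@@ -5214,6 +5283,34 @@
 }
 },
 "CreatedDate":{"type":"timestamp"},
+"Credentials":{
+"type":"structure",
+"required":[
+"AccessKeyId",
+"SecretAccessKey",
+"SessionToken",
+"ExpirationTime"
+],
+"members":{
+"AccessKeyId":{
+"shape":"AccessKeyIdType",
+"documentation":"<p>The access key ID that identifies the temporary security credentials.</p>"
+},
+"SecretAccessKey":{
+"shape":"AccessKeySecretType",
+"documentation":"<p>The secret access key that can be used to sign requests.</p>"
+},
+"SessionToken":{
+"shape":"SessionTokenType",
+"documentation":"<p>The token that users must pass to the service API to use the temporary credentials.</p>"
+},
+"ExpirationTime":{
+"shape":"DateTime",
+"documentation":"<p>The datetime on which the current credentials expire.</p>"
+}
+},
+"documentation":"<p>The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.</p>"
+},
 "CustomSchemaCountLimitExceededException":{
 "type":"structure",
 "members":{
@@ -7402,7 +7499,9 @@
 "ProblemAnalysisTemplate",
 "CloudFormation",
 "ConformancePackTemplate",
-"QuickSetup"
+"QuickSetup",
+"ManualApprovalPolicy",
+"AutoApprovalPolicy"
 ]
 },
 "DocumentVersion":{
@@ -7664,6 +7763,29 @@
 "documentation":"<p>You attempted to register a <code>LAMBDA</code> or <code>STEP_FUNCTIONS</code> task in a region where the corresponding service isn't available. </p>",
 "exception":true
 },
+"GetAccessTokenRequest":{
+"type":"structure",
+"required":["AccessRequestId"],
+"members":{
+"AccessRequestId":{
+"shape":"AccessRequestId",
+"documentation":"<p>The ID of a just-in-time node access request.</p>"
+}
+}
+},
+"GetAccessTokenResponse":{
+"type":"structure",
+"members":{
+"Credentials":{
+"shape":"Credentials",
+"documentation":"<p>The temporary security credentials which can be used to start just-in-time node access sessions.</p>"
+},
+"AccessRequestStatus":{
+"shape":"AccessRequestStatus",
+"documentation":"<p>The status of the access request.</p>"
+}
+}
+},
 "GetAutomationExecutionRequest":{
 "type":"structure",
 "required":["AutomationExecutionId"],
@@ -12902,6 +13024,15 @@
 "Category",
 "Severity",
 "OpsItemType",
+"AccessRequestByRequesterArn",
+"AccessRequestByRequesterId",
+"AccessRequestByApproverArn",
+"AccessRequestByApproverId",
+"AccessRequestBySourceAccountId",
+"AccessRequestBySourceOpsItemId",
+"AccessRequestBySourceRegion",
+"AccessRequestByIsReplica",
+"AccessRequestByTargetResourceId",
 "ChangeRequestByRequesterArn",
 "ChangeRequestByRequesterName",
 "ChangeRequestByApproverArn",
@@ -13152,6 +13283,7 @@
 "ChangeCalendarOverrideRejected",
 "PendingApproval",
 "Approved",
+"Revoked",
 "Rejected",
 "Closed"
 ]
@@ -15777,6 +15909,35 @@
 }
 }
 },
+"ServiceQuotaExceededException":{
+"type":"structure",
+"required":[
+"Message",
+"QuotaCode",
+"ServiceCode"
+],
+"members":{
+"Message":{"shape":"String"},
+"ResourceId":{
+"shape":"String",
+"documentation":"<p>The unique ID of the resource referenced in the failed request.</p>"
+},
+"ResourceType":{
+"shape":"String",
+"documentation":"<p>The resource type of the resource referenced in the failed request.</p>"
+},
+"QuotaCode":{
+"shape":"String",
+"documentation":"<p>The quota code recognized by the Amazon Web Services Service Quotas service.</p>"
+},
+"ServiceCode":{
+"shape":"String",
+"documentation":"<p>The code for the Amazon Web Services service that owns the quota.</p>"
+}
+},
+"documentation":"<p>The request exceeds the service quota. Service quotas, also referred to as limits, are the maximum number of service resources or operations for your Amazon Web Services account.</p>",
+"exception":true
+},
 "ServiceRole":{"type":"string"},
 "ServiceSetting":{
 "type":"structure",
@@ -16012,6 +16173,10 @@
 "max":400,
 "min":1
 },
+"SessionTokenType":{
+"type":"string",
+"sensitive":true
+},
 "SeveritySummary":{
 "type":"structure",
 "members":{
@@ -16055,7 +16220,8 @@
 "Reject",
 "StartStep",
 "StopStep",
-"Resume"
+"Resume",
+"Revoke"
 ]
 },
 "SnapshotDownloadUrl":{"type":"string"},
@@ -16087,6 +16253,36 @@
 "type":"string",
 "max":24000
 },
+"StartAccessRequestRequest":{
+"type":"structure",
+"required":[
+"Reason",
+"Targets"
+],
+"members":{
+"Reason":{
+"shape":"String1to256",
+"documentation":"<p>A brief description explaining why you are requesting access to the node.</p>"
+},
+"Targets":{
+"shape":"Targets",
+"documentation":"<p>The node you are requesting access to.</p>"
+},
+"Tags":{
+"shape":"TagList",
+"documentation":"<p>Key-value pairs of metadata you want to assign to the access request.</p>"
+}
+}
+},
+"StartAccessRequestResponse":{
+"type":"structure",
+"members":{
+"AccessRequestId":{
+"shape":"AccessRequestId",
+"documentation":"<p>The ID of the access request.</p>"
+}
+}
+},
 "StartAssociationsOnceRequest":{
 "type":"structure",
 "required":["AssociationIds"],
@@ -16521,6 +16717,11 @@
 },
 "StreamUrl":{"type":"string"},
 "String":{"type":"string"},
+"String1to256":{
+"type":"string",
+"max":256,
+"min":1
+},
 "StringDateTime":{
 "type":"string",
 "pattern":"^([\\-]?\\d{4}(?!\\d{2}\\b))((-?)((0[1-9]|1[0-2])(\\3([12]\\d|0[1-9]|3[01]))?|W([0-4]\\d|5[0-2])(-?[1-7])?|(00[1-9]|0[1-9]\\d|[12]\\d{2}|3([0-5]\\d|6[1-6])))([T\\s]((([01]\\d|2[0-3])((:?)[0-5]\\d)?|24\\:?00)([\\.,]\\d(?!:))?)?(\\17[0-5]\\d([\\.,]\\d)?)?([zZ]|([\\-])([01]\\d|2[0-3]):?([0-5]\\d)?)?)?)?$"
@@ -16762,6 +16963,23 @@
 }
 }
 },
+"ThrottlingException":{
+"type":"structure",
+"required":["Message"],
+"members":{
+"Message":{"shape":"String"},
+"QuotaCode":{
+"shape":"String",
+"documentation":"<p>The quota code recognized by the Amazon Web Services Service Quotas service.</p>"
+},
+"ServiceCode":{
+"shape":"String",
+"documentation":"<p>The code for the Amazon Web Services service that owns the quota.</p>"
+}
+},
+"documentation":"<p>The request or operation couldn't be performed because the service is throttling requests.</p>",
+"exception":true
+},
 "TimeoutSeconds":{
 "type":"integer",
 "max":2592000,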
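Review bot: `AccessKeyIdType` in the `shapes` hunk uses the unanchored pattern `\\w{16,128}`, while `AccessRequestId` added just below it is anchored (`^(oi)-[0-9a-f]{12}$`); a validator that applies the pattern with search semantics would accept any string containing 16 word characters, so the 128 upper bound is not enforced. If a length-bounded key ID is intended, `"pattern":"^\\w{16,128}$"` states it. Separately, `GetAccessTokenResponse` lists no `required` members, and neither it nor the `Credentials` member documentation says for which `AccessRequestStatus` values credentials are returned; a sentence stating when `Credentials` is absent would help callers handle `Pending`, `Rejected`, `Revoked` and `Expired`. This file looks like a model synced from the service definition, so both changes may need to be made upstream.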
