In this section (Systems Manager Run Command), AWS recommends the ‘AmazonEC2RoleforSSM’, but this role is too permissive and allows s3:*. So AWS released a new role, ‘AmazonSSMManagedInstanceCore’.
That’s really useful to know, and it’s great that AWS is finally swapping that out. I’ve been having to build custom policies for ages to get around this problem with it being so permissive. For virtually anything with SSM out there to be using a policy with ‘s3:GetObject’ for all resources is terrifying.
Thanks for letting us know, I’ll pass this along to the instructors.
Feedback can also be submitted directly to us through our Contact Support form, where one of our technical team members will respond and assess what we need to do to update our content.