Amazon EC2 Systems Manager
User Guide

Optional Set Up Tasks

This section includes two methods for configuring an AWS Identity and Access Management (IAM) instance profile role and a service role for Automation. The instance profile role gives Automation permission to perform actions on your instances, such as executing commands or starting and stopping services. The service role (or assume role) gives Automation permission to perform actions on your behalf.

Note

Automation previously required that you specify a service role (or assume role) so that the service had permission to perform actions on your behalf. Automation no longer requires this role because the service now operates by using the context of the user who invoked the execution.

However, the following situations still require that you specify a service role for Automation:

  • If you specify Automation as the target of a CloudWatch event, then CloudWatch requires the service role.

  • When you want to restrict a user's privileges on a resource, but you want the user to execute an Automation workflow that requires higher privileges. In this scenario, you can create a service role with higher privileges and allow the user to execute the workflow.

  • Operations that you expect to run longer than 12 hours require a service role.
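
For the restricted-user scenario in the second item above, the following identity policy is an added illustration, not part of the original guide. It lets a user start one Automation document and pass only the designated service role, and only to Systems Manager, so the higher privileges stay attached to the role rather than to the user. The account ID, Region, document name (`ExampleRestartWorkflow`), and role name (`ExampleAutomationServiceRole`) are placeholders, and the example assumes the role's trust policy allows `ssm.amazonaws.com` to assume it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartOnlyTheApprovedWorkflow",
      "Effect": "Allow",
      "Action": "ssm:StartAutomationExecution",
      "Resource": "arn:aws:ssm:us-east-1:111122223333:automation-definition/ExampleRestartWorkflow:*"
    },
    {
      "Sid": "PassOnlyTheAutomationServiceRole",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/ExampleAutomationServiceRole",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ssm.amazonaws.com"
        }
      }
    }
  ]
}
```

Scoping `iam:PassRole` to a single role ARN matters here: a wildcard resource would let the user hand any role in the account to Automation, which defeats the purpose of restricting the user's own privileges.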