Amazon EC2 Systems Manager
User Guide

Setting Up Automation

To set up Systems Manager Automation, you must verify that your instances are configured with an AWS Identity and Access Management (IAM) instance profile role. The instance profile role gives Automation permission to perform actions on your instances, such as executing commands or starting and stopping services. You must also verify that your IAM user account, group, or role is assigned the AmazonSSMAutomationRole managed policy, or a policy that provides comparable permissions. For information about how to configure an instance profile role for Systems Manager, see Configuring Security Roles for Systems Manager. For information about how to configure your IAM user account, group, or role to use the AmazonSSMAutomationRole managed policy, see Working with Managed Policies in the IAM User Guide.

Note

Automation previously required that you specify a service role (or assume role) so that the service had permission to perform actions on your behalf. Automation no longer requires this role because the service now operates by using the context of the user who invoked the execution.

However, the following situations still require that you specify a service role for Automation:

  • When you want to restrict a user's privileges on a resource, but you want the user to execute an Automation workflow that requires higher privileges. In this scenario, you can create a service role with higher privileges and allow the user to execute the workflow.

  • Operations that you expect to run longer than 12 hours require a service role.
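For the first situation above, where a restricted user runs a workflow through a higher-privileged service role, the following is an added example and not code from the AWS guide. It assumes the service role is assumed by the `ssm.amazonaws.com` service principal and that the user hands the role over with `iam:PassRole`, neither of which this page spells out; the account ID, role name and policies are constructed placeholders. It checks that the delegation does not reach beyond that one role.

```python
from fnmatch import fnmatchcase

# Constructed sample data: the account ID and role name are placeholders.
SERVICE_ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleAutomationServiceRole"
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ssm.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
USER_POLICY_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:StartAutomationExecution", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}
USER_POLICY_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:StartAutomationExecution", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": SERVICE_ROLE_ARN}]}

def as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]

def trust_findings(trust_policy):
    """Flag Allow statements that let anything but Systems Manager assume the role."""
    findings = []
    for stmt in as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("any principal may assume the role")
            continue
        for kind, values in principal.items():
            for name in as_list(values):
                if (kind, name) != ("Service", "ssm.amazonaws.com"):
                    findings.append(f"unexpected trusted principal {kind}={name}")
    return findings

def passrole_findings(user_policy, allowed_role_arn):
    """Flag iam:PassRole grants that reach beyond the intended service role."""
    findings = []
    for stmt in as_list(user_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain wildcards.
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if not any(fnmatchcase("iam:passrole", a) for a in actions):
            continue
        for res in as_list(stmt.get("Resource", [])):
            if res != allowed_role_arn:
                findings.append(f"iam:PassRole allowed on {res}")
    return findings
```

The check covers `Allow` statements with `Action` and `Resource` only; `NotAction`, `NotResource` and `Condition` elements need separate handling.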

This section includes information about how to create CloudWatch Events to receive notifications about Automation actions, and how to specify Automation as the target of a CloudWatch event. This section also includes optional setup information about how to configure an instance profile role and a service role by using either AWS CloudFormation or IAM.