Menu
Amazon EC2 Systems Manager
User Guide

Configuring Access Using Systems Manager Managed Policies

IAM managed policies for Systems Manager can help you quickly configure access and permissions for Systems Manager users and instances. Managed policies perform the following functions:

  • AmazonEC2RoleforSSM (instance trust policy): Enables an instance to communicate with the Systems Manager API.

  • AmazonSSMAutomationRole (service role): Provides permissions for EC2 Automation service to execute activities defined within Automation documents.

  • AmazonSSMFullAccess (user trust policy): Grants the user access to the Systems Manager API and documents. Assign this policy to administrators and trusted power users.

  • AmazonSSMMaintenanceWindowRole (service role): Service role for EC2 Maintenance Windows.

  • AmazonSSMReadOnlyAccess (user trust policy): Grants the user access to Systems Manager read-only API actions, such as Get and List.

If you want to create your own custom roles and policies, see Configuring Access Using Custom Roles and Polices.

Task 1: Create a User Account for Systems Manager

If your IAM user account has administrator access in your VPC, then you have permission to call the Systems Manager API on an instance. If you like, you can create a unique user account specifically for managing instances with Systems Manager. Use the following procedure to create a new user that uses an IAM managed policy for Systems Manager.

To create a user account for Systems Manager

  1. From the Users page on the IAM console, choose Add User.

  2. In the Set user details section, specify a user name (for example, SystemsManagerUserFullAccess or SystemsManagerUserReadOnly).

  3. In the Select AWS access type section, choose one or both access options. If you choose AWS Management Console access, you must also choose passwords options.

  4. Choose Next:Permissions.

  5. In the Set permissions for section, choose Attach existing policies directly.

  6. In the filter field, type AmazonSSM.

  7. Choose either the checkbox beside AmazonSSMFullAccess or AmazonSSMReadOnlyAccess, and then choose Next:Review.

  8. Verify the details, and then choose Create.

Important

If you specified password information for the user, review the password information carefully after the user account is created.

Task 2: Create a Role for Systems Manager Managed Instances

Use the following procedure to create an instance role that enables an instance to communicate with the Systems Manager API. After you create the role, you can assign it to instances as described in Task 3.

To create role for Systems Manager managed instances

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles, and then choose Create New Role.

  3. In Step 1: Set Role Name, enter a name that identifies this role as a Systems Manager role for managed instances.

  4. In Step 2: Select Role Type, choose Amazon EC2. The system skips Step 3: Establish Trust because this is a managed policy.

  5. In Step 4: Attach Policy, choose the AmazonEC2RoleforSSM managed policy.

  6. In Step 5: Review, make a note of the role name. You will specify this role name when you create new instances that you want to manage using Systems Manager.

  7. Choose Create Role. The system returns you to the Roles page.

Task 3: Create an Amazon EC2 Instance that Uses the Systems Manager Role

This procedure describes how to launch an Amazon EC2 instance that uses the role you just created. You can also attach the role to an existing instance. For more information, see Attaching an IAM Role to an Instance in the Amazon EC2 User Guide.

To create an instance that uses the Systems Manager instance role

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Select a supported region.

  3. Choose Launch Instance and select an instance.

  4. Choose your instance type and then choose Next: Configure Instance Details.

  5. In the IAM role drop-down list choose the EC2 instance role you created earlier.

  6. Complete the wizard.

If you create other instances that you want to configure using Systems Manager, you must specify the Systems Manager instance role for each instance.