Amazon EC2 Systems Manager
User Guide

Configuring Access to Maintenance Windows

Use the following procedures to configure security roles and permissions for EC2 Maintenance Windows. After you configure roles and permissions, you can perform a test run with Maintenance Windows as described in Systems Manager Maintenance Window Walkthroughs.

Create an IAM Role for Systems Manager

Use the following procedure to create a role so that Systems Manager can act on your behalf when creating and processing Maintenance Windows.

To create an IAM role for Maintenance Windows

  1. Open the IAM console at

  2. In the navigation pane, choose Roles, and then choose Create New Role.

  3. In Step 1: Set Role Name, enter a name that identifies this role as a Maintenance Windows role.

  4. In Step 2: Select Role Type, choose Amazon EC2. The system skips Step 3: Establish Trust because this is a managed policy.

  5. In Step 4: Attach Policy, choose AmazonSSMMaintenanceWindowRole.

  6. In Step 5: Review, make a note of the Role Name and Role ARN. You will specify the role ARN when you attach the iam:PassRole policy to your IAM account in the next procedure. You will also specify the role name and the ARN when you create a Maintenance Window.

  7. Choose Create Role. The system returns you to the Roles page.

  8. Locate the role you just created and double-click it.

  9. Choose the Trust Relationships tab, and then choose Edit Trust Relationship.

  10. Add a comma after "", and then add "Service": "" to the existing policy as the following code snippet illustrates:

    { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "", "Service": "" }, "Action": "sts:AssumeRole" } ] }
  11. Choose Update Trust Policy.

  12. Copy or make a note of the Role ARN. You will specify this ARN when you create your Maintenance Window.

Configure Account Permissions

Systems Manager must assume your role so that it has permission to perform the actions you specify for your Maintenance Window. Use the following procedure to attach the iam:PassRole policy to your existing IAM user account, or create a new IAM account and attach this policy to it. If you create a new account, you must also attach the AmazonSSMFullAccess policy so the account can communicate with the Systems Manager API. If you need to create a new user account, see Creating an IAM User in Your AWS Account in the IAM User Guide.

To attach the iam:PassRole policy to your user account

  1. In the IAM console navigation pane, choose Users and then double-click your user account.

  2. In the Managed Policies section, verify that either the AmazonSSMFullAccess policy is listed or there is a comparable policy that gives you permission to the Systems Manager API.

  3. In the Inline Policies section, choose Create User Policy. If you don't see this button, choose the down arrow beside Inline Policies, and then choose click here.

  4. On the Set Permissions page, choose Policy Generator, and then choose Select.

  5. Verify that Effect is set to Allow.

  6. From AWS Services choose AWS Identity and Access Management.

  7. From Actions choose PassRole.

  8. In the Amazon Resource Name (ARN) field, paste the role ARN you created in the previous procedure.

  9. Choose Add Statement, and then choose Next Step.

  10. On the Review Policy page, choose Apply Policy.