Amazon EC2 Systems Manager
User Guide

Configuring Access to Systems Manager Parameters

We recommend that you restrict user access to Systems Manager parameters by creating restrictive AWS Identity and Access Management (IAM) user policies. For example, the following policy gives the user read-only permission (GetParameters and DescribeParameters) to all production parameters (parameters whose names begin with prod.).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeParameters"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters"
      ],
      "Resource": "arn:aws:ssm:us-east-1:123456123:parameter/prod.*"
    }
  ]
}

If you want to provide a user with full access to all Systems Manager Parameter API operations, use a policy like the following example. This policy gives the user full access to all production parameters whose names begin with dbserver.prod.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeParameters",
        "ssm:PutParameter",
        "ssm:GetParameter",
        "ssm:DeleteParameter"
      ],
      "Resource": [
        "arn:aws:ssm:region:account-id:parameter/dbserver.prod.*"
      ]
    }
  ]
}

You can also delegate access so that instances can only retrieve specific parameters. For secure strings, you have to grant KMS decrypt permission on the key so that the instance can decrypt secure string parameters. The following example enables instances to get a parameter value only for parameters whose names begin with "prod.". If the parameter is a secure string, the instance decrypts the string using KMS.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter"
      ],
      "Resource": [
        "arn:aws:ssm:region:account-id:parameter/prod.*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:region:account-id:key/CMK"
      ]
    }
  ]
}

Note

Instance policies, like in the previous example, are assigned to the instance role in IAM. For more information about configuring access to Systems Manager features, including how to assign policies to users and instances, see Configuring Access to Systems Manager.
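As an added illustration (not part of this guide or of any AWS tooling), the following Python evaluates requests against the read-only policy shown first on this page, using IAM-style wildcard matching for Action and Resource, and flags statements that grant parameter reads or kms:Decrypt on Resource "*". It is a simplified evaluator that ignores Condition elements; the account id is the constructed one the page already uses.

```python
import json
import re

# Constructed copy of the page's read-only user policy (account id is a placeholder).
READ_ONLY_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow", "Action": ["ssm:DescribeParameters"], "Resource": "*" },
  { "Effect": "Allow", "Action": ["ssm:GetParameters"],
    "Resource": "arn:aws:ssm:us-east-1:123456123:parameter/prod.*" } ] }
""")


def _as_list(value):
    """IAM allows Action and Resource to be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy, action, resource):
    """Evaluate one request: an explicit Deny wins, then any Allow, else implicit deny.
    Action names are case-insensitive; resource ARNs are compared case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def overly_broad(policy):
    """Return (statement index, action) pairs that allow reading parameters or
    decrypting with KMS against every resource ('*'), i.e. no prod./dbserver.prod. scoping."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        for action in _as_list(stmt["Action"]):
            lowered = action.lower()
            if lowered.startswith("ssm:getparameter") or lowered == "kms:decrypt":
                findings.append((i, action))
    return findings
```

Note that the pattern prod.* requires the literal prefix "prod.", so a parameter named "production" is not covered by it.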