Amazon EC2 Systems Manager
User Guide

Configuring Access to Systems Manager

To configure access for Systems Manager, you must do the following:

  1. Configure user access: If your AWS Identity and Access Management (IAM) user account, group, or role is assigned administrator permissions, then you have access to Systems Manager. If you don't have administrator permissions, then an administrator must give you permission, as described in this topic.

  2. Configure instance access by using an instance profile role: By default, instances don't have access to Systems Manager. You must enable access by assigning an IAM instance profile role to your instance, as described in this topic. You can assign the role to an existing instance, or you can create a new instance that uses this role. The instance obtains temporary credentials for this role through its instance metadata, and the SSM Agent uses those credentials to register the instance with Systems Manager and to receive the commands and other Systems Manager capabilities you run against it.

Note

If you are configuring servers or virtual machines (VMs) in a hybrid environment for Systems Manager, you must also configure an IAM service role. After you complete Task 1 in this topic, see Create an IAM Service Role for information about how to create the service role for managed instances in a hybrid environment.

Task 1: Configure User Access for Systems Manager

If your IAM user account, group, or role is assigned administrator permissions, then you have access to Systems Manager. You can skip this task. If you don't have administrator permissions, then an administrator must update your IAM user account, group, or role to include either the AmazonSSMFullAccess policy or the AmazonSSMReadOnlyAccess policy.

The AmazonSSMFullAccess policy grants the user full access to the Systems Manager API and to Systems Manager (SSM) documents. Assign this policy only to administrators and trusted power users: with it, a user can send any command (for example, a shell script) to every instance that is managed by Systems Manager in the account. The AmazonSSMReadOnlyAccess policy grants the user only the read-only API actions (Describe, Get and List); it does not allow sending commands.

For information about how to change permissions for an IAM user account, group, or role, see Changing Permissions for an IAM User.

Task 2: Create an Instance Profile Role for Systems Manager

Use the following procedure to create an instance profile role that enables an instance to communicate with Systems Manager. After you create the role, you can assign it to instances as described in Task 3.

To create a role for Systems Manager managed instances

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles, and then choose Create role.

  3. On the Select type of trusted entity page, under AWS Service, choose EC2.

  4. In the Select your use case section, choose EC2 Role for Simple Systems Manager, and then choose Next: Permissions.

  5. On the Attached permissions policy page, verify that AmazonEC2RoleforSSM is listed, and then choose Next: Review.

  6. On the Review page, type a name in the Role name box, and then type a description.

    Note

    Make a note of the role name. You will choose this role when you create new instances that you want to manage by using Systems Manager.

  7. Choose Create role. The system returns you to the Roles page.

Note

This procedure creates a new role from the pre-existing managed policy AmazonEC2RoleforSSM, and the EC2 use case sets up the trust relationship for you. If you choose to create a role from a custom policy instead, you must make sure the role's trust relationship allows the EC2 service, ec2.amazonaws.com, to assume it; an instance profile role that EC2 is not allowed to assume never yields credentials to the instance, so the SSM Agent cannot register. (The service role for a hybrid environment is different: it is assumed by Systems Manager itself and therefore trusts ssm.amazonaws.com; see Create an IAM Service Role.) You add trusted entities on the Trust Relationship tab when viewing the role. For example, the trust policy of the instance profile role must contain the following statement. For information about how to update a role to include a trusted entity, see Modifying a Role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Task 3: Create an Amazon EC2 Instance that Uses the Systems Manager Role

This procedure describes how to launch an Amazon EC2 instance that uses the role you just created. You can also attach the role to an existing instance. For more information, see Attaching an IAM Role to an Instance in the Amazon EC2 User Guide.

To create an instance that uses the Systems Manager instance role

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Select a supported region.

  3. Choose Launch Instance and select an instance.

  4. Choose your instance type and then choose Next: Configure Instance Details.

  5. In the IAM role drop-down list choose the EC2 instance role you created earlier.

  6. Complete the wizard.

If you create other instances that you want to configure using Systems Manager, you must specify the instance profile role for each instance.
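Tasks 2 and 3 done with the AWS SDK for Python (boto3) instead of the console, followed by the check that tells you the role actually works (the instance shows up as Online in Systems Manager). This is an added example and not code from this guide; the role and instance profile name SSMInstanceRole-example, the instance ID passed on the command line, and the polling interval are assumptions. The functions take the clients as parameters so they can be exercised without AWS credentials.

```python
"""Create the Systems Manager instance profile role (Task 2), attach it to an
existing instance (Task 3), and confirm the instance registered.
Added example; role/profile names and the instance ID are assumptions."""
import json
import time

# AWS managed policy referenced in Task 2, step 5 (it lives under the service-role path).
SSM_MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"


def instance_role_trust_policy() -> dict:
    """Trust policy for an instance profile role: EC2 itself must be allowed to
    call sts:AssumeRole, or the instance never receives credentials for the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def create_ssm_instance_role(iam, role_name: str) -> str:
    """Create the role, attach AmazonEC2RoleforSSM, and wrap the role in an
    instance profile of the same name (the console does that wrapping for you).
    Returns the instance profile name."""
    iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(instance_role_trust_policy()),
        Description="Lets EC2 instances register with Systems Manager",
    )
    iam.attach_role_policy(RoleName=role_name, PolicyArn=SSM_MANAGED_POLICY_ARN)
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return role_name


def attach_profile(ec2, instance_id: str, profile_name: str) -> str:
    """Attach the profile to an existing instance (the 'existing instance' path
    mentioned in Task 3). Returns the association ID EC2 reports."""
    resp = ec2.associate_iam_instance_profile(
        IamInstanceProfile={"Name": profile_name}, InstanceId=instance_id)
    return resp["IamInstanceProfileAssociation"]["AssociationId"]


def is_managed(ssm, instance_id: str) -> bool:
    """The check that matters: Systems Manager lists the instance as Online only
    after the SSM Agent has obtained role credentials and registered."""
    resp = ssm.describe_instance_information(
        Filters=[{"Key": "InstanceIds", "Values": [instance_id]}])
    return any(info["InstanceId"] == instance_id and info.get("PingStatus") == "Online"
               for info in resp.get("InstanceInformationList", []))


def wait_until_managed(ssm, instance_id: str, attempts: int = 12,
                       delay: float = 10, sleep=time.sleep) -> bool:
    """Poll because registration takes the agent a little while after the
    profile is attached (and the new profile itself propagates with a delay)."""
    for _ in range(attempts):
        if is_managed(ssm, instance_id):
            return True
        sleep(delay)
    return False


if __name__ == "__main__":
    import sys
    import boto3  # only needed for a real run against AWS

    profile = create_ssm_instance_role(boto3.client("iam"), "SSMInstanceRole-example")
    if len(sys.argv) > 1:  # optional: an instance ID such as i-1234567890abcdef0
        attach_profile(boto3.client("ec2"), sys.argv[1], profile)
        print("instance managed:", wait_until_managed(boto3.client("ssm"), sys.argv[1]))
```

A freshly created instance profile is not immediately visible to EC2; if associate_iam_instance_profile fails right after create_ssm_instance_role, wait a few seconds and retry. If the instance never becomes Online, check the trust relationship on the role first (it must trust ec2.amazonaws.com), then that the SSM Agent is installed and running on the instance.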

Optional Access Configurations

Task 1 in this section enabled you to grant access to a user by choosing a pre-existing or managed IAM user policy. If you want to limit user access to Systems Manager and SSM documents, you can create your own restrictive user policies, as described in this section. For more information about how to create a custom policy, see Creating a New Policy.

The following example IAM policy allows a user to do the following.

  • List Systems Manager documents and document versions.

  • View details about documents.

  • Send a command using the document specified in the policy.

    The name of the document is determined by this entry:

    arn:aws:ssm:us-east-1:*:document/name_of_restrictive_document
  • Send a command to three instances.

    The instances are determined by the following entries in the second Resource section:

    "arn:aws:ec2:us-east-1:*:instance/i-1234567890abcdef0",
    "arn:aws:ec2:us-east-1:*:instance/i-0598c7d356eba48d7",
    "arn:aws:ec2:us-east-1:*:instance/i-345678abcdef12345",
  • View details about a command after it has been sent.

  • Start and stop Automation executions.

  • Get information about Automation executions.

If you want the user to be able to send commands with this document to any instance in the region rather than only the three listed, replace the instance entries in the Resource section with the following single entry. Note that this matches every instance in us-east-1 in the account; the list of instance ARNs is the main thing that makes this policy restrictive, so widen it only when that scope is intended.

"arn:aws:ec2:us-east-1:*:instance/*"

Note that the Resource section also includes an Amazon S3 ARN entry. A Send Command request that stores its output in an S3 bucket names that bucket as one of its resources, so ssm:SendCommand must be allowed on the bucket ARN as well, or the request is denied:

arn:aws:s3:::bucket_name

To restrict where command output may be written, you can also format this entry as follows:

arn:aws:s3:::bucket_name/*

-or-

arn:aws:s3:::bucket_name/key_prefix_name
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ssm:ListDocuments",
        "ssm:ListDocumentVersions",
        "ssm:DescribeDocument",
        "ssm:GetDocument",
        "ssm:DescribeInstanceInformation",
        "ssm:DescribeDocumentParameters",
        "ssm:DescribeInstanceProperties"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ssm:SendCommand",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ec2:us-east-1:*:instance/i-1234567890abcdef0",
        "arn:aws:ec2:us-east-1:*:instance/i-0598c7d356eba48d7",
        "arn:aws:ec2:us-east-1:*:instance/i-345678abcdef12345",
        "arn:aws:s3:::bucket_name",
        "arn:aws:ssm:us-east-1:*:document/name_of_restrictive_document"
      ]
    },
    {
      "Action": [
        "ssm:CancelCommand",
        "ssm:ListCommands",
        "ssm:ListCommandInvocations"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ec2:DescribeInstanceStatus",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ssm:StartAutomationExecution",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ssm:us-east-1:*:automation-definition/*"
      ]
    },
    {
      "Action": "ssm:DescribeAutomationExecutions",
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Action": [
        "ssm:StopAutomationExecution",
        "ssm:GetAutomationExecution"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ssm:us-east-1:*:automation-execution/*"
      ]
    }
  ]
}

The two Automation entries are written with wildcards so that they match in us-east-1; where you can, narrow the automation-definition entry to the specific Automation documents the user may run (automation-definition/document_name). Every resource ARN in the policy is pinned to us-east-1, so the same user gets no Systems Manager access in other regions unless you add them.
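To see what the Resource entries of this policy actually do, it helps to model how IAM evaluates a Send Command request against it: the request names every instance it targets, the document, and (if output is stored) the bucket, and ssm:SendCommand has to be allowed on each of those ARNs or the whole call is denied. The following is an added example, not AWS's evaluator or code from this guide; it is a simplified model that handles Allow statements, the * and ? wildcards and multi-resource requests, but not Deny statements, Condition blocks or policy variables. The account ID 123456789012, the instance i-0abcdef1234567890 and the document AWS-RunShellScript are constructed inputs for the demonstration, and the embedded policy is the SendCommand statement of the page's policy plus one of its read-only statements.

```python
"""Simplified model of IAM evaluating ssm:SendCommand against the restrictive
policy above (Allow-only, wildcards, multi-resource requests).
Added example; the sample ARNs are constructed, not from the page."""
import copy
import re

# Subset of the page's policy: one read-only statement and the SendCommand statement.
RESTRICTIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["ssm:ListDocuments", "ssm:DescribeDocument"],
         "Effect": "Allow", "Resource": "*"},
        {"Action": "ssm:SendCommand", "Effect": "Allow",
         "Resource": [
             "arn:aws:ec2:us-east-1:*:instance/i-1234567890abcdef0",
             "arn:aws:ec2:us-east-1:*:instance/i-0598c7d356eba48d7",
             "arn:aws:ec2:us-east-1:*:instance/i-345678abcdef12345",
             "arn:aws:s3:::bucket_name",
             "arn:aws:ssm:us-east-1:*:document/name_of_restrictive_document",
         ]},
    ],
}


def _glob_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM wildcard semantics: '*' matches any run of characters (it may span
    ARN segments such as ':' and '/'); '?' matches exactly one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy: dict, action: str, resource_arn: str) -> bool:
    """True if some Allow statement matches both the action (action names are
    case-insensitive) and the resource ARN (ARNs are case-sensitive)."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        if (any(_glob_match(a, action, True) for a in _as_list(statement["Action"]))
                and any(_glob_match(r, resource_arn, False)
                        for r in _as_list(statement["Resource"]))):
            return True
    return False


def send_command_decision(policy: dict, instance_arns, document_arn: str,
                          output_bucket_arn: str = None):
    """Evaluate one SendCommand request. IAM must allow the action on the
    document, on every target instance and on the output bucket (if any);
    a single unmatched ARN fails the whole call. Returns (allowed, unmatched)."""
    needed = [document_arn, *instance_arns]
    if output_bucket_arn:
        needed.append(output_bucket_arn)
    unmatched = [arn for arn in needed if not allows(policy, "ssm:SendCommand", arn)]
    return (not unmatched), unmatched


def widen_to_all_instances(policy: dict, region: str = "us-east-1") -> dict:
    """The relaxation described in the text: replace the per-instance entries
    with instance/*. Returns a new policy; the input is left unchanged."""
    widened = copy.deepcopy(policy)
    for statement in widened["Statement"]:
        if "ssm:SendCommand" in _as_list(statement["Action"]):
            statement["Resource"] = [r for r in _as_list(statement["Resource"])
                                     if not r.startswith("arn:aws:ec2:")]
            statement["Resource"].append(f"arn:aws:ec2:{region}:*:instance/*")
    return widened


# Constructed sample ARNs (account 123456789012 is a placeholder).
DOC = "arn:aws:ssm:us-east-1:123456789012:document/name_of_restrictive_document"
OTHER_DOC = "arn:aws:ssm:us-east-1:123456789012:document/AWS-RunShellScript"
OK_INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0"
OTHER_INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abcdef1234567890"
OTHER_REGION = "arn:aws:ec2:us-west-2:123456789012:instance/i-1234567890abcdef0"

if __name__ == "__main__":
    print("listed instance, listed document:",
          send_command_decision(RESTRICTIVE_POLICY, [OK_INSTANCE], DOC))
    print("one unlisted instance in the batch:",
          send_command_decision(RESTRICTIVE_POLICY, [OK_INSTANCE, OTHER_INSTANCE], DOC))
    print("unlisted document:",
          send_command_decision(RESTRICTIVE_POLICY, [OK_INSTANCE], OTHER_DOC))
    print("after widening to instance/*:",
          send_command_decision(widen_to_all_instances(RESTRICTIVE_POLICY), [OTHER_INSTANCE], DOC))
```

The model makes two properties of the policy visible: a batch that mixes one unlisted instance with listed ones is refused as a whole, so a user cannot smuggle an extra target into an otherwise permitted call, and the document entry is what stops the user from substituting a more powerful document such as AWS-RunShellScript. For a real policy, run the same cases through IAM's own evaluator (iam simulate-principal-policy) rather than relying on this simplification.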