AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon Simple Systems Manager

Amazon Simple Systems Manager (service prefix: ssm) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon Simple Systems Manager

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AddTagsToResource | Adds or overwrites one or more tags for the specified resource. | Tagging | document | | |
| CancelCommand | Attempts to cancel the command specified by the Command ID. | Write | | | |
| CreateActivation | Registers your on-premises server or virtual machine with Amazon EC2 so that you can manage these resources using Run Command. | Write | | | |
| CreateAssociation | Associates the specified SSM document with the specified instance. | Write | document* | | |
| CreateAssociationBatch | Associates the specified SSM document with the specified instances. | Write | document* | | |
| CreateDocument | Creates an SSM document. | Write | | | |
| CreateMaintenanceWindow | Creates an SSM maintenance window. | Write | | | |
| CreatePatchBaseline | Creates an SSM patch baseline. | Write | | | |
| CreateResourceDataSync | Creates a resource data sync configuration to a single bucket in Amazon S3. | Write | | | |
| DeleteActivation | Deletes an activation. | Write | | | |
| DeleteAssociation | Disassociates the specified SSM document from the specified instance. | Write | document* | | |
| DeleteDocument | Deletes the SSM document and all instance associations to the document. | Write | document* | | |
| DeleteMaintenanceWindow | Deletes an SSM maintenance window. | Write | maintenancewindow* | | |
| DeleteParameter | Deletes a parameter from the system. | Write | parameter* | | |
| DeleteParameters | Deletes a list of parameters. | Write | parameter* | | |
| DeletePatchBaseline | Deletes an SSM patch baseline. | Write | patchbaseline* | | |
| DeleteResourceDataSync | Deletes a Resource Data Sync configuration. | Write | | | |
| DeregisterManagedInstance | Removes the server or virtual machine from the list of registered servers. | Write | managed-instance* | | |
| DeregisterPatchBaselineForPatchGroup | Deregisters an SSM patch baseline from a patch group. | Write | patchbaseline* | | |
| DeregisterTargetFromMaintenanceWindow | Deregisters a target from an SSM maintenance window. | Write | maintenancewindow* | | |
| DeregisterTaskFromMaintenanceWindow | Deregisters a task from an SSM maintenance window. | Write | maintenancewindow* | | |
| DescribeActivations | Returns details about the activation, including the date and time the activation was created, the expiration date, the IAM role assigned to the instances in the activation, and the number of instances activated by this registration. | Read | | | |
| DescribeAssociation | Describes the associations for the specified SSM document or instance. | Read | document* | | |
| DescribeAvailablePatches | Describes one or more available patches. | Read | | | |
| DescribeDocument | Describes the specified SSM document. | Read | document* | | |
| DescribeDocumentParameters | Describes the parameters for an SSM document. | Read | document* | | |
| DescribeDocumentPermission | Describes the permissions for an SSM document. | Read | document* | | |
| DescribeEffectivePatchesForPatchBaseline | Describes the evaluation of a patch baseline for patches and their corresponding state. | Read | patchbaseline* | | |
| DescribeInstanceInformation | Describes one or more of your instances. | Read | document | | |
| DescribeInstancePatchStates | Describes one or more of your instance patch states, one per instance ID. | Read | | | |
| DescribeInstancePatchStatesForPatchGroup | Describes one or more of your instance patch states over all instances in a given patch group. | Read | | | |
| DescribeInstancePatches | Describes one or more of your instance patch states for a given instance ID. | Read | | | |
| DescribeInstanceProperties | Describes one or more of your instances. | Read | document | | |
| DescribeMaintenanceWindowExecutionTaskInvocations | Describes the history of one or more of your maintenance window execution task invocations. | List | | | |
| DescribeMaintenanceWindowExecutionTasks | Describes the history of one or more of your maintenance window execution tasks. | List | | | |
| DescribeMaintenanceWindowExecutions | Describes the execution history of one or more of your maintenance windows. | List | maintenancewindow* | | |
| DescribeMaintenanceWindowTargets | Describes one or more of your maintenance window targets. | List | maintenancewindow* | | |
| DescribeMaintenanceWindowTasks | Describes one or more of your maintenance window tasks. | List | maintenancewindow* | | |
| DescribeMaintenanceWindows | Describes one or more of your maintenance windows. | List | | | |
| DescribeParameters | Describes one or more parameters in Parameter Store. | List | | | |
| DescribePatchBaselines | Describes one or more SSM patch baselines. | List | | | |
| DescribePatchGroupState | Gets a high-level patch state report for a given patch group. | Read | | | |
| DescribePatchGroups | Describes one or more patch group to SSM patch baseline mappings. | List | | | |
| DescribeSessions | Describes one or more Session Manager sessions. | List | | | |
| GetAutomationExecution | | Read | | | |
| GetConnectionStatus | Gets the connection status for an instance. | Read | | | |
| GetDefaultPatchBaseline | Gets the default SSM patch baseline. | Read | patchbaseline* | | |
| GetDeployablePatchSnapshotForInstance | Gets the snapshot of patches to be installed for the given instances. | Read | | | |
| GetDocument | Gets the contents of the specified SSM document. | Read | document* | | |
| GetMaintenanceWindow | Gets an SSM maintenance window. | Read | maintenancewindow* | | |
| GetMaintenanceWindowExecution | Gets an SSM maintenance window execution. | Read | | | |
| GetMaintenanceWindowExecutionTask | Gets an SSM maintenance window execution task. | Read | | | |
| GetMaintenanceWindowExecutionTaskInvocation | Gets an SSM maintenance window execution task invocation. | Read | | | |
| GetMaintenanceWindowTask | Gets an SSM maintenance window task. | Read | maintenancewindow*, windowtask* | | |
| GetManifest | Fetches the installation description for a package. | Read | | | |
| GetParameter | Gets information about a parameter by using the parameter name. | Read | parameter* | ssm:resourceTag/tag-key | |
| GetParameterHistory | Queries a list of all modifications of a parameter. | Read | parameter* | ssm:resourceTag/tag-key | |
| GetParameters | Gets details of a list of parameters. | Read | parameter* | ssm:resourceTag/tag-key | |
| GetParametersByPath | Retrieves parameters in a specific hierarchy. | Read | parameter* | | |
| GetPatchBaseline | Gets an SSM patch baseline. | Read | patchbaseline* | | |
| GetPatchBaselineForPatchGroup | Gets the SSM patch baseline associated with the given patch group. | Read | patchbaseline* | | |
| ListAssociationVersions | Lists versions of the specified association. | List | | | |
| ListAssociations | Lists the associations for the specified SSM document or instance. | List | | | |
| ListCommandInvocations | An invocation is a copy of a command sent to a specific instance. | Read | | | |
| ListCommands | Lists the commands requested by users of the AWS account. | Read | | | |
| ListDocuments | Describes one or more of your SSM documents. | List | | | |
| ListTagsForResource | Returns a list of the tags assigned to the specified resource. | Read | document | | |
| ModifyDocumentPermission | Shares a document publicly or privately. | Write | document* | | |
| PutComplianceItems | Registers a compliance type and other compliance details on a designated resource. | Write | | | |
| PutConfigurePackageResult | Reports the installation result for a package. | Read | | | |
| PutParameter | Adds a parameter to the system. | Write | parameter* | | |
| RegisterDefaultPatchBaseline | Registers an SSM patch baseline as the default. | Write | patchbaseline* | | |
| RegisterPatchBaselineForPatchGroup | Registers an SSM patch baseline to a patch group. | Write | patchbaseline* | | |
| RegisterTargetWithMaintenanceWindow | Registers an SSM window target with a maintenance window. | Write | maintenancewindow* | | |
| RegisterTaskWithMaintenanceWindow | Registers an SSM window task with a maintenance window. | Write | maintenancewindow* | | |
| RemoveTagsFromResource | Removes all tags from the specified resource. | Tagging | document | | |
| ResumeSession | Resumes a disconnected SSM Session Manager connection. | Write | session* | | |
| SendAutomationSignal | | Write | | | |
| SendCommand | Executes commands on one or more remote instances. | Write | document | ssm:resourceTag/tag-key | |
| StartAutomationExecution | Initiates execution of an Automation document. | Write | | | |
| StartSession | Starts a connection to an instance using SSM Session Manager. | Write | | | |
| StopAutomationExecution | Stops an Automation that is currently executing. | Write | | | |
| TerminateSession | Terminates an ongoing SSM Session Manager connection. | Write | session* | | |
| UpdateAssociationStatus | Updates the status of the SSM document associated with the specified instance. | Write | document | | |
| UpdateInstanceInformation | Updates the status of the SSM document associated with the specified instance. | Write | document | | |
| UpdateMaintenanceWindow | Updates an SSM maintenance window. | Write | maintenancewindow* | | |
| UpdateMaintenanceWindowTarget | Updates an SSM maintenance window target. | Write | maintenancewindow*, windowtarget* | | |
| UpdateMaintenanceWindowTask | Updates an SSM maintenance window task. | Write | maintenancewindow*, windowtask* | | |
| UpdateManagedInstanceRole | Assigns or changes an AWS Identity and Access Management (IAM) role for the managed instance. | Write | managed-instance* | | |
| UpdatePatchBaseline | Updates an SSM patch baseline. | Write | patchbaseline* | | |

Resources Defined by SSM

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| document | arn:${Partition}:ssm:${Region}:${Account}:document/${DocumentName} | |
| maintenancewindow | arn:${Partition}:ssm:${Region}:${Account}:maintenancewindow/${ResourceId} | |
| managed-instance | arn:${Partition}:ssm:${Region}:${Account}:managed-instance/${ManagedInstanceName} | |
| parameter | arn:${Partition}:ssm:${Region}:${Account}:parameter/${FullyQualifiedParameterName} | ssm:resourceTag/tag-key |
| patchbaseline | arn:${Partition}:ssm:${Region}:${Account}:patchbaseline/${ResourceId} | |
| session | arn:${Partition}:ssm:${Region}:${Account}:session/${ResourceId} | |
| windowtarget | arn:${Partition}:ssm:${Region}:${Account}:windowtarget/${ResourceId} | |
| windowtask | arn:${Partition}:ssm:${Region}:${Account}:windowtask/${ResourceId} | |

Condition Keys for Amazon Simple Systems Manager

Amazon Simple Systems Manager defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

| Condition Keys | Description | Type |
|---|---|---|
| ssm:resourceTag/tag-key | A tag key and value pair. | String |
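The policy below is an added illustration, not part of the AWS reference above, of how the three tables fit together in one IAM policy: action names from the Actions table, ARNs in the shape given by the Resource Types table, and the ssm:resourceTag/tag-key condition key with tag-key replaced by an actual key. The account ID, region, parameter path, tag key "team" and maintenance window ID are constructed placeholders. The first statement grants the three parameter read actions whose rows list the condition key, limited to a parameter hierarchy and to parameters tagged team=payments; the second shows that an action whose row lists two required resource types (maintenancewindow* and windowtask*) needs an ARN of each type in Resource, or the request is denied.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadPaymentsParametersByTag",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParameterHistory"
      ],
      "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/payments/*",
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/team": "payments"
        }
      }
    },
    {
      "Sid": "UpdateTasksInOneWindowOnly",
      "Effect": "Allow",
      "Action": "ssm:UpdateMaintenanceWindowTask",
      "Resource": [
        "arn:aws:ssm:us-east-1:123456789012:maintenancewindow/mw-0123456789abcdef0",
        "arn:aws:ssm:us-east-1:123456789012:windowtask/*"
      ]
    }
  ]
}
```

GetParametersByPath is deliberately left out of the first statement: its row in the Actions table lists no condition key, so a tag condition attached to it would never match and the statement would grant nothing for that action.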