AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon Simple Systems Manager

Amazon Simple Systems Manager (service prefix: ssm) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon Simple Systems Manager

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AddTagsToResource | Adds or overwrites one or more tags for the specified resource. | Tagging | document | | |
| CancelCommand | Attempts to cancel the command specified by the Command ID. | Write | | | |
| CreateActivation | Registers your on-premises server or virtual machine with Amazon EC2 so that you can manage these resources using Run Command. | Write | | | |
| CreateAssociation | Associates the specified SSM document with the specified instance. | Write | document* | | |
| CreateAssociationBatch | Associates the specified SSM document with the specified instances. | Write | document* | | |
| CreateDocument | Creates an SSM document. | Write | | | |
| CreateMaintenanceWindow | Create an SSM maintenance window. | Write | | | |
| CreatePatchBaseline | Create an SSM patch baseline. | Write | | | |
| CreateResourceDataSync | Creates a resource data sync configuration to a single bucket in Amazon S3. | Write | | | |
| DeleteActivation | Deletes an activation. | Write | | | |
| DeleteAssociation | Disassociates the specified SSM document from the specified instance. | Write | document* | | |
| DeleteDocument | Deletes the SSM document and all instance associations to the document. | Write | document* | | |
| DeleteMaintenanceWindow | Delete an SSM maintenance window. | Write | maintenancewindow* | | |
| DeleteParameter | Delete a parameter from the system. | Write | parameter* | | |
| DeleteParameters | Delete a list of parameters. | Write | parameter* | | |
| DeletePatchBaseline | Delete an SSM patch baseline. | Write | patchbaseline* | | |
| DeleteResourceDataSync | Deletes a Resource Data Sync configuration. | Write | | | |
| DeregisterManagedInstance | Removes the server or virtual machine from the list of registered servers. | Write | managed-instance* | | |
| DeregisterPatchBaselineForPatchGroup | Deregister an SSM patch baseline from a patch group. | Write | patchbaseline* | | |
| DeregisterTargetFromMaintenanceWindow | Deregister a target from an SSM maintenance window. | Write | maintenancewindow* | | |
| DeregisterTaskFromMaintenanceWindow | Deregister a task from an SSM maintenance window. | Write | maintenancewindow* | | |
| DescribeActivations | Details about the activation, including: the date and time the activation was created, the expiration date, the IAM role assigned to the instances in the activation, and the number of instances activated by this registration. | Read | | | |
| DescribeAssociation | Describes the associations for the specified SSM document or instance. | Read | document* | | |
| DescribeAvailablePatches | Describes one or more available patches. | Read | | | |
| DescribeDocument | Describes the specified SSM document. | Read | document* | | |
| DescribeDocumentParameters | Describes the parameters for an SSM document. | Read | document* | | |
| DescribeDocumentPermission | Describes the permissions for an SSM document. | Read | document* | | |
| DescribeEffectivePatchesForPatchBaseline | Describes the evaluation of patch baseline for patches and corresponding state. | Read | patchbaseline* | | |
| DescribeInstanceInformation | Describes one or more of your instances. | Read | document | | |
| DescribeInstancePatchStates | Describe one or more of your instance patch states. One per each instance ID. | Read | | | |
| DescribeInstancePatchStatesForPatchGroup | Describe one or more of your instance patch states over all instances in given patch group. | Read | | | |
| DescribeInstancePatches | Describe one or more of your instance patch states for a given instance ID. | Read | | | |
| DescribeInstanceProperties | Describes one or more of your instances. | Read | document | | |
| DescribeMaintenanceWindowExecutionTaskInvocations | Describe one or more of your maintenance window execution task invocations history. | List | | | |
| DescribeMaintenanceWindowExecutionTasks | Describe one or more of your maintenance window execution tasks history. | List | | | |
| DescribeMaintenanceWindowExecutions | Describe one or more of your maintenance window execution history. | List | maintenancewindow* | | |
| DescribeMaintenanceWindowTargets | Describe one or more of your maintenance windows targets. | List | maintenancewindow* | | |
| DescribeMaintenanceWindowTasks | Describe one or more of your maintenance windows tasks. | List | maintenancewindow* | | |
| DescribeMaintenanceWindows | Describe one or more of your maintenance windows. | List | | | |
| DescribeParameters | Describes one or more parameters in Parameter Store. | List | | | |
| DescribePatchBaselines | Describes one or more SSM patch baselines. | List | | | |
| DescribePatchGroupState | Get a high level patch state report of given patch group. | Read | | | |
| DescribePatchGroups | Describes one or more patch group to SSM patch baseline mappings. | List | | | |
| GetAutomationExecution | | Read | | | |
| GetDefaultPatchBaseline | Get the default SSM patch baseline. | Read | patchbaseline* | | |
| GetDeployablePatchSnapshotForInstance | Get the snapshot of patches to be installed for given instances. | Read | | | |
| GetDocument | Gets the contents of the specified SSM document. | Read | document* | | |
| GetMaintenanceWindow | Get an SSM maintenance window. | Read | maintenancewindow* | | |
| GetMaintenanceWindowExecution | Get an SSM maintenance window execution. | Read | | | |
| GetMaintenanceWindowExecutionTask | Get an SSM maintenance window execution task. | Read | | | |
| GetMaintenanceWindowExecutionTaskInvocation | Get an SSM maintenance window execution task invocation. | Read | | | |
| GetMaintenanceWindowTask | Get an SSM maintenance window task. | Read | maintenancewindow*, windowtask* | | |
| GetManifest | Fetches the installation description for a package. | Read | | | |
| GetParameter | Get information about a parameter by using the parameter name. | Read | parameter* | | |
| GetParameterHistory | Query a list of all modifications of a parameter. | Read | parameter* | | |
| GetParameters | Get details of a list of parameters. | Read | parameter* | | |
| GetParametersByPath | Retrieve parameters in a specific hierarchy. | Read | parameter* | | |
| GetPatchBaseline | Get an SSM patch baseline. | Read | patchbaseline* | | |
| GetPatchBaselineForPatchGroup | Get the SSM patch baseline associated to the given patch group. | Read | patchbaseline* | | |
| ListAssociationVersions | Lists versions of the specified association. | List | | | |
| ListAssociations | Lists the associations for the specified SSM document or instance. | List | | | |
| ListCommandInvocations | An invocation is a copy of a command sent to a specific instance. | Read | | | |
| ListCommands | Lists the commands requested by users of the AWS account. | Read | | | |
| ListDocuments | Describes one or more of your SSM documents. | List | | | |
| ListTagsForResource | Returns a list of the tags assigned to the specified resource. | Read | document | | |
| ModifyDocumentPermission | Share a document publicly or privately. | Write | document* | | |
| PutComplianceItems | Registers a compliance type and other compliance details on a designated resource. | Write | | | |
| PutConfigurePackageResult | Reports installation result for a package. | Read | | | |
| PutParameter | Add a parameter to the system. | Write | parameter* | | |
| RegisterDefaultPatchBaseline | Register an SSM patch baseline as the default. | Write | patchbaseline* | | |
| RegisterPatchBaselineForPatchGroup | Register an SSM patch baseline to a patch group. | Write | patchbaseline* | | |
| RegisterTargetWithMaintenanceWindow | Register an SSM window target to a maintenance window. | Write | maintenancewindow* | | |
| RegisterTaskWithMaintenanceWindow | Register an SSM window task to a maintenance window. | Write | maintenancewindow* | | |
| RemoveTagsFromResource | Removes all tags from the specified resource. | Tagging | document | | |
| SendAutomationSignal | | Write | | | |
| SendCommand | Executes commands on one or more remote instances. | Write | document | | |
| StartAutomationExecution | Initiates execution of an Automation document. | Write | | | |
| StopAutomationExecution | Stop an Automation that is currently executing. | Write | | | |
| UpdateAssociationStatus | Updates the status of the SSM document associated with the specified instance. | Write | document | | |
| UpdateInstanceInformation | Updates the status of the SSM document associated with the specified instance. | Write | document | | |
| UpdateMaintenanceWindow | Update an SSM maintenance window. | Write | maintenancewindow* | | |
| UpdateMaintenanceWindowTarget | Update an SSM maintenance window target. | Write | maintenancewindow*, windowtarget* | | |
| UpdateMaintenanceWindowTask | Update an SSM maintenance window task. | Write | maintenancewindow*, windowtask* | | |
| UpdateManagedInstanceRole | Assigns or changes an Amazon Identity and Access Management (IAM) role to the managed instance. | Write | managed-instance* | | |
| UpdatePatchBaseline | Update an SSM patch baseline. | Write | patchbaseline* | | |

Resources Defined by SSM

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| document | arn:${Partition}:ssm:${Region}:${Account}:document/${DocumentName} | |
| maintenancewindow | arn:${Partition}:ssm:${Region}:${Account}:maintenancewindow/${ResourceId} | |
| managed-instance | arn:${Partition}:ssm:${Region}:${Account}:managed-instance/${ManagedInstanceName} | |
| parameter | arn:${Partition}:ssm:${Region}:${Account}:parameter/${FullyQualifiedParameterName} | |
| patchbaseline | arn:${Partition}:ssm:${Region}:${Account}:patchbaseline/${ResourceId} | |
| windowtarget | arn:${Partition}:ssm:${Region}:${Account}:windowtarget/${ResourceId} | |
| windowtask | arn:${Partition}:ssm:${Region}:${Account}:windowtask/${ResourceId} | |
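
The two tables can be used together to review a policy for least privilege. The following Python check is an added example, not part of the AWS guide: it flags `ssm:` statements whose `Resource` is broader than the table allows or names a resource type the action does not list. The function name `lint_statement`, the transcribed table subset, the account ID and the parameter names are assumptions constructed for illustration.

```python
import re

# Resource types per action, copied from a subset of the Actions table above.
# An empty set means the table lists no resource type for that action.
ACTION_RESOURCE_TYPES = {
    "GetParameter": {"parameter"},
    "GetParametersByPath": {"parameter"},
    "PutParameter": {"parameter"},
    "DescribeParameters": set(),
    "SendCommand": {"document"},
    "UpdateMaintenanceWindowTask": {"maintenancewindow", "windowtask"},
}
# ARN layout from the Resources table: arn:partition:ssm:region:account:type/name
SSM_ARN = re.compile(r"^arn:[^:]+:ssm:[^:]*:[^:]*:([a-z-]+)/.+$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_statement(stmt):
    """Return findings for one Allow statement that uses ssm: actions."""
    findings = []
    for action in as_list(stmt["Action"]):
        name = action.split(":", 1)[-1]
        if not action.startswith("ssm:") or name not in ACTION_RESOURCE_TYPES:
            findings.append(f"{action}: not in the transcribed table subset")
            continue
        allowed = ACTION_RESOURCE_TYPES[name]
        for resource in as_list(stmt["Resource"]):
            if resource == "*":
                if allowed:  # the action supports a narrower ARN than "*"
                    findings.append(f"{action}: '*' can be narrowed to {sorted(allowed)} ARNs")
                continue
            match = SSM_ARN.match(resource)
            rtype = match.group(1) if match else None
            if rtype not in allowed:
                findings.append(f"{action}: {resource} is not a resource type listed for this action")
    return findings

# Constructed policy statements (account ID and names are placeholders).
SCOPED = {"Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:GetParametersByPath"],
          "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/app/prod/*"}
BROAD = {"Effect": "Allow", "Action": ["ssm:PutParameter", "ssm:DescribeParameters"],
         "Resource": "*"}
MISMATCH = {"Effect": "Allow", "Action": "ssm:SendCommand",
            "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/app/prod/db"}

if __name__ == "__main__":
    for label, stmt in (("scoped", SCOPED), ("broad", BROAD), ("mismatch", MISMATCH)):
        print(label, lint_statement(stmt))
```

`DescribeParameters` passes with `"*"` because the table lists no resource type for it, while `PutParameter` in the same statement is flagged because it can be scoped to a `parameter` ARN.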

Condition Keys for Amazon Simple Systems Manager

SSM has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.