AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Systems Manager

AWS Systems Manager (service prefix: ssm) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Systems Manager

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.
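The following policy is an added illustration of the rule above; it is not taken from this page or from AWS documentation. The account ID, Region and parameter path are constructed placeholders. The first statement uses actions whose required resource type is `parameter*`, so the Resource element names parameter ARNs in the form shown in the resource table; the second statement uses `ssm:DescribeParameters`, which has no resource type, so its Resource must be `"*"` (a narrower ARN there would never match and the call would be denied).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOneParameterHierarchy",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/app/prod/*"
    },
    {
      "Sid": "ListActionsHaveNoResourceType",
      "Effect": "Allow",
      "Action": "ssm:DescribeParameters",
      "Resource": "*"
    }
  ]
}
```

The split matters for least privilege: scoping the read actions to one hierarchy keeps a compromised principal from reading every parameter in the account, while `DescribeParameters` on `"*"` only exposes parameter names and metadata, not values.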

For details about the columns in the following table, see The Actions Table.

Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions
AddTagsToResource | Adds or overwrites one or more tags for the specified resource. | Tagging | document, maintenancewindow, managed-instance, parameter, patchbaseline | |
CancelCommand | Attempts to cancel the command specified by the Command ID. | Write | | |
CancelMaintenanceWindowExecution | Attempts to cancel the execution specified by the WindowExecution ID. | Write | | |
CreateActivation | Registers your on-premises server or virtual machine with Amazon EC2 so that you can manage these resources using Run Command. | Write | | |
CreateAssociation | Associates the specified SSM document with the specified instance. | Write | document* | |
CreateAssociationBatch | Associates the specified SSM document with the specified instances. | Write | document* | |
CreateDocument | Creates an SSM document. | Tagging | | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateMaintenanceWindow | Creates an SSM maintenance window. | Tagging | | |
CreateOpsItem | Creates a new OpsItem. | Write | | |
CreatePatchBaseline | Creates an SSM patch baseline. | Tagging | | |
CreateResourceDataSync | Creates a resource data sync configuration to a single bucket in Amazon S3. | Write | | |
DeleteActivation | Deletes an activation. | Write | | |
DeleteAssociation | Disassociates the specified SSM document from the specified instance. | Write | document* | |
DeleteDocument | Deletes the SSM document and all instance associations to the document. | Write | document* | |
DeleteInventory | Deletes a custom inventory type or the data associated with a custom inventory type. | Write | | |
DeleteMaintenanceWindow | Deletes an SSM maintenance window. | Write | maintenancewindow* | |
DeleteParameter | Deletes a parameter from the system. | Write | parameter* | |
DeleteParameters | Deletes a list of parameters. | Write | parameter* | |
DeletePatchBaseline | Deletes an SSM patch baseline. | Write | patchbaseline* | |
DeleteResourceDataSync | Deletes a Resource Data Sync configuration. | Write | | |
DeregisterManagedInstance | Enables the user to remove on-premises managed instances from the list of managed instances. | Write | managed-instance* | |
DeregisterPatchBaselineForPatchGroup | Deregisters an SSM patch baseline from a patch group. | Write | patchbaseline* | |
DeregisterTargetFromMaintenanceWindow | Deregisters a target from an SSM maintenance window. | Write | maintenancewindow* | |
DeregisterTaskFromMaintenanceWindow | Deregisters a task from an SSM maintenance window. | Write | maintenancewindow* | |
DescribeActivations | Describes details about the activation, including the date and time the activation was created, the expiration date, the IAM role assigned to the instances in the activation, and the number of instances activated by this registration. | Read | | |
DescribeAssociation | Describes the associations for the specified SSM document or instance. | Read | document* | |
DescribeAssociationExecutionTargets | Describes the detailed information about a specific execution of a specific association. | Read | | |
DescribeAssociationExecutions | Describes all executions for a specific association ID. | Read | | |
DescribeAvailablePatches | Describes one or more available patches. | Read | | |
DescribeDocument | Describes the specified SSM document. | Read | document* | |
DescribeDocumentParameters | Describes the parameters for an SSM document. | Read | document* | |
DescribeDocumentPermission | Describes the permissions for an SSM document. | Read | document* | |
DescribeEffectivePatchesForPatchBaseline | Describes the evaluation of a patch baseline for patches and the corresponding state. | Read | patchbaseline* | |
DescribeInstanceInformation | Describes one or more of your instances. | Read | | |
DescribeInstancePatchStates | Describes one or more of your instance patch states, one per instance ID. | Read | | |
DescribeInstancePatchStatesForPatchGroup | Describes one or more of your instance patch states over all instances in a given patch group. | Read | | |
DescribeInstancePatches | Describes one or more of your instance patch states for a given instance ID. | Read | | |
DescribeInstanceProperties | Enables the user's Amazon EC2 console to render managed instances' nodes. | Read | | |
DescribeInventoryDeletions | Describes a specific delete inventory operation. | Read | | |
DescribeMaintenanceWindowExecutionTaskInvocations | Describes the history of one or more of your maintenance window execution task invocations. | List | | |
DescribeMaintenanceWindowExecutionTasks | Describes the history of one or more of your maintenance window execution tasks. | List | | |
DescribeMaintenanceWindowExecutions | Describes the execution history of one or more of your maintenance windows. | List | maintenancewindow* | |
DescribeMaintenanceWindowSchedule | Describes the upcoming executions of one or more of your maintenance windows. | List | | |
DescribeMaintenanceWindowTargets | Describes one or more of your maintenance window targets. | List | maintenancewindow* | |
DescribeMaintenanceWindowTasks | Describes one or more of your maintenance window tasks. | List | maintenancewindow* | |
DescribeMaintenanceWindows | Describes one or more of your maintenance windows. | List | | |
DescribeMaintenanceWindowsForTarget | Describes the maintenance windows to which your target belongs. | List | | |
DescribeOpsItems | Returns a list of OpsItems based on different search criteria. | Read | | |
DescribeParameters | Describes one or more parameters in Parameter Store. | List | | |
DescribePatchBaselines | Describes one or more SSM patch baselines. | List | | |
DescribePatchGroupState | Gets a high-level patch state report for a given patch group. | Read | | |
DescribePatchGroups | Describes one or more patch group to SSM patch baseline mappings. | List | | |
DescribeSessions | Describes one or more Session Manager sessions. | List | | |
GetAutomationExecution | | Read | | |
GetConnectionStatus | Gets the connection status for an instance. | Read | | |
GetDefaultPatchBaseline | Gets the default SSM patch baseline. | Read | patchbaseline* | |
GetDeployablePatchSnapshotForInstance | Gets the snapshot of patches to be installed for given instances. | Read | | |
GetDocument | Gets the contents of the specified SSM document. | Read | document* | |
GetMaintenanceWindow | Gets an SSM maintenance window. | Read | maintenancewindow* | |
GetMaintenanceWindowExecution | Gets an SSM maintenance window execution. | Read | | |
GetMaintenanceWindowExecutionTask | Gets an SSM maintenance window execution task. | Read | | |
GetMaintenanceWindowExecutionTaskInvocation | Gets an SSM maintenance window execution task invocation. | Read | | |
GetMaintenanceWindowTask | Gets an SSM maintenance window task. | Read | maintenancewindow* | |
GetManifest | Fetches the installation description for a package. | Read | | |
GetOpsItem | Returns details of an OpsItem. | Read | | |
GetOpsSummary | Views a summary of OpsItems based on specified filters and aggregators. A filter is used to scope down the returned OpsItems; an aggregator is used to return counts of OpsItems. | Read | | |
GetParameter | Gets information about a parameter by using the parameter name. | Read | parameter* | |
GetParameterHistory | Queries a list of all modifications of a parameter. | Read | parameter* | |
GetParameters | Gets details of a list of parameters. | Read | parameter* | |
GetParametersByPath | Retrieves parameters in a specific hierarchy. | Read | parameter* | |
GetPatchBaseline | Gets an SSM patch baseline. | Read | patchbaseline* | |
GetPatchBaselineForPatchGroup | Gets the SSM patch baseline associated with the given patch group. | Read | patchbaseline* | |
LabelParameterVersion | Attaches labels to a specific version of an existing parameter. | Write | parameter* | |
ListAssociationVersions | Lists versions of the specified association. | List | | |
ListAssociations | Lists the associations for the specified SSM document or instance. | List | | |
ListCommandInvocations | An invocation is a copy of a command sent to a specific instance. | Read | | |
ListCommands | Lists the commands requested by users of the AWS account. | Read | | |
ListComplianceItems | Returns a list of compliance statuses for different resource types for a specific resource. | List | | |
ListComplianceSummaries | Returns a summary count of compliant and non-compliant resources for a compliance type. | List | | |
ListDocuments | Describes one or more of your SSM documents. | List | | |
ListResourceComplianceSummaries | Returns a resource-level summary count. | List | | |
ListTagsForResource | Returns a list of the tags assigned to the specified resource. | Read | document, maintenancewindow, managed-instance, parameter, patchbaseline | |
ModifyDocumentPermission | Shares a document publicly or privately. | Write | document* | |
PutComplianceItems | Registers a compliance type and other compliance details on a designated resource. | Write | | |
PutConfigurePackageResult | Reports the installation result for a package. | Read | | |
PutParameter | Adds a parameter to the system. | Tagging | parameter* | aws:RequestTag/${TagKey}, aws:TagKeys |
RegisterDefaultPatchBaseline | Registers an SSM patch baseline as the default. | Write | patchbaseline* | |
RegisterPatchBaselineForPatchGroup | Registers an SSM patch baseline to a patch group. | Write | patchbaseline* | |
RegisterTargetWithMaintenanceWindow | Registers an SSM window target to a maintenance window. | Write | maintenancewindow* | |
RegisterTaskWithMaintenanceWindow | Registers an SSM window task to a maintenance window. | Write | maintenancewindow* | |
RemoveTagsFromResource | Removes all tags from the specified resource. | Tagging | document, maintenancewindow, managed-instance, parameter, patchbaseline | |
ResumeSession | Resumes a disconnected SSM Session Manager connection. | Write | session* | |
SendAutomationSignal | | Write | | |
SendCommand | Executes commands on one or more remote instances. | Write | document | ssm:resourceTag/tag-key |
StartAutomationExecution | Initiates execution of an Automation document. | Write | | |
StartSession | Starts a connection to an instance using SSM Session Manager. | Write | instance*, document | ssm:SessionDocumentAccessCheck |
StopAutomationExecution | Stops an Automation that is currently executing. | Write | | |
TerminateSession | Terminates an ongoing SSM Session Manager connection. | Write | session* | |
UpdateAssociationStatus | Updates the status of the SSM document associated with the specified instance. | Write | document | |
UpdateInstanceInformation | Enables the user's SSM Agents to call the Systems Manager service in the cloud to provide heartbeat information. | Write | | |
UpdateMaintenanceWindow | Updates an SSM maintenance window. | Write | maintenancewindow* | |
UpdateMaintenanceWindowTarget | Updates an SSM maintenance window target. | Write | maintenancewindow* | |
UpdateMaintenanceWindowTask | Updates an SSM maintenance window task. | Write | maintenancewindow* | |
UpdateManagedInstanceRole | Assigns or changes an AWS Identity and Access Management (IAM) role for the managed instance. | Write | managed-instance* | |
UpdateOpsItem | Edits or changes an OpsItem. | Write | | |
UpdatePatchBaseline | Updates an SSM patch baseline. | Write | patchbaseline* | |

Resources Defined by AWS Systems Manager

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types | ARN | Condition Keys
document | arn:${Partition}:ssm:${Region}:${Account}:document/${DocumentName} | aws:ResourceTag/${TagKey}, ssm:resourceTag/tag-key
maintenancewindow | arn:${Partition}:ssm:${Region}:${Account}:maintenancewindow/${ResourceId} | aws:ResourceTag/${TagKey}, ssm:resourceTag/tag-key
managed-instance | arn:${Partition}:ssm:${Region}:${Account}:managed-instance/${ManagedInstanceName} | aws:ResourceTag/${TagKey}, ssm:resourceTag/tag-key
instance | arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId} | aws:ResourceTag/${TagKey}, ssm:resourceTag/tag-key
parameter | arn:${Partition}:ssm:${Region}:${Account}:parameter/${FullyQualifiedParameterName} | aws:ResourceTag/${TagKey}, ssm:resourceTag/tag-key
patchbaseline | arn:${Partition}:ssm:${Region}:${Account}:patchbaseline/${ResourceId} | aws:ResourceTag/${TagKey}, ssm:resourceTag/tag-key
session | arn:${Partition}:ssm:${Region}:${Account}:session/${ResourceId} |
opsitem | arn:${Partition}:ssm:${Region}:${Account}:opsitem/${ResourceId} |

Condition Keys for AWS Systems Manager

AWS Systems Manager defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Keys | Description | Type
aws:RequestTag/${TagKey} | Filters create requests based on the allowed set of values for each of the tags. | String
aws:ResourceTag/${TagKey} | Filters actions based on the tag value associated with the resource. | String
aws:TagKeys | Filters create requests based on the presence of mandatory tags in the request. | String
ssm:SessionDocumentAccessCheck | Filters access by verifying that a user also has access to the default Session Manager configuration document. | Boolean
ssm:resourceTag/tag-key | A tag key and value pair. | String
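The policy below is an added example of how the condition keys in this table combine with the resource types from the tables above; it is not from this page or from AWS's own documentation. The account ID, Region, tag names and tag values are constructed placeholders, and the document name `SSM-SessionManagerRunShell` is assumed to be the account's default Session Manager configuration document. The first statement lets a principal open sessions only on instances tagged `Environment=dev`, and `ssm:SessionDocumentAccessCheck` additionally requires that the principal be allowed to use the session document named in Resource (the document type is optional for `StartSession`, so it is listed alongside the required `instance`). The second statement uses `aws:RequestTag` and `aws:TagKeys` on `PutParameter`, whose access level is Tagging, so that parameters can be created only when they carry an `Owner` tag with the expected value.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnlyOnDevInstances",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "arn:aws:ssm:us-east-1:123456789012:document/SSM-SessionManagerRunShell"
      ],
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Environment": "dev" },
        "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" }
      }
    },
    {
      "Sid": "CreateParametersOnlyWithOwnerTag",
      "Effect": "Allow",
      "Action": "ssm:PutParameter",
      "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/app/dev/*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/Owner": "platform-team" },
        "ForAllValues:StringEquals": { "aws:TagKeys": [ "Owner" ] }
      }
    }
  ]
}
```

Two points to check when reviewing a policy like this: `aws:ResourceTag` only restricts `StartSession` if the instances are actually tagged, so an untagged instance is simply unreachable rather than open; and the `aws:RequestTag` condition in the second statement is what makes the tag mandatory, since `ForAllValues:StringEquals` on `aws:TagKeys` evaluates to true for a request that carries no tags at all.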