Actions, resources, and condition keys for AWS Systems Manager - AWS Identity and Access Management

Tip

This page is moving to a new location on November 16, 2020. Please update your bookmark to use the new page at https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html.

AWS Systems Manager (service prefix: ssm) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by AWS Systems Manager

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AddTagsToResource | Grants permission to add or overwrite one or more tags for a specified AWS resource | Tagging | document, maintenancewindow, managed-instance, parameter, patchbaseline | |
CancelCommand | Grants permission to cancel a specified Run Command command | Write | | |
CancelMaintenanceWindowExecution | Grants permission to cancel an in-progress maintenance window execution | Write | | |
CreateActivation | Grants permission to create an activation that is used to register on-premises servers and virtual machines (VMs) with Systems Manager | Write | | |
CreateAssociation | Grants permission to associate a specified Systems Manager document with specified instances or other targets | Write | document*, instance, managed-instance | |
CreateAssociationBatch | Grants permission to combine entries for multiple CreateAssociation operations in a single command | Write | document*, instance, managed-instance | |
CreateDocument | Grants permission to create a Systems Manager SSM document | Write | document* | aws:RequestTag/${TagKey}, aws:TagKeys | iam:PassRole
CreateMaintenanceWindow | Grants permission to create a maintenance window | Write | | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateOpsItem | Grants permission to create an OpsItem in OpsCenter | Write | | |
CreatePatchBaseline | Grants permission to create a patch baseline | Write | | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateResourceDataSync | Grants permission to create a resource data sync configuration, which regularly collects inventory data from managed instances and updates the data in an Amazon S3 bucket | Write | resourcedatasync* | ssm:SyncType |
DeleteActivation | Grants permission to delete a specified activation for managed instances | Write | | |
DeleteAssociation | Grants permission to disassociate a specified SSM document from a specified instance | Write | association, document, instance, managed-instance | |
DeleteDocument | Grants permission to delete a specified SSM document and its instance associations | Write | document* | |
DeleteInventory | Grants permission to delete a specified custom inventory type, or the data associated with a custom inventory type | Write | | |
DeleteMaintenanceWindow | Grants permission to delete a specified maintenance window | Write | maintenancewindow* | |
DeleteParameter | Grants permission to delete a specified SSM parameter | Write | parameter* | aws:RequestTag/${TagKey} |
DeleteParameters | Grants permission to delete multiple specified SSM parameters | Write | parameter* | aws:RequestTag/${TagKey} |
DeletePatchBaseline | Grants permission to delete a specified patch baseline | Write | patchbaseline* | |
DeleteResourceDataSync | Grants permission to delete a specified resource data sync | Write | resourcedatasync* | ssm:SyncType |
DeregisterManagedInstance | Grants permission to deregister a specified on-premises server or virtual machine (VM) from Systems Manager | Write | managed-instance* | |
DeregisterPatchBaselineForPatchGroup | Grants permission to deregister a specified patch baseline from being the default patch baseline for a specified patch group | Write | patchbaseline* | |
DeregisterTargetFromMaintenanceWindow | Grants permission to deregister a specified target from a maintenance window | Write | maintenancewindow* | |
DeregisterTaskFromMaintenanceWindow | Grants permission to deregister a specified task from a maintenance window | Write | maintenancewindow* | |
DescribeActivations | Grants permission to view details about a specified managed instance activation, such as when it was created and the number of instances registered using the activation | Read | | |
DescribeAssociation | Grants permission to view details about the specified association for a specified instance or target | Read | association, document, instance, managed-instance | |
DescribeAssociationExecutionTargets | Grants permission to view information about a specified association execution | Read | | |
DescribeAssociationExecutions | Grants permission to view all executions for a specified association | Read | | |
DescribeAutomationExecutions | Grants permission to view details about all active and terminated Automation executions | Read | | |
DescribeAutomationStepExecutions | Grants permission to view information about all active and terminated step executions in an Automation workflow | Read | | |
DescribeAvailablePatches | Grants permission to view all patches eligible to include in a patch baseline | Read | | |
DescribeDocument | Grants permission to view details about a specified SSM document | Read | document* | |
DescribeDocumentParameters | Grants permission to display information about SSM document parameters in the Systems Manager console (internal Systems Manager action) | Read | document* | |
DescribeDocumentPermission | Grants permission to view the permissions for a specified SSM document | Read | document* | |
DescribeEffectiveInstanceAssociations | Grants permission to view all current associations for a specified instance | Read | instance, managed-instance | |
DescribeEffectivePatchesForPatchBaseline | Grants permission to view details about the patches currently associated with the specified patch baseline (Windows only) | Read | patchbaseline* | |
DescribeInstanceAssociationsStatus | Grants permission to view the status of the associations for a specified instance | Read | instance, managed-instance | |
DescribeInstanceInformation | Grants permission to view details about a specified instance | Read | | |
DescribeInstancePatchStates | Grants permission to view status details about patches on a specified instance | Read | | |
DescribeInstancePatchStatesForPatchGroup | Grants permission to describe the high-level patch state for the instances in the specified patch group | Read | | |
DescribeInstancePatches | Grants permission to view general details about the patches on a specified instance | Read | | |
DescribeInstanceProperties | Grants permission for the user's Amazon EC2 console to render managed instances' nodes | Read | | |
DescribeInventoryDeletions | Grants permission to view details about a specified inventory deletion | Read | | |
DescribeMaintenanceWindowExecutionTaskInvocations | Grants permission to view details of a specified task execution for a maintenance window | List | | |
DescribeMaintenanceWindowExecutionTasks | Grants permission to view details about the tasks that ran during a specified maintenance window execution | List | | |
DescribeMaintenanceWindowExecutions | Grants permission to view the executions of a specified maintenance window | List | maintenancewindow* | |
DescribeMaintenanceWindowSchedule | Grants permission to view details about upcoming executions of a specified maintenance window | List | | |
DescribeMaintenanceWindowTargets | Grants permission to view a list of the targets associated with a specified maintenance window | List | maintenancewindow* | |
DescribeMaintenanceWindowTasks | Grants permission to view a list of the tasks associated with a specified maintenance window | List | maintenancewindow* | |
DescribeMaintenanceWindows | Grants permission to view information about all or specified maintenance windows | List | | |
DescribeMaintenanceWindowsForTarget | Grants permission to view information about the maintenance window targets and tasks associated with a specified instance | List | | |
DescribeOpsItems | Grants permission to view details about specified OpsItems | Read | | |
DescribeParameters | Grants permission to view details about a specified SSM parameter | List | | |
DescribePatchBaselines | Grants permission to view information about patch baselines that meet the specified criteria | List | | |
DescribePatchGroupState | Grants permission to view aggregated status details for patches for a specified patch group | Read | | |
DescribePatchGroups | Grants permission to view information about the patch baseline for a specified patch group | List | | |
DescribePatchProperties | Grants permission to view details of available patches for a specified operating system and patch property | List | | |
DescribeSessions | Grants permission to view a list of recent Session Manager sessions that meet the specified search criteria | List | | |
GetAutomationExecution | Grants permission to view details of a specified Automation execution | Read | | |
GetCalendarState | Grants permission to view the calendar state for a change calendar or a list of change calendars | Read | document* | |
GetCommandInvocation | Grants permission to view details about the command execution of a specified invocation or plugin | Read | | |
GetConnectionStatus | Grants permission to view the Session Manager connection status for a specified managed instance | Read | | |
GetDefaultPatchBaseline | Grants permission to view the current default patch baseline for a specified operating system type | Read | patchbaseline* | |
GetDeployablePatchSnapshotForInstance | Grants permission to retrieve the current patch baseline snapshot for a specified instance | Read | | |
GetDocument | Grants permission to view the contents of a specified SSM document | Read | document* | |
GetInventory | Grants permission to view instance inventory details per the specified criteria | Read | | |
GetInventorySchema | Grants permission to view a list of inventory types or attribute names for a specified inventory item type | Read | | |
GetMaintenanceWindow | Grants permission to view details about a specified maintenance window | Read | maintenancewindow* | |
GetMaintenanceWindowExecution | Grants permission to view details about a specified maintenance window execution | Read | | |
GetMaintenanceWindowExecutionTask | Grants permission to view details about a specified maintenance window execution task | Read | | |
GetMaintenanceWindowExecutionTaskInvocation | Grants permission to view details about a specific maintenance window task running on a specific target | Read | | |
GetMaintenanceWindowTask | Grants permission to view details about tasks registered with a specified maintenance window | Read | maintenancewindow* | |
GetManifest | Used by Systems Manager and SSM Agent to determine package installation requirements for an instance (internal Systems Manager call) | Read | | |
GetOpsItem | Grants permission to view information about a specified OpsItem | Read | | |
GetOpsSummary | Grants permission to view summary information about OpsItems based on specified filters and aggregators | Read | resourcedatasync* | |
GetParameter | Grants permission to view information about a specified parameter | Read | parameter* | aws:RequestTag/${TagKey} |
GetParameterHistory | Grants permission to view details and changes for a specified parameter | Read | parameter* | aws:RequestTag/${TagKey} |
GetParameters | Grants permission to view information about multiple specified parameters | Read | parameter* | aws:RequestTag/${TagKey} |
GetParametersByPath | Grants permission to view information about parameters in a specified hierarchy | Read | parameter* | |
GetPatchBaseline | Grants permission to view information about a specified patch baseline | Read | patchbaseline* | |
GetPatchBaselineForPatchGroup | Grants permission to view the ID of the current patch baseline for a specified patch group | Read | patchbaseline* | |
GetServiceSetting | Grants permission to view the account-level setting for an AWS service | Read | servicesetting* | |
LabelParameterVersion | Grants permission to apply an identifying label to a specified version of a parameter | Write | parameter* | |
ListAssociationVersions | Grants permission to list versions of the specified association | List | | |
ListAssociations | Grants permission to list the associations for a specified SSM document or managed instance | List | | |
ListCommandInvocations | Grants permission to list information about command invocations sent to a specified instance | Read | | |
ListCommands | Grants permission to list the commands sent to a specified instance | Read | | |
ListComplianceItems | Grants permission to list compliance status for specified resource types on a specified resource | List | | |
ListComplianceSummaries | Grants permission to list a summary count of compliant and noncompliant resources for a specified compliance type | List | | |
ListDocumentVersions | Grants permission to list all versions of a specified document | List | document* | |
ListDocuments | Grants permission to view information about a specified SSM document | List | | |
ListInstanceAssociations | Used by SSM Agent to check for new State Manager associations (internal Systems Manager call) | List | instance, managed-instance | |
ListInventoryEntries | Grants permission to view a list of specified inventory types for a specified instance | List | | |
ListResourceComplianceSummaries | Grants permission to list resource-level summary count | List | | |
ListResourceDataSync | Grants permission to list information about resource data sync configurations in an account | List | | ssm:SyncType |
ListTagsForResource | Grants permission to view a list of resource tags for a specified resource | Read | document, maintenancewindow, managed-instance, parameter, patchbaseline | |
ModifyDocumentPermission | Grants permission to share a custom SSM document publicly or privately with specified AWS accounts | Write | document* | |
PutComplianceItems | Grants permission to register a compliance type and other compliance details on a specified resource | Write | instance, managed-instance | |
PutConfigurePackageResult | Used by SSM Agent to generate a report of the results of specific agent requests (internal Systems Manager call) | Read | | |
PutInventory | Grants permission to add or update inventory items on multiple specified managed instances | Write | | |
PutParameter | Grants permission to create an SSM parameter | Write | parameter* | aws:RequestTag/${TagKey}, aws:TagKeys |
RegisterDefaultPatchBaseline | Grants permission to specify the default patch baseline for an operating system type | Write | patchbaseline* | |
RegisterPatchBaselineForPatchGroup | Grants permission to specify the default patch baseline for a specified patch group | Write | patchbaseline* | |
RegisterTargetWithMaintenanceWindow | Grants permission to register a target with a specified maintenance window | Write | maintenancewindow* | |
RegisterTaskWithMaintenanceWindow | Grants permission to register a task with a specified maintenance window | Write | maintenancewindow* | |
RemoveTagsFromResource | Grants permission to remove a specified tag key from a specified resource | Tagging | document, maintenancewindow, managed-instance, parameter, patchbaseline | |
ResetServiceSetting | Grants permission to reset the service setting for an AWS account to the default value | Write | servicesetting* | |
ResumeSession | Grants permission to reconnect a Session Manager session to a managed instance | Write | session* | |
SendAutomationSignal | Grants permission to send a signal to change the current behavior or status of a specified Automation execution | Write | | |
SendCommand | Grants permission to run commands on one or more specified managed instances | Write | document*, instance, managed-instance | aws:ResourceTag/${TagKey}, ssm:resourceTag/tag-key |
StartAssociationsOnce | Grants permission to run a specified association manually | Write | association* | |
StartAutomationExecution | Grants permission to initiate the execution of an Automation document | Write | automation-definition* | |
StartSession | Grants permission to initiate a connection to a specified target for a Session Manager session | Write | instance*, document | ssm:SessionDocumentAccessCheck |
StopAutomationExecution | Grants permission to stop a specified Automation execution that is already in progress | Write | | |
TerminateSession | Grants permission to permanently end a Session Manager connection to an instance | Write | session* | |
UpdateAssociation | Grants permission to update an association and immediately run the association on the specified targets | Write | association*, document, instance, managed-instance | |
UpdateAssociationStatus | Grants permission to update the status of the SSM document associated with a specified instance | Write | document*, instance, managed-instance | |
UpdateDocument | Grants permission to update one or more values for an SSM document | Write | document* | |
UpdateDocumentDefaultVersion | Grants permission to change the default version of an SSM document | Write | document* | |
UpdateInstanceAssociationStatus | Used by SSM Agent to update the status of the association that it is currently running (internal Systems Manager call) | Write | association*, instance, managed-instance | |
UpdateInstanceInformation | Used by SSM Agent to send a heartbeat signal to the Systems Manager service in the cloud | Write | | |
UpdateMaintenanceWindow | Grants permission to update a specified maintenance window | Write | maintenancewindow* | |
UpdateMaintenanceWindowTarget | Grants permission to update a specified maintenance window target | Write | maintenancewindow* | |
UpdateMaintenanceWindowTask | Grants permission to update a specified maintenance window task | Write | maintenancewindow* | |
UpdateManagedInstanceRole | Grants permission to assign or change the IAM role assigned to a specified managed instance | Write | managed-instance* | |
UpdateOpsItem | Grants permission to edit or change an OpsItem | Write | | |
UpdatePatchBaseline | Grants permission to update a specified patch baseline | Write | patchbaseline* | |
UpdateResourceDataSync | Grants permission to update a resource data sync | Write | resourcedatasync* | ssm:SyncType |
UpdateServiceSetting | Grants permission to update the service setting for an AWS account | Write | servicesetting* | |

Resource types defined by AWS Systems Manager

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

Resource types | ARN | Condition keys
association | arn:${Partition}:ssm:${Region}:${Account}:association/${AssociationId} |
automation-execution | arn:${Partition}:ssm:${Region}:${Account}:automation-execution/${AutomationExecutionId} |
automation-definition | arn:${Partition}:ssm:${Region}:${Account}:automation-definition/${AutomationDefinitionName:VersionId} |
document | arn:${Partition}:ssm:${Region}:${Account}:document/${DocumentName} | aws:ResourceTag/${TagKey}, ssm:resourceTag/tag-key
instance | arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId} | aws:ResourceTag/${TagKey}, ssm:resourceTag/tag-key
maintenancewindow | arn:${Partition}:ssm:${Region}:${Account}:maintenancewindow/${ResourceId} | aws:ResourceTag/${TagKey}, ssm:resourceTag/tag-key
managed-instance | arn:${Partition}:ssm:${Region}:${Account}:managed-instance/${ManagedInstanceName} | aws:ResourceTag/${TagKey}, ssm:resourceTag/tag-key
managed-instance-inventory | arn:${Partition}:ssm:${Region}:${Account}:managed-instance-inventory/${InstanceId} |
opsitem | arn:${Partition}:ssm:${Region}:${Account}:opsitem/${ResourceId} |
parameter | arn:${Partition}:ssm:${Region}:${Account}:parameter/${FullyQualifiedParameterName} | aws:ResourceTag/${TagKey}, ssm:resourceTag/tag-key
patchbaseline | arn:${Partition}:ssm:${Region}:${Account}:patchbaseline/${PatchBaselineIdResourceId} | aws:ResourceTag/${TagKey}, ssm:resourceTag/tag-key
session | arn:${Partition}:ssm:${Region}:${Account}:session/${SessionId} |
resourcedatasync | arn:${Partition}:ssm:${Region}:${Account}:resource-data-sync/${SyncName} |
servicesetting | arn:${Partition}:ssm:${Region}:${Account}:servicesetting/${ResourceId} |
windowtarget | arn:${Partition}:ssm:${Region}:${Account}:windowtarget/${WindowTargetId} |
windowtask | arn:${Partition}:ssm:${Region}:${Account}:windowtask/${WindowTaskId} |

Condition keys for AWS Systems Manager

AWS Systems Manager defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters 'Create' requests based on the allowed set of values for specified tags | String
aws:ResourceTag/${TagKey} | Filters access based on a tag key-value pair assigned to the AWS resource | String
aws:TagKeys | Filters 'Create' requests based on whether mandatory tags are included in the request | String
ssm:Overwrite | Filters access by controlling whether the values for specified resources can be overwritten | String
ssm:Recursive | Filters access for resources created in a hierarchical structure | String
ssm:SessionDocumentAccessCheck | Filters access by verifying that a user has permission to access either the default Session Manager configuration document or the custom configuration document specified in a request | Boolean
ssm:SyncType | Filters access by verifying that a user also has access to the ResourceDataSync SyncType specified in the request | String
ssm:resourceTag/tag-key | Filters access based on a tag key-value pair assigned to the Systems Manager resource | String
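Added here as a worked example, not part of the AWS reference: one identity-based policy that applies the three tables above. Actions with no resource type take "*"; StartSession names its required instance resource (scoped by ssm:resourceTag) and its optional document resource (guarded by ssm:SessionDocumentAccessCheck); SendCommand keeps the document and instance resources in separate statements so the tag condition only constrains instances. The account ID, region, document names and the Environment=Dev tag are placeholders, and ${aws:username} is a standard IAM policy variable rather than a key from this page.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAndDescribeActionsWithNoResourceType",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeInstanceInformation",
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus"
      ],
      "Resource": "*"
    },
    {
      "Sid": "StartSessionOnlyOnDevTaggedInstances",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/Environment": "Dev" },
        "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" }
      }
    },
    {
      "Sid": "StartSessionOnlyWithDefaultSessionDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:us-east-1:111122223333:document/SSM-SessionManagerRunShell"
    },
    {
      "Sid": "TerminateOnlyOwnSessions",
      "Effect": "Allow",
      "Action": "ssm:TerminateSession",
      "Resource": "arn:aws:ssm:us-east-1:111122223333:session/${aws:username}-*"
    },
    {
      "Sid": "SendCommandOnlyWithApprovedDocument",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ssm:us-east-1::document/AWS-RunShellScript"
    },
    {
      "Sid": "SendCommandOnlyToDevTaggedInstances",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/Environment": "Dev" }
      }
    }
  ]
}
```

Because SendCommand lists document as a required resource type, a statement that allows only the instance ARNs is not enough; the separate document statement is what makes the request authorizable, and it is also where the set of runnable documents gets constrained.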