Step 3: Control session access to managed nodes

You grant or revoke Session Manager access to managed nodes by using AWS Identity and Access Management (IAM) policies. You can create a policy and attach it to an IAM user or group that specifies which managed nodes the user or group can connect to. You can also specify the Session Manager API operations the user or groups can perform on those managed nodes.

To help you get started with IAM permission policies for Session Manager, we've created sample policies for an end user and an administrator user. You can use these policies with only minor changes. Or, use them as a guide to create custom IAM policies. For more information, see Sample IAM policies for Session Manager. For information about how to create IAM policies and attach them to users or groups, see Creating IAM Policies and Adding and Removing IAM Policies in the IAM User Guide.

About session ID ARN formats

When you create an IAM policy for Session Manager access, you specify a session ID as part of the Amazon Resource Name (ARN). The session ID includes the user name as a variable. To help illustrate this, here's the format of a Session Manager ARN and an example:

arn:aws:ssm:region-id:account-id:session/session-id

For example:

arn:aws:ssm:us-east-2:123456789012:session/JohnDoe-1a2b3c4d5eEXAMPLE

For more information about using variables in IAM policies, see IAM Policy Elements: Variables.

Topics

• Start a default shell session by specifying the default session document in IAM policies
• Start a session with a document by specifying the session documents in IAM policies
• Sample IAM policies for Session Manager
• Additional sample IAM policies for Session Manager