AWS managed policies for AWS Systems Manager Incident Manager - Incident Manager
AWSIncidentManagerIncidentAccessServiceRolePolicyAWSIncidentManagerServiceRolePolicyAWSIncidentManagerResolverAccessPolicy updates

AWS managed policies for AWS Systems Manager Incident Manager

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AWS managed policy: AWSIncidentManagerIncidentAccessServiceRolePolicy

You can attach AWSIncidentManagerIncidentAccessServiceRolePolicy to your IAM entities. Incident Manager also attaches this policy to an Incident Manager role that allows Incident Manager to perform actions on your behalf.

This policy grants read-only permissions that allow Incident Manager to read resources in certain other AWS services to identify findings related to incidents in those services.

Permissions details

This policy includes the following permissions.

  • cloudformation – Allows principals to describe AWS CloudFormation stacks. This is required for Incident Manager to identify CloudFormation events and resources related to an incident.

  • codedeploy – Allows principals to read AWS CodeDeploy deployments. This is required for Incident Manager to identify CodeDeploy deployments and targets related to an incident.

  • autoscaling – Allows principals to determine if an Amazon Elastic Compute Cloud (EC2) instance is part of an Auto Scaling group. This is needed so Incident Manager can provide findings for EC2 instances that are part of Auto Scaling groups.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IncidentAccessPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResources",
                "codedeploy:BatchGetDeployments",
                "codedeploy:ListDeployments",
                "codedeploy:ListDeploymentTargets",
                "autoscaling:DescribeAutoScalingInstances"
            ],
            "Resource": "*"
        }
    ]
}

To view more details about the policy, including the latest version of the JSON policy document, see AWSIncidentManagerIncidentAccessServiceRolePolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: AWSIncidentManagerServiceRolePolicy

You can't attach AWSIncidentManagerServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Incident Manager to perform actions on your behalf. For more information, see Using service-linked roles for Incident Manager.

This policy grants Incident Manager permissions to list incidents, create timeline events, create OpsItems, associate related items to OpsItems, start engagements, and publish CloudWatch metrics related to an incident.

Permissions details

This policy includes the following permissions.

  • ssm-incidents – Allows principals to list incidents and create timeline events. This is required so responders can collaborate during an incident on the incident dashboard.

  • ssm – Allows principals to create OpsItems and associate related items. This is required to create a parent OpsItem when an incident starts.

  • ssm-contacts – Allows principals to start engagements. This is required for Incident Manager to engage contacts during an incident.

  • cloudwatch – Allows principals to publish CloudWatch metrics. This is required for Incident Manager to publish metrics related to an incident.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UpdateIncidentRecordPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm-incidents:ListIncidentRecords",
                "ssm-incidents:CreateTimelineEvent"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RelatedOpsItemPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm:CreateOpsItem",
                "ssm:AssociateOpsItemRelatedItem"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IncidentEngagementPermissions",
            "Effect": "Allow",
            "Action": "ssm-contacts:StartEngagement",
            "Resource": "*"
        },
        {
            "Sid": "PutCloudWatchMetricPermission",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": "AWS/IncidentManager"
                }
            }
        }
    ]
}

To view more details about the policy, including the latest version of the JSON policy document, see AWSIncidentManagerServiceRolePolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: AWSIncidentManagerResolverAccess

You can attach AWSIncidentManagerResolverAccess to your IAM entities to allow them to start, view, and update incidents. This also allows them to create customer timeline events and related items in the incident dashboard. You can also attach this policy to the AWS Chatbot service role or directly to your customer managed role associated with any chat channel used for incident collaboration. To learn more about IAM policies in AWS Chatbot, see Managing permissions for running commands using AWS Chatbot in the AWS Chatbot Administrator Guide.

Permissions details

This policy includes the following permissions.

  • ssm-incidents – Allows you to start incidents, list response plans, list incidents, update incidents, list timeline events, create custom timeline events, update custom timeline events, delete custom timeline events, list related items, create related items, and update related items.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StartIncidentPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm-incidents:StartIncident"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResponsePlanReadOnlyPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm-incidents:ListResponsePlans",
                "ssm-incidents:GetResponsePlan"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IncidentRecordResolverPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm-incidents:ListIncidentRecords",
                "ssm-incidents:GetIncidentRecord",
                "ssm-incidents:UpdateIncidentRecord",
                "ssm-incidents:ListTimelineEvents",
                "ssm-incidents:CreateTimelineEvent",
                "ssm-incidents:GetTimelineEvent",
                "ssm-incidents:UpdateTimelineEvent",
                "ssm-incidents:DeleteTimelineEvent",
                "ssm-incidents:ListRelatedItems",
                "ssm-incidents:UpdateRelatedItems"
            ],
            "Resource": "*"
        }
    ]
}

To view more details about the policy, including the latest version of the JSON policy document, see AWSIncidentManagerResolverAccess in the AWS Managed Policy Reference Guide.

Incident Manager updates to AWS managed policies

View details about updates to AWS managed policies for Incident Manager since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Incident Manager Document history page.

Change Description Date
AWSIncidentManagerIncidentAccessServiceRolePolicy

– Policy update

 Incident Manager has added a new permission to AWSIncidentManagerIncidentAccessServiceRolePolicy, in support of the Findings feature, that allows it to check whether an EC2 instance is part of an Auto Scaling group. February 20, 2024

AWSIncidentManagerIncidentAccessServiceRolePolicy – New policy

Incident Manager added a new policy that grants Incident Manager permissions to call other AWS services as a part of managing an incident.

 November 17, 2023

AWSIncidentManagerServiceRolePolicy – Policy update

Incident Manager added a new permission that allows Incident Manager to publish metrics into your account.

 Dec 16, 2022

AWSIncidentManagerResolverAccess – New policy

Incident Manager added a new policy to allow you to start incidents, list response plans, list incidents, update incidents, list timeline events, create custom timeline events, update custom timeline events, delete custom timeline events, list related items, create related items, and update related items.

 April 26, 2021

AWSIncidentManagerServiceRolePolicy – New policy

Incident Manager added a new policy to grant Incident Manager permissions to list incidents, create timeline events, create OpsItems, associate related items to OpsItems, and start engagements related to an incident.

 April 26, 2021

Incident Manager started tracking changes

Incident Manager started tracking changes for its AWS managed policies.

 April 26, 2021