IAM permissions change details

Each managed instance must have an AWS Identity and Access Management role that includes the following managed policies:

arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
arn:aws:iam::aws:policy/AMSInstanceProfileBasePolicy

The first two are AWS-managed policies. The AMS-managed policy is:

AMSInstanceProfileBasePolicy


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "secretsmanager:CreateSecret",
                "secretsmanager:UpdateSecret"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:*:secret:/ams/byoa/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Encrypt"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

If your instance already has an attached IAM role, but is missing any of these policies, then AMS adds the missing policies to your IAM role. If your instance doesn't have an IAM role, then AMS attaches the AMSOSConfigurationCustomerInstanceProfile IAM role. The AMSOSConfigurationCustomerInstanceProfile IAM role has all policies that are required by AMS Accelerate.

Note

If the default instance profile limit of 10 is reached, then AMS increases the limit to 20, so that the required instance profiles can be attached.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Automated instance configuration changes

CloudWatch configuration change details