Enable patching access for users - AMS Accelerate Operations Plan

Enable patching access for users

After your account is onboarded to AMS Accelerate patching, AMS Accelerate deploys a managed policy, amspatchmanagedpolicy, which contains the required permissions for patching using SSM services. For you to access patching services, have the administrator for your account follow these steps:

Create a role using the AWS Management Console:

  1. Sign in to the AWS Management Console and open the IAM console.

  2. In the navigation pane of the console, choose Roles, then Create role.

  3. Choose the Another AWS account role type.

  4. For Account ID, enter the AWS account ID to which you want to grant access to your resources.

    The administrator of the specified account can grant permission to assume this role to any IAM user in that account. To do this, the administrator attaches a policy to the user, or a group, that grants permission for the sts:AssumeRole action. That policy must specify the role's Amazon Resource Name (ARN) as the resource. Note the following:

    • If you are granting permissions to users from an account that you do not control, and the users will assume this role programmatically, then choose Require external ID. The external ID can be any word or number that is agreed upon between you and the administrator of the third-party account. This option automatically adds a condition to the trust policy that enables the user to assume the role only if the request includes the correct sts:ExternalID. For more information, see How to use an external ID when granting access to your AWS resources to a third party.

    • If you want to restrict the role to users who sign in with multi-factor authentication (MFA), choose Require MFA. This adds a condition to the role's trust policy that checks for an MFA sign-in. A user who wants to assume the role must sign in with a temporary one-time password from a configured MFA device. Users without MFA authentication can't assume the role. For more information about MFA, see Using multi-factor authentication (MFA) in AWS.

  5. Choose Next: Permissions.

    IAM includes a list of the policies managed by AWS and by customers in your account. Choose the policies amspatchmanagedpolicy, customer_ssm_automation_policy, and customer_ssm_automation_policy2 for the permissions policy. If you create a new policy in a separate browser tab, close that tab and return to your original tab. Select the check box next to the permissions policies that you want anyone who assumes the role to have. If you prefer, you can select no policies at this time, and then attach policies to the role later. By default, a role has no permissions.

  6. (Optional) Set a permissions boundary. To do this, open the Set permissions boundary section and choose Use a permissions boundary to control the maximum role permissions. Choose the policy to use for the permissions boundary.

  7. Choose Next: Tags.

  8. (Optional) Add metadata to the role by attaching tags as key–value pairs. For more information about using tags in IAM, see Tagging IAM users and roles.

  9. Choose Next: Review.

  10. For Role name, enter a name for your role (for example, PatchRole). Role names must be unique within your AWS account; they're not case sensitive (so you can't create roles named both PRODROLE and prodrole). Because other AWS resources might reference the role, role names can't be edited after they've been created.

  11. (Optional) For Role description, enter a description for the new role.

  12. Review the role and then choose Create role.
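As an added example that is not part of this page or of AMS, the following Python helper builds the trust policy that the Another AWS account role type produces, with the external ID and MFA conditions described in step 4, lists the ARNs for the three policies named in step 5, and flags trust statements that carry neither condition (a useful review check before the role is created). The account IDs, the external ID value, and the assumption that the AMS-deployed policy lives in the account as a customer managed policy are constructed for illustration.

```python
import json

# Policies named on the page. Treated here as customer managed policies in the
# onboarded account (assumption; confirm the ARN form in your own account).
PATCH_POLICY_NAMES = [
    "amspatchmanagedpolicy",
    "customer_ssm_automation_policy",
    "customer_ssm_automation_policy2",
]


def build_trust_policy(trusted_account_id, external_id=None, require_mfa=False):
    """Trust policy for the 'Another AWS account' role type, with the optional
    'Require external ID' and 'Require MFA' conditions the console can add."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if external_id:
        condition.setdefault("StringEquals", {})["sts:ExternalId"] = external_id
    if require_mfa:
        condition.setdefault("Bool", {})["aws:MultiFactorAuthPresent"] = "true"
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def policy_arns(account_id, names=PATCH_POLICY_NAMES):
    """ARNs to attach as the role's permissions policies (step 5)."""
    return [f"arn:aws:iam::{account_id}:policy/{name}" for name in names]


def trust_policy_gaps(policy):
    """Return indexes of Allow sts:AssumeRole statements that require neither an
    external ID nor MFA, i.e. cross-account trust with no added condition."""
    gaps = []
    for index, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        cond = st.get("Condition", {})
        has_external_id = "sts:ExternalId" in cond.get("StringEquals", {})
        mfa_value = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")
        has_mfa = str(mfa_value).lower() == "true"
        if not (has_external_id or has_mfa):
            gaps.append(index)
    return gaps


if __name__ == "__main__":
    # Constructed sample values; 111122223333 is a placeholder account ID.
    policy = build_trust_policy("111122223333", external_id="ams-patch-42", require_mfa=True)
    print(json.dumps(policy, indent=2))
    print(policy_arns("111122223333"), trust_policy_gaps(policy))
```

The JSON printed by the script is what you would paste as the role's trust relationship if you create the role with the AWS CLI instead of the console.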