Actions, resources, and condition keys for AWS Systems Manager
AWS Systems Manager (service prefix: ssm) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by AWS Systems Manager
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AddTagsToResource | Grants permission to add or overwrite one or more tags for a specified AWS resource | Tagging | |||
AssociateOpsItemRelatedItem | Grants permission to associate RelatedItem to an OpsItem | Write | |||
CancelCommand | Grants permission to cancel a specified Run Command command | Write | |||
CancelMaintenanceWindowExecution | Grants permission to cancel an in-progress maintenance window execution | Write | |||
CreateActivation | Grants permission to create an activation that is used to register on-premises servers and virtual machines (VMs) with Systems Manager | Write | |||
CreateAssociation | Grants permission to associate a specified Systems Manager document with specified instances or other targets | Write | |||
CreateAssociationBatch | Grants permission to combine entries for multiple CreateAssociation operations in a single command | Write | |||
CreateDocument | Grants permission to create a Systems Manager SSM document | Write | | | iam:PassRole |
CreateMaintenanceWindow | Grants permission to create a maintenance window | Write | |||
CreateOpsItem | Grants permission to create an OpsItem in OpsCenter | Write | |||
CreateOpsMetadata | Grants permission to create an OpsMetadata object for an AWS resource | Write | |||
CreatePatchBaseline | Grants permission to create a patch baseline | Write | |||
CreateResourceDataSync | Grants permission to create a resource data sync configuration, which regularly collects inventory data from managed instances and updates the data in an Amazon S3 bucket | Write | |||
DeleteActivation | Grants permission to delete a specified activation for managed instances | Write | |||
DeleteAssociation | Grants permission to disassociate a specified SSM document from a specified instance | Write | |||
DeleteDocument | Grants permission to delete a specified SSM document and its instance associations | Write | |||
DeleteInventory | Grants permission to delete a specified custom inventory type, or the data associated with a custom inventory type | Write | |||
DeleteMaintenanceWindow | Grants permission to delete a specified maintenance window | Write | |||
DeleteOpsItem | Grants permission to delete an OpsItem | Write | |||
DeleteOpsMetadata | Grants permission to delete an OpsMetadata object | Write | |||
DeleteParameter | Grants permission to delete a specified SSM parameter | Write | |||
DeleteParameters | Grants permission to delete multiple specified SSM parameters | Write | |||
DeletePatchBaseline | Grants permission to delete a specified patch baseline | Write | |||
DeleteResourceDataSync | Grants permission to delete a specified resource data sync | Write | |||
DeleteResourcePolicy | Grants permission to delete a Systems Manager resource policy | Permissions management | |||
DeregisterManagedInstance | Grants permission to deregister a specified on-premises server or virtual machine (VM) from Systems Manager | Write | |||
DeregisterPatchBaselineForPatchGroup | Grants permission to deregister a specified patch baseline from being the default patch baseline for a specified patch group | Write | |||
DeregisterTargetFromMaintenanceWindow | Grants permission to deregister a specified target from a maintenance window | Write | |||
DeregisterTaskFromMaintenanceWindow | Grants permission to deregister a specified task from a maintenance window | Write | |||
DescribeActivations | Grants permission to view details about a specified managed instance activation, such as when it was created and the number of instances registered using the activation | Read | |||
DescribeAssociation | Grants permission to view details about the specified association for a specified instance or target | Read | |||
DescribeAssociationExecutionTargets | Grants permission to view information about a specified association execution | Read | |||
DescribeAssociationExecutions | Grants permission to view all executions for a specified association | Read | |||
DescribeAutomationExecutions | Grants permission to view details about all active and terminated Automation executions | Read | |||
DescribeAutomationStepExecutions | Grants permission to view information about all active and terminated step executions in an Automation workflow | Read | |||
DescribeAvailablePatches | Grants permission to view all patches eligible to include in a patch baseline | Read | |||
DescribeDocument | Grants permission to view details about a specified SSM document | Read | |||
DescribeDocumentParameters | Grants permission to display information about SSM document parameters in the Systems Manager console (internal Systems Manager action) | Read | |||
DescribeDocumentPermission | Grants permission to view the permissions for a specified SSM document | Read | |||
DescribeEffectiveInstanceAssociations | Grants permission to view all current associations for a specified instance | Read | |||
DescribeEffectivePatchesForPatchBaseline | Grants permission to view details about the patches currently associated with the specified patch baseline (Windows only) | Read | |||
DescribeInstanceAssociationsStatus | Grants permission to view the status of the associations for a specified instance | Read | |||
DescribeInstanceInformation | Grants permission to view details about a specified instance | Read | |||
DescribeInstancePatchStates | Grants permission to view status details about patches on a specified instance | Read | |||
DescribeInstancePatchStatesForPatchGroup | Grants permission to describe the high-level patch state for the instances in the specified patch group | Read | |||
DescribeInstancePatches | Grants permission to view general details about the patches on a specified instance | Read | |||
DescribeInstanceProperties | Grants permission to the user's Amazon EC2 console to render managed instances' nodes | Read | |||
DescribeInventoryDeletions | Grants permission to view details about a specified inventory deletion | Read | |||
DescribeMaintenanceWindowExecutionTaskInvocations | Grants permission to view details of a specified task execution for a maintenance window | List | |||
DescribeMaintenanceWindowExecutionTasks | Grants permission to view details about the tasks that ran during a specified maintenance window execution | List | |||
DescribeMaintenanceWindowExecutions | Grants permission to view the executions of a specified maintenance window | List | |||
DescribeMaintenanceWindowSchedule | Grants permission to view details about upcoming executions of a specified maintenance window | List | |||
DescribeMaintenanceWindowTargets | Grants permission to view a list of the targets associated with a specified maintenance window | List | |||
DescribeMaintenanceWindowTasks | Grants permission to view a list of the tasks associated with a specified maintenance window | List | |||
DescribeMaintenanceWindows | Grants permission to view information about all or specified maintenance windows | List | |||
DescribeMaintenanceWindowsForTarget | Grants permission to view information about the maintenance window targets and tasks associated with a specified instance | List | |||
DescribeOpsItems | Grants permission to view details about specified OpsItems | Read | |||
DescribeParameters | Grants permission to view details about a specified SSM parameter | List | |||
DescribePatchBaselines | Grants permission to view information about patch baselines that meet the specified criteria | List | |||
DescribePatchGroupState | Grants permission to view aggregated status details for patches for a specified patch group | List | |||
DescribePatchGroups | Grants permission to view information about the patch baseline for a specified patch group | List | |||
DescribePatchProperties | Grants permission to view details of available patches for a specified operating system and patch property | List | |||
DescribeSessions | Grants permission to view a list of recent Session Manager sessions that meet the specified search criteria | List | |||
DisassociateOpsItemRelatedItem | Grants permission to disassociate RelatedItem from an OpsItem | Write | |||
GetAutomationExecution | Grants permission to view details of a specified Automation execution | Read | |||
GetCalendar [permission only] | Grants permission to view details of a specific calendar | Read | |||
GetCalendarState | Grants permission to view the calendar state for a change calendar or a list of change calendars | Read | |||
GetCommandInvocation | Grants permission to view details about the command execution of a specified invocation or plugin | Read | |||
GetConnectionStatus | Grants permission to view the Session Manager connection status for a specified managed instance | Read | |||
GetDefaultPatchBaseline | Grants permission to view the current default patch baseline for a specified operating system type | Read | |||
GetDeployablePatchSnapshotForInstance | Grants permission to retrieve the current patch baseline snapshot for a specified instance | Read | |||
GetDocument | Grants permission to view the contents of a specified SSM document | Read | |||
GetInventory | Grants permission to view instance inventory details per the specified criteria | Read | |||
GetInventorySchema | Grants permission to view a list of inventory types or attribute names for a specified inventory item type | Read | |||
GetMaintenanceWindow | Grants permission to view details about a specified maintenance window | Read | |||
GetMaintenanceWindowExecution | Grants permission to view details about a specified maintenance window execution | Read | |||
GetMaintenanceWindowExecutionTask | Grants permission to view details about a specified maintenance window execution task | Read | |||
GetMaintenanceWindowExecutionTaskInvocation | Grants permission to view details about a specific maintenance window task running on a specific target | Read | |||
GetMaintenanceWindowTask | Grants permission to view details about tasks registered with a specified maintenance window | Read | |||
GetManifest [permission only] | Grants permission to Systems Manager and SSM Agent to determine package installation requirements for an instance (internal Systems Manager call) | Read | |||
GetOpsItem | Grants permission to view information about a specified OpsItem | Read | |||
GetOpsMetadata | Grants permission to retrieve an OpsMetadata object | Read | |||
GetOpsSummary | Grants permission to view summary information about OpsItems based on specified filters and aggregators | Read | |||
GetParameter | Grants permission to view information about a specified parameter | Read | |||
GetParameterHistory | Grants permission to view details and changes for a specified parameter | Read | |||
GetParameters | Grants permission to view information about multiple specified parameters | Read | |||
GetParametersByPath | Grants permission to view information about parameters in a specified hierarchy | Read | |||
GetPatchBaseline | Grants permission to view information about a specified patch baseline | Read | |||
GetPatchBaselineForPatchGroup | Grants permission to view the ID of the current patch baseline for a specified patch group | Read | |||
GetResourcePolicies | Grants permission to retrieve lists of Systems Manager resource policies | List | |||
GetServiceSetting | Grants permission to view the account-level setting for an AWS service | Read | |||
LabelParameterVersion | Grants permission to apply an identifying label to a specified version of a parameter | Write | |||
ListAssociationVersions | Grants permission to list versions of the specified association | List | |||
ListAssociations | Grants permission to list the associations for a specified SSM document or managed instance | List | |||
ListCommandInvocations | Grants permission to list information about command invocations sent to a specified instance | List | |||
ListCommands | Grants permission to list the commands sent to a specified instance | List | |||
ListComplianceItems | Grants permission to list compliance status for specified resource types on a specified resource | List | |||
ListComplianceSummaries | Grants permission to list a summary count of compliant and noncompliant resources for a specified compliance type | List | |||
ListDocumentMetadataHistory | Grants permission to view metadata history about a specified SSM document | List | |||
ListDocumentVersions | Grants permission to list all versions of a specified document | List | |||
ListDocuments | Grants permission to view information about a specified SSM document | List | |||
ListInstanceAssociations | Grants permission to SSM Agent to check for new State Manager associations (internal Systems Manager call) | List | |||
ListInventoryEntries | Grants permission to view a list of specified inventory types for a specified instance | List | |||
ListOpsItemEvents | Grants permission to view details about OpsItemEvents | List | |||
ListOpsItemRelatedItems | Grants permission to view details about OpsItem RelatedItems | List | |||
ListOpsMetadata | Grants permission to view a list of OpsMetadata objects | List | |||
ListResourceComplianceSummaries | Grants permission to list resource-level summary count | List | |||
ListResourceDataSync | Grants permission to list information about resource data sync configurations in an account | List | |||
ListTagsForResource | Grants permission to view a list of resource tags for a specified resource | List | |||
ModifyDocumentPermission | Grants permission to share a custom SSM document publicly or privately with specified AWS accounts | Permissions management | |||
PutCalendar [permission only] | Grants permission to create/edit a specific calendar | Write | |||
PutComplianceItems | Grants permission to register a compliance type and other compliance details on a specified resource | Write | |||
PutConfigurePackageResult [permission only] | Grants permission to SSM Agent to generate a report of the results of specific agent requests (internal Systems Manager call) | Read | |||
PutInventory | Grants permission to add or update inventory items on multiple specified managed instances | Write | |||
PutParameter | Grants permission to create an SSM parameter | Write | |||
PutResourcePolicy | Grants permission to create or update a Systems Manager resource policy | Permissions management | |||
RegisterDefaultPatchBaseline | Grants permission to specify the default patch baseline for an operating system type | Write | |||
RegisterManagedInstance | Grants permission to register a Systems Manager Agent | Write | |||
RegisterPatchBaselineForPatchGroup | Grants permission to specify the default patch baseline for a specified patch group | Write | |||
RegisterTargetWithMaintenanceWindow | Grants permission to register a target with a specified maintenance window | Write | |||
RegisterTaskWithMaintenanceWindow | Grants permission to register a task with a specified maintenance window | Write | |||
RemoveTagsFromResource | Grants permission to remove a specified tag key from a specified resource | Tagging | |||
ResetServiceSetting | Grants permission to reset the service setting for an AWS account to the default value | Write | |||
ResumeSession | Grants permission to reconnect a Session Manager session to a managed instance | Write | |||
SendAutomationSignal | Grants permission to send a signal to change the current behavior or status of a specified Automation execution | Write | |||
SendCommand | Grants permission to run commands on one or more specified managed instances | Write | |||
StartAssociationsOnce | Grants permission to run a specified association manually | Write | |||
StartAutomationExecution | Grants permission to initiate the execution of an Automation document | Write | |||
StartChangeRequestExecution | Grants permission to initiate the execution of an Automation Change Template document | Write | |||
StartSession | Grants permission to initiate a connection to a specified target for a Session Manager session | Write | |||
StopAutomationExecution | Grants permission to stop a specified Automation execution that is already in progress | Write | |||
TerminateSession | Grants permission to permanently end a Session Manager connection to an instance | Write | |||
UnlabelParameterVersion | Grants permission to remove an identifying label from a specified version of a parameter | Write | |||
UpdateAssociation | Grants permission to update an association and immediately run the association on the specified targets | Write | |||
UpdateAssociationStatus | Grants permission to update the status of the SSM document associated with a specified instance | Write | |||
UpdateDocument | Grants permission to update one or more values for an SSM document | Write | |||
UpdateDocumentDefaultVersion | Grants permission to change the default version of an SSM document | Write | |||
UpdateDocumentMetadata | Grants permission to update the metadata of an SSM document | Write | |||
UpdateInstanceAssociationStatus [permission only] | Grants permission to SSM Agent to update the status of the association that it is currently running (internal Systems Manager call) | Write | |||
UpdateInstanceInformation | Grants permission to SSM Agent to send a heartbeat signal to the Systems Manager service in the cloud | Write | |||
UpdateMaintenanceWindow | Grants permission to update a specified maintenance window | Write | |||
UpdateMaintenanceWindowTarget | Grants permission to update a specified maintenance window target | Write | |||
UpdateMaintenanceWindowTask | Grants permission to update a specified maintenance window task | Write | |||
UpdateManagedInstanceRole | Grants permission to assign or change the IAM role assigned to a specified managed instance | Write | |||
UpdateOpsItem | Grants permission to edit or change an OpsItem | Write | |||
UpdateOpsMetadata | Grants permission to update an OpsMetadata object | Write | |||
UpdatePatchBaseline | Grants permission to update a specified patch baseline | Write | |||
UpdateResourceDataSync | Grants permission to update a resource data sync | Write | |||
UpdateServiceSetting | Grants permission to update the service setting for an AWS account | Write | |||
Resource types defined by AWS Systems Manager
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.
Note
Some State Manager API parameters have been deprecated. This might lead to unexpected behavior. For more information, see Working with associations using IAM.
Resource types | ARN | Condition keys |
---|---|---|
association | arn:${Partition}:ssm:${Region}:${Account}:association/${AssociationId} | |
automation-execution | arn:${Partition}:ssm:${Region}:${Account}:automation-execution/${AutomationExecutionId} | |
automation-definition | arn:${Partition}:ssm:${Region}:${Account}:automation-definition/${AutomationDefinitionName}:${VersionId} | |
bucket | arn:${Partition}:s3:::${BucketName} | |
document | arn:${Partition}:ssm:${Region}:${Account}:document/${DocumentName} | |
iam-role | arn:${Partition}:iam::${Account}:role/${RoleName} | |
instance | arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId} | |
maintenancewindow | arn:${Partition}:ssm:${Region}:${Account}:maintenancewindow/${ResourceId} | |
managed-instance | arn:${Partition}:ssm:${Region}:${Account}:managed-instance/${InstanceId} | |
managed-instance-inventory | arn:${Partition}:ssm:${Region}:${Account}:managed-instance-inventory/${InstanceId} | |
opsitem | arn:${Partition}:ssm:${Region}:${Account}:opsitem/${ResourceId} | |
opsitemgroup | arn:${Partition}:ssm:${Region}:${Account}:opsitemgroup/default | |
opsmetadata | arn:${Partition}:ssm:${Region}:${Account}:opsmetadata/${ResourceId} | |
parameter | arn:${Partition}:ssm:${Region}:${Account}:parameter/${ParameterNameWithoutLeadingSlash} | |
patchbaseline | arn:${Partition}:ssm:${Region}:${Account}:patchbaseline/${PatchBaselineIdResourceId} | |
session | arn:${Partition}:ssm:${Region}:${Account}:session/${SessionId} | |
resourcedatasync | arn:${Partition}:ssm:${Region}:${Account}:resource-data-sync/${SyncName} | |
servicesetting | arn:${Partition}:ssm:${Region}:${Account}:servicesetting/${ResourceId} | |
windowtarget | arn:${Partition}:ssm:${Region}:${Account}:windowtarget/${WindowTargetId} | |
windowtask | arn:${Partition}:ssm:${Region}:${Account}:windowtask/${WindowTaskId} | |
task | arn:${Partition}:ecs:${Region}:${Account}:task/${TaskId} | |
Condition keys for AWS Systems Manager
AWS Systems Manager defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access by 'Create' requests based on the allowed set of values for specified tags | String |
aws:ResourceTag/${TagKey} | Filters access based on a tag key-value pair assigned to the AWS resource | String |
aws:TagKeys | Filters access by 'Create' requests based on whether mandatory tags are included in the request | ArrayOfString |
ec2:SourceInstanceARN | Filters access by the ARN of the instance from which the request originated | ARN |
ssm:AutoApprove | Filters access by verifying that a user has permission to start Change Manager workflows without a review step (with the exception of change freeze events) | Bool |
ssm:DocumentCategories | Filters access by verifying that a user has permission to access a document belonging to a specific category enum | ArrayOfString |
ssm:Overwrite | Filters access by controlling whether Systems Manager parameters can be overwritten | String |
ssm:Policies | Filters access by controlling whether an IAM Entity (user or role) can create or update a parameter that includes a parameter policy | String |
ssm:Recursive | Filters access by Systems Manager parameters created in a hierarchical structure | String |
ssm:SessionDocumentAccessCheck | Filters access by verifying that a user has permission to access either the default Session Manager configuration document or the custom configuration document specified in a request | Bool |
ssm:SourceInstanceARN | Filters access by verifying the Amazon Resource Name (ARN) of the AWS Systems Manager managed instance from which the request is made. This key is not present when the request comes from a managed instance authenticated with an IAM role associated with an EC2 instance profile | ARN |
ssm:SyncType | Filters access by verifying that a user also has access to the ResourceDataSync SyncType specified in the request | String |
ssm:resourceTag/${TagKey} | Filters access by a tag key-value pair assigned to the Systems Manager resource | String |
ssm:resourceTag/aws:ssmmessages:session-id | Filters access based on a tag key-value pair assigned to the Systems Manager session resource | String |
ssm:resourceTag/aws:ssmmessages:target-id | Filters access based on a tag key-value pair assigned to the Systems Manager session resource | String |
ssm:resourceTag/tag-key | Filters access based on a tag key-value pair assigned to the Systems Manager resource | String |
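The following policy is a worked example added to this reference; it is not part of the AWS page and is not an AWS-published policy. It puts together the two mechanisms the page describes: resource-level permissions built from the ARN formats in the Resource types table (instance, document, parameter) and service condition keys from the table above (ssm:resourceTag/${TagKey} and ssm:Overwrite). The account ID 111122223333, the Region, the tag key Environment and the parameter path /app/prod/ are placeholders. The pairing of StartSession with both an instance ARN and a document ARN, and of PutParameter with ssm:Overwrite, is assumed from AWS documentation, since the Resource types and Condition keys columns of this page's Actions table were lost in extraction; the document name SSM-SessionManagerRunShell is the AWS-managed default session document and is likewise an assumption, not a value from this page.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SessionManagerOnlyToDevTaggedInstances",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:us-east-1:111122223333:instance/*",
        "arn:aws:ssm:us-east-1:111122223333:document/SSM-SessionManagerRunShell"
      ],
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/Environment": "dev"
        },
        "BoolIfExists": {
          "ssm:SessionDocumentAccessCheck": "true"
        }
      }
    },
    {
      "Sid": "ReadAndCreateParametersUnderAppProdOnly",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParametersByPath",
        "ssm:PutParameter"
      ],
      "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/app/prod/*"
    },
    {
      "Sid": "NeverOverwriteExistingProdParameters",
      "Effect": "Deny",
      "Action": "ssm:PutParameter",
      "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/app/prod/*",
      "Condition": {
        "StringEquals": {
          "ssm:Overwrite": "true"
        }
      }
    }
  ]
}
```

Two design points. First, the StartSession statement deliberately lists both resource types rather than "*": because the instance ARN pattern carries the ssm:resourceTag condition, a principal can open a session only to instances tagged Environment=dev, and the BoolIfExists form of ssm:SessionDocumentAccessCheck keeps the check from failing on requests where the key is absent. Second, the overwrite restriction is written as an explicit Deny on ssm:Overwrite "true" rather than as an Allow on ssm:Overwrite "false", so that a request that omits the overwrite flag (and therefore may not populate the key) is still allowed to create a new parameter while any attempt to replace an existing one is refused. Before attaching a policy like this, the IAM policy simulator (aws iam simulate-custom-policy) is the place to confirm that the intended allow and deny decisions come out as expected for a sample instance ARN and parameter name.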