Actions, resources, and condition keys for AWS Systems Manager - Service Authorization Reference

Actions, resources, and condition keys for AWS Systems Manager

AWS Systems Manager (service prefix: ssm) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by AWS Systems Manager

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AddTagsToResource Grants permission to add or overwrite one or more tags for a specified AWS resource Tagging

association

automation-execution

document

instance

maintenancewindow

managed-instance

opsitem

opsmetadata

parameter

patchbaseline

task

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

AssociateOpsItemRelatedItem Grants permission to associate RelatedItem to an OpsItem Write

opsitem*

CancelCommand Grants permission to cancel a specified Run Command command Write
CancelMaintenanceWindowExecution Grants permission to cancel an in-progress maintenance window execution Write

maintenancewindow*

CreateActivation Grants permission to create an activation that is used to register on-premises servers and virtual machines (VMs) with Systems Manager Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateAssociation Grants permission to associate a specified Systems Manager document with specified instances or other targets Write

association*

document*

instance

managed-instance

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

CreateAssociationBatch Grants permission to combine entries for multiple CreateAssociation operations in a single command Write

document*

instance

managed-instance

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDocument Grants permission to create a Systems Manager SSM document Write

document*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

CreateMaintenanceWindow Grants permission to create a maintenance window Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateOpsItem Grants permission to create an OpsItem in OpsCenter Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateOpsMetadata Grants permission to create an OpsMetadata object for an AWS resource Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreatePatchBaseline Grants permission to create a patch baseline Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateResourceDataSync Grants permission to create a resource data sync configuration, which regularly collects inventory data from managed instances and updates the data in an Amazon S3 bucket Write

resourcedatasync*

ssm:SyncType

DeleteActivation Grants permission to delete a specified activation for managed instances Write
DeleteAssociation Grants permission to disassociate a specified SSM document from a specified instance Write

association

document

instance

managed-instance

aws:ResourceTag/${TagKey}

DeleteDocument Grants permission to delete a specified SSM document and its instance associations Write

document*

DeleteInventory Grants permission to delete a specified custom inventory type, or the data associated with a custom inventory type Write
DeleteMaintenanceWindow Grants permission to delete a specified maintenance window Write

maintenancewindow*

DeleteOpsItem Grants permission to delete an OpsItem Write

opsitem*

DeleteOpsMetadata Grants permission to delete an OpsMetadata object Write

opsmetadata*

DeleteParameter Grants permission to delete a specified SSM parameter Write

parameter*

aws:ResourceTag/${TagKey}

DeleteParameters Grants permission to delete multiple specified SSM parameters Write

parameter*

aws:ResourceTag/${TagKey}

DeletePatchBaseline Grants permission to delete a specified patch baseline Write

patchbaseline*

DeleteResourceDataSync Grants permission to delete a specified resource data sync Write

resourcedatasync*

ssm:SyncType

DeleteResourcePolicy Grants permission to delete a Systems Manager resource policy Permissions management

opsitemgroup

parameter

DeregisterManagedInstance Grants permission to deregister a specified on-premises server or virtual machine (VM) from Systems Manager Write

managed-instance*

ssm:resourceTag/tag-key

DeregisterPatchBaselineForPatchGroup Grants permission to deregister a specified patch baseline from being the default patch baseline for a specified patch group Write

patchbaseline*

DeregisterTargetFromMaintenanceWindow Grants permission to deregister a specified target from a maintenance window Write

maintenancewindow*

DeregisterTaskFromMaintenanceWindow Grants permission to deregister a specified task from a maintenance window Write

maintenancewindow*

DescribeActivations Grants permission to view details about a specified managed instance activation, such as when it was created and the number of instances registered using the activation Read
DescribeAssociation Grants permission to view details about the specified association for a specified instance or target Read

association

document

instance

managed-instance

aws:ResourceTag/${TagKey}

DescribeAssociationExecutionTargets Grants permission to view information about a specified association execution Read

association*

aws:ResourceTag/${TagKey}

DescribeAssociationExecutions Grants permission to view all executions for a specified association Read

association*

aws:ResourceTag/${TagKey}

DescribeAutomationExecutions Grants permission to view details about all active and terminated Automation executions Read
DescribeAutomationStepExecutions Grants permission to view information about all active and terminated step executions in an Automation workflow Read

automation-execution*

DescribeAvailablePatches Grants permission to view all patches eligible to include in a patch baseline Read
DescribeDocument Grants permission to view details about a specified SSM document Read

document*

DescribeDocumentParameters Grants permission to display information about SSM document parameters in the Systems Manager console (internal Systems Manager action) Read

document*

DescribeDocumentPermission Grants permission to view the permissions for a specified SSM document Read

document*

DescribeEffectiveInstanceAssociations Grants permission to view all current associations for a specified instance Read

instance*

managed-instance*

aws:ResourceTag/${TagKey}

DescribeEffectivePatchesForPatchBaseline Grants permission to view details about the patches currently associated with the specified patch baseline (Windows only) Read

patchbaseline*

DescribeInstanceAssociationsStatus Grants permission to view the status of the associations for a specified instance Read

instance*

managed-instance*

aws:ResourceTag/${TagKey}

DescribeInstanceInformation Grants permission to view details about a specified instance Read
DescribeInstancePatchStates Grants permission to view status details about patches on a specified instance Read

instance*

managed-instance*

aws:ResourceTag/${TagKey}

ssm:resourceTag/${TagKey}

DescribeInstancePatchStatesForPatchGroup Grants permission to describe the high-level patch state for the instances in the specified patch group Read
DescribeInstancePatches Grants permission to view general details about the patches on a specified instance Read

instance*

managed-instance*

aws:ResourceTag/${TagKey}

ssm:resourceTag/${TagKey}

DescribeInstanceProperties Grants permission to user's Amazon EC2 console to render managed instances' nodes Read
DescribeInventoryDeletions Grants permission to view details about a specified inventory deletion Read
DescribeMaintenanceWindowExecutionTaskInvocations Grants permission to view details of a specified task execution for a maintenance window List
DescribeMaintenanceWindowExecutionTasks Grants permission to view details about the tasks that ran during a specified maintenance window execution List
DescribeMaintenanceWindowExecutions Grants permission to view the executions of a specified maintenance window List

maintenancewindow*

DescribeMaintenanceWindowSchedule Grants permission to view details about upcoming executions of a specified maintenance window List
DescribeMaintenanceWindowTargets Grants permission to view a list of the targets associated with a specified maintenance window List

maintenancewindow*

DescribeMaintenanceWindowTasks Grants permission to view a list of the tasks associated with a specified maintenance window List

maintenancewindow*

DescribeMaintenanceWindows Grants permission to view information about all or specified maintenance windows List
DescribeMaintenanceWindowsForTarget Grants permission to view information about the maintenance window targets and tasks associated with a specified instance List
DescribeOpsItems Grants permission to view details about specified OpsItems Read
DescribeParameters Grants permission to view details about a specified SSM parameter List
DescribePatchBaselines Grants permission to view information about patch baselines that meet the specified criteria List
DescribePatchGroupState Grants permission to view aggregated status details for patches for a specified patch group List
DescribePatchGroups Grants permission to view information about the patch baseline for a specified patch group List
DescribePatchProperties Grants permission to view details of available patches for a specified operating system and patch property List
DescribeSessions Grants permission to view a list of recent Session Manager sessions that meet the specified search criteria List
DisassociateOpsItemRelatedItem Grants permission to disassociate RelatedItem from an OpsItem Write

opsitem*

GetAutomationExecution Grants permission to view details of a specified Automation execution Read

automation-execution*

GetCalendar [permission only] Grants permission to view details of a specific calendar Read

document*

GetCalendarState Grants permission to view the calendar state for a change calendar or a list of change calendars Read

document*

GetCommandInvocation Grants permission to view details about the command execution of a specified invocation or plugin Read
GetConnectionStatus Grants permission to view the Session Manager connection status for a specified managed instance Read

instance

managed-instance

task

ssm:resourceTag/${TagKey}

aws:ResourceTag/${TagKey}

GetDefaultPatchBaseline Grants permission to view the current default patch baseline for a specified operating system type Read

patchbaseline*

GetDeployablePatchSnapshotForInstance Grants permission to retrieve the current patch baseline snapshot for a specified instance Read
GetDocument Grants permission to view the contents of a specified SSM document Read

document*

ssm:DocumentCategories

GetInventory Grants permission to view instance inventory details per the specified criteria Read
GetInventorySchema Grants permission to view a list of inventory types or attribute names for a specified inventory item type Read
GetMaintenanceWindow Grants permission to view details about a specified maintenance window Read

maintenancewindow*

GetMaintenanceWindowExecution Grants permission to view details about a specified maintenance window execution Read
GetMaintenanceWindowExecutionTask Grants permission to view details about a specified maintenance window execution task Read
GetMaintenanceWindowExecutionTaskInvocation Grants permission to view details about a specific maintenance window task running on a specific target Read
GetMaintenanceWindowTask Grants permission to view details about tasks registered with a specified maintenance window Read

maintenancewindow*

GetManifest [permission only] Grants permission to Systems Manager and SSM Agent to determine package installation requirements for an instance (internal Systems Manager call) Read
GetOpsItem Grants permission to view information about a specified OpsItem Read

opsitem*

GetOpsMetadata Grants permission to retrieve an OpsMetadata object Read

opsmetadata*

GetOpsSummary Grants permission to view summary information about OpsItems based on specified filters and aggregators Read

resourcedatasync*

GetParameter Grants permission to view information about a specified parameter Read

parameter*

aws:ResourceTag/${TagKey}

GetParameterHistory Grants permission to view details and changes for a specified parameter Read

parameter*

aws:ResourceTag/${TagKey}

GetParameters Grants permission to view information about multiple specified parameters Read

parameter*

aws:ResourceTag/${TagKey}

GetParametersByPath Grants permission to view information about parameters in a specified hierarchy Read

parameter*

ssm:Recursive

GetPatchBaseline Grants permission to view information about a specified patch baseline Read

patchbaseline*

GetPatchBaselineForPatchGroup Grants permission to view the ID of the current patch baseline for a specified patch group Read
GetResourcePolicies Grants permission to retrieve lists of Systems Manager resource policies List

opsitemgroup

parameter

GetServiceSetting Grants permission to view the account-level setting for an AWS service Read

servicesetting*

LabelParameterVersion Grants permission to apply an identifying label to a specified version of a parameter Write

parameter*

aws:ResourceTag/${TagKey}

ListAssociationVersions Grants permission to list versions of the specified association List

association*

aws:ResourceTag/${TagKey}

ListAssociations Grants permission to list the associations for a specified SSM document or managed instance List
ListCommandInvocations Grants permission to list information about command invocations sent to a specified instance List
ListCommands Grants permission to list the commands sent to a specified instance List
ListComplianceItems Grants permission to list compliance status for specified resource types on a specified resource List
ListComplianceSummaries Grants permission to list a summary count of compliant and noncompliant resources for a specified compliance type List
ListDocumentMetadataHistory Grants permission to view metadata history about a specified SSM document List

document*

ListDocumentVersions Grants permission to list all versions of a specified document List

document*

ListDocuments Grants permission to view information about a specified SSM document List
ListInstanceAssociations Grants permission to SSM Agent to check for new State Manager associations (internal Systems Manager call) List

instance

managed-instance

aws:ResourceTag/${TagKey}

ListInventoryEntries Grants permission to view a list of specified inventory types for a specified instance List
ListOpsItemEvents Grants permission to view details about OpsItemEvents List
ListOpsItemRelatedItems Grants permission to view details about OpsItem RelatedItems List
ListOpsMetadata Grants permission to view a list of OpsMetadata objects List
ListResourceComplianceSummaries Grants permission to list resource-level summary count List
ListResourceDataSync Grants permission to list information about resource data sync configurations in an account List

ssm:SyncType

ListTagsForResource Grants permission to view a list of resource tags for a specified resource List

association

automation-execution

document

maintenancewindow

managed-instance

opsitem

opsmetadata

parameter

patchbaseline

aws:ResourceTag/${TagKey}

ModifyDocumentPermission Grants permission to share a custom SSM document publicly or privately with specified AWS accounts Permissions management

document*

PutCalendar [permission only] Grants permission to create/edit a specific calendar Write

document*

PutComplianceItems Grants permission to register a compliance type and other compliance details on a specified resource Write

instance

managed-instance

ssm:SourceInstanceARN

ec2:SourceInstanceARN

PutConfigurePackageResult [permission only] Grants permission to SSM Agent to generate a report of the results of specific agent requests (internal Systems Manager call) Read
PutInventory Grants permission to add or update inventory items on multiple specified managed instances Write
PutParameter Grants permission to create an SSM parameter Write

parameter*

aws:RequestTag/${TagKey}

aws:TagKeys

ssm:Overwrite

ssm:Policies

PutResourcePolicy Grants permission to create or update a Systems Manager resource policy Permissions management

opsitemgroup

parameter

RegisterDefaultPatchBaseline Grants permission to specify the default patch baseline for an operating system type Write

patchbaseline*

RegisterManagedInstance Grants permission to register a Systems Manager Agent Write

aws:RequestTag/${TagKey}

aws:TagKeys

RegisterPatchBaselineForPatchGroup Grants permission to specify the default patch baseline for a specified patch group Write

patchbaseline*

RegisterTargetWithMaintenanceWindow Grants permission to register a target with a specified maintenance window Write

maintenancewindow*

RegisterTaskWithMaintenanceWindow Grants permission to register a task with a specified maintenance window Write

maintenancewindow*

RemoveTagsFromResource Grants permission to remove a specified tag key from a specified resource Tagging

association

automation-execution

document

instance

maintenancewindow

managed-instance

opsitem

opsmetadata

parameter

patchbaseline

task

aws:ResourceTag/${TagKey}

aws:TagKeys

ResetServiceSetting Grants permission to reset the service setting for an AWS account to the default value Write

servicesetting*

ResumeSession Grants permission to reconnect a Session Manager session to a managed instance Write

session*

ssm:resourceTag/aws:ssmmessages:session-id

ssm:resourceTag/aws:ssmmessages:target-id

SendAutomationSignal Grants permission to send a signal to change the current behavior or status of a specified Automation execution Write

automation-execution*

SendCommand Grants permission to run commands on one or more specified managed instances Write

document*

bucket

instance

managed-instance

aws:ResourceTag/${TagKey}

ssm:resourceTag/${TagKey}

StartAssociationsOnce Grants permission to run a specified association manually Write

association*

aws:ResourceTag/${TagKey}

StartAutomationExecution Grants permission to initiate the execution of an Automation document Write

automation-definition*

aws:RequestTag/${TagKey}

aws:TagKeys

StartChangeRequestExecution Grants permission to initiate the execution of an Automation Change Template document Write

automation-definition*

aws:RequestTag/${TagKey}

aws:TagKeys

ssm:AutoApprove

StartSession Grants permission to initiate a connection to a specified target for a Session Manager session Write

document

instance

managed-instance

task

ssm:SessionDocumentAccessCheck

ssm:resourceTag/${TagKey}

aws:ResourceTag/${TagKey}

StopAutomationExecution Grants permission to stop a specified Automation execution that is already in progress Write

automation-execution*

TerminateSession Grants permission to permanently end a Session Manager connection to an instance Write

session*

ssm:resourceTag/aws:ssmmessages:session-id

ssm:resourceTag/aws:ssmmessages:target-id

UnlabelParameterVersion Grants permission to remove an identifying label from a specified version of a parameter Write

parameter*

aws:ResourceTag/${TagKey}

UpdateAssociation Grants permission to update an association and immediately run the association on the specified targets Write

association*

document

instance

managed-instance

aws:ResourceTag/${TagKey}

UpdateAssociationStatus Grants permission to update the status of the SSM document associated with a specified instance Write

document*

instance

managed-instance

ssm:SourceInstanceARN

ec2:SourceInstanceARN

aws:ResourceTag/${TagKey}

UpdateDocument Grants permission to update one or more values for an SSM document Write

document*

UpdateDocumentDefaultVersion Grants permission to change the default version of an SSM document Write

document*

UpdateDocumentMetadata Grants permission to update the metadata of an SSM document Write

document*

UpdateInstanceAssociationStatus [permission only] Grants permission to SSM Agent to update the status of the association that it is currently running (internal Systems Manager call) Write

association*

instance

managed-instance

ssm:SourceInstanceARN

ec2:SourceInstanceARN

aws:ResourceTag/${TagKey}

UpdateInstanceInformation Grants permission to SSM Agent to send a heartbeat signal to the Systems Manager service in the cloud Write

instance

managed-instance

ssm:SourceInstanceARN

ec2:SourceInstanceARN

UpdateMaintenanceWindow Grants permission to update a specified maintenance window Write

maintenancewindow*

UpdateMaintenanceWindowTarget Grants permission to update a specified maintenance window target Write

maintenancewindow*

windowtarget*

UpdateMaintenanceWindowTask Grants permission to update a specified maintenance window task Write

maintenancewindow*

windowtask*

UpdateManagedInstanceRole Grants permission to assign or change the IAM role assigned to a specified managed instance Write

iam-role*

managed-instance*

ssm:resourceTag/tag-key

UpdateOpsItem Grants permission to edit or change an OpsItem Write

opsitem*

UpdateOpsMetadata Grants permission to update an OpsMetadata object Write

opsmetadata*

UpdatePatchBaseline Grants permission to update a specified patch baseline Write

patchbaseline*

UpdateResourceDataSync Grants permission to update a resource data sync Write

resourcedatasync*

ssm:SyncType

UpdateServiceSetting Grants permission to update the service setting for an AWS account Write

servicesetting*

Resource types defined by AWS Systems Manager

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Note

Some State Manager API parameters have been deprecated. This might lead to unexpected behavior. For more information, see Working with associations using IAM.

Resource types ARN Condition keys
association arn:${Partition}:ssm:${Region}:${Account}:association/${AssociationId}

aws:ResourceTag/${TagKey}

automation-execution arn:${Partition}:ssm:${Region}:${Account}:automation-execution/${AutomationExecutionId}

aws:ResourceTag/${TagKey}

ssm:resourceTag/tag-key

automation-definition arn:${Partition}:ssm:${Region}:${Account}:automation-definition/${AutomationDefinitionName}:${VersionId}
bucket arn:${Partition}:s3:::${BucketName}
document arn:${Partition}:ssm:${Region}:${Account}:document/${DocumentName}

aws:ResourceTag/${TagKey}

ssm:DocumentCategories

ssm:resourceTag/${TagKey}

iam-role arn:${Partition}:iam::${Account}:role/${RoleName}
instance arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}

aws:ResourceTag/${TagKey}

ssm:resourceTag/${TagKey}

maintenancewindow arn:${Partition}:ssm:${Region}:${Account}:maintenancewindow/${ResourceId}

aws:ResourceTag/${TagKey}

ssm:resourceTag/tag-key

managed-instance arn:${Partition}:ssm:${Region}:${Account}:managed-instance/${InstanceId}

aws:ResourceTag/${TagKey}

ssm:resourceTag/tag-key

managed-instance-inventory arn:${Partition}:ssm:${Region}:${Account}:managed-instance-inventory/${InstanceId}
opsitem arn:${Partition}:ssm:${Region}:${Account}:opsitem/${ResourceId}

aws:ResourceTag/${TagKey}

opsitemgroup arn:${Partition}:ssm:${Region}:${Account}:opsitemgroup/default
opsmetadata arn:${Partition}:ssm:${Region}:${Account}:opsmetadata/${ResourceId}

aws:ResourceTag/${TagKey}

ssm:resourceTag/${TagKey}

parameter arn:${Partition}:ssm:${Region}:${Account}:parameter/${ParameterNameWithoutLeadingSlash}

aws:ResourceTag/${TagKey}

ssm:resourceTag/tag-key

patchbaseline arn:${Partition}:ssm:${Region}:${Account}:patchbaseline/${PatchBaselineIdResourceId}

aws:ResourceTag/${TagKey}

ssm:resourceTag/tag-key

session arn:${Partition}:ssm:${Region}:${Account}:session/${SessionId}

ssm:resourceTag/aws:ssmmessages:session-id

ssm:resourceTag/aws:ssmmessages:target-id

resourcedatasync arn:${Partition}:ssm:${Region}:${Account}:resource-data-sync/${SyncName}
servicesetting arn:${Partition}:ssm:${Region}:${Account}:servicesetting/${ResourceId}
windowtarget arn:${Partition}:ssm:${Region}:${Account}:windowtarget/${WindowTargetId}

aws:ResourceTag/${TagKey}

ssm:resourceTag/tag-key

windowtask arn:${Partition}:ssm:${Region}:${Account}:windowtask/${WindowTaskId}

aws:ResourceTag/${TagKey}

ssm:resourceTag/tag-key

task arn:${Partition}:ecs:${Region}:${Account}:task/${TaskId}

aws:ResourceTag/${TagKey}

Condition keys for AWS Systems Manager

AWS Systems Manager defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by 'Create' requests based on the allowed set of values for a specified tags String
aws:ResourceTag/${TagKey} Filters access by based on a tag key-value pair assigned to the AWS resource String
aws:TagKeys Filters access by 'Create' requests based on whether mandatory tags are included in the request ArrayOfString
ec2:SourceInstanceARN Filters access by the ARN of the instance from which the request originated ARN
ssm:AutoApprove Filters access by verifying that a user has permission to start Change Manager workflows without a review step (with the exception of change freeze events) Bool
ssm:DocumentCategories Filters access by verifying that a user has permission to access a document belonging to a specific category enum ArrayOfString
ssm:Overwrite Filters access by controling whether Systems Manager parameters can be overwritten String
ssm:Policies Filters access by controlling whether an IAM Entity (user or role) can create or update a parameter that includes a parameter policy String
ssm:Recursive Filters access by Systems Manager parameters created in a hierarchical structure String
ssm:SessionDocumentAccessCheck Filters access by verifying that a user has permission to access either the default Session Manager configuration document or the custom configuration document specified in a request Bool
ssm:SourceInstanceARN Filters access by verifying the Amazon Resource Name (ARN) of the AWS Systems Manager's managed instance from which the request is made. This key is not present when the request comes from the managed instance authenticated with an IAM role associated with EC2 instance profile ARN
ssm:SyncType Filters access by verifying that a user also has access to the ResourceDataSync SyncType specified in the request String
ssm:resourceTag/${TagKey} Filters access by a tag key-value pair assigned to the Systems Manager resource String
ssm:resourceTag/aws:ssmmessages:session-id Filters access by based on a tag key-value pair assigned to the Systems Manager session resource String
ssm:resourceTag/aws:ssmmessages:target-id Filters access by based on a tag key-value pair assigned to the Systems Manager session resource String
ssm:resourceTag/tag-key Filters access by based on a tag key-value pair assigned to the Systems Manager resource String