Configuring roles and permissions for Systems Manager Explorer - AWS Systems Manager

Configuring roles and permissions for Systems Manager Explorer

Integrated Setup automatically creates and configures AWS Identity and Access Management (IAM) roles for AWS Systems Manager Explorer and AWS Systems Manager OpsCenter. If you completed Integrated Setup, then you don't need to perform any additional tasks to configure roles and permissions for Explorer. However, you must configure permission for OpsCenter, as described later in this topic.

About the roles created by integrated setup

Integrated Setup creates and configures the following roles for working with Explorer and OpsCenter.

  • AWSServiceRoleForAmazonSSM: Provides access to AWS resources managed or used by Systems Manager.

  • OpsItem-CWE-Role: Allows CloudWatch Events and EventBridge to create OpsItems in response to common events.

  • AWSServiceRoleForAmazonSSM_AccountDiscovery: Allows Systems Manager to call other AWS services to discover AWS account information when synchronizing data. For more information about this role, see About the AWSServiceRoleForAmazonSSM_AccountDiscovery role.

  • AmazonSSMExplorerExport: Allows Explorer to export OpsData to a comma-separated value (CSV) file.

About the AWSServiceRoleForAmazonSSM_AccountDiscovery role

If you configure Explorer to display data from multiple accounts and Regions by using AWS Organizations and a resource data sync, then Systems Manager creates a service-linked role. Systems Manager uses this role to get information about your AWS accounts in AWS Organizations. The role uses the following permissions policy.

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "organizations:DescribeAccount", "organizations:DescribeOrganization", "organizations:ListAccounts", "organizations:ListAWSServiceAccessForOrganization", "organizations:ListChildren", "organizations:ListParents" ], "Resource":"*" } ] }

For more information about the AWSServiceRoleForAmazonSSM_AccountDiscovery role, see Using roles to collect AWS account information for OpsCenter and Explorer.

Configuring permissions for Systems Manager OpsCenter

After you complete Integrated Setup, you must configure user, group, or role permissions so that users can perform actions in OpsCenter.

Before you begin

You can configure your OpsCenter to create and manage OpsItems across multiple accounts or just a single account. If you configure OpsCenter to create and manage OpsItems across multiple accounts, the AWS Organizations management account can create, view, or edit OpsItems in other accounts manually. If required, you can also select the Systems Manager delegated administrator account to create and manage OpsItems in member accounts.  However, if you configure OpsCenter for a single account, you can only view or edit OpsItems in the account where OpsItems were created. You can't share or transfer OpsItems across AWS accounts. For this reason, we recommend that you configure permissions for OpsCenter in the AWS account that is used to run your AWS workloads. You can then create users or groups in that account. In this way, multiple operations engineers or IT professionals can create, view, and edit OpsItems in the same AWS account.

Explorer and OpsCenter use the following API operations. You can use all features of Explorer and OpsCenter if your user, group, or role has access to these actions. You can also create more restrictive access, as described later in this section.

If you prefer, you can specify read-only permission by adding the following inline policy to your account, group, or role.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetOpsItem", "ssm:GetOpsSummary", "ssm:DescribeOpsItems", "ssm:GetServiceSetting", "ssm:ListResourceDataSync" ], "Resource": "*" } ] }

For more information about creating and editing IAM policies, see Creating IAM Policies in the IAM User Guide. For information about how to assign this policy to an IAM group, see Attaching a Policy to an IAM Group.

Create a permission using the following and add it to your users, groups, or roles:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetOpsItem", "ssm:UpdateOpsItem", "ssm:DescribeOpsItems", "ssm:CreateOpsItem", "ssm:CreateResourceDataSync", "ssm:DeleteResourceDataSync", "ssm:ListResourceDataSync", "ssm:UpdateResourceDataSync" ], "Resource": "*" } ] }

Depending on the identity application that you are using in your organization, you can select any of the following options to configure user access.

To provide access, add permissions to your users, groups, or roles:

Restricting access to OpsItems by using tags

You can also restrict access to OpsItems by using an inline IAM policy that specifies tags. Here is an example that specifies a tag key of Department and a tag value of Finance. With this policy, the user can only call the GetOpsItem API operation to view OpsItems that were previously tagged with Key=Department and Value=Finance. Users can't view any other OpsItems.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetOpsItem" ], "Resource": "*" , "Condition": { "StringEquals": { "ssm:resourceTag/Department": "Finance" } } } ] }

Here is an example that specifies API operations for viewing and updating OpsItems. This policy also specifies two sets of tag key-value pairs: Department-Finance and Project-Unity.

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ssm:GetOpsItem", "ssm:UpdateOpsItem" ], "Resource":"*", "Condition":{ "StringEquals":{ "ssm:resourceTag/Department":"Finance", "ssm:resourceTag/Project":"Unity" } } } ] }

For information about adding tags to an OpsItem, see Create OpsItems manually.