Configuring roles and permissions for Systems Manager Explorer - AWS Systems Manager

Configuring roles and permissions for Systems Manager Explorer

Integrated Setup automatically creates and configures AWS Identity and Access Management (IAM) roles for AWS Systems Manager Explorer and AWS Systems Manager OpsCenter. If you completed Integrated Setup, then you don't need to perform any additional tasks to configure roles and permissions for Explorer. However, you must configure permission for OpsCenter, as described later in this topic.

About the roles created by integrated setup

Integrated Setup creates and configures the following roles for working with Explorer and OpsCenter.

  • AWSServiceRoleForAmazonSSM: Provides access to AWS resources managed or used by Systems Manager.

  • OpsItem-CWE-Role: Allows CloudWatch Events and EventBridge to create OpsItems in response to common events.

  • AWSServiceRoleForAmazonSSM_AccountDiscovery: Allows Systems Manager to call other AWS services to discover AWS account information when synchronizing data. For more information about this role, see About the AWSServiceRoleForAmazonSSM_AccountDiscovery role.

  • AmazonSSMExplorerExport: Allows Explorer to export OpsData to a comma-separated value (CSV) file.

About the AWSServiceRoleForAmazonSSM_AccountDiscovery role

If you configure Explorer to display data from multiple accounts and Regions by using AWS Organizations and a resource data sync, then Systems Manager creates a service-linked role. Systems Manager uses this role to get information about your AWS accounts in AWS Organizations. The role uses the following permissions policy.

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "organizations:DescribeAccount", "organizations:DescribeOrganization", "organizations:ListAccounts", "organizations:ListAWSServiceAccessForOrganization", "organizations:ListChildren", "organizations:ListParents" ], "Resource":"*" } ] }

For more information about the AWSServiceRoleForAmazonSSM_AccountDiscovery role, see Using roles to collect AWS account information for Systems Manager Explorer: AWSServiceRoleForAmazonSSM_AccountDiscovery.

Configuring permissions for Systems Manager OpsCenter

After you complete Integrated Setup, you must configure IAM user, group, or role permissions so that users can perform actions in OpsCenter.

Before You Begin

OpsItems can only be viewed or edited in the account where they were created. You can't share or transfer OpsItems across AWS accounts. For this reason, we recommend that you configure permissions for OpsCenter in the AWS account that is used to run your AWS workloads. You can then create IAM users or groups in that account. In this way, multiple operations engineers or IT professionals can create, view, and edit OpsItems in the same AWS account.

Explorer and OpsCenter use the following API operations. You can use all features of Explorer and OpsCenter if your IAM user, group, or role has access to these actions. You can also create more restrictive access, as described later in this section.

The following procedure describes how to add a full-access inline policy to an IAM user. If you prefer, you can specify read-only permission by assigning the following inline policy to a user's account, group, or role.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetOpsItem", "ssm:GetOpsSummary", "ssm:DescribeOpsItems", "ssm:GetServiceSetting", "ssm:ListResourceDataSync" ], "Resource": "*" } ] }

For more information about creating and editing IAM policies, see Creating IAM Policies in the IAM User Guide. For information about how to assign this policy to an IAM group, see Attaching a Policy to an IAM Group.

  1. Sign in to the AWS Management Console and open the IAM console at

  2. In the navigation pane, choose Users.

  3. In the list, choose a name.

  4. Choose the Permissions tab.

  5. Choose Add inline policy.

  6. Choose the JSON tab.

  7. Replace the default content with the following:

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetOpsItem", "ssm:UpdateOpsItem", "ssm:DescribeOpsItems", "ssm:CreateOpsItem", "ssm:CreateResourceDataSync", "ssm:DeleteResourceDataSync", "ssm:ListResourceDataSync", "ssm:UpdateResourceDataSync" ], "Resource": "*" } ] }
  8. Choose Review policy.

  9. On the Review policy page, for Name, enter a name for the inline policy. For example: OpsCenter-Access-Full.

  10. Choose Create policy.

Restricting access to OpsItems by using tags

You can also restrict access to OpsItems by using an inline IAM policy that specifies tags. Here is an example that specifies a tag key of Department and a tag value of Finance. With this policy, the user can only call the GetOpsItem API operation to view OpsItems that were previously tagged with Key=Department and Value=Finance. Users can't view any other OpsItems.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetOpsItem" ], "Resource": "*" , "Condition": { "StringEquals": { "ssm:resourceTag/Department": "Finance" } } } ] }

Here is an example that specifies API operations for viewing and updating OpsItems. This policy also specifies two sets of tag key-value pairs: Department-Finance and Project-Unity.

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ssm:GetOpsItem", "ssm:UpdateOpsItem" ], "Resource":"*", "Condition":{ "StringEquals":{ "ssm:resourceTag/Department":"Finance", "ssm:resourceTag/Project":"Unity" } } } ] }

For information about adding tags to an OpsItem, see Creating OpsItems manually.