AWS Systems Manager
User Guide

AWS Systems Manager Permissions Reference

The following table lists the AWS Systems Manager API operations and their corresponding actions for which you can grant permissions. Use this table as a reference when setting up Access Control and writing permissions policies to attach to an IAM identity (identity-based policies). You specify the actions in the policy's Action field. To specify an action, use the ssm: prefix followed by the API operation name (for example, ssm:GetDocument and ssm:CreateDocument). To specify multiple actions in a single statement, separate them with commas (for example, "Action": ["ssm:action1", "ssm:action2"]). For the resource value in the policy's Resource field, you specify an ARN. To specify multiple actions or resources, use a wildcard character (*) in the action name or in your ARN. For example, ssm:* specifies all of the Systems Manager actions, and ssm:Get* specifies all of the Systems Manager actions that begin with the word Get. The following example grants access to all documents with names that begin with West:

arn:aws:ssm:us-west-2:111222333444:document:West*

For more information about wildcards, see IAM Identifiers in IAM User Guide. For a list of Systems Manager resources with the ARN format, see AWS Systems Manager Resources and Operations.

To express conditions, use AWS-wide condition keys in your Systems Manager policies. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.
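As an added example (not code from the AWS guide), the following Python models how IAM evaluates the wildcard and explicit-Deny rules described above against a constructed policy that uses the page's document:West* ARN. The ssm:* Deny on a West-Restricted name prefix and the KNOWN_ACTIONS subset are assumptions made for illustration, not values from the page.

```python
import json
import re

# Constructed policy (not from the page): read-only access to documents whose
# names begin with "West", plus an explicit Deny on a constructed
# "West-Restricted" prefix to show that Deny takes precedence over Allow.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ssm:GetDocument", "ssm:DescribeDocument"],
     "Resource": "arn:aws:ssm:us-west-2:111222333444:document:West*"},
    {"Effect": "Deny",
     "Action": "ssm:*",
     "Resource": "arn:aws:ssm:us-west-2:111222333444:document:West-Restricted*"}
  ]
}
""")

# Constructed subset of the action names listed in the table below, used to
# show what a wildcard such as ssm:Get* actually expands to.
KNOWN_ACTIONS = ["ssm:CreateDocument", "ssm:DescribeDocument", "ssm:GetDocument",
                 "ssm:GetParameter", "ssm:GetParameterHistory", "ssm:SendCommand"]

def _wild(pattern, value, ignore_case):
    """IAM-style wildcard match: * matches any run of characters, ? one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def statement_applies(stmt, action, resource):
    """True when some Action pattern and some Resource pattern both match.
    Action names are compared case-insensitively; ARNs are compared exactly."""
    return (any(_wild(a, action, True) for a in _as_list(stmt["Action"]))
            and any(_wild(r, resource, False) for r in _as_list(stmt["Resource"])))

def is_allowed(policy, action, resource):
    """Identity-based policy evaluation: implicit deny, explicit Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def actions_granted(pattern, known_actions):
    """Expand an action wildcard (e.g. ssm:Get*) against a list of action names."""
    return sorted(a for a in known_actions if _wild(pattern, a, True))
```

Running actions_granted against the full table is a quick way to review what a broad pattern like ssm:Get* or ssm:Describe* would grant before attaching it.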

Specifying multiple actions or resources


Systems Manager API Operations and Required Permissions for Actions

Systems Manager API Operations | Required Permissions (API Actions)

AddTagsToResource

ssm:AddTagsToResource

Required to add or overwrite tags for a specified resource.

CancelCommand

ssm:CancelCommand

Required to attempt to cancel the command with the specified command ID.

CreateActivation

ssm:CreateActivation

Required to register an on-premises server or virtual machine with Amazon EC2 so that it can be managed using Systems Manager.

CreateAssociation

ssm:CreateAssociation

Required to associate a Systems Manager document with the specified instances or targets.

CreateAssociationBatch

ssm:CreateAssociationBatch

Required to associate multiple Systems Manager documents with the specified instances or targets.

CreateDocument

ssm:CreateDocument

Required to create a Systems Manager document.

CreateMaintenanceWindow

ssm:CreateMaintenanceWindow

Required to create a Maintenance Window.

CreatePatchBaseline

ssm:CreatePatchBaseline

Required to create a patch baseline.

CreateResourceDataSync

ssm:CreateResourceDataSync

Required to create a resource data sync configuration for a single Amazon S3 bucket.

DeleteActivation

ssm:DeleteActivation

Required to delete an activation.

DeleteAssociation

ssm:DeleteAssociation

Required to disassociate the specified Systems Manager document from the specified instance.

DeleteDocument

ssm:DeleteDocument

Required to delete a Systems Manager document and all instance associations to the document.

DeleteMaintenanceWindow

ssm:DeleteMaintenanceWindow

Required to delete a Maintenance Window.

DeleteParameter

ssm:DeleteParameter

Required to delete a parameter from the system.

DeleteParameters

ssm:DeleteParameters

Required to delete one or more parameters from the system.

DeletePatchBaseline

ssm:DeletePatchBaseline

Required to delete a patch baseline.

DeleteResourceDataSync

ssm:DeleteResourceDataSync

Required to delete a resource data sync configuration.

DeregisterManagedInstance

ssm:DeregisterManagedInstance

Required to remove a server or virtual machine from the list of registered servers.

DeregisterPatchBaselineForPatchGroup

ssm:DeregisterPatchBaselineForPatchGroup

Required to remove a patch group from a patch baseline.

DeregisterTargetFromMaintenanceWindow

ssm:DeregisterTargetFromMaintenanceWindow

Required to remove a target from a Maintenance Window.

DeregisterTaskFromMaintenanceWindow

ssm:DeregisterTaskFromMaintenanceWindow

Required to remove a task from a Maintenance Window.

DescribeActivations

ssm:DescribeActivations

Required to view details about an activation, such as the date and time the activation was created, the expiration date, and the IAM role assigned to the instances in the activation.

DescribeAssociation

ssm:DescribeAssociation

Required to view the associations for the specified Systems Manager document or instance.

DescribeAutomationExecutions

ssm:DescribeAutomationExecutions

Required to view information about all active and terminated Automation executions.

DescribeAutomationStepExecutions

ssm:DescribeAutomationStepExecutions

Required to view information about all active and terminated step executions in an Automation workflow.

DescribeAvailablePatches

ssm:DescribeAvailablePatches

Required to view information about patches that could be included in a patch baseline.

DescribeDocument

ssm:DescribeDocument

Required to view information about the specified Systems Manager document.

DescribeDocumentPermission

ssm:DescribeDocumentPermission

Required to view the permissions for a Systems Manager document.

DescribeEffectiveInstanceAssociations

ssm:DescribeEffectiveInstanceAssociations

Required to view information about associations for one or more instances.

DescribeEffectivePatchesForPatchBaseline

ssm:DescribeEffectivePatchesForPatchBaseline

Required to view information about the current effective patches (the patch and the approval state) for the specified patch baseline. Applies only to Windows Server patch baselines.

DescribeInstanceAssociationsStatus

ssm:DescribeInstanceAssociationsStatus

Required to view the status of the associations for one or more instances.

DescribeInstanceInformation

ssm:DescribeInstanceInformation

Required to view information about one or more instances.

DescribeInstancePatches

ssm:DescribeInstancePatches

Required to view information about the patches on a specified instance and their state relative to the patch baseline being used for the instance.

DescribeInstancePatchStates

ssm:DescribeInstancePatchStates

Required to view information about the high-level patch state of one or more instances.

DescribeInstancePatchStatesForPatchGroup

ssm:DescribeInstancePatchStatesForPatchGroup

Required to view the high-level patch state for the instances in a specified patch group.

DescribeMaintenanceWindowExecutions

ssm:DescribeMaintenanceWindowExecutions

Required to view information about the execution of a maintenance window. This includes details about when the Maintenance Window was scheduled to be active and information about tasks registered and run with the Maintenance Window.

DescribeMaintenanceWindowExecutionTaskInvocations

ssm:DescribeMaintenanceWindowExecutionTaskInvocations

Required to retrieve information about the individual task executions (one per target) for a particular task executed as part of a Maintenance Window execution.

DescribeMaintenanceWindowExecutionTasks

ssm:DescribeMaintenanceWindowExecutionTasks

Required to view information about the tasks that have been run for a specified Maintenance Window execution.

DescribeMaintenanceWindows

ssm:DescribeMaintenanceWindows

Required to view information about the Maintenance Windows created in an AWS account.

DescribeMaintenanceWindowTargets

ssm:DescribeMaintenanceWindowTargets

Required to view information about the targets registered with a specified Maintenance Window.

DescribeMaintenanceWindowTasks

ssm:DescribeMaintenanceWindowTasks

Required to view information about the tasks in a specified Maintenance Window.

DescribeParameters

ssm:DescribeParameters

Required to view information about one or more parameters.

DescribePatchBaselines

ssm:DescribePatchBaselines

Required to view information about the patch baselines in an AWS account.

DescribePatchGroups

ssm:DescribePatchGroups

Required to view information about all patch groups that have been registered with patch baselines.

DescribePatchGroupState

ssm:DescribePatchGroupState

Required to view information about the high-level aggregated patch compliance state for a patch group.

GetAutomationExecution

ssm:GetAutomationExecution

Required to view detailed information about a particular Automation execution.

GetCommandInvocation

ssm:GetCommandInvocation

Required to view detailed information about command execution for an invocation or plugin.

GetDefaultPatchBaseline

ssm:GetDefaultPatchBaseline

Required to view information about the default patch baseline.

GetDeployablePatchSnapshotForInstance

ssm:GetDeployablePatchSnapshotForInstance

Required to view the current snapshot for the patch baseline used by the instance. Used primarily by the AWS-RunPatchBaseline Systems Manager document.

GetDocument

ssm:GetDocument

Required to view the contents of a specified Systems Manager document.

GetInventory

ssm:GetInventory

Required to view information about inventory items.

GetInventorySchema

ssm:GetInventorySchema

Required to view inventory type names for the account, or to return a list of attribute names for a specific inventory item type.

GetMaintenanceWindow

ssm:GetMaintenanceWindow

Required to view information about a specified maintenance window.

GetMaintenanceWindowExecution

ssm:GetMaintenanceWindowExecution

Required to view information about a specific task run as part of a Maintenance Window execution.

GetMaintenanceWindowExecutionTask

ssm:GetMaintenanceWindowExecutionTask

Required to view information about a specific task run as part of a Maintenance Window execution.

GetMaintenanceWindowExecutionTaskInvocation

ssm:GetMaintenanceWindowExecutionTaskInvocation

Required to retrieve a task invocation, which is a specific task executing on a specific target.

GetMaintenanceWindowTask

ssm:GetMaintenanceWindowTask

Required to list the tasks in a Maintenance Window.

GetParameter

ssm:GetParameter

Required to view information about a specified parameter, including the parameter name, type, and value.

GetParameterHistory

ssm:GetParameterHistory

Required to view historical information about a specified parameter. In addition to parameter name, type, and value, returns the parameter description, query key ID, last modified date, and ARN of the AWS user who last modified the parameter.

GetParameters

ssm:GetParameters

Required to view information about parameters.

GetParametersByPath

ssm:GetParametersByPath

Required to view information about parameters in a hierarchical structure.

GetPatchBaseline

ssm:GetPatchBaseline

Required to view information about a patch baseline.

GetPatchBaselineForPatchGroup

ssm:GetPatchBaselineForPatchGroup

Required to view information about the patch baseline that should be used for a specified patch group.

ListAssociations

ssm:ListAssociations

Required to view the associations for the specified Systems Manager document or instance.

ListAssociationVersions

ssm:ListAssociationVersions

Required to retrieve all versions of an association for a specific association ID.

ListCommandInvocations

ssm:ListCommandInvocations

Required to view a list of invocations, or copies of commands sent to a specific instance.

ListCommands

ssm:ListCommands

Required to view a list of commands requested by users of the AWS account.

ListComplianceItems

ssm:ListComplianceItems

Required to retrieve a list of compliance statuses for different resource types for a specific resource ID.

ListComplianceSummaries

ssm:ListComplianceSummaries

Required to retrieve a summary count of compliant and non-compliant resources for a compliance type.

ListDocuments

ssm:ListDocuments

Required to view a list of Systems Manager documents.

ListDocumentVersions

ssm:ListDocumentVersions

Required to view information about the versions of a document.

ListInventoryEntries

ssm:ListInventoryEntries

Required to view information about inventory items on an instance.

ListResourceComplianceSummaries

ssm:ListResourceComplianceSummaries

Required to retrieve a resource-level summary count, including information about compliant and non-compliant statuses.

ListResourceDataSync

ssm:ListResourceDataSync

Required to view information about resource data sync configurations, including when a sync last attempted to start, the last sync status, and the last time a sync completed successfully.

ListTagsForResource

ssm:ListTagsForResource

Required to view a list of tags assigned to a specified resource.

ModifyDocumentPermission

ssm:ModifyDocumentPermission

Required to share a Systems Manager document publicly or privately.

PutComplianceItems

ssm:PutComplianceItems

Required to register a compliance type and other compliance details on a designated resource.

PutInventory

ssm:PutInventory

Required to add or update custom inventory items on one or more instances.

PutParameter

ssm:PutParameter

Required to add one or more parameters to the system.

RegisterDefaultPatchBaseline

ssm:RegisterDefaultPatchBaseline

Required to define the default patch baseline.

RegisterPatchBaselineForPatchGroup

ssm:RegisterPatchBaselineForPatchGroup

Required to register a patch baseline for a patch group.

RegisterTargetWithMaintenanceWindow

ssm:RegisterTargetWithMaintenanceWindow

Required to register a target with a Maintenance Window.

RegisterTaskWithMaintenanceWindow

ssm:RegisterTaskWithMaintenanceWindow

Required to register a task with a Maintenance Window.

RemoveTagsFromResource

ssm:RemoveTagsFromResource

Required to remove tags from a specified resource.

SendAutomationSignal

ssm:SendAutomationSignal

Required to send a signal to an Automation execution to change the current behavior or status of the execution.

SendCommand

ssm:SendCommand

Required to run commands on one or more managed instances.

StartAutomationExecution

ssm:StartAutomationExecution

Required to start running an Automation document.

StopAutomationExecution

ssm:StopAutomationExecution

Required to stop an Automation execution.

UpdateAssociation

ssm:UpdateAssociation

Required to update an association. Updates can be made only to the document version, schedule, parameters, and Amazon S3 output of an association.

UpdateAssociationStatus

ssm:UpdateAssociationStatus

Required to update the status of the Systems Manager document associated with a specified instance.

UpdateDocument

ssm:UpdateDocument

Required to update the content, version, or name of a document.

UpdateDocumentDefaultVersion

ssm:UpdateDocumentDefaultVersion

Required to set the default version of a document.

UpdateMaintenanceWindow

ssm:UpdateMaintenanceWindow

Required to update one or more parameters in a maintenance window.

UpdateMaintenanceWindowTarget

ssm:UpdateMaintenanceWindowTarget

Required to modify the target of an existing Maintenance Window.

UpdateMaintenanceWindowTask

ssm:UpdateMaintenanceWindowTask

Required to modify the task assigned to a Maintenance Window.

UpdateManagedInstanceRole

ssm:UpdateManagedInstanceRole

Required to assign an AWS Identity and Access Management (IAM) role to a managed instance, or to change the assigned IAM role.

UpdatePatchBaseline

ssm:UpdatePatchBaseline

Required to update one or more fields in an existing patch baseline.