AWS Systems Manager
User Guide

Step 3: Control User Access

Using IAM policies, you can control who can create, deploy, and manage packages. You also control which Run Command and State Manager\ API actions they can perform on managed instances.

ARN Format

User-defined packages are associated with document ARNs and have the following format:

arn:aws:ssm:region_ID:account_ID_number:document/document_name

The following is an example.

arn:aws:ssm:us-west-1:123456789012:document/ExampleDocumentName

You can use a pair of AWS-supplied default IAM policies, one for end users and one for administrators, to grant permissions for Distributor activities. Or you can create custom IAM policies appropriate for your permissions requirements.

For more information about using variables in IAM policies, see IAM Policy Elements: Variables.

For information about how to create policies and attach them to IAM users or groups, see Creating IAM Policies and Adding and Removing IAM Policies in the IAM User Guide.