Sharing SSM documents
You can share AWS Systems Manager (SSM) documents privately or publicly with accounts in the
same AWS Region. To privately share a document, you modify the document permissions
and allow specific individuals to access it according to their AWS account ID. To
publicly share an SSM document, you modify the document permissions and specify
All
.
Warning
Use shared SSM documents only from trusted sources. When using any shared document, carefully review the contents of the document before using it so that you understand how it will change the configuration of your instance. For more information about shared document best practices, see Best practices for shared SSM documents.
Limitations
As you begin working with SSM documents, be aware of the following limitations.
-
Only the owner can share a document.
-
You must stop sharing a document before you can delete it. For more information, see Modify permissions for a shared SSM document.
-
You can share a document with a maximum of 1000 AWS accounts. You can request an increase to this limit in the AWS Support Center
. For Limit type, choose EC2 Systems Manager and describe your reason for the request. -
You can publicly share a maximum of five SSM documents. You can request an increase to this limit in the AWS Support Center
. For Limit type, choose EC2 Systems Manager and describe your reason for the request. -
Documents can be shared with other accounts in the same AWS Region only. Cross-Region sharing isn't supported.
For more information about Systems Manager service quotas, see AWS Systems Manager Service Quotas.
Contents
Best practices for shared SSM documents
Review the following guidelines before you share or use a shared document.
- Remove sensitive information
-
Review your AWS Systems Manager (SSM) document carefully and remove any sensitive information. For example, verify that the document doesn't include your AWS credentials. If you share a document with specific individuals, those users can view the information in the document. If you share a document publicly, anyone can view the information in the document.
- Block public sharing for documents
-
Unless your use case requires public sharing to be turned on, we recommend turning on the block public sharing setting for your Systems Manager documents in the Preferences section of the Systems Manager Documents console.
- Restrict Run Command actions using an IAM trust policy
-
Create a restrictive AWS Identity and Access Management (IAM) policy for users who will have access to the document. The IAM policy determines which SSM documents a user can see in either the Amazon Elastic Compute Cloud (Amazon EC2) console or by calling
ListDocuments
using the AWS Command Line Interface (AWS CLI) or AWS Tools for Windows PowerShell. The policy also restricts the actions the user can perform with SSM documents. You can create a restrictive policy so that a user can only use specific documents. For more information, see Customer managed policy examples. - Use caution when using shared SSM documents
-
Review the contents of every document that is shared with you, especially public documents, to understand the commands that will be run on your instances. A document could intentionally or unintentionally have negative repercussions after it's run. If the document references an external network, review the external source before you use the document.
- Send commands using the document hash
-
When you share a document, the system creates a Sha-256 hash and assigns it to the document. The system also saves a snapshot of the document content. When you send a command using a shared document, you can specify the hash in your command to ensure that the following conditions are true:
-
You're running a command from the correct Systems Manager document
-
The content of the document hasn't changed since it was shared with you.
If the hash doesn't match the specified document or if the content of the shared document has changed, the command returns an
InvalidDocument
exception. The hash can't verify document content from external locations. -
Block public sharing for SSM documents
Unless your use case requires public sharing to be turned on, we recommend turning on the block public sharing setting for your AWS Systems Manager (SSM) documents. Turning on this setting prevents unwanted access to your SSM documents. The block public sharing setting is an account level setting that can differ for each AWS Region. Complete the following tasks to block public sharing for your SSM documents.
Block public sharing (console)
To block public sharing of your SSM documents
Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/
. In the navigation pane, choose Documents.
-or-
If the AWS Systems Manager home page opens first, choose the menu icon (
) to open the navigation pane, and then choose Documents in the navigation pane.
-
Choose Preferences, and then choose Edit in the Block public sharing section.
-
Select the Block public sharing check box, and then choose Save.
Block public sharing (command line)
Open the AWS Command Line Interface (AWS CLI) or AWS Tools for Windows PowerShell on your local computer and run the following command to block public sharing of your SSM documents.
Confirm the setting value was updated using the following command.
Restricting access to block public sharing with IAM
You can create AWS Identity and Access Management (IAM) policies that restrict users from modifying the block public sharing setting. This prevents users from allowing unwanted access to your SSM documents.
The following is an example of an IAM policy that prevents users from updating the block public sharing setting. To use this example, you must replace the example Amazon Web Services account ID with your own account ID.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "ssm:UpdateServiceSetting", "Resource": "arn:aws:ssm:*:
987654321098
:servicesetting/ssm/documents/console/public-sharing-permission" } ] }
Share an SSM document
You can share AWS Systems Manager (SSM) documents by using the Systems Manager console. You can also
share SSM documents programmatically by calling the
ModifyDocumentPermission
API operation using the AWS Command Line Interface (AWS CLI),
AWS Tools for Windows PowerShell, or the AWS SDK. Before you share a document, get the AWS account IDs
of the people with whom you want to share. You will specify these account IDs when
you share the document.
Share a document (console)
Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/
. In the navigation pane, choose Documents.
-or-
If the AWS Systems Manager home page opens first, choose the menu icon (
) to open the navigation pane, and then choose Documents in the navigation pane.
-
In the documents list, choose the document you want to share, and then choose View details. On the Permissions tab, verify that you're the document owner. Only a document owner can share a document.
-
Choose Edit.
-
To share the command publicly, choose Public and then choose Save. To share the command privately, choose Private, enter the AWS account ID, choose Add permission, and then choose Save.
Share a document (command line)
The following procedure requires that you specify an AWS Region for your command line session.
-
Open the AWS CLI or AWS Tools for Windows PowerShell on your local computer and run the following command to specify your credentials.
In the following command, replace
region
with your own information. For a list of supportedregion
values, see the Region column in Systems Manager service endpoints in the Amazon Web Services General Reference. -
Use the following command to list all of the SSM documents that are available for you. The list includes documents that you created and documents that were shared with you.
-
Use the following command to get a specific document.
-
Use the following command to get a description of the document.
-
Use the following command to view the permissions for the document.
-
Use the following command to modify the permissions for the document and share it. You must be the owner of the document to edit the permissions. Optionally, you can specify a version of the document you want to share using the
--shared-document-version
parameter. If you don't specify a version, the system shares theDefault
version of the document. This example command privately shares the document with a specific individual, based on that person's AWS account ID. -
Use the following command to share a document publicly.
Modify permissions for a shared SSM document
If you share a command, users can view and use that command until you either remove access to the AWS Systems Manager (SSM) document or delete the SSM document. However, you can't delete a document as long as it's shared. You must stop sharing it first and then delete it.
Stop sharing a document (console)
Stop sharing a document
Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/
. In the navigation pane, choose Documents.
-or-
If the AWS Systems Manager home page opens first, choose the menu icon (
) to open the navigation pane, and then choose Documents in the navigation pane.
-
In the documents list, choose the document you want to stop sharing, and then choose View details. On the Permissions tab, verify that you're the document owner. Only a document owner can stop sharing a document.
-
Choose Edit.
-
Choose X to delete the AWS account ID that should no longer have access to the command, and then choose Save.
Stop sharing a document (command line)
Open the AWS CLI or AWS Tools for Windows PowerShell on your local computer and run the following command to stop sharing a command.
Using shared SSM documents
When you share an AWS Systems Manager (SSM) document, the system generates an Amazon
Resource Name (ARN) and assigns it to the command. If you select and run a shared
document from the Systems Manager console, you don't see the ARN. However, if you want to run
a shared SSM document using a method other than the Systems Manager console, you must
specify the full ARN of the document for the DocumentName
request
parameter. You're shown the full ARN for an SSM document when you run the command
to list documents.
Note
You aren't required to specify ARNs for AWS public documents (documents that
begin with AWS-*
) or documents that you own.
Use a shared SSM document (command line)
To list all public SSM documents
To list private SSM documents that have been shared with you
To list all SSM documents available to you
To get information about an SSM document that has been shared with you
To run a shared SSM document