Step 1: Create an IAM policy with Fleet Manager permissions - AWS Systems Manager

Step 1: Create an IAM policy with Fleet Manager permissions

To use Fleet Manager, a capability of AWS Systems Manager, your AWS Identity and Access Management (IAM) user or role must have the required permissions. You can create an IAM policy that provides access to all Fleet Manager features, or modify your policy to grant access to the features you choose. The following policy samples provide the required permissions for all Fleet Manager features and the permissions needed for subsets of features.

Note

In all the following policies, replace key-name with the name of the AWS Key Management Service (AWS KMS) key you want to use to encrypt Session Manager session data. Replace region and account-id with your AWS Region and AWS account ID, such as us-east-2 and 111122223333.

Administrator policy

The following policy provides permissions to all Fleet Manager features. This means a user can create and delete local users and groups, modify group membership for any local group, and modify Windows registry keys or values.

{ "Version":"2012-10-17", "Statement":[ { "Sid":"EC2", "Effect":"Allow", "Action":[ "ec2:CreateTags", "ec2:DeleteTags", "ec2:DescribeInstances", "ec2:DescribeTags" ], "Resource":"*" }, { "Sid":"General", "Effect":"Allow", "Action":[ "ssm:AddTagsToResource", "ssm:DescribeInstanceAssociationsStatus", "ssm:DescribeInstancePatches", "ssm:DescribeInstancePatchStates", "ssm:DescribeInstanceProperties", "ssm:GetCommandInvocation", "ssm:GetServiceSetting", "ssm:GetInventorySchema", "ssm:ListComplianceItems", "ssm:ListInventoryEntries", "ssm:ListTagsForResource", "ssm:ListCommandInvocations", "ssm:ListAssociations", "ssm:RemoveTagsFromResource" ], "Resource":"*" }, { "Sid":"SendCommand", "Effect":"Allow", "Action":[ "ssm:GetDocument", "ssm:SendCommand", "ssm:StartSession" ], "Resource":[ "arn:aws:ec2:*:account-id:instance/*", "arn:aws:ssm:*:account-id:managed-instance/*", "arn:aws:ssm:*:account-id:document/SSM-SessionManagerRunShell", "arn:aws:ssm:*:*:document/AWS-PasswordReset", "arn:aws:ssm:*:*:document/AWSFleetManager-AddUsersToGroups", "arn:aws:ssm:*:*:document/AWSFleetManager-CreateGroup", "arn:aws:ssm:*:*:document/AWSFleetManager-CreateUser", "arn:aws:ssm:*:*:document/AWSFleetManager-CreateUserInteractive", "arn:aws:ssm:*:*:document/AWSFleetManager-CreateWindowsRegistryKey", "arn:aws:ssm:*:*:document/AWSFleetManager-DeleteGroup", "arn:aws:ssm:*:*:document/AWSFleetManager-DeleteUser", "arn:aws:ssm:*:*:document/AWSFleetManager-DeleteWindowsRegistryKey", "arn:aws:ssm:*:*:document/AWSFleetManager-DeleteWindowsRegistryValue", "arn:aws:ssm:*:*:document/AWSFleetManager-GetFileContent", "arn:aws:ssm:*:*:document/AWSFleetManager-GetFileSystemContent", "arn:aws:ssm:*:*:document/AWSFleetManager-GetGroups", "arn:aws:ssm:*:*:document/AWSFleetManager-GetPerformanceCounters", "arn:aws:ssm:*:*:document/AWSFleetManager-GetUsers", "arn:aws:ssm:*:*:document/AWSFleetManager-GetWindowsEvents", "arn:aws:ssm:*:*:document/AWSFleetManager-GetWindowsRegistryContent", "arn:aws:ssm:*:*:document/AWSFleetManager-RemoveUsersFromGroups", "arn:aws:ssm:*:*:document/AWSFleetManager-SetWindowsRegistryValue" ], "Condition":{ "BoolIfExists":{ "ssm:SessionDocumentAccessCheck":"true" } } }, { "Sid":"TerminateSession", "Effect":"Allow", "Action":[ "ssm:TerminateSession" ], "Resource":"*", "Condition":{ "StringLike":{ "ssm:resourceTag/aws:ssmmessages:session-id":[ "${aws:userid}" ] } } }, { "Sid":"KMS", "Effect":"Allow", "Action":[ "kms:GenerateDataKey" ], "Resource":[ "arn:aws:kms:region:account-id:key/key-name" ] } ] }

Read-only features policy

The following policy provides permissions to read-only Fleet Manager features.

{ "Version":"2012-10-17", "Statement":[ { "Sid":"EC2", "Effect":"Allow", "Action":[ "ec2:DescribeInstances", "ec2:DescribeTags" ], "Resource":"*" }, { "Sid":"General", "Effect":"Allow", "Action":[ "ssm:DescribeInstanceAssociationsStatus", "ssm:DescribeInstancePatches", "ssm:DescribeInstancePatchStates", "ssm:DescribeInstanceProperties", "ssm:GetCommandInvocation", "ssm:GetServiceSetting", "ssm:GetInventorySchema", "ssm:ListComplianceItems", "ssm:ListInventoryEntries", "ssm:ListTagsForResource", "ssm:ListCommandInvocations", "ssm:ListAssociations" ], "Resource":"*" }, { "Sid":"SendCommand", "Effect":"Allow", "Action":[ "ssm:GetDocument", "ssm:SendCommand", "ssm:StartSession" ], "Resource":[ "arn:aws:ec2:*:account-id:instance/*", "arn:aws:ssm:*:account-id:managed-instance/*", "arn:aws:ssm:*:account-id:document/SSM-SessionManagerRunShell", "arn:aws:ssm:*:*:document/AWSFleetManager-GetFileContent", "arn:aws:ssm:*:*:document/AWSFleetManager-GetFileSystemContent", "arn:aws:ssm:*:*:document/AWSFleetManager-GetGroups", "arn:aws:ssm:*:*:document/AWSFleetManager-GetPerformanceCounters", "arn:aws:ssm:*:*:document/AWSFleetManager-GetUsers", "arn:aws:ssm:*:*:document/AWSFleetManager-GetWindowsEvents", "arn:aws:ssm:*:*:document/AWSFleetManager-GetWindowsRegistryContent" ], "Condition":{ "BoolIfExists":{ "ssm:SessionDocumentAccessCheck":"true" } } }, { "Sid":"TerminateSession", "Effect":"Allow", "Action":[ "ssm:TerminateSession" ], "Resource":"*", "Condition":{ "StringLike":{ "ssm:resourceTag/aws:ssmmessages:session-id":[ "${aws:userid}" ] } } }, { "Sid":"KMS", "Effect":"Allow", "Action":[ "kms:GenerateDataKey" ], "Resource":[ "arn:aws:kms:region:account-id:key/key-name" ] } ] }