AWS Systems Manager
User Guide

Add Session Manager Permissions to an Existing Instance Profile

Follow these steps to embed Session Manager permissions in an existing an IAM instance profile that does not rely on the AWS-provided default policy AmazonEC2RoleforSSM for instance permissions. Note that this procedure assumes that your existing profile already includes other Systems Manager ssm permissions for actions you want to allow access to. This policy alone is not enough to use Session Manager.

  1. Sign in to the AWS Management Console and open the IAM console at

  2. In the navigation pane, choose Roles.

  3. In the list, choose the name of the role to embed a policy in.

  4. Choose the Permissions tab.

  5. Scroll to the bottom of the page and choose Add inline policy.

  6. Choose the JSON tab.

  7. Replace the default content with the following:

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetEncryptionConfiguration" ], "Resource": "*" } ] }


    For information about ssmmessages, see Reference: ec2messages, ssmmessages, and Other API Calls.

  8. Choose Review policy.

  9. On the Review policy page, for Name, enter a name for the inline policy. For example: SessionManagerPermissions.

  10. Choose Create policy.