Create a custom IAM role for Session Manager
You can create a custom AWS Identity and Access Management (IAM) role that provides permissions for only Session Manager actions on your instances. You can also include a policy to provide the permissions needed for session logs to be sent to Amazon Simple Storage Service (Amazon S3) and Amazon CloudWatch Logs.
After you create the IAM role, see Attaching an IAM Role to an Instance and Attach or Replace an Instance Profile
Topics
Creating an IAM role with minimal Session Manager permissions (console)
Use the following procedure to create a custom IAM role with a policy that provides permissions for only Session Manager actions on your instances.
To create an instance profile with minimal Session Manager permissions (console)
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Policies, and then choose Create policy. (If a Get Started button is displayed, choose it, and then choose Create Policy.)
-
Choose the JSON tab.
-
Replace the default content with the following policy. Replace
key-namewith the Amazon Resource Name (ARN) of the KMS key you want to use.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:UpdateInstanceInformation", "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetEncryptionConfiguration" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "key-name" } ] }For information about using a KMS key to encrypt session data, see Turn on KMS key encryption of session data (console).
If you won't use AWS KMS encryption for your session data, you can remove the following content from the policy.
, { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "key-name" } -
Choose Next: Tags.
-
(Optional) Add tags by choosing Add tag, and entering the preferred tags for the policy.
-
Choose Next: Review.
-
On the Review policy page, for Name, enter a name for the inline policy, such as
SessionManagerPermissions. -
(Optional) For Description, enter a description for the policy.
-
Choose Create policy.
-
In the navigation pane, choose Roles, and then choose Create role.
-
On the Create role page, choose AWS service, and for Use case, choose EC2.
-
Choose Next.
-
On the Add permissions page, select the check box to the left of name of the policy you just created, such as
SessionManagerPermissions. -
Choose Next.
-
On the Name, review, and create page, for Role name, enter a name for the IAM role, such as
MySessionManagerRole. -
(Optional) For Role description, enter a description for the instance profile.
-
(Optional) Add tags by choosing Add tag, and entering the preferred tags for the role.
Choose Create role.
For information about ssmmessages actions, see Reference: ec2messages,
ssmmessages, and other API operations.
Creating an IAM role with permissions for Session Manager and Amazon S3 and CloudWatch Logs (console)
Use the following procedure to create a custom IAM role with a policy that provides permissions for Session Manager actions on your instances. The policy also provides the permissions needed for session logs to be stored in Amazon Simple Storage Service (Amazon S3) buckets and Amazon CloudWatch Logs log groups.
To output session logs to an Amazon S3 bucket owned by a different
AWS account, you must add the s3:PutObjectAcl permission
to the IAM role policy. If this permission isn't added, the account
that owns the Amazon S3 bucket can't access the session output logs.
For information about specifying preferences for storing session logs, see Logging session activity.
To create an IAM role with permissions for Session Manager and Amazon S3 and CloudWatch Logs (console)
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Policies, and then choose Create policy. (If a Get Started button is displayed, choose it, and then choose Create Policy.)
-
Choose the JSON tab.
-
Replace the default content with the following policy. Replace each
example resource placeholderwith your own information.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel", "ssm:UpdateInstanceInformation" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/s3-bucket-prefix/*" }, { "Effect": "Allow", "Action": [ "s3:GetEncryptionConfiguration" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "key-name" }, { "Effect": "Allow", "Action": "kms:GenerateDataKey", "Resource": "*" } ] } -
Choose Next: Tags.
-
(Optional) Add tags by choosing Add tag, and entering the preferred tags for the policy.
-
Choose Next: Review.
-
On the Review policy page, for Name, enter a name for the inline policy, such as
SessionManagerPermissions. -
(Optional) For Description, enter a description for the policy.
-
Choose Create policy.
-
In the navigation pane, choose Roles, and then choose Create role.
-
On the Create role page, choose AWS service, and for Use case, choose EC2.
-
Choose Next.
-
On the Add permissions page, select the check box to the left of name of the policy you just created, such as
SessionManagerPermissions. -
Choose Next.
-
On the Name, review, and create page, for Role name, enter a name for the IAM role, such as
MySessionManagerRole. -
(Optional) For Role description, enter a description for the role.
-
(Optional) Add tags by choosing Add tag, and entering the preferred tags for the role.
-
Choose Create role.
