AWS Systems Manager
User Guide

Create a Custom IAM Instance Profile for Session Manager (Console)

You can create a custom IAM instance profile that provides permissions for only Session Manager actions on your instances. You can also create a policy to provide the permissions needed for logs of session activity to be sent to Amazon S3 and CloudWatch Logs.

After you create an instance profile, see Attaching an IAM Role to an Instance and Attach or Replace an Instance Profile for information about how to attach the instance profile to an instance. For more information about IAM instance profiles and roles, see Using Instance Profile and IAM Roles for Amazon EC2 in the IAM User Guide.

Create an Instance Profile with Minimal Session Manager Permissions

Use the following procedure to create a custom IAM instance profile with a policy that provides permissions for only Session Manager actions on your instances.

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies, and then choose Create policy. (If a Get Started button appears, choose it, and then choose Create Policy.)

  3. Choose the JSON tab.

  4. Replace the default content with the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ssm:UpdateInstanceInformation",
            "ssmmessages:CreateControlChannel",
            "ssmmessages:CreateDataChannel",
            "ssmmessages:OpenControlChannel",
            "ssmmessages:OpenDataChannel"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetEncryptionConfiguration"
          ],
          "Resource": "*"
        }
      ]
    }

    Note

    For information about ssmmessages, see Reference: ec2messages, ssmmessages, and Other API Calls.

  5. Choose Review policy.

  6. On the Review policy page, for Name, enter a name for the inline policy. For example: SessionManagerPermissions.

  7. (Optional) For Description, enter a description for the policy.

  8. Choose Create policy.

  9. In the navigation pane, choose Roles, and then choose Create role.

  10. On the Create role page, choose AWS service, and from the Choose the service that will use this role list, choose EC2.

  11. Choose Next: Permissions.

  12. On the Attached permissions policy page, select the check box to the left of the name of the policy you just created. For example: SessionManagerPermissions.

  13. Choose Next: Review.

  14. On the Review page, for Role name, enter a name for the IAM instance profile. For example: MySessionManagerInstanceProfile.

  15. (Optional) For Role description, enter a description for the instance profile.

  16. Choose Create role.

Create an Instance Profile with Permissions for Session Manager and Amazon S3 and CloudWatch Logging

Use the following procedure to create a custom IAM instance profile with a policy that provides permissions for Session Manager actions on your instances. It also provides the permissions needed for session logs to be stored in Amazon S3 buckets and CloudWatch Logs log groups.

For information about specifying preferences for storing session logs, see Auditing and Logging Session Activity.

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies, and then choose Create policy. (If a Get Started button appears, choose it, and then choose Create Policy.)

  3. Choose the JSON tab.

  4. Replace the default content with the following. Be sure to replace s3-bucket-name and s3-bucket-prefix with the names for your bucket and its prefix (if any):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ssmmessages:CreateControlChannel",
            "ssmmessages:CreateDataChannel",
            "ssmmessages:OpenControlChannel",
            "ssmmessages:OpenDataChannel",
            "ssm:UpdateInstanceInformation"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject"
          ],
          "Resource": "arn:aws:s3:::s3-bucket-name/s3-bucket-prefix"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetEncryptionConfiguration"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "kms:GenerateDataKey",
          "Resource": "*"
        }
      ]
    }

    Note

    For information about ssmmessages, see Reference: ec2messages, ssmmessages, and Other API Calls.

  5. Choose Review policy.

  6. On the Review policy page, for Name, enter a name for the inline policy. For example: SessionManagerPermissions.

  7. (Optional) For Description, enter a description for the policy.

  8. Choose Create policy.

  9. In the navigation pane, choose Roles, and then choose Create role.

  10. On the Create role page, choose AWS service, and from the Choose the service that will use this role list, choose EC2.

  11. Choose Next: Permissions.

  12. On the Attached permissions policy page, select the check box to the left of the name of the policy you just created. For example: SessionManagerPermissions.

  13. Choose Next: Review.

  14. On the Review page, for Role name, enter a name for the IAM instance profile. For example: MySessionManagerInstanceProfile.

  15. (Optional) For Role description, enter a description for the instance profile.

  16. Choose Create role.
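Both procedures above paste a fixed JSON document into the console and rely on the console to create the role's trust relationship. The following is an added example (not code from the AWS documentation) that builds the same two permission policies in Python, substitutes your bucket and prefix into the S3 statement, produces the EC2 trust policy that choosing "EC2" in step 10 creates behind the scenes, and lints a policy for drift beyond the scope this page describes (wildcard actions, unlisted actions on Resource "*", or s3:PutObject on anything other than a bucket ARN). It uses only the standard library, so it runs offline. The bucket and prefix values are constructed samples, and the trailing "/*" on the object ARN is my choice, added so that s3:PutObject matches every key under the prefix rather than a single object literally named after the prefix; the page's placeholder ARN does not spell that out.

```python
"""Session Manager instance-profile policies from this page, built and linted in Python.

Added example, not AWS documentation code. Standard library only; runs offline.
"""
import json

# Actions the page grants on Resource "*" for the Session Manager channel itself.
SESSION_ACTIONS = [
    "ssm:UpdateInstanceInformation",
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
]
# Extra actions the second policy grants for CloudWatch Logs delivery.
LOG_ACTIONS = [
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
]
# Everything this page allows on Resource "*"; anything else on "*" is flagged.
WILDCARD_OK = set(SESSION_ACTIONS) | set(LOG_ACTIONS) | {
    "s3:GetEncryptionConfiguration",
    "kms:GenerateDataKey",
}


def minimal_policy():
    """First procedure: Session Manager actions only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(SESSION_ACTIONS), "Resource": "*"},
            {"Effect": "Allow", "Action": ["s3:GetEncryptionConfiguration"], "Resource": "*"},
        ],
    }


def logging_policy(bucket, prefix=""):
    """Second procedure: Session Manager plus S3 and CloudWatch Logs delivery.

    `bucket`/`prefix` replace the page's s3-bucket-name and s3-bucket-prefix.
    The "/*" suffix (my choice, not on the page) makes s3:PutObject match every
    object key under the prefix instead of one key literally named `prefix`.
    """
    prefix = prefix.strip("/")
    object_arn = f"arn:aws:s3:::{bucket}/{prefix + '/' if prefix else ''}*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(SESSION_ACTIONS), "Resource": "*"},
            {"Effect": "Allow", "Action": list(LOG_ACTIONS), "Resource": "*"},
            {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": object_arn},
            {"Effect": "Allow", "Action": ["s3:GetEncryptionConfiguration"], "Resource": "*"},
            {"Effect": "Allow", "Action": "kms:GenerateDataKey", "Resource": "*"},
        ],
    }


def ec2_trust_policy():
    """Trust policy the console attaches when you choose EC2 in step 10."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings where the policy is broader than this page intends (empty = in scope)."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if "*" in action:
                findings.append(f"statement {idx}: wildcard action {action!r}")
            elif action == "s3:PutObject":
                # Writes must be confined to your own log bucket, never "*" or arn:aws:s3:::*.
                scoped = all(r.startswith("arn:aws:s3:::") and not r.startswith("arn:aws:s3:::*") for r in resources)
                if not scoped:
                    findings.append(f"statement {idx}: s3:PutObject must be scoped to your log bucket")
            elif "*" in resources and action not in WILDCARD_OK:
                findings.append(f"statement {idx}: {action!r} on Resource '*' is not part of this page's policy")
    return findings


def render(policy):
    """JSON text for the console's JSON tab or `aws iam create-policy --policy-document`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    sample = logging_policy("my-session-logs", "sessions")  # constructed sample values
    print(render(sample))
    print("lint:", lint_policy(sample) or "clean")
```

`render()` output is what you paste in step 4 of either procedure; `ec2_trust_policy()` is what you would pass as `--assume-role-policy-document` to `aws iam create-role` if you scripted steps 9 through 16 instead of using the console. Running `lint_policy()` over a policy pulled back from IAM later is a cheap way to catch someone widening `s3:PutObject` to `*` or adding `ssm:*` to an instance profile that should only ever open session channels.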