AWS Systems Manager
User Guide


Create a Custom IAM Instance Profile for Session Manager

You can create a custom IAM instance profile that provides permissions for only Session Manager actions on your instances. You can also create a policy to provide the permissions needed for logs of session activity to be sent to Amazon S3 and CloudWatch Logs.

After you create an instance profile, see Attaching an IAM Role to an Instance and Attach or Replace an Instance Profile for information about how to attach the instance profile to an instance. For more information about IAM instance profiles and roles, see Using Instance Profiles and IAM Roles for Amazon EC2 in the IAM User Guide.

Creating an Instance Profile with Minimal Session Manager Permissions (Console)

Use the following procedure to create a custom IAM instance profile with a policy that provides permissions for only Session Manager actions on your instances.

To create an instance profile with minimal Session Manager permissions (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies, and then choose Create policy. (If a Get Started button appears, choose it, and then choose Create Policy.)

  3. Choose the JSON tab.

  4. Replace the default content with the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ssm:UpdateInstanceInformation",
            "ssmmessages:CreateControlChannel",
            "ssmmessages:CreateDataChannel",
            "ssmmessages:OpenControlChannel",
            "ssmmessages:OpenDataChannel"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetEncryptionConfiguration"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt"
          ],
          "Resource": "key-name"
        }
      ]
    }

    About 'ssmmessages'

    For information about ssmmessages, see Reference: ec2messages, ssmmessages, and Other API Calls.

    About 'kms:Decrypt'

    In this policy, the kms:Decrypt permission enables customer key encryption and decryption for session data. If you will use AWS Key Management Service (AWS KMS) encryption for your session data, replace key-name with the ARN of the customer master key (CMK) you want to use, in the format arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-12345EXAMPLE.

    If you will not use AWS KMS encryption for your session data, you can remove the following content from the policy:

    ,
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "key-name"
    }

    For information about using AWS KMS and a CMK to encrypt session data, see Enable AWS KMS Key Encryption of Session Data (Console).

  5. Choose Review policy.

  6. On the Review policy page, for Name, enter a name for the inline policy, such as SessionManagerPermissions.

  7. (Optional) For Description, enter a description for the policy.

  8. Choose Create policy.

  9. In the navigation pane, choose Roles, and then choose Create role.

  10. On the Create role page, choose AWS service, and from the Choose the service that will use this role list, choose EC2.

  11. Choose Next: Permissions.

  12. On the Attached permissions policy page, select the check box to the left of the name of the policy you just created, such as SessionManagerPermissions.

  13. Choose Next: Review.

  14. On the Review page, for Role name, enter a name for the IAM instance profile, such as MySessionManagerInstanceProfile.

  15. (Optional) For Role description, enter a description for the instance profile.

  16. Choose Create role.

Creating an Instance Profile with Permissions for Session Manager and Amazon S3 and CloudWatch Logs (Console)

Use the following procedure to create a custom IAM instance profile with a policy that provides permissions for Session Manager actions on your instances. The policy also provides the permissions needed for session logs to be stored in Amazon S3 buckets and CloudWatch Logs log groups.

For information about specifying preferences for storing session logs, see Auditing and Logging Session Activity.

To create an instance profile with permissions for Session Manager and Amazon S3 and CloudWatch Logs (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies, and then choose Create policy. (If a Get Started button appears, choose it, and then choose Create Policy.)

  3. Choose the JSON tab.

  4. Replace the default content with the following. Be sure to replace s3-bucket-name and s3-bucket-prefix with the names for your bucket and its prefix (if any). For information about ssmmessages in the following policy, see Reference: ec2messages, ssmmessages, and Other API Calls.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ssmmessages:CreateControlChannel",
            "ssmmessages:CreateDataChannel",
            "ssmmessages:OpenControlChannel",
            "ssmmessages:OpenDataChannel",
            "ssm:UpdateInstanceInformation"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject"
          ],
          "Resource": "arn:aws:s3:::s3-bucket-name/s3-bucket-prefix"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetEncryptionConfiguration"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "kms:GenerateDataKey",
          "Resource": "*"
        }
      ]
    }

    Important

    To output session logs to an Amazon S3 bucket owned by a different AWS account, you must add the IAM s3:PutObjectAcl permission to this policy. If this permission isn't added, the account that owns the S3 bucket cannot access the session output logs.

  5. Choose Review policy.

  6. On the Review policy page, for Name, enter a name for the inline policy, such as SessionManagerPermissions.

  7. (Optional) For Description, enter a description for the policy.

  8. Choose Create policy.

  9. In the navigation pane, choose Roles, and then choose Create role.

  10. On the Create role page, choose AWS service, and from the Choose the service that will use this role list, choose EC2.

  11. Choose Next: Permissions.

  12. On the Attached permissions policy page, select the check box to the left of the name of the policy you just created, such as SessionManagerPermissions.

  13. Choose Next: Review.

  14. On the Review page, for Role name, enter a name for the IAM instance profile, such as MySessionManagerInstanceProfile.

  15. (Optional) For Role description, enter a description for the instance profile.

  16. Choose Create role.
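As an added example, not code from this guide or from AWS: a Python helper that assembles the policy document for both procedures above (the minimal Session Manager policy, with the kms:Decrypt statement dropped when KMS is not used, and the Amazon S3 and CloudWatch Logs variant, with s3:PutObjectAcl added for a bucket in another account) and a least-privilege check that flags sensitive actions granted on Resource "*". The CMK ARN pattern is a syntax check written here, and the bucket, prefix and ARN values are constructed placeholders.

```python
import re

# Shape of a CMK ARN as the guide shows it (a syntax check added here, not an AWS API call).
CMK_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9A-Za-z-]+$")
SESSION_ACTIONS = ["ssm:UpdateInstanceInformation", "ssmmessages:CreateControlChannel",
                   "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel",
                   "ssmmessages:OpenDataChannel"]
LOG_ACTIONS = ["logs:CreateLogStream", "logs:PutLogEvents",
               "logs:DescribeLogGroups", "logs:DescribeLogStreams"]


def is_cmk_arn(value):
    """True only for a CMK ARN, so the guide's key-name placeholder is rejected."""
    return bool(CMK_ARN_RE.match(value))


def session_manager_policy(cmk_arn=None, s3_bucket=None, s3_prefix="",
                           cross_account_bucket=False, cloudwatch=False):
    """Build the instance-profile policy document from the guide's two variants.
    cmk_arn=None omits kms:Decrypt (no KMS session encryption). s3_bucket adds
    s3:PutObject plus kms:GenerateDataKey; cross_account_bucket also adds the
    s3:PutObjectAcl the Important note requires. cloudwatch adds the logs statement."""
    statements = [
        {"Effect": "Allow", "Action": SESSION_ACTIONS, "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetEncryptionConfiguration"], "Resource": "*"},
    ]
    if cmk_arn is not None:
        if not is_cmk_arn(cmk_arn):
            raise ValueError("replace key-name with the CMK ARN, got %r" % cmk_arn)
        statements.append({"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": cmk_arn})
    if cloudwatch:
        statements.append({"Effect": "Allow", "Action": LOG_ACTIONS, "Resource": "*"})
    if s3_bucket:
        s3_actions = ["s3:PutObject"] + (["s3:PutObjectAcl"] if cross_account_bucket else [])
        statements.append({"Effect": "Allow", "Action": s3_actions,
                           "Resource": "arn:aws:s3:::%s/%s" % (s3_bucket, s3_prefix)})
        statements.append({"Effect": "Allow", "Action": "kms:GenerateDataKey", "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def actions_of(statement):
    """IAM lets Action be one string or a list; always return a list."""
    a = statement["Action"]
    return a if isinstance(a, list) else [a]


def wildcard_resource_actions(policy, watch=("kms:Decrypt", "s3:PutObject", "s3:PutObjectAcl")):
    """Least-privilege check: watched actions that some statement grants on Resource '*'."""
    return [a for st in policy["Statement"] if st.get("Resource") == "*"
            for a in actions_of(st) if a in watch]
```

Paste the returned document into the JSON tab in step 4, or run `wildcard_resource_actions` over a policy you already have to confirm the kms:Decrypt and S3 write statements are still scoped to a specific key and bucket.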