AWS Systems Manager
User Guide


Quickstart Default IAM Policies for Session Manager

Use the following samples to help you create IAM policies that provide the most commonly needed permissions for Session Manager access.

Note

You can also use an AWS KMS key policy to control which IAM users, IAM roles, and AWS accounts are given access to your CMK. For information, see Overview of Managing Access to Your AWS KMS Resources and Using Key Policies in AWS KMS in the AWS Key Management Service Developer Guide.

Quickstart End User Policy for Session Manager

Use the following example to create an IAM end user policy for Session Manager. It gives end users the ability to start a session to a particular instance and the ability to end only their own sessions. Refer to Additional Sample IAM Policies for Session Manager for examples of customizations you might want to make to the policy.

Replace instance-id with the ID of the instance you want to grant access to, in the format i-02573cafcfEXAMPLE. Replace region and account-id with your AWS Region and AWS Account ID, such as us-east-2 and 111122223333.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/instance-id"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeSessions",
                "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceProperties",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetDocument"
            ],
            "Resource": [
                "arn:aws:ssm:region:account-id:document/SSM-SessionManagerRunShell"
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:TerminateSession"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:session/${aws:username}-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey"
            ],
            "Resource": "key-name"
        }
    ]
}

SSM-SessionManagerRunShell is the default name of the SSM document that Session Manager creates to store your session configuration preferences. You can create a custom configuration document and specify it in this policy instead. You can also specify the AWS-provided document AWS-StartSSHSession for users who are starting sessions using SSH. For information about the configuration steps needed to support sessions using SSH, see (Optional) Enable SSH Connections Through Session Manager.

If you specify the condition element ssm:SessionDocumentAccessCheck as true, the system checks that a user was granted explicit access to the configuration document SSM-SessionManagerRunShell before allowing a session to start. For more information, see Enforce Document Permission Check for Default CLI Scenario.

About kms:GenerateDataKey

The kms:GenerateDataKey permission enables the creation of a data encryption key that will be used to encrypt session data. If you will use AWS Key Management Service (AWS KMS) encryption for your session data, replace key-name with the ARN of the customer master key (CMK) you want to use, in the format arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-12345EXAMPLE.

If you will not use AWS KMS key encryption for your session data, remove the following content from the policy:

,
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey"
            ],
            "Resource": "key-name"
        }

For information about AWS KMS and CMKs for encrypting session data, see Enable AWS KMS Key Encryption of Session Data (Console).

Quickstart Administrator Policy for Session Manager

Use the following example to create an IAM administrator policy for Session Manager. It provides administrators the ability to start a session to instances that are tagged with Key=Finance,Value=WebServers, permission to create, update and delete preferences, and permission to end only their own sessions. Refer to Additional Sample IAM Policies for Session Manager for examples of customizations you might want to make to the policy.

Note

Update the tag/value pair Key=Finance,Value=WebServers with the tags applied to your instances. Replace region and account-id with your AWS Region and AWS Account ID, such as us-east-2 and 111122223333.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringLike": {
                    "ssm:resourceTag/Finance": [
                        "WebServers"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeSessions",
                "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceProperties",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:CreateDocument",
                "ssm:UpdateDocument",
                "ssm:GetDocument"
            ],
            "Resource": "arn:aws:ssm:region:account-id:document/SSM-SessionManagerRunShell"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:TerminateSession"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:session/${aws:username}-*"
            ]
        }
    ]
}
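As an added example that is not part of the AWS documentation, the following Python builds the end user policy from its placeholders (emitting the kms:GenerateDataKey statement only when a CMK ARN is supplied) and lints either the end user or the administrator policy for the two scope decisions both samples depend on: ssm:StartSession limited to one instance or gated by a tag condition, and ssm:TerminateSession limited to the caller's own sessions. The function names and the placeholder markers are assumptions made for this example.

```python
# Added example, not AWS's own code: build and lint Session Manager policies.
import json

SESSION_DOC = "SSM-SessionManagerRunShell"
# Substrings that show a placeholder from the page was never replaced.
PLACEHOLDERS = {"instance-id": '/instance-id"', "region": ":region:",
                "account-id": ":account-id:", "key-name": '"key-name"'}

def end_user_policy(instance_id, region, account_id, kms_key_arn=None):
    """Quickstart end user policy; the kms:GenerateDataKey statement is
    emitted only when a CMK ARN is given, as the page describes."""
    statements = [
        {"Effect": "Allow", "Action": ["ssm:StartSession"],
         "Resource": [f"arn:aws:ec2:*:*:instance/{instance_id}"]},
        {"Effect": "Allow",
         "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                    "ssm:DescribeInstanceProperties", "ec2:DescribeInstances"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["ssm:GetDocument"],
         "Resource": [f"arn:aws:ssm:{region}:{account_id}:document/{SESSION_DOC}"],
         "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}},
        {"Effect": "Allow", "Action": ["ssm:TerminateSession"],
         "Resource": ["arn:aws:ssm:*:*:session/${aws:username}-*"]},
    ]
    if kms_key_arn:
        statements.append({"Effect": "Allow", "Action": ["kms:GenerateDataKey"],
                           "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_session_policy(policy):
    """Return findings where the policy is looser than the quickstart samples."""
    text = json.dumps(policy)
    findings = [f"placeholder {name} was not replaced"
                for name, marker in PLACEHOLDERS.items() if marker in text]
    for stmt in (s for s in policy["Statement"] if s.get("Effect") == "Allow"):
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        # Any-instance StartSession is acceptable only behind a tag condition.
        if "ssm:StartSession" in actions and "Condition" not in stmt and any(
                r == "*" or r.endswith("instance/*") for r in resources):
            findings.append("ssm:StartSession allows any instance without a tag condition")
        # Users should only be able to end sessions they started themselves.
        if "ssm:TerminateSession" in actions and not all(
                r.endswith("session/${aws:username}-*") for r in resources):
            findings.append("ssm:TerminateSession is not limited to the caller's own sessions")
    return findings
```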