AWS managed policies for AWS Systems Manager - AWS Systems Manager

AWS managed policies for AWS Systems Manager

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AWS managed policy: AmazonSSMServiceRolePolicy

You can't attach AmazonSSMServiceRolePolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows AWS Systems Manager to perform actions on your behalf. For more information, see Using roles to collect inventory and view OpsData.

AmazonSSMServiceRolePolicy allows Systems Manager to complete the following actions on all related resources ("Resource": "*"), except where indicated:

  • ssm:CancelCommand

  • ssm:GetCommandInvocation

  • ssm:ListCommandInvocations

  • ssm:ListCommands

  • ssm:SendCommand

  • ssm:GetAutomationExecution

  • ssm:GetParameters

  • ssm:StartAutomationExecution

  • ssm:StopAutomationExecution

  • ssm:ListTagsForResource

  • ssm:GetCalendarState

  • ssm:UpdateServiceSetting [1]

  • ssm:GetServiceSetting [1]

  • ec2:DescribeInstanceAttribute

  • ec2:DescribeInstanceStatus

  • ec2:DescribeInstances

  • lambda:InvokeFunction [2]

  • states:DescribeExecution [3]

  • states:StartExecution [3]

  • resource-groups:ListGroups

  • resource-groups:ListGroupResources

  • resource-groups:GetGroupQuery

  • tag:GetResources

  • config:SelectResourceConfig

  • config:DescribeComplianceByConfigRule

  • config:DescribeComplianceByResource

  • config:DescribeRemediationConfigurations

  • config:DescribeConfigurationRecorders

  • cloudwatch:DescribeAlarms

  • compute-optimizer:GetEC2InstanceRecommendations

  • compute-optimizer:GetEnrollmentStatus

  • support:DescribeTrustedAdvisorChecks

  • support:DescribeTrustedAdvisorCheckSummaries

  • support:DescribeTrustedAdvisorCheckResult

  • support:DescribeCases

  • iam:PassRole [4]

  • cloudformation:DescribeStacks

  • cloudformation:ListStackResources

  • cloudformation:ListStackInstances [5]

  • cloudformation:DescribeStackSetOperation [5]

  • cloudformation:DeleteStackSet [5]

  • cloudformation:DeleteStackInstances [6]

  • events:PutRule [7]

  • events:PutTargets [7]

  • events:RemoveTargets [8]

  • events:DeleteRule [8]

  • events:DescribeRule

  • securityhub:DescribeHub

[1] The ssm:UpdateServiceSetting and ssm:GetServiceSetting actions are allowed permissions for the following resources only.

arn:aws:ssm:*:*:servicesetting/ssm/opsitem/* arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*

[2] The lambda:InvokeFunction action is allowed permissions for the following resources only.

arn:aws:lambda:*:*:function:SSM* arn:aws:lambda:*:*:function:*:SSM*

[3] The states: actions are allowed permissions on the following resources only.

arn:aws:states:*:*:stateMachine:SSM* arn:aws:states:*:*:execution:SSM*

[4] The iam:PassRole action is allowed permissions by the following condition for the Systems Manager service only.

"Condition": { "StringEquals": { "iam:PassedToService": [ "ssm.amazonaws.com" ] } }

[5] The cloudformation:ListStackInstances, cloudformation:DescribeStackSetOperation, and cloudformation:DeleteStackSet actions are allowed permissions on the following resource only.

arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*

[6] The cloudformation:DeleteStackInstances action is allowed permissions on the following resources only.

arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:* arn:aws:cloudformation:*:*:stackset-target/AWS-QuickSetup-SSM*:* arn:aws:cloudformation:*:*:type/resource/*

[7] The events:PutRule and events:PutTargets actions are allowed permissions by the following condition for the Systems Manager service only.

"Condition": { "StringEquals": { "events:ManagedBy": "ssm.amazonaws.com" } }

[8] The events:RemoveTargets and events:DeleteRule actions are allowed permissions on the following resource only.

arn:aws:events:*:*:rule/SSMExplorerManagedRule

To view more details about the policy, including the latest version of the JSON policy document, see AmazonSSMServiceRolePolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: AmazonSSMReadOnlyAccess

You can attach the AmazonSSMReadOnlyAccess policy to your IAM identities. This policy grants read-only access to AWS Systems Manager API operations including Describe*, Get*, and List*.

To view more details about the policy, including the latest version of the JSON policy document, see AmazonSSMReadOnlyAccess in the AWS Managed Policy Reference Guide.

AWS managed policy: AWSSystemsManagerOpsDataSyncServiceRolePolicy

You can't attach AWSSystemsManagerOpsDataSyncServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see Using roles to create OpsData and OpsItems for Explorer.

AWSSystemsManagerOpsDataSyncServiceRolePolicy allows the AWSServiceRoleForSystemsManagerOpsDataSync service-linked role to create and update OpsItems and OpsData from AWS Security Hub findings.

The policy allows Systems Manager to complete the following actions on all related resources ("Resource": "*"), except where indicated:

  • ssm:GetOpsItem [1]

  • ssm:UpdateOpsItem [1]

  • ssm:CreateOpsItem

  • ssm:AddTagsToResource [2]

  • ssm:UpdateServiceSetting [3]

  • ssm:GetServiceSetting [3]

  • securityhub:GetFindings

  • securityhub:GetFindings

  • securityhub:BatchUpdateFindings [4]

[1] The ssm:GetOpsItem and ssm:UpdateOpsItem actions are allowed permissions by the following condition for the Systems Manager service only.

"Condition": { "StringEquals": { "aws:ResourceTag/ExplorerSecurityHubOpsItem": "true" } }

[2] The ssm:AddTagsToResource action is allowed permissions for the following resource only.

arn:aws:ssm:*:*:opsitem/*

[3] The ssm:UpdateServiceSetting and ssm:GetServiceSetting actions are allowed permissions for the following resources only.

arn:aws:ssm:*:*:servicesetting/ssm/opsitem/* arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*

[4] The securityhub:BatchUpdateFindings are denied permissions by the following condition for the Systems Manager service only.

{ "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*", "Condition": { "StringEquals": { "securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED" } } }, { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*", "Condition": { "Null": { "securityhub:ASFFSyntaxPath/Confidence": false } } }, { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*", "Condition": { "Null": { "securityhub:ASFFSyntaxPath/Criticality": false } } }, { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*", "Condition": { "Null": { "securityhub:ASFFSyntaxPath/Note.Text": false } } }, { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*", "Condition": { "Null": { "securityhub:ASFFSyntaxPath/Note.UpdatedBy": false } } }, { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*", "Condition": { "Null": { "securityhub:ASFFSyntaxPath/RelatedFindings": false } } }, { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*", "Condition": { "Null": { "securityhub:ASFFSyntaxPath/Types": false } } }, { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*", "Condition": { "Null": { "securityhub:ASFFSyntaxPath/UserDefinedFields.key": false } } }, { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*", "Condition": { "Null": { "securityhub:ASFFSyntaxPath/UserDefinedFields.value": false } } }, { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*", "Condition": { "Null": { "securityhub:ASFFSyntaxPath/VerificationState": false } }

To view more details about the policy, including the latest version of the JSON policy document, see AWSSystemsManagerOpsDataSyncServiceRolePolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: AmazonSSMManagedEC2InstanceDefaultPolicy

You should only attach AmazonSSMManagedEC2InstanceDefaultPolicy to IAM roles for Amazon EC2 instances that you want to have permission to use Systems Manager functionality. You shouldn't attached this role to other IAM entities, such as IAM users and IAM groups, or to IAM roles that serve other purposes. For more information, see Default Host Management Configuration.

This policy grants permissions that allow the SSM Agent on your Amazon EC2 instance to retrieve Documents, execute commands using Run Command, establish sessions using Session Manager, collect an inventory of the instance, and scan for patches and patch compliance using Patch Manager.

Systems Manager uses a personalized authorization token for each instance to ensure that SSM Agent performs the API operations on the correct instance. Systems Manager validates the personalized authorization token against the Amazon Resource Name (ARN) of the instance, provided in the API operation.

The AmazonSSMManagedEC2InstanceDefaultPolicy role permissions policy allows Systems Manager to complete the following actions on all related resources:

  • ssm:DescribeAssociation

  • ssm:GetDeployablePatchSnapshotForInstance

  • ssm:GetDocument

  • ssm:DescribeDocument

  • ssm:GetManifest

  • ssm:ListAssociations

  • ssm:ListInstanceAssociations

  • ssm:PutInventory

  • ssm:PutComplianceItems

  • ssm:PutConfigurePackageResult

  • ssm:UpdateAssociationStatus

  • ssm:UpdateInstanceAssociationStatus

  • ssm:UpdateInstanceInformation

  • ssmmessages:CreateControlChannel

  • ssmmessages:CreateDataChannel

  • ssmmessages:OpenControlChannel

  • ssmmessages:OpenDataChannel

  • ec2messages:AcknowledgeMessage

  • ec2messages:DeleteMessage

  • ec2messages:FailMessage

  • ec2messages:GetEndpoint

  • ec2messages:GetMessages

  • ec2messages:SendReply

To view more details about the policy, including the latest version of the JSON policy document, see AmazonSSMManagedEC2InstanceDefaultPolicy in the AWS Managed Policy Reference Guide.

Systems Manager updates to AWS managed policies

View details about updates to AWS managed policies for Systems Manager since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Systems Manager Document history page.

Change Description Date

AWSSystemsManagerOpsDataSyncServiceRolePolicy – Update to an existing policy.

OpsCenter updated the policy to improve the security of the service code within the service-linked role for Explorer to manage OpsData-related operations. June 28, 2023

AmazonSSMManagedEC2InstanceDefaultPolicy – New policy.

Systems Manager added a new policy to allow Systems Manager functionality on Amazon EC2 instances without the use of an IAM instance profile.

August 18, 2022

AmazonSSMServiceRolePolicy – Update to an existing policy.

Systems Manager added new permissions to allow Explorer to create a managed rule when you turn on Security Hub from Explorer or OpsCenter. New permissions were added to check that config and the compute-optimizer meet the necessary requirements before allowing OpsData.

April 27, 2021

AWSSystemsManagerOpsDataSyncServiceRolePolicy – New policy.

Systems Manager added a new policy to create and update OpsItems and OpsData from Security Hub findings in Explorer and OpsCenter.

April 27, 2021

AmazonSSMServiceRolePolicy – Update to an existing policy.

Systems Manager added new permissions to allow viewing aggregate OpsData and OpsItems details from multiple accounts and AWS Regions in Explorer.

March 24, 2021

Systems Manager started tracking changes

Systems Manager started tracking changes for its AWS managed policies.

March 12, 2021