AWS managed policies for AWS Systems Manager

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AWS managed policy: AmazonSSMServiceRolePolicy

You can't attach AmazonSSMServiceRolePolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows AWS Systems Manager to perform actions on your behalf. For more information, see Using roles to collect inventory and view OpsData.

AmazonSSMServiceRolePolicy allows Systems Manager to complete the following actions on all related resources ("Resource": "*"), except where indicated:

• ssm:CancelCommand

• ssm:GetCommandInvocation

• ssm:ListCommandInvocations

• ssm:ListCommands

• ssm:SendCommand

• ssm:GetAutomationExecution

• ssm:GetParameters

• ssm:StartAutomationExecution

• ssm:StopAutomationExecution

• ssm:ListTagsForResource

• ssm:GetCalendarState

• ssm:UpdateServiceSetting [1]

• ssm:GetServiceSetting [1]

• ec2:DescribeInstanceAttribute

• ec2:DescribeInstanceStatus

• ec2:DescribeInstances

• lambda:InvokeFunction [2]

• states:DescribeExecution [3]

• states:StartExecution [3]

• resource-groups:ListGroups

• resource-groups:ListGroupResources

• resource-groups:GetGroupQuery

• tag:GetResources

• config:SelectResourceConfig

• config:DescribeComplianceByConfigRule

• config:DescribeComplianceByResource

• config:DescribeRemediationConfigurations

• config:DescribeConfigurationRecorders

• cloudwatch:DescribeAlarms

• compute-optimizer:GetEC2InstanceRecommendations

• compute-optimizer:GetEnrollmentStatus

• support:DescribeTrustedAdvisorChecks

• support:DescribeTrustedAdvisorCheckSummaries

• support:DescribeTrustedAdvisorCheckResult

• support:DescribeCases

• iam:PassRole [4]

• cloudformation:DescribeStacks

• cloudformation:ListStackResources

• cloudformation:ListStackInstances [5]

• cloudformation:DescribeStackSetOperation [5]

• cloudformation:DeleteStackSet [5]

• cloudformation:DeleteStackInstances [6]

• events:PutRule [7]

• events:PutTargets [7]

• events:RemoveTargets [8]

• events:DeleteRule [8]

• events:DescribeRule

• securityhub:DescribeHub

[1] The ssm:UpdateServiceSetting and ssm:GetServiceSetting actions are allowed permissions for the following resources only.

arn:aws:ssm:*:*:servicesetting/ssm/opsitem/*
arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*

[2] The lambda:InvokeFunction action is allowed permissions for the following resources only.

arn:aws:lambda:*:*:function:SSM*
arn:aws:lambda:*:*:function:*:SSM*

[3] The states: actions are allowed permissions on the following resources only.

arn:aws:states:*:*:stateMachine:SSM*
arn:aws:states:*:*:execution:SSM*

[4] The iam:PassRole action is allowed permissions by the following condition for the Systems Manager service only.

"Condition": {
   "StringEquals": {
      "iam:PassedToService": [
         "ssm.amazonaws.com"
      ]
   }
}

[5] The cloudformation:ListStackInstances, cloudformation:DescribeStackSetOperation, and cloudformation:DeleteStackSet actions are allowed permissions on the following resource only.

arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*

[6] The cloudformation:DeleteStackInstances action is allowed permissions on the following resources only.

arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*
arn:aws:cloudformation:*:*:stackset-target/AWS-QuickSetup-SSM*:*
arn:aws:cloudformation:*:*:type/resource/*

[7] The events:PutRule and events:PutTargets actions are allowed permissions by the following condition for the Systems Manager service only.

"Condition": {
    "StringEquals": {
        "events:ManagedBy": "ssm.amazonaws.com"
    }
}

[8] The events:RemoveTargets and events:DeleteRule actions are allowed permissions on the following resource only.

arn:aws:events:*:*:rule/SSMExplorerManagedRule

To view more details about the policy, including the latest version of the JSON policy document, see AmazonSSMServiceRolePolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: AmazonSSMReadOnlyAccess

You can attach the AmazonSSMReadOnlyAccess policy to your IAM identities. This policy grants read-only access to AWS Systems Manager API operations including Describe*, Get*, and List*.

To view more details about the policy, including the latest version of the JSON policy document, see AmazonSSMReadOnlyAccess in the AWS Managed Policy Reference Guide.

AWS managed policy: AWSSystemsManagerOpsDataSyncServiceRolePolicy

You can't attach AWSSystemsManagerOpsDataSyncServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see Using roles to create OpsData and OpsItems for Explorer.

AWSSystemsManagerOpsDataSyncServiceRolePolicy allows the AWSServiceRoleForSystemsManagerOpsDataSync service-linked role to create and update OpsItems and OpsData from AWS Security Hub findings.

The policy allows Systems Manager to complete the following actions on all related resources ("Resource": "*"), except where indicated:

• ssm:GetOpsItem [1]

• ssm:UpdateOpsItem [1]

• ssm:CreateOpsItem

• ssm:AddTagsToResource [2]

• ssm:UpdateServiceSetting [3]

• ssm:GetServiceSetting [3]

• securityhub:GetFindings

• securityhub:GetFindings

• securityhub:BatchUpdateFindings [4]

[1] The ssm:GetOpsItem and ssm:UpdateOpsItem actions are allowed permissions by the following condition for the Systems Manager service only.

"Condition": {
    "StringEquals": {
        "aws:ResourceTag/ExplorerSecurityHubOpsItem": "true"
    }
}

[2] The ssm:AddTagsToResource action is allowed permissions for the following resource only.

arn:aws:ssm:*:*:opsitem/*

[3] The ssm:UpdateServiceSetting and ssm:GetServiceSetting actions are allowed permissions for the following resources only.

arn:aws:ssm:*:*:servicesetting/ssm/opsitem/*
arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*

[4] The securityhub:BatchUpdateFindings are denied permissions by the following condition for the Systems Manager service only.

{
			"Effect": "Deny",
			"Action": "securityhub:BatchUpdateFindings",
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"
				}
			}
		},
		{
			"Effect": "Deny",
			"Action": "securityhub:BatchUpdateFindings",
			"Resource": "*",
			"Condition": {
				"Null": {
					"securityhub:ASFFSyntaxPath/Confidence": false
				}
			}
		},
		{
			"Effect": "Deny",
			"Action": "securityhub:BatchUpdateFindings",
			"Resource": "*",
			"Condition": {
				"Null": {
					"securityhub:ASFFSyntaxPath/Criticality": false
				}
			}
		},		
		{
			"Effect": "Deny",
			"Action": "securityhub:BatchUpdateFindings",
			"Resource": "*",
			"Condition": {
				"Null": {
					"securityhub:ASFFSyntaxPath/Note.Text": false
				}
			}
		},
		{
			"Effect": "Deny",
			"Action": "securityhub:BatchUpdateFindings",
			"Resource": "*",
			"Condition": {
				"Null": {
					"securityhub:ASFFSyntaxPath/Note.UpdatedBy": false
				}
			}
		},
		{
			"Effect": "Deny",
			"Action": "securityhub:BatchUpdateFindings",
			"Resource": "*",
			"Condition": {
				"Null": {
					"securityhub:ASFFSyntaxPath/RelatedFindings": false
				}
			}
		},
		{
			"Effect": "Deny",
			"Action": "securityhub:BatchUpdateFindings",
			"Resource": "*",
			"Condition": {
				"Null": {
					"securityhub:ASFFSyntaxPath/Types": false
				}
			}
		},
		{
			"Effect": "Deny",
			"Action": "securityhub:BatchUpdateFindings",
			"Resource": "*",
			"Condition": {
				"Null": {
					"securityhub:ASFFSyntaxPath/UserDefinedFields.key": false
				}
			}
		},
		{
			"Effect": "Deny",
			"Action": "securityhub:BatchUpdateFindings",
			"Resource": "*",
			"Condition": {
				"Null": {
					"securityhub:ASFFSyntaxPath/UserDefinedFields.value": false
				}
			}
		},
		{
			"Effect": "Deny",
			"Action": "securityhub:BatchUpdateFindings",
			"Resource": "*",
			"Condition": {
				"Null": {
					"securityhub:ASFFSyntaxPath/VerificationState": false
				}
			}

To view more details about the policy, including the latest version of the JSON policy document, see AWSSystemsManagerOpsDataSyncServiceRolePolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: AmazonSSMManagedEC2InstanceDefaultPolicy

You should only attach AmazonSSMManagedEC2InstanceDefaultPolicy to IAM roles for Amazon EC2 instances that you want to have permission to use Systems Manager functionality. You shouldn't attached this role to other IAM entities, such as IAM users and IAM groups, or to IAM roles that serve other purposes. For more information, see Using the Default Host Management Configuration setting.

This policy grants permissions that allow the SSM Agent on your Amazon EC2 instance to retrieve Documents, execute commands using Run Command, establish sessions using Session Manager, collect an inventory of the instance, and scan for patches and patch compliance using Patch Manager.

Systems Manager uses a personalized authorization token for each instance to ensure that SSM Agent performs the API operations on the correct instance. Systems Manager validates the personalized authorization token against the Amazon Resource Name (ARN) of the instance, provided in the API operation.

The AmazonSSMManagedEC2InstanceDefaultPolicy role permissions policy allows Systems Manager to complete the following actions on all related resources:

• ssm:DescribeAssociation

• ssm:GetDeployablePatchSnapshotForInstance

• ssm:GetDocument

• ssm:DescribeDocument

• ssm:GetManifest

• ssm:ListAssociations

• ssm:ListInstanceAssociations

• ssm:PutInventory

• ssm:PutComplianceItems

• ssm:PutConfigurePackageResult

• ssm:UpdateAssociationStatus

• ssm:UpdateInstanceAssociationStatus

• ssm:UpdateInstanceInformation

• ssmmessages:CreateControlChannel

• ssmmessages:CreateDataChannel

• ssmmessages:OpenControlChannel

• ssmmessages:OpenDataChannel

• ec2messages:AcknowledgeMessage

• ec2messages:DeleteMessage

• ec2messages:FailMessage

• ec2messages:GetEndpoint

• ec2messages:GetMessages

• ec2messages:SendReply

To view more details about the policy, including the latest version of the JSON policy document, see AmazonSSMManagedEC2InstanceDefaultPolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: SSMQuickSetupRolePolicy

You can't attach SSMQuickSetupRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see Using roles to maintain Quick Setup-provisioned resource health and consistency.

This policy grants read-only permissions that allow Systems Manager to check configuration health, ensure consistent use of parameters and provisioned resources, and remediate resources when drift is detected.

Permissions details

This policy includes the following permissions.

• ssm – Allows principals to read information Resource Data Syncs and SSM Documents in Systems Manager. This is required so Quick Setup can determine the state that configured resources are intended to be in.

• organizations – Allows principals to read information about the member accounts that belong to an organization as configured in AWS Organizations. This is required so Quick Setup can identify all accounts in an organization where resource health checks are to be performed.

• cloudformation – Allows principals to read information from AWS CloudFormation. This is required so Quick Setup can gather data about the AWS CloudFormation stacks used to manage the state of resources and CloudFormation stackset operations.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "SSMResourceDataSyncPermissions",
			"Effect": "Allow",
			"Action": [
				"ssm:ListResourceDataSync"
			],
			"Resource": "*"
		},
		{
			"Sid": "SSMResourceDataSyncGetOpsSummaryPermissions",
			"Effect": "Allow",
			"Action": [
				"ssm:GetOpsSummary"
			],
			"Resource": "arn:aws:ssm:*:*:resource-data-sync/AWS-QuickSetup-*"
		},
		{
			"Sid": "SSMAssociationsReadOnlyPermissions",
			"Effect": "Allow",
			"Action": [
				"ssm:ListAssociations",
				"ssm:DescribeAssociationExecutions"
			],
			"Resource": "*"
		},
		{
			"Sid": "QuickSetupSSMDocumentsReadOnlyPermissions",
			"Effect": "Allow",
			"Action": [
				"ssm:DescribeDocument",
				"ssm:GetDocument"
			],
			"Resource": [
				"arn:aws:ssm:*:*:document/AWSQuickSetupType-*",
				"arn:aws:ssm:*:*:document/*-AWSQuickSetupType-*"
			]
		},
		{
			"Sid": "OrganizationReadOnlyPermissions",
			"Effect": "Allow",
			"Action": [
				"organizations:ListRoots",
				"organizations:ListAWSServiceAccessForOrganization",
				"organizations:ListDelegatedAdministrators",
				"organizations:ListAccountsForParent",
				"organizations:ListOrganizationalUnitsForParent"
			],
			"Resource": "*"
		},
		{
			"Sid": "QuickSetupStackSetReadOnlyPermissions",
			"Effect": "Allow",
			"Action": [
				"cloudformation:DescribeStackSet",
				"cloudformation:DescribeStackSetOperation",
				"cloudformation:ListStackInstances",
				"cloudformation:ListStackSetOperations",
				"cloudformation:ListStackSetOperationResults"
			],
			"Resource": [
				"arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-*",
				"arn:aws:cloudformation:*:*:stack/StackSet-AWS-QuickSetup-*"
			]
		},
		{
			"Sid": "QuickSetupStackSetDeletePermissions",
			"Effect": "Allow",
			"Action": [
				"cloudformation:DeleteStackInstances",
				"cloudformation:DeleteStackSet"
			],
			"Resource": [
				"arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-*",
				"arn:aws:cloudformation:*:*:stack/StackSet-AWS-QuickSetup-*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		}
	]
}

To view more details about the policy, including the latest version of the JSON policy document, see SSMQuickSetupRolePolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: AWSQuickSetupDeploymentRolePolicy

The managed policy AWSQuickSetupDeploymentRolePolicy supports multiple Quick Setup configuration types. These configuration types create IAM roles and automations that configure frequently used Amazon Web Services services and features with recommended best practices.

You can attach AWSQuickSetupDeploymentRolePolicy to your IAM entities.

This policy grants administrative permissions needed to create resources associated with the following Quick Setup configurations:

• Set up Amazon EC2 host management

• Create an AWS Config configuration recorder using Quick Setup

• Deploy AWS Config conformance pack using Quick Setup

• Set up DevOps Guru with Quick Setup

• Deploy Distributor packages using Quick Setup

• Stop and start EC2 instances automatically on a schedule

Permissions details

This policy includes the following permissions.

• iam – Allows principals to manage and delete IAM roles required for Automation configuration tasks; and to manage Automation role policies.

• cloudformation – Allows principals to create and manage stack sets.

• config – Allows principals to create, manage, and delete conformance packs.

• events – Allows principals to create, update, and delete event rules for scheduled actions.

• resource-groups – Allows principals to retrieve resource queries that are associated with resource groups targeted by Quick Setup configurations.

• ssm – Allows principals to create Automation runbooks and associations that apply Quick Setup configurations.

To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupDeploymentRolePolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: AWSQuickSetupPatchPolicyDeploymentRolePolicy

The managed policy AWSQuickSetupPatchPolicyDeploymentRolePolicy supports the Configure patching for instances in an organization Quick Setup type. This configuration type helps automate patching of applications and nodes in a single account or across your organization.

You can attach AWSQuickSetupPatchPolicyDeploymentRolePolicy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf.

This policy grants administrative permissions that allow Quick Setup to create resources associated with a patch policy configuration.

Permissions details

This policy includes the following permissions.

• iam – Allows principals to manage and delete IAM roles required for Automation configuration tasks; and to manage Automation role policies.

• cloudformation – Allows principals to read AWS CloudFormation stack information; and to control AWS CloudFormation stacks that were created by Quick Setup using AWS CloudFormation stack sets.

• ssm – Allows principals to create, update, read, and delete Automation runbooks required for configuration tasks; and to create, update, and delete State Manager associations.

• resource-groups – Allows principals to retrieve resource queries that are associated with resource groups targeted by Quick Setup configurations.

• s3 – Allows principals to list Amazon S3 buckets; and to manage the buckets for storing patch policy access logs.

• lambda – Allows principals to manage AWS Lambda remediation functions that maintain configurations in the correct state.

• logs – Allows principals to describe and manage log groups for Lambda configuration resources.

To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupPatchPolicyDeploymentRolePolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: AWSQuickSetupPatchPolicyBaselineAccess

The managed policy AWSQuickSetupPatchPolicyBaselineAccess supports the Configure patching for instances in an organization Quick Setup type. This configuration type helps automate patching of applications and nodes in a single account or across your organization.

You can attach AWSQuickSetupPatchPolicyBaselineAccess to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf.

This policy provides read-only permissions to access patch baselines that have been configured by an administrator in the current AWS account or organization using Quick Setup. The patch baselines are stored in an Amazon S3 bucket and can be used for patching instances in a single account or across an entire organization.

Permissions details

This policy includes the following permission.

• s3 – Allows principals to read patch baseline overrides stored in Amazon S3 buckets.

To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupPatchPolicyBaselineAccess in the AWS Managed Policy Reference Guide.

AWS managed policy: AWSSystemsManagerEnableExplorerExecutionPolicy

The managed policy AWSSystemsManagerEnableExplorerExecutionPolicy supports enabling Explorer, a capability of AWS Systems Manager.

You can attach AWSSystemsManagerEnableExplorerExecutionPolicy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf.

This policy grants administrative permissions for enabling Explorer. This includes permissions to update related Systems Manager service settings, and to create a service-linked role for Systems Manager.

Permissions details

This policy includes the following permissions.

• config – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.

• iam – Allows principals to help enable Explorer.

• ssm – Allows principals to start an Automation workflow that enables Explorer.

To view more details about the policy, including the latest version of the JSON policy document, see AWSSystemsManagerEnableExplorerExecutionPolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: AWSSystemsManagerEnableConfigRecordingExecutionPolicy

The managed policy AWSSystemsManagerEnableConfigRecordingExecutionPolicy supports the Create an AWS Config configuration recorder using Quick Setup Quick Setup configuration type. This configuration type enables Quick Setup to track and record changes to the AWS resource types you choose for AWS Config. It also enables Quick Setup to configure delivery and notifications options for the recorded data.

You can attach AWSSystemsManagerEnableConfigRecordingExecutionPolicy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf.

This policy grants administrative permissions that allow Quick Setup to enable and configure AWS Config configuration recording.

Permissions details

This policy includes the following permissions.

• s3 – Allows principals to create and configure Amazon S3 buckets for delivery of configuration recordings.

• sns – Allows principals to list and create Amazon SNS topics.

• config – Allows principals to configure and start the configuration recorder; and to help enable Explorer.

• iam – Allows principals to create, get, and pass a service-linked role for AWS Config; and to create a service-linked role for Systems Manager; and to help enable Explorer.

• ssm – Allows principals to start an Automation workflow that enables Explorer.

• compute-optimizer – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

• support – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

To view more details about the policy, including the latest version of the JSON policy document, see AWSSystemsManagerEnableConfigRecordingExecutionPolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: AWSQuickSetupDevOpsGuruPermissionsBoundary

Note

This policy is a permissions boundary. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use and attach Quick Setup permissions boundary policies on your own. Quick Setup permissions boundary policies should only be attached to Quick Setup managed roles. For more information about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.

The managed policy AWSQuickSetupDevOpsGuruPermissionsBoundary supports the Set up DevOps Guru with Quick Setup type. The configuration type enables the machine learning-powered Amazon DevOps Guru. The DevOps Guru service can help improve an application’s operational performance and availability.

When you create an AWSQuickSetupDevOpsGuruPermissionsBoundary configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.

This policy grants administrative permissions that allow Quick Setup to enable and configure Amazon DevOps Guru.

Permissions details

This policy includes the following permissions.

• iam – Allows principals to create service-linked roles for DevOps Guru and Systems Manager; and to list roles that help enable Explorer.

• cloudformation – Allows principals to list and describe AWS CloudFormation stacks.

• sns – Allows principals to list and create Amazon SNS topics.

• devops-guru – Allows principals to configure DevOps Guru; and to add a notification channel.

• config – – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.

• ssm – Allows principals to start an Automation workflow that enables Explorer; and to read and update Explorer service settings.

• compute-optimizer – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

• support – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupDevOpsGuruPermissionsBoundary in the AWS Managed Policy Reference Guide.

AWS managed policy: AWSQuickSetupDistributorPermissionsBoundary

Note

This policy is a permissions boundary. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use and attach Quick Setup permissions boundary policies on your own. Quick Setup permissions boundary policies should only be attached to Quick Setup managed roles. For more information about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.

The managed policy AWSQuickSetupDistributorPermissionsBoundary supports the Deploy Distributor packages using Quick Setup Quick Setup configuration type. The configuration type helps enable the distribution of software packages, such as agents, to your Amazon Elastic Compute Cloud (Amazon EC2) instances, using Distributor, a capability of AWS Systems Manager.

When you create an AWSQuickSetupDistributorPermissionsBoundary configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.

This policy grants administrative permissions that allow Quick Setup to enable the distribution of software packages, such as agents, to your Amazon EC2 instances using Distributor.

Permissions details

This policy includes the following permissions.

• iam – Allows principals to get and pass the Distributor automation role; to create, read, update, and delete the default instance role; to pass the default instance role to Amazon EC2 and Systems Manager; to attach instance management policies to instance roles; to create a service-linked role for Systems Manager; to add the default instance role to instance profiles; to read information about IAM roles and instance profiles; and to create the default instance profile.

• ec2 – Allows principals to associate the default instance profile with EC2 instances; and to help enable Explorer.

• ssm – Allows principals to start automation workflows that which configure instances and install packages; and to help start the automation workflow that enables Explorer; and to read and update Explorer service settings.

• config – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.

• compute-optimizer – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

• support – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupDistributorPermissionsBoundary in the AWS Managed Policy Reference Guide.

AWS managed policy: AWSQuickSetupSSMHostMgmtPermissionsBoundary

Note

This policy is a permissions boundary. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use and attach Quick Setup permissions boundary policies on your own. Quick Setup permissions boundary policies should only be attached to Quick Setup managed roles. For more information about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.

The managed policy AWSQuickSetupSSMHostMgmtPermissionsBoundary supports the Set up Amazon EC2 host management Quick Setup configuration type. This configuration type configures IAM roles and enables commonly used Systems Manager capabilities to securely manage your Amazon EC2 instances.

When you create an AWSQuickSetupSSMHostMgmtPermissionsBoundary configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.

This policy grants administrative permissions that allow Quick Setup to enable and configure Systems Manager capabilities needed for securely managing EC2 instances.

Permissions details

This policy includes the following permissions.

• iam – Allows principals to get and pass the service role to Automation. Allows principals to create, read, update, and delete the default instance role; to pass the default instance role to Amazon EC2 and Systems Manager; to attach instance management policies to instance roles; to create a service-linked role for Systems Manager; to add the default instance role to instance profiles; to read information about IAM roles and instance profiles; and to create the default instance profile.

• ec2 – Allows principals to associate and disassociate the default instance profile with EC2 instances.

• ssm – Allows principals to start Automation workflows that enable Explorer; to read and update Explorer service settings; to configure instances; and to enable Systems Manager capabilities on instances.

• compute-optimizer – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

• support – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupSSMHostMgmtPermissionsBoundary in the AWS Managed Policy Reference Guide.

AWS managed policy: AWSQuickSetupPatchPolicyPermissionsBoundary

Note

This policy is a permissions boundary. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use and attach Quick Setup permissions boundary policies on your own. Quick Setup permissions boundary policies should only be attached to Quick Setup managed roles. For more information about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.

The managed policy AWSQuickSetupPatchPolicyPermissionsBoundary supports the Configure patching for instances in an organization Quick Setup type. This configuration type helps automate patching of applications and nodes in a single account or across your organization.

When you create an AWSQuickSetupPatchPolicyPermissionsBoundary configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.

This policy grants administrative permissions that allow Quick Setup to enable and configure patch policies in Patch Manager, a capability of AWS Systems Manager.

Permissions details

This policy includes the following permissions.

• iam – Allows principals to get the Patch Manager Automation role; to pass Automation roles to Patch Manager patching operations; to create the default instance role, AmazonSSMRoleForInstancesQuickSetup; to pass the default instance role to Amazon EC2 and Systems Manager; to attach selected AWS managed policies to the instance role; to create a service-linked role for Systems Manager; to add the default instance role to instance profiles; to read information about instance profiles and roles; to create a default instance profile; and to tag roles that have permissions to read patch baseline overrides.

• ssm – Allows principals to update the instance role this is managed by Systems Manager; to manage associations created by Patch Manager patch policies created in Quick Setup; to tag instances targeted by a patch policy configuration; to read information about instances and patching status; to start Automation workflows that configure, enable and remediate instance patching; to start automation workflows that enable Explorer; to help enable Explorer; and to read and update Explorer service settings.

• ec2 – Allows principals to associate and disassociate the default instance profile with EC2 instances; to tag instances targeted by a patch policy configuration; to tag instances targeted by a patch policy configuration; and to help enable Explorer.

• s3 – Allows principals to create and configure S3 buckets to store patch baseline overrides.

• lambda – Allows principals to invoke AWS Lambda functions that configure patching and to perform clean-up operations after a Quick Setup patch policy configuration is deleted.

• logs – Allows principals to configure logging for Patch Manager Quick Setup AWS Lambda functions.

• config – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.

• compute-optimizer – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

• support – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupPatchPolicyPermissionsBoundary in the AWS Managed Policy Reference Guide.

AWS managed policy: AWSQuickSetupSchedulerPermissionsBoundary

Note

This policy is a permissions boundary. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use and attach Quick Setup permissions boundary policies on your own. Quick Setup permissions boundary policies should only be attached to Quick Setup managed roles. For more information about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.

The managed policy AWSQuickSetupSchedulerPermissionsBoundary supports the Quick Setup configuration type. This configuration type lets you stop and start your EC2 instances and other resources at the times you specify.

When you create an AWSQuickSetupSchedulerPermissionsBoundary configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.

This policy grants administrative permissions that allow Quick Setup to enable and configure scheduled operations on EC2 instances and other resources.

Permissions details

This policy includes the following permissions.

• iam – Allows principals to retrieve and pass roles for instance management automation actions; to manage, pass, and attach default instance roles for EC2 instance management; to create default instance profiles; to add default instance roles to instance profiles; to create a service-linked role for Systems Manager; to read information about IAM roles and instance profiles; to associate a default instance profile with EC2 instances; and to start Automation workflows to configure instances and enable Systems Manager capabilities on them.

• ssm – Allows principals to start Automation workflows that enable Explorer; and to read and update Explorer service settings.

• ec2 – Allows principals to locate targeted instances and to start and stop them on a schedule.

• config – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.

• compute-optimizer – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

• support – Allows principals to help enable Explorer by providing read-only access to AWS Trusted Advisor checks for an account.

To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupSchedulerPermissionsBoundary in the AWS Managed Policy Reference Guide.

AWS managed policy: AWSQuickSetupCFGCPacksPermissionsBoundary

Note

This policy is a permissions boundary. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use and attach Quick Setup permissions boundary policies on your own. Quick Setup permissions boundary policies should only be attached to Quick Setup managed roles. For more information about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.

The managed policy AWSQuickSetupCFGCPacksPermissionsBoundarysupports the Quick Setup configuration type. This configuration type deploys AWS Config conformance packs. Conformance packs are collections of AWS Config rules and remediation actions that can be deployed as a single entity.

When you create an AWSQuickSetupCFGCPacksPermissionsBoundary configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.

This policy grants administrative permissions that allow Quick Setup to deploy AWS Config conformance packs.

Permissions details

This policy includes the following permissions.

• iam – Allows principals to create, get, and pass a service-linked role for AWS Config.

• sns – Allows principals to list platform applications in Amazon SNS.

• config – Allows principals to deploy AWS Config conformance packs; to get the status of conformance packs; and to get information about configuration recorders.

• ssm – Allows principals to get information about SSM documents and Automation workflows; to get information about resource tags; and to get information about and update service settings.

• compute-optimizer – Allows principals to get the opt-in status of an account.

• support – Allows principals to get information about AWS Trusted Advisor checks.

To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupCFGCPacksPermissionsBoundary in the AWS Managed Policy Reference Guide.

Systems Manager updates to AWS managed policies

In the following table, view details about updates to AWS managed policies for Systems Manager since this service began tracking these changes on March 12, 2021. For information about other managed policies for the Systems Manager service, see Additional managed policies for Systems Manager later in this topic. For automatic alerts about changes to this page, subscribe to the RSS feed on the Systems Manager Document history page.

Change	Description	Date
SSMQuickSetupRolePolicy – New policy	Systems Manager added a new policy to allow Quick Setup to check the health of deployed resources and remediate instances that have drifted from the original configuration.	July 3, 2024
AWSQuickSetupDeploymentRolePolicy – New policy	Systems Manager added a new policy to support multiple Quick Setup configuration types that create IAM roles and automations, which in turn configure frequently used Amazon Web Services services and features with recommended best practices.	July 3, 2024
AWSQuickSetupPatchPolicyDeploymentRolePolicy – New policy	Systems Manager added a new policy to allow Quick Setup to create resources associated with Patch Manager patch policy Quick Setup configurations.	July 3, 2024
AWSQuickSetupPatchPolicyBaselineAccess – New policy	Systems Manager added a new policy to allow Quick Setup to access patch baselines in Patch Manager with read-only permissions.	July 3, 2024
AWSSystemsManagerEnableExplorerExecutionPolicy – New policy	Systems Manager added a new policy to allow Quick Setup to grant administrative permissions for enabling Explorer.	July 3, 2024
AWSSystemsManagerEnableConfigRecordingExecutionPolicy – New policy	Systems Manager added a new policy to allow Quick Setup to enable and configure AWS Config configuration recording.	July 3, 2024
AWSQuickSetupDevOpsGuruPermissionsBoundary – New policy	Systems Manager added a new policy to allow Quick Setup to enable and configure Amazon DevOps Guru.	July 3, 2024
AWSQuickSetupDistributorPermissionsBoundary – New policy	Systems Manager added a new policy to allow Quick Setup to enable and configure Distributor, a capability of AWS Systems Manager.	July 3, 2024
AWSQuickSetupSSMHostMgmtPermissionsBoundary – New policy	Systems Manager added a new policy to allow Quick Setup to enable and configure Systems Manager capabilities for securely managing Amazon EC2 instances.	July 3, 2024
AWSQuickSetupPatchPolicyPermissionsBoundary – New policy	Systems Manager added a new policy to allow Quick Setup to enable and configure patch policies in Patch Manager, a capability of AWS Systems Manager.	July 3, 2024
AWSQuickSetupSchedulerPermissionsBoundary – New policy	Systems Manager added a new policy to allow Quick Setup to enable and configure scheduled operations on Amazon EC2 instances and other resources.	July 3, 2024
AWSQuickSetupCFGCPacksPermissionsBoundary – New policy	Systems Manager added a new policy to allow Quick Setup to deploy AWS Config conformance packs.	July 3, 2024
AWSSystemsManagerOpsDataSyncServiceRolePolicy – Update to an existing policy	OpsCenter updated the policy to improve the security of the service code within the service-linked role for Explorer to manage OpsData-related operations.	July 3, 2023
AmazonSSMManagedEC2InstanceDefaultPolicy – New policy	Systems Manager added a new policy to allow Systems Manager functionality on Amazon EC2 instances without the use of an IAM instance profile.	August 18, 2022
AmazonSSMServiceRolePolicy – Update to an existing policy	Systems Manager added new permissions to allow Explorer to create a managed rule when you turn on Security Hub from Explorer or OpsCenter. New permissions were added to check that config and the compute-optimizer meet the necessary requirements before allowing OpsData.	April 27, 2021
AWSSystemsManagerOpsDataSyncServiceRolePolicy – New policy	Systems Manager added a new policy to create and update OpsItems and OpsData from Security Hub findings in Explorer and OpsCenter.	April 27, 2021
AmazonSSMServiceRolePolicy – Update to an existing policy	Systems Manager added new permissions to allow viewing aggregate OpsData and OpsItems details from multiple accounts and AWS Regions in Explorer.	March 24, 2021
Systems Manager started tracking changes	Systems Manager started tracking changes for its AWS managed policies.	March 12, 2021

Additional managed policies for Systems Manager

In addition to the managed policies described earlier in this topic, the following policies are also supported by Systems Manager.

• AmazonSSMAutomationApproverAccess – AWS managed policy that allows access to view automation executions and send approval decisions to automation that is waiting for approval.

• AmazonSSMAutomationRole – AWS managed policy that provides permissions for the Systems Manager Automation service to run activities defined within Automation runbooks. Assign this policy to administrators and trusted power users.

• AmazonSSMDirectoryServiceAccess – AWS managed policy that that allows SSM Agent to access AWS Directory Service on behalf of the user for requests to join the domain by the managed node.

• AmazonSSMFullAccess – AWS managed policy that grants full access to the Systems Manager API and documents.

• AmazonSSMMaintenanceWindowRole – AWS managed policy that provides maintenance windows with permissions to the Systems Manager API.

• AmazonSSMManagedInstanceCore – AWS managed policy that allows a node to use Systems Manager service core functionality.

• AmazonSSMPatchAssociation – AWS managed policy that provides access to child instances for patch association operations.

• AmazonSSMReadOnlyAccess – AWS managed policy that grants access to Systems Manager read-only API operations, such as Get* and List*.

• AWSSSMOpsInsightsServiceRolePolicy – AWS managed policy that provides permissions for creating and updating operational insight OpsItems in Systems Manager. Used to provide permissions through the service-linked role AWSServiceRoleForAmazonSSM_OpsInsights.

• AWSSystemsManagerAccountDiscoveryServicePolicy – AWS managed policy that grants Systems Manager permission to discover AWS account information.

• AWSSystemsManagerChangeManagementServicePolicy – AWS managed policy that provides access to AWS resources managed or used by the Systems Manager change management framework and used by the service-linked role AWSServiceRoleForSystemsManagerChangeManagement.

• AmazonEC2RoleforSSM – This policy is no longer supported and should not be used. In its place, use the AmazonSSMManagedInstanceCore policy to allow Systems Manager service core functionality on EC2 instances. For information, see Configure instance permissions required for Systems Manager.