AWS managed policies for AWS Systems Manager
To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.
AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.
Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess AWS managed policy provides read-only access to many AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.
AWS managed policy: AmazonSSMServiceRolePolicy
You can't attach AmazonSSMServiceRolePolicy to your AWS Identity and Access Management
(IAM) entities. This policy is attached to a service-linked role that allows AWS Systems
Manager
to perform actions on your behalf. For more information, see Using roles to collect inventory, run maintenance window tasks, and view OpsData:
AWSServiceRoleForAmazonSSM.
Three Systems Manager capabilities use the service-linked role:
-
The Inventory capability requires a service-linked role. The role allows the system to collect Inventory metadata from tags and resource groups.
-
The Maintenance Windows capability can optionally use the service-linked role. The role allows the Maintenance Windows service to run maintenance tasks on target instances. Note that the service-linked role for Systems Manager doesn't provide the permissions needed for all scenarios. For more information, see Should I use a service-linked role or a custom service role to run maintenance window tasks?.
-
The Explorer capability uses the service-linked role to allow viewing OpsData and OpsItems from multiple accounts. This service-linked role also allows Explorer to create a managed rule when you turn on Security Hub as a data source from Explorer or OpsCenter.
Permissions details
The AWSServiceRoleForAmazonSSM"Resource": "*"), except where indicated:
-
ssm:CancelCommand -
ssm:GetCommandInvocation -
ssm:ListCommandInvocations -
ssm:ListCommands -
ssm:SendCommand -
ssm:GetAutomationExecution -
ssm:GetParameters -
ssm:StartAutomationExecution -
ssm:ListTagsForResource -
ssm:GetCalendarState -
ssm:UpdateServiceSetting[1] -
ssm:GetServiceSetting[1] -
ec2:DescribeInstanceAttribute -
ec2:DescribeInstanceStatus -
ec2:DescribeInstances -
lambda:InvokeFunction[2] -
states:DescribeExecution[3] -
states:StartExecution[3] -
resource-groups:ListGroups -
resource-groups:ListGroupResources -
resource-groups:GetGroupQuery -
tag:GetResources -
config:SelectResourceConfig -
config:DescribeComplianceByConfigRule -
config:DescribeComplianceByResource -
config:DescribeRemediationConfigurations -
config:DescribeConfigurationRecorders -
compute-optimizer:GetEC2InstanceRecommendations -
compute-optimizer:GetEnrollmentStatus -
support:DescribeTrustedAdvisorChecks -
support:DescribeTrustedAdvisorCheckSummaries -
support:DescribeTrustedAdvisorCheckResult -
support:DescribeCases -
iam:PassRole[4] -
cloudformation:DescribeStacks -
cloudformation:ListStackResources -
cloudformation:ListStackInstances[5] -
cloudformation:DescribeStackSetOperation[5] -
cloudformation:DeleteStackSet[5] -
cloudformation:DeleteStackInstances[6] -
events:PutRule[7] -
events:PutTargets[7] -
events:RemoveTargets[8] -
events:DeleteRule[8] -
events:DescribeRule -
securityhub:DescribeHub
[1] The ssm:UpdateServiceSetting and ssm:GetServiceSetting
actions are allowed permissions for the following resources only.
arn:aws:ssm:*:*:servicesetting/ssm/opsitem/* arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*
[2] The lambda:InvokeFunction action is allowed permissions for the
following resources only.
arn:aws:lambda:*:*:function:SSM* arn:aws:lambda:*:*:function:*:SSM*
[3] The states: actions are allowed permissions on the following
resources only.
arn:aws:states:*:*:stateMachine:SSM* arn:aws:states:*:*:execution:SSM*
[4] The iam:PassRole action is allowed permissions by the following
condition for the Systems Manager service only.
"Condition": { "StringEquals": { "iam:PassedToService": [ "ssm.amazonaws.com" ] } }
[5] The cloudformation:ListStackInstances,
cloudformation:DescribeStackSetOperation, and
cloudformation:DeleteStackSet actions are allowed permissions on the
following resource only.
arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*
[6] The cloudformation:DeleteStackInstances action is allowed permissions
on the following resources only.
arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:* arn:aws:cloudformation:*:*:stackset-target/AWS-QuickSetup-SSM*:* arn:aws:cloudformation:*:*:type/resource/*
[7] The events:PutRule and events:PutTargets actions are
allowed permissions by the following condition for the Systems Manager service
only.
"Condition": { "StringEquals": { "events:ManagedBy": "ssm.amazonaws.com" } }
[8] The events:RemoveTargets and events:DeleteRule actions
are allowed permissions on the following resource only.
arn:aws:events:*:*:rule/SSMExplorerManagedRule
Full AmazonSSMServiceRolePolicy policy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:CancelCommand", "ssm:GetCommandInvocation", "ssm:ListCommandInvocations", "ssm:ListCommands", "ssm:SendCommand", "ssm:GetAutomationExecution", "ssm:GetParameters", "ssm:StartAutomationExecution", "ssm:ListTagsForResource", "ssm:GetCalendarState" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "ssm:UpdateServiceSetting", "ssm:GetServiceSetting" ], "Resource": [ "arn:aws:ssm:*:*:servicesetting/ssm/opsitem/*", "arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*" ] }, { "Effect": "Allow", "Action": [ "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": [ "arn:aws:lambda:*:*:function:SSM*", "arn:aws:lambda:*:*:function:*:SSM*" ] }, { "Effect": "Allow", "Action": [ "states:DescribeExecution", "states:StartExecution" ], "Resource": [ "arn:aws:states:*:*:stateMachine:SSM*", "arn:aws:states:*:*:execution:SSM*" ] }, { "Effect": "Allow", "Action": [ "resource-groups:ListGroups", "resource-groups:ListGroupResources", "resource-groups:GetGroupQuery" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:ListStackResources" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "tag:GetResources" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "config:SelectResourceConfig" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "compute-optimizer:GetEC2InstanceRecommendations", "compute-optimizer:GetEnrollmentStatus" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "support:DescribeTrustedAdvisorChecks", "support:DescribeTrustedAdvisorCheckSummaries", "support:DescribeTrustedAdvisorCheckResult", "support:DescribeCases" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "config:DescribeComplianceByConfigRule", "config:DescribeComplianceByResource", "config:DescribeRemediationConfigurations", "config:DescribeConfigurationRecorders" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": [ "ssm.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": "organizations:DescribeOrganization", "Resource": "*" }, { "Effect": "Allow", "Action": "cloudformation:ListStackSets", "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudformation:ListStackInstances", "cloudformation:DescribeStackSetOperation", "cloudformation:DeleteStackSet" ], "Resource": "arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*" }, { "Effect": "Allow", "Action": "cloudformation:DeleteStackInstances", "Resource": [ "arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*", "arn:aws:cloudformation:*:*:stackset-target/AWS-QuickSetup-SSM*:*", "arn:aws:cloudformation:*:*:type/resource/*" ] }, { "Effect": "Allow", "Action": [ "events:PutRule", "events:PutTargets" ], "Resource": "*", "Condition": { "StringEquals": { "events:ManagedBy": "ssm.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "events:RemoveTargets", "events:DeleteRule" ], "Resource": [ "arn:aws:events:*:*:rule/SSMExplorerManagedRule" ] }, { "Effect": "Allow", "Action": "events:DescribeRule", "Resource": "*" }, { "Effect": "Allow", "Action": "securityhub:DescribeHub", "Resource": "*" } ] }
AWS managed policy:
AWSSystemsManagerOpsDataSyncServiceRolePolicy
You can't attach AWSSystemsManagerOpsDataSyncServiceRolePolicy to your
IAM entities. This policy is attached to a service-linked role that allows
Systems Manager to perform actions on your behalf. For more information, see Using roles to create OpsData and OpsItems for Systems Manager Explorer:
AWSServiceRoleForSystemsManagerOpsDataSync.
AWSSystemsManagerOpsDataSyncServiceRolePolicy allows the AWSServiceRoleForSystemsManagerOpsDataSync service-linked
role to create and update OpsItems and OpsData from AWS Security Hub findings.
Permissions details
The AWSServiceRoleForAmazonSSM"Resource": "*"), except where indicated:
-
ssm:GetOpsItem[1] -
ssm:UpdateOpsItem[1] -
ssm:CreateOpsItem -
ssm:AddTagsToResource[2] -
ssm:UpdateServiceSetting[3] -
ssm:GetServiceSetting[3] -
securityhub:GetFindings -
securityhub:GetFindings -
securityhub:BatchUpdateFindings[4]
[1] The ssm:GetOpsItem and ssm:UpdateOpsItem actions are
allowed permissions by the following condition for the Systems Manager service
only.
"Condition": { "StringEquals": { "aws:ResourceTag/ExplorerSecurityHubOpsItem": "true" } }
[2] The ssm:AddTagsToResource action is allowed permissions for the
following resource only.
arn:aws:ssm:*:*:opsitem/*
[3] The ssm:UpdateServiceSetting and ssm:GetServiceSetting
actions are allowed permissions for the following resources only.
arn:aws:ssm:*:*:servicesetting/ssm/opsitem/* arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*
[4] The securityhub:BatchUpdateFindings are denied permissions by the
following condition for the Systems Manager service only.
"Condition": { "StringEquals": { "securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED" }, "Null": { "securityhub:ASFFSyntaxPath/Confidence": false, "securityhub:ASFFSyntaxPath/Criticality": false, "securityhub:ASFFSyntaxPath/Note": false, "securityhub:ASFFSyntaxPath/RelatedFindings": false, "securityhub:ASFFSyntaxPath/Types": false, "securityhub:ASFFSyntaxPath/UserDefinedFields": false, "securityhub:ASFFSyntaxPath/VerificationState": false } }
Full AWSSystemsManagerOpsDataSyncServiceRolePolicy
policy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetOpsItem", "ssm:UpdateOpsItem" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/ExplorerSecurityHubOpsItem": "true" } } }, { "Effect": "Allow", "Action": [ "ssm:CreateOpsItem" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:AddTagsToResource" ], "Resource": "arn:aws:ssm:*:*:opsitem/*" }, { "Effect": "Allow", "Action": [ "ssm:UpdateServiceSetting", "ssm:GetServiceSetting" ], "Resource": [ "arn:aws:ssm:*:*:servicesetting/ssm/opsitem/*", "arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*" ] }, { "Effect": "Allow", "Action": [ "securityhub:GetFindings", "securityhub:BatchUpdateFindings" ], "Resource": [ "*" ] }, { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*", "Condition": { "StringEquals": { "securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED" }, "Null": { "securityhub:ASFFSyntaxPath/Confidence": false, "securityhub:ASFFSyntaxPath/Criticality": false, "securityhub:ASFFSyntaxPath/Note": false, "securityhub:ASFFSyntaxPath/RelatedFindings": false, "securityhub:ASFFSyntaxPath/Types": false, "securityhub:ASFFSyntaxPath/UserDefinedFields": false, "securityhub:ASFFSyntaxPath/VerificationState": false } } } ] }
Systems Manager updates to AWS managed policies
View details about updates to AWS managed policies for Systems Manager since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Systems Manager Document history page.
| Change | Description | Date |
|---|---|---|
|
AmazonSSMServiceRolePolicy – Update to an existing policy. |
Systems Manager added new permissions to allow Explorer to create a managed rule when you turn on Security Hub from Explorer or OpsCenter. New permissions were added to check that config and the compute-optimizer meet the necessary requirements before allowing OpsData. |
April 27, 2021 |
|
AWSSystemsManagerOpsDataSyncServiceRolePolicy – New policy. |
Systems Manager added a new policy to create and update OpsItems and OpsData from Security Hub findings in Explorer and OpsCenter. |
April 27, 2021 |
|
AmazonSSMServiceRolePolicy – Update to an existing policy. |
Systems Manager added new permissions to allow viewing aggregate OpsData and OpsItems details from multiple accounts and AWS Regions in Explorer. |
March 24, 2021 |
|
Systems Manager started tracking changes |
Systems Manager started tracking changes for its AWS managed policies. |
March 12, 2021 |
