AWS Systems Manager
User Guide

Step 2: Verify or Create an IAM Instance Profile with Session Manager Permissions

By default, AWS Systems Manager doesn't have permission to perform actions on your instances. You must grant access by using an IAM instance profile. An instance profile is a container that passes IAM role information to an Amazon EC2 instance at launch. This requirement applies to permissions for all AWS Systems Manager capabilities, not only those specific to Session Manager.

If you already use other Systems Manager capabilities, such as Run Command, an instance profile with the required permissions for Session Manager might already be attached to your instances. If an instance profile that contains the AWS-managed policy AmazonEC2RoleforSSM is already attached to your instances, the permissions for Session Manager are already provided.

However, if you have never used any AWS Systems Manager capabilities before, or if you have created a custom policy for your instance profile, do one of the following to allow Session Manager actions to be performed on your instances:

  • Create and use a new instance profile with permissions for all Systems Manager actions

    To create an IAM instance profile for Systems Manager managed instances that uses an AWS-supplied default policy granting all Systems Manager permissions, follow the steps in Create an Instance Profile for Systems Manager.

  • Embed permissions for Session Manager actions in a custom instance profile

    To add permissions for Session Manager actions to an existing IAM instance profile that does not rely on the AWS-provided default policy AmazonEC2RoleforSSM, follow the steps in Add Session Manager Permissions to an Existing Instance Profile.

  • Create a custom IAM instance profile with Session Manager permissions only

    To create an IAM instance profile that contains permissions only for Session Manager actions, follow the steps in Create a Custom IAM Instance Profile for Session Manager (Console).


    You can attach an IAM instance profile to an Amazon EC2 instance as you launch it or to a previously launched instance. For more information, see Instance Profiles.