AWS Systems Manager
User Guide

Step 3: Control User Session Access to Instances

Session Manager allows you to centrally grant and revoke user access to instances. Using IAM policies, you control which instances specific users or groups can connect to, and you control what Session Manager API actions they can perform on the instances they are given access to.

ARN Format

IAM policies for Session Manager access can use the IAM username variable to match session IDs, because the username forms part of each session ID. Session IDs in turn appear in session Amazon Resource Names (ARNs), which is how access to individual sessions is controlled. Session ARNs have the following format:

arn:aws:ssm:region-id:account-id:session/session-id

For example:

arn:aws:ssm:us-east-2:123456789012:session/JohnDoe-1a2b3c4d5eEXAMPLE

You can use a pair of AWS-supplied default IAM policies, one for end users and one for administrators, to grant permissions for Session Manager activities. Alternatively, you can create custom IAM policies for any other permission requirements you have.
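The following custom policy is an added illustration and is not part of this guide's own text or AWS's default policies. It combines the two controls described above: the first statement limits which instances a user can start sessions on, and the last statement uses the ${aws:username} variable in the session ARN so the user can terminate or resume only sessions whose ID begins with their own username. The account ID and region are the ones shown in the example ARN above; the two instance IDs are placeholders you would replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionsOnlyOnApprovedInstances",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:us-east-2:123456789012:instance/i-1234567890abcdef0",
        "arn:aws:ec2:us-east-2:123456789012:instance/i-0abcdef1234567890"
      ]
    },
    {
      "Sid": "ReadOnlySessionAndInstanceMetadata",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ManageOnlyOwnSessions",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession",
        "ssm:ResumeSession"
      ],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    }
  ]
}
```

Granting ssm:TerminateSession on a Resource of "*" instead would let the user end other users' sessions, which is why the ARN pattern is scoped to the username prefix. Note that ${aws:username} is populated only for IAM users; a principal acting through an assumed role has no username in the request context, so for role-based access the last statement matches nothing.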

For more information about using variables in IAM policies, see IAM Policy Elements: Variables.

For information about how to create policies and attach them to IAM users or groups, see Creating IAM Policies and Adding and Removing IAM Policies in the IAM User Guide.