Step 3: Control user session access to instances - AWS Systems Manager

Session Manager allows you to centrally grant and revoke user access to instances. Using AWS Identity and Access Management (IAM) policies, you control which instances specific users or groups can connect to, and you control what Session Manager API actions they can perform on the instances they are given access to.

About Session ID ARN Formats

IAM policies for Session Manager access use variables for user names as part of session IDs. Session IDs in turn are used in session Amazon Resource Names (ARNs) to control access. Session ARNs have the following format:


For example:


You can use a pair of default IAM policies supplied by AWS, one for end users and one for administrators, to supply permissions for Session Manager activities. Or you can create custom IAM policies for different permissions requirements you might have.
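To show how a user name variable in a session ARN scopes access, the following added example (not AWS's own code or one of the default policies) resolves `${aws:username}` in a constructed custom policy and tests it against constructed session ARNs. It also flags user names where one name's pattern covers another's sessions. It assumes session IDs of the form `<user name>-<random suffix>`; the account ID, region, user names and function names are illustrative, and the evaluator handles only Allow statements.

```python
import re

# Constructed policy (not from the page): TerminateSession limited to session
# ARNs whose session ID starts with the caller's IAM user name.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:TerminateSession"],
        "Resource": ["arn:aws:ssm:*:*:session/${aws:username}-*"],
    }],
}

def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def allows(policy, username, action, resource_arn):
    """Simplified check: Allow statements only, no Deny or Condition handling."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        # Substitute the policy variable the way IAM does at evaluation time.
        resources = [r.replace("${aws:username}", username) for r in stmt["Resource"]]
        action_ok = any(_match(a, action, True) for a in stmt["Action"])
        if action_ok and any(_match(r, resource_arn) for r in resources):
            return True
    return False

def overlapping_usernames(usernames):
    """Pairs (a, b) where a's resolved pattern 'a-*' also covers b's sessions."""
    return sorted((a, b) for a in usernames for b in usernames
                  if a != b and b.startswith(a + "-"))

# Constructed session ARNs (assumed ID form: <user name>-<random suffix>).
BASE = "arn:aws:ssm:us-east-2:123456789012:session/"
OWN = BASE + "JohnDoe-1a2b3c4d5eEXAMPLE"
OTHER = BASE + "JaneRoe-9f8e7d6c5bEXAMPLE"
PREFIXED = BASE + "JohnDoe-ops-0a1b2c3d4eEXAMPLE"  # session of user "JohnDoe-ops"

if __name__ == "__main__":
    for arn in (OWN, OTHER, PREFIXED):
        print(arn.rsplit("/", 1)[1], allows(POLICY, "JohnDoe", "ssm:TerminateSession", arn))
    print(overlapping_usernames(["JohnDoe", "JaneRoe", "JohnDoe-ops"]))
```

Run `overlapping_usernames` over your account's IAM user names before relying on a `${aws:username}-*` resource pattern; any pair it returns means the shorter name's policy also matches the longer name's sessions.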

For more information about using variables in IAM policies, see IAM Policy Elements: Variables.

For information about how to create policies and attach them to IAM users or groups, see Creating IAM Policies and Adding and Removing IAM Policies in the IAM User Guide.