AWS Systems Manager
User Guide

Step 6: (Optional) Disable or Enable ssm-user Account Administrative Permissions

When a version of SSM Agent that supports Session Manager starts on an instance, it creates a user account with root or administrator privileges called ssm-user. On Linux machines, the account is added to /etc/sudoers. On Windows machines, it is added to the Administrators group. Sessions are launched using the credentials of this user account.

If you want to prevent Session Manager users from running administrative commands on an instance, you can update its ssm-user permissions. You can also restore these permissions after they have been removed.

Manage ssm-user sudo Account Permissions on Linux

Use one of the following procedures to disable or enable the ssm-user account sudo permissions on Linux instances:

Use Run Command to modify ssm-user sudo permissions

  • Use the procedure in Running Commands from the Console with the following values:

    • In the Command document list, choose AWS-RunShellScript.

    • To remove sudo access, in the Command parameters area, paste the following in the Commands box:

      cd /etc/sudoers.d
      echo "#User rules for ssm-user" > ssm-agent-users

      -or-

      To restore sudo access, in the Command parameters area, paste the following in the Commands box:

      cd /etc/sudoers.d
      echo "ssm-user ALL=(ALL) NOPASSWD:ALL" >> ssm-agent-users

Use the command line to modify ssm-user sudo permissions

  1. Connect to the instance and run the following command:

    cd /etc/sudoers.d
  2. Open the file named ssm-agent-users for editing with root privileges (for example, sudo visudo -f ssm-agent-users).

  3. To remove sudo access, delete the following line:

    ssm-user ALL=(ALL) NOPASSWD:ALL

    -or-

    To restore sudo access, add the following line:

    ssm-user ALL=(ALL) NOPASSWD:ALL
  4. Save the file.
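The two Linux procedures above both edit the same sudoers.d file. The following script is an added example and is not part of the AWS guide: it wraps the disable/restore steps in functions, writes the new file contents to a temporary name that sudo ignores, syntax-checks them with visudo before moving them into place, and reports the current state. The rule line and the file name ssm-agent-users are the ones the guide uses; the optional directory argument (defaulting to /etc/sudoers.d) is an assumption added so the functions can be exercised outside a real instance. On an instance it must run as root.

```shell
#!/bin/sh
# Added example, not from the AWS guide: manage the ssm-user sudo rule in a
# sudoers.d directory and verify the result. The rule line and the file name
# come from the guide; the directory argument is an assumption (default
# /etc/sudoers.d). Real use on an instance requires root.

SSM_RULE='ssm-user ALL=(ALL) NOPASSWD:ALL'
SSM_FILE='ssm-agent-users'

# Report whether the NOPASSWD rule is present: prints "enabled" or "disabled".
ssm_sudo_state() {
    dir="${1:-/etc/sudoers.d}"
    if [ -f "$dir/$SSM_FILE" ] && grep -qxF "$SSM_RULE" "$dir/$SSM_FILE"; then
        echo enabled
    else
        echo disabled
    fi
}

# Install new contents (read from stdin) for the rule file: write to a temporary
# name sudo ignores (sudoers.d skips names containing '.'), syntax-check it with
# visudo when running as root, set the 0440 mode sudo expects, then rename it
# into place so the live file is never half-written.
ssm_sudo_install() {
    dir="$1"
    tmp="$dir/.$SSM_FILE.tmp"
    rm -f "$tmp"
    cat > "$tmp"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    chmod 0440 "$tmp"
    mv -f "$tmp" "$dir/$SSM_FILE"
}

# Remove sudo access: the file keeps only the comment header.
ssm_sudo_disable() {
    dir="${1:-/etc/sudoers.d}"
    printf '#User rules for ssm-user\n' | ssm_sudo_install "$dir"
}

# Restore sudo access: header plus the rule. Rewriting the whole file keeps
# this idempotent, so repeated runs never duplicate the rule line.
ssm_sudo_enable() {
    dir="${1:-/etc/sudoers.d}"
    printf '#User rules for ssm-user\n%s\n' "$SSM_RULE" | ssm_sudo_install "$dir"
}

# Command-line use: ./ssm-sudo.sh status|disable|enable [sudoers_dir]
if [ $# -gt 0 ]; then
    case "$1" in
        status)  ssm_sudo_state "${2:-}" ;;
        disable) ssm_sudo_disable "${2:-}" && ssm_sudo_state "${2:-}" ;;
        enable)  ssm_sudo_enable "${2:-}" && ssm_sudo_state "${2:-}" ;;
        *) echo "usage: $0 status|disable|enable [sudoers_dir]" >&2; exit 2 ;;
    esac
fi
```

Run it as `sudo ./ssm-sudo.sh status` to see the current state before changing anything, then `sudo ./ssm-sudo.sh disable` or `enable`. Because the file is rewritten from a fixed template rather than edited in place, the result is the same whichever of the two console or Run Command procedures was used before.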

Manage ssm-user Administrator Account Permissions on Windows Server

Use one of the following procedures to disable or enable the ssm-user account Administrator permissions on Windows Server instances:

Use Run Command to modify Administrator permissions

  • Use the procedure in Running Commands from the Console with the following values:

    • In the Command document list, choose AWS-RunPowerShellScript.

    • To remove administrative access, in the Command parameters area, paste the following in the Commands box:

      net localgroup "Administrators" "ssm-user" /delete

      -or-

      To restore administrative access, in the Command parameters area, paste the following in the Commands box:

      net localgroup "Administrators" "ssm-user" /add

Use the PowerShell or Command Prompt window to modify Administrator permissions

  1. Connect to the instance and open the PowerShell or Command Prompt window.

  2. To remove administrative access, run the following command:

    net localgroup "Administrators" "ssm-user" /delete

    -or-

    To restore administrative access, run the following command:

    net localgroup "Administrators" "ssm-user" /add

Use the Windows console to modify Administrator permissions

  1. Connect to the instance and open the PowerShell or Command Prompt window.

  2. From the command line, run lusrmgr.msc to open the Local Users and Groups console.

  3. Open the Users directory, and then open ssm-user.

  4. On the Member Of tab, do one of the following:

    • To remove administrative access, select Administrators, and then choose Remove.

      -or-

      To restore administrative access, type Administrators in the text box, and then choose Add.

  5. Choose OK.