Control access to maintenance windows (console) - AWS Systems Manager

The following procedures describe how to use the AWS Systems Manager console to create the required roles and permissions for maintenance windows.

Task 1: (Optional) Create a custom service role for maintenance windows (console)

Use the following procedure to create a custom service role for the Maintenance Windows capability so that Systems Manager can run tasks on your behalf.

Important

A custom service role is not required if you choose to use a Systems Manager service-linked role to let maintenance windows run tasks on your behalf instead. If you do not have a Systems Manager service-linked role in your account, you can create it when you create or update a maintenance window task using the Systems Manager console. For more information, see the following topics:

To create a custom service role (console)

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles, and then choose Create role.

  3. Make the following selections:

    1. In the Select type of trusted entity area, choose AWS service.

    2. In the Choose the service that will use this role area, choose Systems Manager.

  4. Choose Next: Permissions.

  5. In the list of policies, select the box next to AmazonSSMMaintenanceWindowRole, and then choose Next: Tags.

  6. (Optional) Add one or more tag-key value pairs to organize, track, or control access for this role, and then choose Next: Review.

  7. In Role name, enter a name that identifies this role as a Maintenance Windows role; for example my-maintenance-window-role.

  8. (Optional) Change the default role description to reflect the purpose of this role. For example: Performs maintenance window tasks on your behalf.

  9. Choose Create role. The system returns you to the Roles page.

  10. Choose the name of the role you just created.

  11. Choose the Trust relationships tab, and then choose Edit trust relationship.

  12. Verify that the following policy appears in the Policy Document field:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": "ssm.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

  13. Choose Update Trust Policy, and then copy or make a note of the role name and the Role ARN value on the Summary page. You specify this information when you create your maintenance window.

  14. (Optional) If you plan to configure a maintenance window to send notifications about command statuses using Amazon SNS, when run through a Run Command command task, do the following:

    1. Choose the Permissions tab.

    2. Choose Add inline policy, and then choose the JSON tab.

    3. In Policy Document, paste the following:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "iam:PassRole",
                  "Resource": "sns-access-role-arn"
              }
          ]
      }

      Replace sns-access-role-arn with the ARN of the existing IAM role to use to send Amazon Simple Notification Service (Amazon SNS) notifications related to the maintenance window, in the format of arn:aws:iam::account-id:role/role-name. For example: arn:aws:iam::123456789012:role/my-sns-access-role. For information about configuring Amazon SNS notifications for Systems Manager, including information about creating an IAM role to use for sending SNS notifications, see Monitoring Systems Manager status changes using Amazon SNS notifications.

      Note

      In the Systems Manager console, this ARN is selected in the IAM Role list on the Register run command task page. For information, see Assign tasks to a maintenance window (console). In the Systems Manager API, this ARN is entered as the value of ServiceRoleArn in the SendCommand request.

    4. Choose Review policy.

    5. For Name, enter a name to identify this as a policy to allow sending Amazon SNS notifications.

    6. Choose Create policy.

Task 2: Assign the IAM PassRole policy to an IAM user or group (console)

When you register a task with a maintenance window, you specify either a custom service role or a Systems Manager service-linked role to run the actual task operations. This is the role that the service assumes when it runs tasks on your behalf. Before that, to register the task itself, the IAM user or IAM group doing the registering must hold the iam:PassRole permission for that role. This allows the user or group to specify, as part of registering tasks with the maintenance window, the role that should be used when running them. Because iam:PassRole is what lets a principal hand a role's permissions to a service, scope its Resource to the specific maintenance window role rather than to all roles; otherwise the same user could pass a more privileged role to the task. For information, see Granting a User Permissions to Pass a Role to an AWS Service in the IAM User Guide.

Depending on whether you are assigning the iam:PassRole permission to an individual user or to a group, use one of the following procedures to grant the minimum permissions required to register tasks with a maintenance window.

To assign the IAM PassRole policy to an IAM user account (console)

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Users, and then choose the name of the user account you want to update.

  3. On the Permissions tab, in the policies list, verify that the AmazonSSMFullAccess policy is listed, or that a comparable policy gives the IAM user permission to call the Systems Manager API. Add the permission if it is not already included. For information, see Adding and Removing IAM Policies (Console) in the IAM User Guide.

  4. Choose Add inline policy, and then choose the JSON tab.

  5. In Policy Document, paste the following:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": "custom-role-arn"
            },
            {
                "Effect": "Allow",
                "Action": "iam:ListRoles",
                "Resource": "arn:aws:iam::account-id:role/"
            },
            {
                "Effect": "Allow",
                "Action": "iam:ListRoles",
                "Resource": "arn:aws:iam::account-id:role/aws-service-role/ssm.amazonaws.com/"
            }
        ]
    }

    Replace custom-role-arn with the ARN of the custom maintenance window role you created earlier, such as arn:aws:iam::123456789012:role/my-maintenance-window-role.

    Replace account-id in the two iam:ListRoles permissions with the ID of your AWS account. Adding this permission for the resource arn:aws:iam::account-id:role/ allows a user to view and choose from customer roles in the console when they create a maintenance window task. Adding this permission for arn:aws:iam::account-id:role/aws-service-role/ssm.amazonaws.com/ allows a user to choose the Systems Manager service-linked role in the console when they create a maintenance window task.

  6. Choose Review policy.

  7. On the Review policy page, enter a name in the Name box to identify this PassRole policy, such as my-iam-passrole-policy, and then choose Create policy.

To assign the IAM PassRole policy to an IAM group (console)

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Groups.

  3. In the list of groups, select the name of the group you want to assign the iam:PassRole permission to.

  4. On the Permissions tab, in the Inline Policies section, do one of the following:

    • If no inline policies have been added yet, choose the click here link.

    • If one or more inline policies have been added, choose Create Group Policy.

  5. Select Custom Policy, and then choose Select.

  6. For Policy Name, enter a name to identify this as a maintenance windows PassRole policy for your group, such as my-group-iam-passrole-policy.

  7. In Policy Document, paste the following:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": "custom-role-arn"
            },
            {
                "Effect": "Allow",
                "Action": "iam:ListRoles",
                "Resource": "arn:aws:iam::account-id:role/"
            },
            {
                "Effect": "Allow",
                "Action": "iam:ListRoles",
                "Resource": "arn:aws:iam::account-id:role/aws-service-role/ssm.amazonaws.com/"
            }
        ]
    }

    Replace custom-role-arn with the ARN of the custom maintenance window role you created earlier, such as arn:aws:iam::123456789012:role/my-maintenance-window-role.

    Replace account-id in the two iam:ListRoles permissions with the ID of your AWS account. Adding this permission for the resource arn:aws:iam::account-id:role/ allows users in the group to view and choose from customer roles in the console when they create a maintenance window task. Adding this permission for arn:aws:iam::account-id:role/aws-service-role/ssm.amazonaws.com/ allows users in the group to choose the Systems Manager service-linked role in the console when they create a maintenance window task.

  8. Choose Apply Policy.
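The following Python script is an added example and is not part of the AWS documentation or of any AWS tooling. It assembles the trust policy from Task 1 and the PassRole policy from Task 2 as Python dictionaries and checks them offline with a simplified IAM matcher (wildcard matching and Deny-over-Allow only; no Condition handling). The account ID, the role name my-maintenance-window-role and the AdministratorAccessRole name are placeholders. The point it demonstrates goes slightly beyond the page: with the Resource of iam:PassRole set to the one maintenance window role, the user can pass only that role; with a wildcard Resource, the same policy lets the user pass any role in the account, including an administrative one, to a maintenance window task.

```python
import json
import re

# Placeholder values for the example (the sample ARN is the one the page uses).
ACCOUNT_ID = "123456789012"
MW_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/my-maintenance-window-role"
# Hypothetical high-privilege role, used only to show what an unscoped PassRole permits.
ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AdministratorAccessRole"


def _as_list(value):
    """IAM allows a string or a list for Action, Resource and Principal values."""
    return value if isinstance(value, list) else [value]


def _glob_match(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def trust_policy(service: str = "ssm.amazonaws.com") -> dict:
    """Trust policy the custom maintenance window role must carry (Task 1, step 12)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {"Service": service},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def trusts_only(policy: dict, service: str) -> bool:
    """True when every Allow of sts:AssumeRole names exactly this service principal.

    A Principal of "*" or an extra account principal would let something other
    than Systems Manager assume the role.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if stmt.get("Principal") != {"Service": service}:
            return False
    return True


def passrole_policy(role_arn: str, account_id: str = ACCOUNT_ID) -> dict:
    """Inline policy for the user or group that registers tasks (Task 2)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iam:PassRole", "Resource": role_arn},
            {"Effect": "Allow", "Action": "iam:ListRoles",
             "Resource": f"arn:aws:iam::{account_id}:role/"},
            {"Effect": "Allow", "Action": "iam:ListRoles",
             "Resource": f"arn:aws:iam::{account_id}:role/aws-service-role/ssm.amazonaws.com/"},
        ],
    }


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation of one identity policy: a matching explicit Deny wins,
    otherwise the request is allowed only if some Allow statement matches.
    Action names are case-insensitive in IAM; ARNs are not. Conditions are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_pass_role(policy: dict, role_arn: str) -> bool:
    """Would this policy let its principal pass role_arn to a service?"""
    return policy_allows(policy, "iam:PassRole", role_arn)


def unscoped_passrole_resources(policy: dict) -> list:
    """Resources of Allow statements covering iam:PassRole that contain a wildcard.
    Anything returned here lets the principal pass more than the one intended role."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_glob_match(a, "iam:PassRole", True) for a in _as_list(stmt["Action"])):
            continue
        hits.extend(r for r in _as_list(stmt["Resource"]) if "*" in r or "?" in r)
    return hits


if __name__ == "__main__":
    scoped = passrole_policy(MW_ROLE_ARN)
    wildcard = passrole_policy("*")
    print(json.dumps(scoped, indent=4))
    for name, pol in (("scoped", scoped), ("wildcard", wildcard)):
        print(f"{name}: pass maintenance role={can_pass_role(pol, MW_ROLE_ARN)}"
              f" pass admin role={can_pass_role(pol, ADMIN_ROLE_ARN)}"
              f" unscoped={unscoped_passrole_resources(pol)}")
```

Running the script prints the scoped policy as JSON you can paste into the Policy Document field, then shows that the scoped version passes only my-maintenance-window-role while the wildcard version also passes the administrative role. The unscoped_passrole_resources check is the review you would run over any inline policy before attaching it to a user or group.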