Working with associations using IAM - AWS Systems Manager

Working with associations using IAM

State Manager, a capability of AWS Systems Manager, uses targets to choose which instances you configure your associations with. Originally, associations were created by specifying a document name (Name) and instance ID (InstanceId). This created an association between a document and an instance or managed node, and associations were identified by these two parameters. These parameters are now deprecated, but they're still supported. To support them, the instance and managed-instance resource types were added to the actions that accept Name and InstanceId.

AWS Identity and Access Management (IAM) policy enforcement behavior depends on the type of resource specified. Resources for State Manager operations are only enforced based on the passed-in request. State Manager doesn't perform a deep check for the properties of resources in your account. A request is only validated against policy resources if the request parameter contains the specified policy resources. For example, if you specify an instance in the resource block, the policy is enforced if the request uses the InstanceId parameter. The Targets parameter for each resource in the account isn't checked for that InstanceId.

Following are some cases with confusing behavior:

  • DescribeAssociation, DeleteAssociation, and UpdateAssociation use instance, managed-instance, and document resources to specify the deprecated way of referring to associations. This includes all associations created with the deprecated InstanceId parameter.

  • CreateAssociation, CreateAssociationBatch, and UpdateAssociation use instance and managed-instance resources to specify the deprecated way of referring to associations. This includes all associations created with the deprecated InstanceId parameter. The document resource type is part of the deprecated way of referring to associations and is an actual property of an association. This means you can construct IAM policies with Allow or Deny permissions for both Create and Update actions based on document name.
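The following Python script is an added illustration of the enforcement behavior described above; it is not AWS code and not the real IAM evaluator. It builds a policy that allows association actions on one document and on EC2 instances, adds an explicit Deny for one instance, and then evaluates four CreateAssociation requests with a simplified model of IAM semantics. The region, account ID, instance IDs and the evaluation rules (explicit Deny on any request resource wins, every request resource must be covered by an Allow, a request with no resource-level ARNs matches only `Resource: "*"`) are assumptions of this model; the ARN formats follow the Service Authorization Reference. The point it shows is the one in the text: an instance-scoped Deny only fires when the request carries InstanceId, so the same association created through Targets is judged on the document resource alone.

```python
"""Simplified model of resource-scoped IAM enforcement for State Manager.

Added example, not AWS code. Only the deprecated identifiers in the request
(Name, InstanceId) are mapped to resource ARNs; the Targets parameter never is,
which is why instance-scoped statements do not apply to Targets-based requests.
"""
import fnmatch

REGION = "us-east-1"        # constructed sample values
ACCOUNT = "123456789012"


def document_arn(name):
    return f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/{name}"


def instance_arn(instance_id):
    # EC2 instances and managed (hybrid) nodes use different ARN formats.
    if instance_id.startswith("mi-"):
        return f"arn:aws:ssm:{REGION}:{ACCOUNT}:managed-instance/{instance_id}"
    return f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{instance_id}"


def request_resource_arns(params):
    """Derive resource ARNs from the parameters actually present in the request."""
    arns = []
    if "Name" in params:
        arns.append(document_arn(params["Name"]))
    if "InstanceId" in params:
        arns.append(instance_arn(params["InstanceId"]))
    return arns  # Targets contributes nothing, as described in the text


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, arn):
    action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(arn, r) for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok


def evaluate(policy, action, params):
    """Return "Allow" or "Deny" under the simplified semantics (assumption):
    explicit Deny on any request resource wins; otherwise every request
    resource needs an Allow; a request with no ARNs only matches Resource "*"."""
    arns = request_resource_arns(params) or ["*"]
    statements = policy["Statement"]
    for stmt in statements:
        if stmt["Effect"] == "Deny" and any(_statement_matches(stmt, action, a) for a in arns):
            return "Deny"
    covered = all(
        any(s["Effect"] == "Allow" and _statement_matches(s, action, a) for s in statements)
        for a in arns
    )
    return "Allow" if covered else "Deny"


# Constructed policy: allow one document on any EC2 instance, deny one instance.
DENIED_INSTANCE = "i-0b0000000000000ad"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:CreateAssociation", "ssm:UpdateAssociation"],
         "Resource": [document_arn("AWS-UpdateSSMAgent"), instance_arn("i-*")]},
        {"Effect": "Deny",
         "Action": "ssm:CreateAssociation",
         "Resource": instance_arn(DENIED_INSTANCE)},
    ],
}


def scenarios():
    """Evaluate four CreateAssociation requests against POLICY."""
    name, good = "AWS-UpdateSSMAgent", "i-0123456789abcdef0"
    action = "ssm:CreateAssociation"
    return {
        # InstanceId present: both document and instance ARNs are checked.
        "instanceid_allowed": evaluate(POLICY, action, {"Name": name, "InstanceId": good}),
        "instanceid_denied": evaluate(POLICY, action, {"Name": name, "InstanceId": DENIED_INSTANCE}),
        # Same instance via Targets: the instance Deny is never consulted.
        "targets_bypasses_instance_deny": evaluate(
            POLICY, action,
            {"Name": name, "Targets": [{"Key": "InstanceIds", "Values": [DENIED_INSTANCE]}]}),
        # Document resource is still enforced for Targets-based requests.
        "targets_other_document": evaluate(
            POLICY, action,
            {"Name": "AWS-RunPatchBaseline", "Targets": [{"Key": "InstanceIds", "Values": [good]}]}),
    }


if __name__ == "__main__":
    for case, decision in scenarios().items():
        print(f"{case}: {decision}")
```

The third scenario is the practical takeaway for policy authors: if you need to keep an association off a particular node, a Deny on the instance or managed-instance ARN only covers the deprecated InstanceId form of the request, so the document resource, or a separate control on the node itself, is what actually constrains Targets-based associations.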

For more information about using IAM policies with Systems Manager, see Identity and access management for AWS Systems Manager or Actions, resources, and condition keys for AWS Systems Manager in the Service Authorization Reference.