SSM IAM policy

AWS Systems Manager (service prefix: ssm) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies. With IAM identity-based policies, you can specify allowed or denied actions and resources and the conditions under which actions are allowed or denied. Systems Manager supports specific actions, resources, and condition keys; you can specify the following actions in the Action element of an IAM policy statement. You can use the following methods in the AWS CLI, SDKs, or API. To learn about all of the elements that you use in a JSON policy, see the IAM JSON policy elements reference in the IAM User Guide. Learn how to grant IAM users and roles permission to create or modify Systems Manager resources and perform tasks using the AWS CLI, API, or console.

When using IAM policies to restrict access to Systems Manager parameters, we recommend that you create and use restrictive IAM policies. For example, the following policy allows a user to call the DescribeParameters and GetParameters API operations for a limited set of resources. This means that the user can get information about and use all parameters that begin with prod-*. In this article, we'll demonstrate how to create an AWS Identity and Access Management (IAM) policy that grants access to the ssm:GetParameter action, allowing you to securely retrieve parameter values.

Learn how to configure Amazon EC2 instance permissions for Systems Manager using the Default Host Management Configuration or an IAM instance profile. In this hands-on lab, we'll be dissecting the IAM role required by an EC2 instance to be able to communicate with the Systems Manager service. We'll first locate the AWS managed policy required for this role and create an EC2 instance via the command line, assigning it the instance profile (the container for the assigned role). Finally, we'll verify that Systems Manager (SSM) can detect the instance. This policy provides the necessary permissions for SSM to work properly without granting full access to SSM, EC2, or other resources. By applying the principle of least privilege, we ensure that the instance can communicate with SSM efficiently and securely, without exposing excessive permissions.

I'm trying to have an IAM user who can only use SSM Run Command with a specific Document. If I have the following policy attached to the user, that user can indeed only successfully execute the AWS-RunShellScript document (which is AWS managed) on EC2 instances.

To allow users to connect to Session Manager, first create an IAM policy that grants StartSession access to the IAM user. Then, attach the IAM policy to the IAM user. Complete the following steps: Open the IAM console. In the navigation pane, under Access management, choose Policies. The following IAM policy allows a user to fully interact with all managed nodes and all sessions created by all users for all nodes. It should be granted only to an administrator who needs full control over your organization's Session Manager activities. SSM-SessionManagerRunShell is the default name of the SSM document that Session Manager creates to store your session configuration preferences. You can create a custom Session document and specify it in this policy instead.

You can attach the AWS-SSM-Automation-DiagnosisBucketPolicy policy to your IAM identities. Systems Manager also attaches this policy to an IAM role that allows Systems Manager to perform diagnosis actions on your behalf.