Configuring Access Using Systems Manager Managed Policies
IAM managed policies for Systems Manager can help you quickly configure access and permissions for Systems Manager users and instances. Managed policies perform the following functions:
AmazonEC2RoleforSSM (instance trust policy): Enables an instance to communicate with the Systems Manager API.
AmazonSSMAutomationRole (service role): Provides permissions for the EC2 Automation service to execute activities defined within Automation documents.
AmazonSSMFullAccess (user trust policy): Grants the user access to the Systems Manager API and documents. Assign this policy to administrators and trusted power users.
AmazonSSMMaintenanceWindowRole (service role): Service role for EC2 Maintenance Windows.
AmazonSSMReadOnlyAccess (user trust policy): Grants the user access to Systems Manager read-only API actions, such as Get and List.
If you want to create your own custom roles and policies, see Configuring Access Using Custom Roles and Policies.
Task 1: Create a User Account for Systems Manager
If your IAM user account has administrator access in your VPC, then you have permission to call the Systems Manager API on an instance. If you like, you can create a unique user account specifically for managing instances with Systems Manager. Use the following procedure to create a new user that uses an IAM managed policy for Systems Manager.
To create a user account for Systems Manager
From the Users page on the IAM console, choose Add User.
In the Set user details section, specify a user name (for example, SystemsManagerUserFullAccess or SystemsManagerUserReadOnly).
In the Select AWS access type section, choose one or both access options. If you choose AWS Management Console access, you must also choose password options.
Choose Next: Permissions.
In the Set permissions for section, choose Attach existing policies directly.
In the filter field, type AmazonSSM.
Choose either the checkbox beside AmazonSSMFullAccess or AmazonSSMReadOnlyAccess, and then choose Next: Review.
Verify the details, and then choose Create.
Important
If you specified password information for the user, review the password information carefully after the user account is created.
Task 2: Create a Role for Systems Manager Managed Instances
Use the following procedure to create an instance role that enables an instance to communicate with the Systems Manager API. After you create the role, you can assign it to new instances as described in Task 3.
To create a role for Systems Manager managed instances
Open the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Roles, and then choose Create New Role.
In Step 1: Set Role Name, enter a name that identifies this role as a Systems Manager role for managed instances.
In Step 2: Select Role Type, choose Amazon EC2. The system skips Step 3: Establish Trust because this is a managed policy.
In Step 4: Attach Policy, choose the AmazonEC2RoleforSSM managed policy.
In Step 5: Review, make a note of the role name. You will specify this role name when you create new instances that you want to manage using Systems Manager.
Choose Create Role. The system returns you to the Roles page.
Task 3: Create an Amazon EC2 Instance that Uses the Systems Manager Role
This procedure describes how to create an Amazon EC2 instance that uses the role you just created. You must assign a role to an EC2 instance when you launch it. You can't assign a role to an instance that is already running. If you want to use the role you just created on an existing instance, you must create an image of the instance, and then launch an instance from that image with the role assigned. For more information about creating an AMI, see Creating an Amazon EBS-Backed Linux AMI.
To create an instance that uses the Systems Manager instance role
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
Select a supported region.
Choose Launch Instance and select a Linux instance.
Choose your instance type and then choose Next: Configure Instance Details.
In the IAM role drop-down list, choose the EC2 instance role you created earlier.
Complete the wizard.
If you create other instances that you want to configure using Systems Manager, you must specify the Systems Manager instance role for each instance.
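The three tasks above are console procedures. The following script is an added example, not part of the AWS documentation, that performs the same steps with the AWS CLI: it attaches AmazonSSMReadOnlyAccess or AmazonSSMFullAccess to a user (Task 1), creates an instance role trusted by the EC2 service with AmazonEC2RoleforSSM attached (Task 2), and launches an instance with that role (Task 3). It assumes the AWS CLI is installed and configured with credentials that can administer IAM and EC2; the user name, role name, AMI ID and instance type are placeholder values you supply.

```shell
#!/bin/sh
# Added example: CLI equivalent of Tasks 1-3 (not from the AWS documentation page).
# Assumes a configured AWS CLI with IAM/EC2 administrator credentials.
set -e

# Map the managed policy names used on the page to their policy ARNs.
ssm_policy_arn() {
  case "$1" in
    AmazonEC2RoleforSSM)     echo "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM" ;;
    AmazonSSMFullAccess)     echo "arn:aws:iam::aws:policy/AmazonSSMFullAccess" ;;
    AmazonSSMReadOnlyAccess) echo "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess" ;;
    *) echo "unknown managed policy: $1" >&2; return 1 ;;
  esac
}

# Trust policy that lets only the EC2 service assume the instance role. This is
# what choosing the "Amazon EC2" role type in the console generates for you.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Task 1: create a user and attach one of the two user policies. The second
# argument defaults to read-only, the least-privilege choice for most users.
create_ssm_user() {
  user="$1"; policy="${2:-AmazonSSMReadOnlyAccess}"
  aws iam create-user --user-name "$user"
  aws iam attach-user-policy --user-name "$user" \
    --policy-arn "$(ssm_policy_arn "$policy")"
}

# Task 2: create the instance role. Unlike the console, the CLI does not create
# an instance profile for you, so it is created and linked to the role here.
create_ssm_instance_role() {
  role="$1"
  aws iam create-role --role-name "$role" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  aws iam attach-role-policy --role-name "$role" \
    --policy-arn "$(ssm_policy_arn AmazonEC2RoleforSSM)"
  aws iam create-instance-profile --instance-profile-name "$role"
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$role" --role-name "$role"
}

# Check: list the policies actually attached to the role, so you can confirm it
# carries AmazonEC2RoleforSSM and nothing broader before using it on instances.
verify_instance_role() {
  aws iam list-attached-role-policies --role-name "$1" \
    --query 'AttachedPolicies[].PolicyArn' --output text
}

# Task 3: the role must be supplied at launch time, via the instance profile.
launch_managed_instance() {
  role="$1"; ami="$2"; itype="${3:-t2.micro}"
  aws ec2 run-instances --image-id "$ami" --instance-type "$itype" \
    --iam-instance-profile "Name=$role" \
    --query 'Instances[0].InstanceId' --output text
}

# Usage (placeholder names; uncomment to run against your account):
# create_ssm_user SystemsManagerUserReadOnly
# create_ssm_instance_role SSMManagedInstanceRole
# verify_instance_role SSMManagedInstanceRole
# launch_managed_instance SSMManagedInstanceRole ami-PLACEHOLDER t2.micro
```

If the user also needs AWS Management Console access (the option in step 3 of Task 1), create a console password separately with `aws iam create-login-profile`; the commands above grant API access only. The `verify_instance_role` check is worth running after Task 2 because an instance role that accumulates extra policies over time is inherited by every instance launched with it.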