Configuring roles and permissions for Systems Manager Explorer - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configuring roles and permissions for Systems Manager Explorer

Integrated Setup automatically creates and configures Amazon Identity and Access Management (IAM) roles for Amazon Systems Manager Explorer and Amazon Systems Manager OpsCenter. If you completed Integrated Setup, then you don't need to perform any additional tasks to configure roles and permissions for Explorer. However, you must still configure permissions for OpsCenter, as described later in this topic.

About the roles created by integrated setup

Integrated Setup creates and configures the following roles for working with Explorer and OpsCenter.

  • AWSServiceRoleForAmazonSSM: Provides access to Amazon resources managed or used by Systems Manager.

  • OpsItem-CWE-Role: Allows CloudWatch Events and EventBridge to create OpsItems in response to common events.

  • AWSServiceRoleForAmazonSSM_AccountDiscovery: Allows Systems Manager to call other Amazon Web Services to discover Amazon Web Services account information when synchronizing data. For more information about this role, see About the AWSServiceRoleForAmazonSSM_AccountDiscovery role.

  • AmazonSSMExplorerExport: Allows Explorer to export OpsData to a comma-separated value (CSV) file.

About the AWSServiceRoleForAmazonSSM_AccountDiscovery role

If you configure Explorer to display data from multiple accounts and Regions by using Amazon Organizations and a resource data sync, then Systems Manager creates a service-linked role. Systems Manager uses this role to get information about your Amazon Web Services accounts in Amazon Organizations. The role uses the following permissions policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListChildren",
        "organizations:ListParents"
      ],
      "Resource": "*"
    }
  ]
}

For more information about the AWSServiceRoleForAmazonSSM_AccountDiscovery role, see Using roles to collect Amazon Web Services account information for OpsCenter and Explorer.

Configuring permissions for Systems Manager OpsCenter

After you complete Integrated Setup, you must configure user, group, or role permissions so that users can perform actions in OpsCenter.

Before you begin

You can configure OpsCenter to create and manage OpsItems across multiple accounts or in a single account. If you configure OpsCenter for multiple accounts, the Amazon Organizations management account can manually create, view, or edit OpsItems in other accounts. If required, you can also select the Systems Manager delegated administrator account to create and manage OpsItems in member accounts. If you configure OpsCenter for a single account, however, you can only view or edit OpsItems in the account where they were created; you can't share or transfer OpsItems across Amazon Web Services accounts. For this reason, we recommend that you configure permissions for OpsCenter in the Amazon Web Services account that runs your Amazon workloads, and then create users or groups in that account. In this way, multiple operations engineers or IT professionals can create, view, and edit OpsItems in the same Amazon Web Services account.

Explorer and OpsCenter use the following API operations. You can use all features of Explorer and OpsCenter if your user, group, or role has access to these actions. You can also grant more restrictive access, as described later in this section.

If you prefer, you can grant read-only permissions by adding the following inline policy to your user, group, or role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetOpsItem",
        "ssm:GetOpsSummary",
        "ssm:DescribeOpsItems",
        "ssm:GetServiceSetting",
        "ssm:ListResourceDataSync"
      ],
      "Resource": "*"
    }
  ]
}

For more information about creating and editing IAM policies, see Creating IAM Policies in the IAM User Guide. For information about how to assign this policy to an IAM group, see Attaching a Policy to an IAM Group.

To grant full access to OpsCenter and resource data syncs, create a policy from the following and attach it to your users, groups, or roles:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetOpsItem",
        "ssm:UpdateOpsItem",
        "ssm:DescribeOpsItems",
        "ssm:CreateOpsItem",
        "ssm:CreateResourceDataSync",
        "ssm:DeleteResourceDataSync",
        "ssm:ListResourceDataSync",
        "ssm:UpdateResourceDataSync"
      ],
      "Resource": "*"
    }
  ]
}

Depending on the identity application that you use in your organization, you can choose from several options to configure user access. In each case, you provide access by adding permissions to your users, groups, or roles.

Restricting access to OpsItems by using tags

You can also restrict access to OpsItems by using an inline IAM policy that specifies tags. Here is an example that specifies a tag key of Department and a tag value of Finance. With this policy, the user can only call the GetOpsItem API operation, and only for OpsItems that were previously tagged with Key=Department and Value=Finance. Users can't view any other OpsItems. OpsItems that carry no Department tag at all are also not visible, because the condition key is absent from the request and the StringEquals condition therefore evaluates to false.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetOpsItem"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/Department": "Finance"
        }
      }
    }
  ]
}

Here is an example that specifies API operations for viewing and updating OpsItems. This policy also specifies two tag key-value pairs, Department=Finance and Project=Unity. Because both keys appear in the same StringEquals block, both must match: an OpsItem tagged only Department=Finance, or tagged Project=Unity under a different department, doesn't satisfy the condition.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetOpsItem",
        "ssm:UpdateOpsItem"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/Department": "Finance",
          "ssm:resourceTag/Project": "Unity"
        }
      }
    }
  ]
}
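The policies in this section (the read-only policy, the full-access policy, and the two tag-scoped examples) can be checked offline before you attach them to anyone. The following Python is an added example and is not code from the Systems Manager documentation; it models only the IAM features these policies use (Allow and Deny effects, wildcard action names, and StringEquals conditions on ssm:resourceTag/<Key>), and the OpsItem IDs and tags it evaluates against are constructed sample data. Its visible_opsitems function shows which sample OpsItems each policy lets a principal read, and allowed_actions shows how the read-only policy differs from the full one.

```python
"""Offline evaluator for the OpsCenter IAM policies on this page.

Added example; not code from the Systems Manager documentation. It implements
only the slice of IAM evaluation these policies need: Allow/Deny, wildcard
action matching, and StringEquals on ssm:resourceTag/<Key>. The OpsItem IDs
and tags below are constructed sample data.
"""
import fnmatch

# Read-only policy from the page.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:GetOpsItem", "ssm:GetOpsSummary", "ssm:DescribeOpsItems",
                   "ssm:GetServiceSetting", "ssm:ListResourceDataSync"],
        "Resource": "*",
    }],
}

# Full OpsCenter/Explorer policy from the page.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:GetOpsItem", "ssm:UpdateOpsItem", "ssm:DescribeOpsItems",
                   "ssm:CreateOpsItem", "ssm:CreateResourceDataSync",
                   "ssm:DeleteResourceDataSync", "ssm:ListResourceDataSync",
                   "ssm:UpdateResourceDataSync"],
        "Resource": "*",
    }],
}

# Tag-scoped policy from the page: view/update only Department=Finance AND Project=Unity.
TAG_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:GetOpsItem", "ssm:UpdateOpsItem"],
        "Resource": "*",
        "Condition": {"StringEquals": {"ssm:resourceTag/Department": "Finance",
                                       "ssm:resourceTag/Project": "Unity"}},
    }],
}

# Constructed sample OpsItems (hypothetical IDs) and their tags.
OPSITEMS = {
    "oi-finance-unity": {"Department": "Finance", "Project": "Unity"},
    "oi-finance-apollo": {"Department": "Finance", "Project": "Apollo"},
    "oi-untagged": {},
}

TAG_PREFIX = "ssm:resourceTag/"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, tags):
    """All keys in a StringEquals block must match (they are ANDed).

    A tag missing from the resource leaves the condition key absent from the
    request context, so StringEquals evaluates to false, as IAM does.
    """
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for ctx_key, expected in pairs.items():
            if not ctx_key.startswith(TAG_PREFIX):
                raise NotImplementedError(f"context key {ctx_key} is not modelled here")
            actual = tags.get(ctx_key[len(TAG_PREFIX):])
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, tags=None):
    """Decide `action` on a resource carrying `tags`: default deny, explicit Deny wins."""
    tags = tags or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def allowed_actions(policy, actions, tags=None):
    """Subset of `actions` the policy permits on a resource with `tags`."""
    return sorted(a for a in actions if is_allowed(policy, a, tags))


def visible_opsitems(policy, opsitems):
    """OpsItems the principal can read with ssm:GetOpsItem under `policy`."""
    return sorted(i for i, t in opsitems.items() if is_allowed(policy, "ssm:GetOpsItem", t))


if __name__ == "__main__":
    for name, pol in [("read-only", READ_ONLY_POLICY), ("full", FULL_ACCESS_POLICY),
                      ("tag-scoped", TAG_SCOPED_POLICY)]:
        print(f"{name}: sees {visible_opsitems(pol, OPSITEMS)}, "
              f"can update Finance/Unity item: "
              f"{is_allowed(pol, 'ssm:UpdateOpsItem', OPSITEMS['oi-finance-unity'])}")
```

The evaluator deliberately raises on any operator or context key it does not model rather than silently treating it as satisfied; a policy evaluator that guesses "allow" on unknown input is how a least-privilege review produces a false sense of safety.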

For information about adding tags to an OpsItem, see Create OpsItems manually.
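Before rolling a tag-scoped policy out, confirm what IAM itself decides for the principal rather than relying on reading the JSON. The following Python is an added example and is not code from the Systems Manager documentation: it calls the IAM policy simulator (the iam:SimulatePrincipalPolicy API, through boto3) and passes the OpsItem's tags as context entries, because the simulator cannot look up an OpsItem's tags on its own. The role ARN and account ID are placeholders, and the sample response used for the offline run is constructed data shaped like the API's EvaluationResults.

```python
"""Check a principal's effective OpsCenter permissions with the IAM policy simulator.

Added example; not code from the Systems Manager documentation. It uses the
real iam:SimulatePrincipalPolicy API via boto3. The simulator cannot read an
OpsItem's tags, so the ssm:resourceTag/<Key> values are supplied as
ContextEntries. The ARN below is a placeholder and SAMPLE_RESPONSE is
constructed data in the API's documented shape.
"""

OPSCENTER_ACTIONS = [
    "ssm:GetOpsItem", "ssm:UpdateOpsItem", "ssm:DescribeOpsItems", "ssm:CreateOpsItem",
    "ssm:GetOpsSummary", "ssm:GetServiceSetting", "ssm:CreateResourceDataSync",
    "ssm:DeleteResourceDataSync", "ssm:ListResourceDataSync", "ssm:UpdateResourceDataSync",
]


def build_context(tags):
    """Map resource tags to ContextEntries for the ssm:resourceTag/<Key> condition keys."""
    return [{"ContextKeyName": f"ssm:resourceTag/{k}",
             "ContextKeyValues": [v],
             "ContextKeyType": "string"} for k, v in sorted(tags.items())]


def summarize(results):
    """Collapse EvaluationResults to {action: 'allowed' | 'implicitDeny' | 'explicitDeny'}."""
    return {r["EvalActionName"]: r["EvalDecision"] for r in results}


def unexpected_allows(summary, expected_allowed):
    """Actions the simulator allowed that the intended policy should not grant."""
    return sorted(a for a, d in summary.items() if d == "allowed" and a not in expected_allowed)


def simulate(principal_arn, tags, actions=OPSCENTER_ACTIONS, client=None):
    """Run SimulatePrincipalPolicy for `principal_arn`, following Marker pagination."""
    if client is None:
        import boto3  # imported lazily so the helpers above work without AWS access
        client = boto3.client("iam")
    kwargs = {"PolicySourceArn": principal_arn,
              "ActionNames": list(actions),
              "ContextEntries": build_context(tags)}
    results = []
    while True:
        resp = client.simulate_principal_policy(**kwargs)
        results.extend(resp["EvaluationResults"])
        if not resp.get("IsTruncated"):
            return summarize(results)
        kwargs["Marker"] = resp["Marker"]


# Constructed response: what the simulator reports for the page's Finance/Unity
# policy when the context carries Department=Finance and Project=Unity.
SAMPLE_RESPONSE = {
    "EvaluationResults": [
        {"EvalActionName": "ssm:GetOpsItem", "EvalDecision": "allowed"},
        {"EvalActionName": "ssm:UpdateOpsItem", "EvalDecision": "allowed"},
        {"EvalActionName": "ssm:CreateOpsItem", "EvalDecision": "implicitDeny"},
        {"EvalActionName": "ssm:DeleteResourceDataSync", "EvalDecision": "implicitDeny"},
    ],
    "IsTruncated": False,
}


class _OfflineClient:
    """Stand-in client that returns SAMPLE_RESPONSE so the flow runs without AWS."""

    def simulate_principal_policy(self, **kwargs):
        return SAMPLE_RESPONSE


if __name__ == "__main__":
    # Placeholder ARN (account 123456789012 is Amazon's documentation example);
    # use the aws-cn partition in the China Regions, and drop client= to query IAM.
    summary = simulate("arn:aws:iam::123456789012:role/OpsCenterFinance",
                       {"Department": "Finance", "Project": "Unity"},
                       client=_OfflineClient())
    print(summary)
    print("unexpected allows:",
          unexpected_allows(summary, {"ssm:GetOpsItem", "ssm:UpdateOpsItem"}))
```

Run it twice: once with the Finance/Unity tags and once with, say, only Department=Finance. The second run should show GetOpsItem and UpdateOpsItem as implicitDeny; if it does not, another attached policy is widening access beyond the tag scope, and unexpected_allows lists exactly which actions.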