Controlling access to auto-approval runbook workflows
Change Manager availability change
Amazon Systems Manager Change Manager will no longer be open to new customers starting November 7, 2025. If you would like to use Change Manager, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see Amazon Systems Manager Change Manager availability change.
In each change template created for your organization or account, you can specify whether change requests created from that template can run as auto-approved change requests, meaning that they run automatically without a review step (with the exception of change freeze events).
However, you might want to prevent certain users, groups, or Amazon Identity and Access Management (IAM) roles from running auto-approved change requests even if a change template allows it. You can do this by using the ssm:AutoApprove condition key for the StartChangeRequestExecution operation in an IAM policy assigned to the user, group, or IAM role.
You can add the following policy as an inline policy, where the condition is specified as false, to prevent users from running auto-approvable change requests.
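A policy of the kind described above, written here as an added example and not taken from the original page: it allows StartChangeRequestExecution only when ssm:AutoApprove is false. The BoolIfExists operator, the Resource value of "*", and the Sid are assumptions made for this example.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExampleAllowOnlyNonAutoApprovedRequests",
            "Effect": "Allow",
            "Action": "ssm:StartChangeRequestExecution",
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "ssm:AutoApprove": "false"
                }
            }
        }
    ]
}
```

Because IAM permits an action when any attached policy allows it, this statement restricts the identity only if no other policy grants ssm:StartChangeRequestExecution without the same condition.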
For information about specifying inline policies, see Inline policies and Adding and removing IAM identity permissions in the IAM User Guide.
For more information about condition keys for Systems Manager policies, see Condition keys for Systems Manager.