Controlling access to Fleet Manager
To use Fleet Manager, a tool in Amazon Systems Manager, your Amazon Identity and Access Management (IAM) user or role must have the required permissions. You can create an IAM policy that provides access to all Fleet Manager features, or modify your policy to grant access to the features you choose. You then grant these permissions to users, or identities, in your account.
- Task 1: Create IAM policies to define access permissions
  Follow one of the methods provided in the following topic in the IAM User Guide to create an IAM policy that provides identities (users, roles, or user groups) with access to Fleet Manager:
  You can use one of the sample policies we provide below, or modify them according to the permissions you want to grant. We provide sample policies for full Fleet Manager access and read-only access.
- Task 2: Attach the IAM policies to users to grant permissions
  After you have created the IAM policy or policies that define access permissions to Fleet Manager, use one of the following procedures in the IAM User Guide to grant these permissions to identities in your account:
Sample policy for Fleet Manager administrator access
The following policy provides permissions to all Fleet Manager features. This means a user can create and delete local users and groups, modify group membership for any local group, and modify Windows Server registry keys or values. Replace each example resource placeholder (region, account-id, key-ID) with your own information.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeInstances",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "General",
      "Effect": "Allow",
      "Action": [
        "ssm:AddTagsToResource",
        "ssm:DescribeInstanceAssociationsStatus",
        "ssm:DescribeInstancePatches",
        "ssm:DescribeInstancePatchStates",
        "ssm:DescribeInstanceProperties",
        "ssm:GetCommandInvocation",
        "ssm:GetServiceSetting",
        "ssm:GetInventorySchema",
        "ssm:ListComplianceItems",
        "ssm:ListInventoryEntries",
        "ssm:ListTagsForResource",
        "ssm:ListCommandInvocations",
        "ssm:ListAssociations",
        "ssm:RemoveTagsFromResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DefaultHostManagement",
      "Effect": "Allow",
      "Action": [
        "ssm:ResetServiceSetting",
        "ssm:UpdateServiceSetting"
      ],
      "Resource": "arn:aws-cn:ssm:region:account-id:servicesetting/ssm/managed-instance/default-ec2-instance-management-role"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws-cn:iam::account-id:role/service-role/AWSSystemsManagerDefaultEC2InstanceManagementRole",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "ssm.amazonaws.com.cn"
          ]
        }
      }
    },
    {
      "Sid": "SendCommand",
      "Effect": "Allow",
      "Action": [
        "ssm:GetDocument",
        "ssm:SendCommand",
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws-cn:ec2:*:account-id:instance/*",
        "arn:aws-cn:ssm:*:account-id:managed-instance/*",
        "arn:aws-cn:ssm:*:account-id:document/SSM-SessionManagerRunShell",
        "arn:aws-cn:ssm:*:*:document/AWS-PasswordReset",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-AddUsersToGroups",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CopyFileSystemItem",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CreateDirectory",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CreateGroup",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CreateUser",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CreateUserInteractive",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CreateWindowsRegistryKey",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-DeleteFileSystemItem",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-DeleteGroup",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-DeleteUser",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-DeleteWindowsRegistryKey",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-DeleteWindowsRegistryValue",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetDiskInformation",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetFileContent",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetFileSystemContent",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetGroups",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetPerformanceCounters",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetProcessDetails",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetUsers",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetWindowsEvents",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetWindowsRegistryContent",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-MountVolume",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-MoveFileSystemItem",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-RemoveUsersFromGroups",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-RenameFileSystemItem",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-SetWindowsRegistryValue",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-StartProcess",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-TerminateProcess"
      ]
    },
    {
      "Sid": "TerminateSession",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/aws:ssmmessages:session-id": [
            "${aws:userid}"
          ]
        }
      }
    },
    {
      "Sid": "KMS",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "arn:aws-cn:kms:region:account-id:key/key-ID"
      ]
    }
  ]
}
Sample policy for Fleet Manager read-only access
The following policy provides permissions to read-only Fleet Manager features. Replace each example resource placeholder (region, account-id, key-ID) with your own information.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "General",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeInstanceAssociationsStatus",
        "ssm:DescribeInstancePatches",
        "ssm:DescribeInstancePatchStates",
        "ssm:DescribeInstanceProperties",
        "ssm:GetCommandInvocation",
        "ssm:GetServiceSetting",
        "ssm:GetInventorySchema",
        "ssm:ListComplianceItems",
        "ssm:ListInventoryEntries",
        "ssm:ListTagsForResource",
        "ssm:ListCommandInvocations",
        "ssm:ListAssociations"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SendCommand",
      "Effect": "Allow",
      "Action": [
        "ssm:GetDocument",
        "ssm:SendCommand",
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws-cn:ec2:*:account-id:instance/*",
        "arn:aws-cn:ssm:*:account-id:managed-instance/*",
        "arn:aws-cn:ssm:*:account-id:document/SSM-SessionManagerRunShell",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetDiskInformation",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetFileContent",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetFileSystemContent",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetGroups",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetPerformanceCounters",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetProcessDetails",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetUsers",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetWindowsEvents",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetWindowsRegistryContent"
      ]
    },
    {
      "Sid": "TerminateSession",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/aws:ssmmessages:session-id": [
            "${aws:userid}"
          ]
        }
      }
    },
    {
      "Sid": "KMS",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "arn:aws-cn:kms:region:account-id:key/key-ID"
      ]
    }
  ]
}
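The difference between the two sample policies is which Fleet Manager documents ssm:SendCommand may target and whether ssm:TerminateSession is scoped to the caller's own sessions. The following added check (example code, not part of the AWS documentation) lints a policy document for exactly those two points before it is attached; the embedded policy and the account ID 111122223333 are constructed samples, and the list of mutating document prefixes is derived from the administrator policy above.

```python
import json
import re

# Constructed sample: a trimmed read-only Fleet Manager policy in the shape shown on this page.
READ_ONLY_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Sid": "SendCommand", "Effect": "Allow",
    "Action": ["ssm:GetDocument", "ssm:SendCommand", "ssm:StartSession"],
    "Resource": [
      "arn:aws-cn:ec2:*:111122223333:instance/*",
      "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetUsers",
      "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetWindowsRegistryContent" ] },
  { "Sid": "TerminateSession", "Effect": "Allow",
    "Action": ["ssm:TerminateSession"], "Resource": "*",
    "Condition": { "StringLike": {
      "ssm:resourceTag/aws:ssmmessages:session-id": ["${aws:userid}"] } } } ] }
""")

# Document prefixes that change state on the node: granted by the administrator policy, absent from read-only.
MUTATING_DOCS = ("AWSFleetManager-Create", "AWSFleetManager-Delete", "AWSFleetManager-Set",
                 "AWSFleetManager-Start", "AWSFleetManager-Terminate", "AWSFleetManager-Mount",
                 "AWSFleetManager-Move", "AWSFleetManager-Rename", "AWSFleetManager-Copy",
                 "AWSFleetManager-AddUsers", "AWSFleetManager-RemoveUsers", "AWS-PasswordReset")

def as_list(value):  # IAM accepts a bare string wherever a list is allowed
    return value if isinstance(value, list) else [value]

def lint_read_only(policy):
    """Return findings showing where the policy grants more than Fleet Manager read-only access."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", "<no Sid>")
        actions = as_list(stmt.get("Action", []))
        if "ssm:SendCommand" in actions:
            for arn in as_list(stmt.get("Resource", [])):
                match = re.search(r":document/(.+)$", arn)
                if match is None:
                    continue  # instance or managed-instance ARN, not a document
                doc = match.group(1)
                if doc == "*" or doc.startswith(MUTATING_DOCS):
                    findings.append(f"{sid}: ssm:SendCommand allowed on mutating document {doc}")
        if "ssm:TerminateSession" in actions:
            tag_cond = stmt.get("Condition", {}).get("StringLike", {})
            owner = as_list(tag_cond.get("ssm:resourceTag/aws:ssmmessages:session-id"))
            if owner != ["${aws:userid}"]:
                findings.append(f"{sid}: ssm:TerminateSession is not limited to the caller's own sessions")
    return findings
```

An empty result means the SendCommand and TerminateSession statements match the read-only shape; run it against a policy loaded from a file before attaching it to a group.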