Task 1: Create a custom policy for your maintenance window service role using the console Task 2: Create a custom service role for maintenance windows using the console Task 3: Grant permissions to specified users to register maintenance window tasks using the console Task 4: Prevent specified users from registering maintenance window tasks using the console

Control access to maintenance windows using the console

The following procedures describe how to use the Amazon Systems Manager console to create the required permissions and roles for maintenance windows.

Topics

Task 1: Create a custom policy for your maintenance window service role using the console
Task 2: Create a custom service role for maintenance windows using the console
Task 3: Grant permissions to specified users to register maintenance window tasks using the console
Task 4: Prevent specified users from registering maintenance window tasks using the console

Task 1: Create a custom policy for your maintenance window service role using the console

Maintenance window tasks require an IAM role to provide the permissions required to run on the target resources. The permissions are provided through an IAM policy attached to the role. The types of tasks you run and your other operational requirements determine the contents of this policy. We provide a base policy you can adapt to your needs. Depending on the tasks and types of tasks your maintenance windows run, you might not need all the permissions in this policy, and you might need to include additional permissions. You attach this policy to the role that you create later in Task 2: Create a custom service role for maintenance windows using the console.

To create a custom policy using the console

Open the IAM console at https://console.amazonaws.cn/iam/.
In the navigation pane, choose Policies, and then choose Create policy.
In the Policy editor area, choose JSON.

Replace the default contents with the following:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand",
                "ssm:CancelCommand",
                "ssm:ListCommands",
                "ssm:ListCommandInvocations",
                "ssm:GetCommandInvocation",
                "ssm:GetAutomationExecution",
                "ssm:StartAutomationExecution",
                "ssm:ListTagsForResource",
                "ssm:GetParameters"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "states:DescribeExecution",
                "states:StartExecution"
            ],
            "Resource": [
                "arn:aws-cn:states:*:*:execution:*:*",
                "arn:aws-cn:states:*:*:stateMachine:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws-cn:lambda:*:*:function:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroups",
                "resource-groups:ListGroupResources"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "tag:GetResources"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "ssm.amazonaws.com.cn"
                    ]
                }
            }
        }
    ]
}

Modify the JSON content as needed for the maintenance tasks that you run in your account. The changes you make are specific to your planned operations.

For example:
- You can provide Amazon Resource Names (ARNs) for specific functions and state machines instead of using wildcard (*) qualifiers.
- If you don’t plan to run Amazon Step Functions tasks, you can remove the states permissions and (ARNs).
- If you don’t plan to run Amazon Lambda tasks, you can remove the lambda permissions and ARNs.
- If you don't plan to run Automation tasks, you can remove the ssm:GetAutomationExecution and ssm:StartAutomationExecution permissions.
- Add additional permissions that might be needed for the tasks to run. For example, some Automation actions work with Amazon CloudFormation stacks. Therefore, the permissions cloudformation:CreateStack, cloudformation:DescribeStacks, and cloudformation:DeleteStack are required.
  
  For another example, the Automation runbook AWS-CopySnapshot requires permissions to create an Amazon Elastic Block Store (Amazon EBS) snapshot. Therefore, the service role needs the permission ec2:CreateSnapshot.
  
  For information about the role permissions needed by Automation runbooks, see the runbook descriptions in the Amazon Systems Manager Automation runbook reference.
After completing the policy revisions, choose Next.
For Policy name, enter a name that identifies this as the policy attached to the service role you create. For example: my-maintenance-window-role-policy.
(Optional) In the Add tags area, add one or more tag-key value pairs to organize, track, or control access for this policy.
Choose Create policy.

Make a note of the name you specified for the policy. You refer to it in the next procedure, Task 2: Create a custom service role for maintenance windows using the console.

Task 2: Create a custom service role for maintenance windows using the console

The policy you created in the previous task is attached to the maintenance window service role you create in this task. When users register a maintenance window task, they specify this IAM role as part of the task configuration. The permissions in this role allow Systems Manager to run tasks in maintenance windows on your behalf.

Important

Previously, the Systems Manager console provided you with the ability to choose the Amazon managed IAM service-linked role AWSServiceRoleForAmazonSSM to use as the maintenance role for your tasks. Using this role and its associated policy, AmazonSSMServiceRolePolicy, for maintenance window tasks is no longer recommended. If you're using this role for maintenance window tasks now, we encourage you to stop using it. Instead, create your own IAM role that enables communication between Systems Manager and other Amazon Web Services services when your maintenance window tasks run.

Use the following procedure to create a custom service role for Maintenance Windows, so that Systems Manager can run Maintenance Windows tasks on your behalf. You attach the policy you created in the previous task to the custom service role you create.

To create a custom service role for maintenance windows using the console

Open the IAM console at https://console.amazonaws.cn/iam/.
In the navigation pane, choose Roles, and then choose Create role.
For Select trusted entity, make the following choices:
1. For Trusted entity type, choose Amazon service.
2. For Use case, choose Systems Manager
3. Choose Systems Manager.
Choose Next.
In the Permissions policies area, in the search box, enter the name of the policy you created in Task 1: Create a custom policy for your maintenance window service role using the console, select the box next to its name, and then choose Next.
For Role name, enter a name that identifies this role as a Maintenance Windows role. For example: my-maintenance-window-role.
(Optional) Change the default role description to reflect the purpose of this role. For example: Performs maintenance window tasks on your behalf.

For Step 1: Select trusted entities, verify that the following policy is displayed in the Trusted policy box.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ssm.amazonaws.com.cn"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

For Step 2: Add permissions, verify that policy you created in Task 1: Create a custom policy for your maintenance window service role using the console is present.
(Optional) In Step 3: Add tags, add one or more tag-key value pairs to organize, track, or control access for this role.
Choose Create role. The system returns you to the Roles page.
Choose the name of the IAM role you just created.
Copy or make a note of the role name and the ARN value in the Summary area. Users in your account specify this information when they create maintenance windows.

Task 3: Grant permissions to specified users to register maintenance window tasks using the console

Providing users with permissions to access the custom service role for maintenance windows lets them use it with their maintenance windows tasks. This is in addition to permissions that you’ve already given them to work with the Systems Manager API commands for the Maintenance Windows capability. This IAM role conveys the permissions need to run a maintenance window task. As a result, a user can't register tasks with a maintenance window using your custom service role without the ability to pass these IAM permissions.

When you register a task with a maintenance window, you specify a service role to run the actual task operations. This is the role that the service assumes when it runs tasks on your behalf. Before that, to register the task itself, assign the IAM PassRole policy to an IAM entity (such as a user or group). This allows the IAM entity to specify, as part of registering those tasks with the maintenance window, the role that should be used when running tasks. For information, see Grant a user permissions to pass a role to an Amazon Web Services service in the IAM User Guide.

To configure permissions to allow users to register maintenance window tasks

If an IAM entity (user, role, or group) is set up with administrator permissions, then the IAM user or role has access to Maintenance Windows. For IAM entities without administrator permissions, an administrator must grant the following permissions to the IAM entity. These are the minimum permissions required to register tasks with a maintenance window:

The AmazonSSMFullAccess managed policy, or a policy that provides comparable permissions.
The following iam:PassRole and iam:ListRolespermissions.
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws-cn:iam::account-id:role/my-maintenance-window-role"
        },
        {
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "arn:aws-cn:iam::account-id:role/"
        },
        {
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "arn:aws-cn:iam::account-id:role/aws-service-role/ssm.amazonaws.com.cn/"
        }
    ]
}
```
my-maintenance-window-role represents the name of the custom maintenance window service role you created earlier.

account-id represents the ID of your Amazon Web Services account. Adding this permission for the resource arn:aws-cn:iam::account-id:role/ allows a user to view and choose from customer roles in the console when they create a maintenance window task. Adding this permission for arn:aws-cn:iam::account-id:role/aws-service-role/ssm.amazonaws.com.cn/ allows a user to choose the Systems Manager service-linked role in the console when they create a maintenance window task.

To provide access, add permissions to your users, groups, or roles:
- Users managed in IAM through an identity provider:
  
  Create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.
- IAM users:
  - Create a role that your user can assume. Follow the instructions in Creating a role for an IAM user in the IAM User Guide.
  - (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.

To configure permissions for groups that are allowed to register maintenance window tasks using the console

Open the IAM console at https://console.amazonaws.cn/iam/.
In the navigation pane, choose User groups.
In the list of groups, select the name of the group you want to assign the iam:PassRole permission to, or first create a new group if necessary
On the Permissions tab, choose Add permissions, Create inline policy.
In the Policy editor area, choose JSON, and replace the default contents of the box with the following.
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws-cn:iam::account-id:role/my-maintenance-window-role"
        },
        {
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "arn:aws-cn:iam::account-id:role/"
        },
        {
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "arn:aws-cn:iam::account-id:role/aws-service-role/ssm.amazonaws.com.cn/"
        }
    ]
}
```
my-maintenance-window-role represents the name of the custom maintenance window role you created earlier.

account-id represents the ID of your Amazon Web Services account. Adding this permission for the resource arn:aws-cn:iam::account-id:role/ allows a user to view and choose from customer roles in the console when they create a maintenance window task. Adding this permission for arn:aws-cn:iam::account-id:role/aws-service-role/ssm.amazonaws.com.cn/ allows a user to choose the Systems Manager service-linked role in the console when they create a maintenance window task.
Choose Next.
On the Review and create page, enter a name in the Policy name box to identify this PassRole policy, such as my-group-iam-passrole-policy, and then choose Create policy.

Task 4: Prevent specified users from registering maintenance window tasks using the console

You can deny the ssm:RegisterTaskWithMaintenanceWindow permission for the users in your Amazon Web Services account who you don't want to register tasks with maintenance windows. This provides an extra layer of prevention for users who shouldn’t register maintenance window tasks.

To configure permissions for groups that aren't allowed to register maintenance window tasks using the console

Open the IAM console at https://console.amazonaws.cn/iam/.
In the navigation pane, choose User groups.
In the list of groups, select the name of the group you want to deny the ssm:RegisterTaskWithMaintenanceWindow permission from, or first create a new group if necessary.
On the Permissions tab, choose Add permissions, Create inline policy.

In the Policy editor area, choose JSON, and then replace the default contents of the box with the following.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ssm:RegisterTaskWithMaintenanceWindow",
            "Resource": "*"
        }
    ]
}

Choose Next.
On the Review and create page, for Policy name, enter a name to identify this policy, such as my-groups-deny-mw-tasks-policy, and then choose Create policy.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Setting up

Control access using the Amazon CLI