Amazon Systems Manager Change Manager is no longer open to new customers. Existing customers can continue to use the service as normal. For more information, see Amazon Systems Manager Change Manager availability change.
Data perimeters in Amazon Systems Manager
A data perimeter is a set of preventive guardrails in your Amazon environment that help ensure your data can only be accessed by trusted identities from expected networks and resources. When you implement data perimeter controls, you might need to include exceptions for Amazon service-owned resources that Systems Manager accesses on your behalf.
Example scenario: SSM document categories S3 bucket
Systems Manager accesses an Amazon managed S3 bucket to retrieve document category information for Amazon Systems Manager Documents. This bucket contains metadata about document categories that help organize and classify SSM Documents in the console.
- Resource ARN pattern: arn:aws-cn:s3:::ssm-document-categories-region, where region is the Region code. Regional examples:
  - arn:aws:s3:::ssm-document-categories-us-east-1
  - arn:aws:s3:::ssm-document-categories-us-west-2
  - arn:aws:s3:::ssm-document-categories-eu-west-1
  - arn:aws:s3:::ssm-document-categories-ap-northeast-1
- When accessed: This resource is accessed when you view SSM Documents in the Systems Manager console or when you use APIs that retrieve document metadata and categories.
- Data stored: The bucket contains JSON files with document category definitions and metadata. This data is read-only and does not contain customer-specific information.
- Identity used: Systems Manager accesses this resource using Amazon service credentials on behalf of your requests.
- Required permissions: s3:GetObject on the bucket contents.
Data perimeter policy considerations
When implementing data perimeter controls using Service Control Policies (SCPs) or VPC endpoint policies with conditions like aws:ResourceOrgID, you need to create exceptions for the Amazon service-owned resources that Systems Manager requires.
For example, if you're using an SCP with aws:ResourceOrgID to restrict access to resources outside your organization, you would need to add an exception for the SSM Document categories bucket. The policy would still restrict access to resources outside your organization, but it would include an exception for the appropriate S3 buckets, allowing Systems Manager to continue functioning properly.
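The following SCP is an added example, not a policy taken from this page or from the Systems Manager service team. It denies s3:GetObject on any bucket whose owning organization differs from the caller's organization (aws:ResourceOrgID compared with the aws:PrincipalOrgID policy variable, so no organization ID is hard-coded), and it carves out the SSM document categories buckets with NotResource so that Systems Manager can still read them. The StringNotEqualsIfExists operator is used because aws:ResourceOrgID is absent from the request context when the bucket is owned by an Amazon service rather than by an organization, which is exactly the case the exception has to cover. The wildcard bucket name and the aws partition are assumptions; substitute the aws-cn partition if that is the partition your accounts run in.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3GetObjectOutsideOrgExceptSsmDocumentCategories",
      "Effect": "Deny",
      "Action": "s3:GetObject",
      "NotResource": [
        "arn:aws:s3:::ssm-document-categories-*",
        "arn:aws:s3:::ssm-document-categories-*/*"
      ],
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:ResourceOrgID": "${aws:PrincipalOrgID}"
        }
      }
    }
  ]
}
```

Because this is a Deny statement, it only narrows what identities in the organization can already do through their IAM policies; it grants nothing. Before attaching it at an OU or root level, confirm with CloudTrail that the only cross-organization S3 reads your workloads depend on are the ones listed in NotResource, and extend the list rather than loosening the condition.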
Similarly, if you're using VPC endpoint policies to restrict S3 access, you would need to ensure that the SSM document categories buckets are accessible through your VPC endpoints.
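An S3 VPC endpoint policy works the other way round: it is an allow list evaluated at the endpoint, so the SSM document categories buckets must be explicitly permitted or the console and API calls that read document metadata fail with access denied. The policy below is an added example, not from this page or from Amazon; the organization ID o-EXAMPLEORGID is a placeholder to replace with your own, and the wildcard bucket name and aws partition are assumptions as in the SCP case.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3AccessToBucketsInMyOrg",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceOrgID": "o-EXAMPLEORGID"
        }
      }
    },
    {
      "Sid": "AllowReadOfSsmDocumentCategoriesBuckets",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::ssm-document-categories-*/*"
    }
  ]
}
```

The second statement is limited to s3:GetObject because that is the only permission the page lists as required; keeping the exception that narrow means the endpoint cannot be used to write to, or list, a bucket outside your organization.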
More information
For more information about data perimeters in Amazon, see the following topics:
- Establish permissions guardrails using data perimeters in the IAM User Guide
- Service-specific guidance: Amazon Systems Manager and Service-owned resources in the Amazon Samples repository on GitHub