Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Data perimeters in Amazon Systems Manager

A data perimeter is a set of preventive guardrails in your Amazon environment that help ensure your data can only be accessed by trusted identities from expected networks and resources. When you implement data perimeter controls, you might need to include exceptions for Amazon service-owned resources that Systems Manager accesses on your behalf.

For more information about data perimeters, see Data perimeters on Amazon.

Amazon service-owned resources accessed by Systems Manager

Systems Manager accesses the Amazon service-owned resources listed below to provide functionality.

SSM document categories S3 bucket

Systems Manager accesses an Amazon managed S3 bucket to retrieve document category information for Amazon Systems Manager Documents. This bucket contains metadata about document categories that help organize and classify SSM Documents in the console.

Resource ARN pattern

arn:aws-cn:s3:::ssm-document-categories-region (where region is the Region code, as in the examples below)

Regional examples:

  • arn:aws:s3:::ssm-document-categories-us-east-1

  • arn:aws:s3:::ssm-document-categories-us-west-2

  • arn:aws:s3:::ssm-document-categories-eu-west-1

  • arn:aws:s3:::ssm-document-categories-ap-northeast-1

When accessed

This resource is accessed when you view SSM Documents in the Systems Manager console or when using APIs that retrieve document metadata and categories.

Data stored

The bucket contains JSON files with document category definitions and metadata. This data is read-only and does not contain customer-specific information.

Identity used

Systems Manager accesses this resource using Amazon service credentials on behalf of your requests.

Required permissions

s3:GetObject on the bucket contents.

Data perimeter policy considerations

When implementing data perimeter controls using Service Control Policies (SCPs) or VPC endpoint policies with condition keys such as aws:ResourceOrgID, you need to create exceptions for the Amazon service-owned resources that Systems Manager requires.

For example, if you're using an SCP with aws:ResourceOrgID to restrict access to resources outside your organization, you would need to add an exception for the SSM document categories bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictToOrgResources",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceOrgID": "o-example1234567"
        },
        "ForAllValues:StringNotLike": {
          "aws:ResourceArn": [
            "arn:aws:s3:::ssm-document-categories*"
          ]
        }
      }
    }
  ]
}

This policy denies access to resources outside your organization. A service-owned bucket carries no aws:ResourceOrgID value, so without an exception the StringNotEquals condition would match it and the deny would apply; the second condition excludes any S3 bucket that matches the ssm-document-categories* pattern, allowing Systems Manager to continue functioning properly.

Similarly, if you're using VPC endpoint policies to restrict S3 access, you would need to ensure that the SSM document categories buckets are accessible through your VPC endpoints.
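To see how the SCP above and a matching VPC endpoint policy treat concrete requests, here is an added example; it is not AWS code or part of the Systems Manager documentation. It implements only the slice of IAM policy evaluation these policies exercise (Allow and Deny statements, the String* operators, the ForAllValues:/ForAnyValue: set prefixes, and the rule that a condition key missing from the request makes StringNotEquals and StringNotLike evaluate to true). The org ID is the page's placeholder value; the bucket names, the request contexts, and the S3 VPC endpoint policy are constructed. The last sample uses an arn:aws-cn ARN, as in the resource pattern earlier on this page, to show that the exception pattern must match the partition of the bucket you actually reach.

```python
"""Walk the page's data-perimeter SCP and a constructed S3 VPC endpoint policy
through sample S3 requests. Added example, not AWS code; covers only the
operators these two policies use."""
import fnmatch
import json

ORG_ID = "o-example1234567"   # the page's placeholder organization ID

# The SCP as shown on the page.
PAGE_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "RestrictToOrgResources",
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {"aws:ResourceOrgID": "o-example1234567"},
      "ForAllValues:StringNotLike": {"aws:ResourceArn": ["arn:aws:s3:::ssm-document-categories*"]}
    }
  }]
}""")

# Constructed S3 VPC endpoint policy for the same perimeter: org-owned buckets plus
# read access to the SSM document categories buckets (endpoint policies need a Principal).
VPC_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowOrgResources", "Effect": "Allow", "Principal": "*",
         "Action": "s3:*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceOrgID": ORG_ID}}},
        {"Sid": "AllowSsmDocumentCategories", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::ssm-document-categories-*/*"},
    ],
}

NEGATED = {"StringNotEquals", "StringNotLike"}


def _listed(value):
    return value if isinstance(value, list) else [value]


def _raw_match(op, expected, actual):
    """Positive form of a String* operator; IAM wildcards are * and ?."""
    if op in ("StringEquals", "StringNotEquals"):
        return actual == expected
    if op in ("StringLike", "StringNotLike"):
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"unsupported operator: {op}")


def clause_true(full_op, expected, actual):
    """One Condition clause: operator (optional set prefix), expected values, request values."""
    set_prefix, _, op = full_op.rpartition(":")

    def one(value):
        hit = any(_raw_match(op, e, value) for e in expected)
        return (not hit) if op in NEGATED else hit

    if set_prefix == "ForAllValues":
        return all(one(v) for v in actual)   # vacuously true when the key is absent
    if set_prefix == "ForAnyValue":
        return any(one(v) for v in actual)   # false when the key is absent
    if not actual:
        return op in NEGATED                  # absent single-valued key: only negated ops hold
    return one(actual[0])


def statement_matches(stmt, ctx):
    """Action, Resource and every Condition clause must match the request context."""
    if not any(fnmatch.fnmatchcase(ctx["action"], p) for p in _listed(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(ctx["resource"], p) for p in _listed(stmt["Resource"])):
        return False
    for full_op, clauses in stmt.get("Condition", {}).items():
        for key, expected in clauses.items():
            if not clause_true(full_op, _listed(expected), _listed(ctx.get(key, []))):
                return False
    return True


def evaluate(policy, ctx):
    """'Deny' if a Deny statement matches, else 'Allow' if an Allow matches, else 'ImplicitDeny'.
    A Deny-only SCP yields 'ImplicitDeny' for requests it does not block; the organization's
    Allow (for example FullAWSAccess) lives in a separate SCP."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if statement_matches(stmt, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def get_object_request(bucket_arn, org_id=None, key="categories.json"):
    """Constructed request context for s3:GetObject on one object."""
    arn = f"{bucket_arn}/{key}"
    ctx = {"action": "s3:GetObject", "resource": arn, "aws:ResourceArn": arn}
    if org_id is not None:   # service-owned buckets carry no aws:ResourceOrgID
        ctx["aws:ResourceOrgID"] = org_id
    return ctx


SAMPLES = {   # constructed bucket names
    "own bucket": get_object_request("arn:aws:s3:::example-org-bucket", ORG_ID),
    "ssm categories": get_object_request("arn:aws:s3:::ssm-document-categories-us-east-1"),
    "third party": get_object_request("arn:aws:s3:::some-other-public-bucket"),
    "ssm categories cn": get_object_request("arn:aws-cn:s3:::ssm-document-categories-cn-north-1"),
}


def scp_decisions(policy=PAGE_SCP):
    return {name: evaluate(policy, ctx) for name, ctx in SAMPLES.items()}


def endpoint_decisions(policy=VPC_ENDPOINT_POLICY):
    return {name: evaluate(policy, ctx) for name, ctx in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in scp_decisions().items():
        print(f"SCP       {name:18} -> {decision}")
    for name, decision in endpoint_decisions().items():
        print(f"endpoint  {name:18} -> {decision}")
```

Running it shows the page's reasoning in action: the in-organization bucket and the ssm-document-categories-us-east-1 bucket are not denied by the SCP, the unrelated third-party bucket is, and so is the aws-cn bucket, because the page's exception pattern begins with arn:aws: rather than arn:aws-cn:. The endpoint policy allows the first two and implicitly denies the rest.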