Step 3: Control user access to packages

Using Amazon Identity and Access Management (IAM) policies, you can control who can create, deploy, and manage packages. You also control which Run Command and State Manager API operations they can perform on managed nodes. Like Distributor, both Run Command and State Manager, are capabilities of Amazon Systems Manager.

ARN Format

User-defined packages are associated with document Amazon Resource Names (ARNs) and have the following format.


arn:aws-cn:ssm:region:account-id:document/document-name

The following is an example.


arn:aws:ssm:us-west-1:123456789012:document/ExampleDocumentName

You can use a pair of Amazon supplied default IAM policies, one for end users and one for administrators, to grant permissions for Distributor activities. Or you can create custom IAM policies appropriate for your permissions requirements.

For more information about using variables in IAM policies, see IAM Policy Elements: Variables.

For information about how to create policies and attach them to users or groups, see Creating IAM Policies and Adding and Removing IAM Policies in the IAM User Guide.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Step 2: Verify or create an IAM instance profile with Distributor permissions

Step 4: Create or choose an Amazon S3 bucket