Step 1: Create an IAM policy with Fleet Manager permissions - Amazon Systems Manager

Step 1: Create an IAM policy with Fleet Manager permissions

To use Fleet Manager, a capability of Amazon Systems Manager, your Amazon Identity and Access Management (IAM) user or role must have the required permissions. You can create an IAM policy that provides access to all Fleet Manager features, or modify your policy to grant access to the features you choose.

The sample policies below provide the required permissions for all Fleet Manager features and the permissions needed for subsets of features.

For more information about creating and editing IAM policies, see Creating IAM Policies in the IAM User Guide.

Sample policy for Fleet Manager administrator access

The following policy provides permissions to all Fleet Manager features. This means a user can create and delete local users and groups, modify group membership for any local group, and modify Windows Server registry keys or values. Replace each example resource placeholder (region, account-id, key-name) with your own values.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeInstances",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "General",
      "Effect": "Allow",
      "Action": [
        "ssm:AddTagsToResource",
        "ssm:DescribeInstanceAssociationsStatus",
        "ssm:DescribeInstancePatches",
        "ssm:DescribeInstancePatchStates",
        "ssm:DescribeInstanceProperties",
        "ssm:GetCommandInvocation",
        "ssm:GetServiceSetting",
        "ssm:GetInventorySchema",
        "ssm:ListComplianceItems",
        "ssm:ListInventoryEntries",
        "ssm:ListTagsForResource",
        "ssm:ListCommandInvocations",
        "ssm:ListAssociations",
        "ssm:RemoveTagsFromResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DefaultHostManagement",
      "Effect": "Allow",
      "Action": [
        "ssm:ResetServiceSetting",
        "ssm:UpdateServiceSetting"
      ],
      "Resource": "arn:aws-cn:ssm:region:account-id:servicesetting/ssm/managed-instance/default-ec2-instance-management-role"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws-cn:iam::account-id:role/service-role/AWSSystemsManagerDefaultEC2InstanceManagementRole",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "ssm.amazonaws.com.cn"
          ]
        }
      }
    },
    {
      "Sid": "SendCommand",
      "Effect": "Allow",
      "Action": [
        "ssm:GetDocument",
        "ssm:SendCommand",
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws-cn:ec2:*:account-id:instance/*",
        "arn:aws-cn:ssm:*:account-id:managed-instance/*",
        "arn:aws-cn:ssm:*:account-id:document/SSM-SessionManagerRunShell",
        "arn:aws-cn:ssm:*:*:document/AWS-PasswordReset",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-AddUsersToGroups",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CopyFileSystemItem",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CreateDirectory",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CreateGroup",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CreateUser",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CreateUserInteractive",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CreateWindowsRegistryKey",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-DeleteFileSystemItem",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-DeleteGroup",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-DeleteUser",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-DeleteWindowsRegistryKey",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-DeleteWindowsRegistryValue",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetDiskInformation",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetFileContent",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetFileSystemContent",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetGroups",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetPerformanceCounters",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetProcessDetails",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetUsers",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetWindowsEvents",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetWindowsRegistryContent",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-MountVolume",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-MoveFileSystemItem",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-RemoveUsersFromGroups",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-RenameFileSystemItem",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-SetWindowsRegistryValue",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-StartProcess",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-TerminateProcess"
      ],
      "Condition": {
        "BoolIfExists": {
          "ssm:SessionDocumentAccessCheck": "true"
        }
      }
    },
    {
      "Sid": "TerminateSession",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/aws:ssmmessages:session-id": [
            "${aws:userid}"
          ]
        }
      }
    },
    {
      "Sid": "KMS",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "arn:aws-cn:kms:region:account-id:key/key-name"
      ]
    }
  ]
}

Sample policy for Fleet Manager read-only access

The following policy provides permissions to the read-only Fleet Manager features. Replace each example resource placeholder (region, account-id, key-name) with your own values.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "General",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeInstanceAssociationsStatus",
        "ssm:DescribeInstancePatches",
        "ssm:DescribeInstancePatchStates",
        "ssm:DescribeInstanceProperties",
        "ssm:GetCommandInvocation",
        "ssm:GetServiceSetting",
        "ssm:GetInventorySchema",
        "ssm:ListComplianceItems",
        "ssm:ListInventoryEntries",
        "ssm:ListTagsForResource",
        "ssm:ListCommandInvocations",
        "ssm:ListAssociations"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SendCommand",
      "Effect": "Allow",
      "Action": [
        "ssm:GetDocument",
        "ssm:SendCommand",
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws-cn:ec2:*:account-id:instance/*",
        "arn:aws-cn:ssm:*:account-id:managed-instance/*",
        "arn:aws-cn:ssm:*:account-id:document/SSM-SessionManagerRunShell",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetDiskInformation",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetFileContent",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetFileSystemContent",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetGroups",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetPerformanceCounters",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetProcessDetails",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetUsers",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetWindowsEvents",
        "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetWindowsRegistryContent"
      ],
      "Condition": {
        "BoolIfExists": {
          "ssm:SessionDocumentAccessCheck": "true"
        }
      }
    },
    {
      "Sid": "TerminateSession",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/aws:ssmmessages:session-id": [
            "${aws:userid}"
          ]
        }
      }
    },
    {
      "Sid": "KMS",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "arn:aws-cn:kms:region:account-id:key/key-name"
      ]
    }
  ]
}
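The difference between the two policies above is the set of AWSFleetManager-* documents the SendCommand statement may run and the ssm:SessionDocumentAccessCheck condition that guards it. The following Python audit, an added example that is not part of the Systems Manager documentation, reads a policy document in that shape and reports which documents are read-only (Get*) and which modify the instance, and flags SendCommand statements that lack the condition or use a bare wildcard Resource. The embedded policy is a constructed, trimmed version of the samples with the same placeholders; no AWS access is needed.

```python
# Added example: audit the Fleet Manager documents a policy grants via ssm:SendCommand.
import re

# Document ARNs as written in the sample policies (aws or aws-cn partition).
DOC_ARN = re.compile(r"^arn:aws(?:-cn)?:ssm:[^:]*:[^:]*:document/(?P<name>.+)$")
PREFIX = "AWSFleetManager-"


def _as_list(value):
    # IAM accepts a string or a list for Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]


def audit_fleet_manager_policy(policy: dict) -> dict:
    """Split the AWSFleetManager-* documents granted by Allow ssm:SendCommand
    statements into read-only (Get*) and mutating ones, and list the Sids that
    lack ssm:SessionDocumentAccessCheck or use a bare "*" Resource."""
    read_only, mutating, unguarded = set(), set(), []
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "ssm:SendCommand" not in actions:
            continue
        resources = _as_list(stmt.get("Resource", []))
        cond = stmt.get("Condition", {}).get("BoolIfExists", {})
        if cond.get("ssm:SessionDocumentAccessCheck") != "true" or "*" in resources:
            unguarded.append(stmt.get("Sid", "<no Sid>"))
        for arn in resources:
            m = DOC_ARN.match(arn)
            if m and m["name"].startswith(PREFIX):
                name = m["name"][len(PREFIX):]
                (read_only if name.startswith("Get") else mutating).add(name)
    return {"read_only": sorted(read_only), "mutating": sorted(mutating),
            "unguarded_sids": unguarded}


# Constructed, trimmed policy in the shape of the samples above (placeholders kept).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SendCommand", "Effect": "Allow",
         "Action": ["ssm:GetDocument", "ssm:SendCommand", "ssm:StartSession"],
         "Resource": [
             "arn:aws-cn:ssm:*:account-id:document/SSM-SessionManagerRunShell",
             "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetUsers",
             "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CreateUser",
             "arn:aws-cn:ssm:*:*:document/AWSFleetManager-SetWindowsRegistryValue",
         ],
         "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}},
        {"Sid": "NoGuard", "Effect": "Allow", "Action": "ssm:SendCommand",
         "Resource": "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetGroups"},
    ],
}
```

Run it against the read-only policy above and the mutating list is empty; against the administrator policy it lists the Create*, Delete*, Set*, Mount*, Start* and Terminate* documents that justify treating that policy as privileged.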