Sample policy for Fleet Manager administrator access Sample policy for Fleet Manager read-only access

Step 1: Create an IAM policy with Fleet Manager permissions

To use Fleet Manager, a capability of Amazon Systems Manager, your Amazon Identity and Access Management (IAM) user or role must have the required permissions. You can create an IAM policy that provides access to all Fleet Manager features, or modify your policy to grant access to the features you choose.

The sample policies below provide the required permissions for all Fleet Manager features and the permissions needed for subsets of features.

For more information about creating and editing IAM policies, see Creating IAM Policies in the IAM User Guide.

Topics

Sample policy for Fleet Manager administrator access
Sample policy for Fleet Manager read-only access

Sample policy for Fleet Manager administrator access

The following policy provides permissions to all Fleet Manager features. This means a user can create and delete local users and groups, modify group membership for any local group, and modify Windows Server registry keys or values. Replace each example resource placeholder with your own information.


{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"EC2",
         "Effect":"Allow",
         "Action":[
            "ec2:CreateTags",
            "ec2:DeleteTags",
            "ec2:DescribeInstances",
            "ec2:DescribeTags"
         ],
         "Resource":"*"
      },
      {
         "Sid":"General",
         "Effect":"Allow",
         "Action":[
            "ssm:AddTagsToResource",
            "ssm:DescribeInstanceAssociationsStatus",
            "ssm:DescribeInstancePatches",
            "ssm:DescribeInstancePatchStates",
            "ssm:DescribeInstanceProperties",
            "ssm:GetCommandInvocation",
            "ssm:GetServiceSetting",                
            "ssm:GetInventorySchema",
            "ssm:ListComplianceItems",
            "ssm:ListInventoryEntries",
            "ssm:ListTagsForResource",
            "ssm:ListCommandInvocations",
            "ssm:ListAssociations",
            "ssm:RemoveTagsFromResource"
         ],
         "Resource":"*"
      },
      {
            "Sid":"DefaultHostManagement",
            "Effect": "Allow",
            "Action": [
                "ssm:ResetServiceSetting",
                "ssm:UpdateServiceSetting"
            ],
            "Resource": "arn:aws-cn:ssm:region:account-id:servicesetting/ssm/managed-instance/default-ec2-instance-management-role"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws-cn:iam::account-id:role/service-role/AWSSystemsManagerDefaultEC2InstanceManagementRole",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "ssm.amazonaws.com.cn"
                    ]
                }
            }
      },
      {
         "Sid":"SendCommand",
         "Effect":"Allow",
         "Action":[
            "ssm:GetDocument",
            "ssm:SendCommand",
            "ssm:StartSession"
         ],
         "Resource":[
            "arn:aws-cn:ec2:*:account-id:instance/*",
            "arn:aws-cn:ssm:*:account-id:managed-instance/*",
            "arn:aws-cn:ssm:*:account-id:document/SSM-SessionManagerRunShell",
            "arn:aws-cn:ssm:*:*:document/AWS-PasswordReset",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-AddUsersToGroups",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CopyFileSystemItem",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CreateDirectory",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CreateGroup",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CreateUser",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CreateUserInteractive",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-CreateWindowsRegistryKey",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-DeleteFileSystemItem",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-DeleteGroup",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-DeleteUser",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-DeleteWindowsRegistryKey",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-DeleteWindowsRegistryValue",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetDiskInformation",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetFileContent",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetFileSystemContent",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetGroups",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetPerformanceCounters",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetProcessDetails",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetUsers",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetWindowsEvents",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetWindowsRegistryContent",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-MountVolume",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-MoveFileSystemItem",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-RemoveUsersFromGroups",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-RenameFileSystemItem",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-SetWindowsRegistryValue",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-StartProcess",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-TerminateProcess"
         ],
         "Condition":{
            "BoolIfExists":{
               "ssm:SessionDocumentAccessCheck":"true"
            }
         }
      },
      {
         "Sid":"TerminateSession",
         "Effect":"Allow",
         "Action":[
            "ssm:TerminateSession"
         ],
         "Resource":"*",
         "Condition":{
            "StringLike":{
               "ssm:resourceTag/aws:ssmmessages:session-id":[
                  "${aws:userid}"
               ]
            }
         }
      },
      {
         "Sid":"KMS",
         "Effect":"Allow",
         "Action":[
            "kms:GenerateDataKey"
         ],
         "Resource":[
            "arn:aws-cn:kms:region:account-id:key/key-ID"
         ]
      }
   ]
}

Sample policy for Fleet Manager read-only access

The following policy provides permissions to read-only Fleet Manager features. Replace each example resource placeholder with your own information.


{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"EC2",
         "Effect":"Allow",
         "Action":[
            "ec2:DescribeInstances",
            "ec2:DescribeTags"
         ],
         "Resource":"*"
      },
      {
         "Sid":"General",
         "Effect":"Allow",
         "Action":[
            "ssm:DescribeInstanceAssociationsStatus",
            "ssm:DescribeInstancePatches",
            "ssm:DescribeInstancePatchStates",
            "ssm:DescribeInstanceProperties",
            "ssm:GetCommandInvocation",
            "ssm:GetServiceSetting",
            "ssm:GetInventorySchema",
            "ssm:ListComplianceItems",
            "ssm:ListInventoryEntries",
            "ssm:ListTagsForResource",
            "ssm:ListCommandInvocations",
            "ssm:ListAssociations"
         ],
         "Resource":"*"
      },
      {
         "Sid":"SendCommand",
         "Effect":"Allow",
         "Action":[
            "ssm:GetDocument",
            "ssm:SendCommand",
            "ssm:StartSession"
         ],
         "Resource":[
            "arn:aws-cn:ec2:*:account-id:instance/*",
            "arn:aws-cn:ssm:*:account-id:managed-instance/*",
            "arn:aws-cn:ssm:*:account-id:document/SSM-SessionManagerRunShell",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetDiskInformation",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetFileContent",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetFileSystemContent",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetGroups",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetPerformanceCounters",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetProcessDetails",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetUsers",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetWindowsEvents",
            "arn:aws-cn:ssm:*:*:document/AWSFleetManager-GetWindowsRegistryContent"
         ],
         "Condition":{
            "BoolIfExists":{
               "ssm:SessionDocumentAccessCheck":"true"
            }
         }
      },
      {
         "Sid":"TerminateSession",
         "Effect":"Allow",
         "Action":[
            "ssm:TerminateSession"
         ],
         "Resource":"*",
         "Condition":{
            "StringLike":{
               "ssm:resourceTag/aws:ssmmessages:session-id":[
                  "${aws:userid}"
               ]
            }
         }
      },
      {
         "Sid":"KMS",
         "Effect":"Allow",
         "Action":[
            "kms:GenerateDataKey"
         ],
         "Resource":[
            "arn:aws-cn:kms:region:account-id:key/key-ID"
         ]
      }
   ]
}

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Getting started with Fleet Manager

Step 2: Verify your instances and edge devices can be managed by Systems Manager