Adding Session Manager permissions to an existing IAM role - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Adding Session Manager permissions to an existing IAM role

Use the following procedure to add Session Manager permissions to an existing Amazon Identity and Access Management (IAM) role. By adding only these permissions to an existing role, you can enhance the security of your computing environment without having to attach the Amazon managed policy AmazonSSMManagedInstanceCore for instance permissions, which grants more Systems Manager permissions than Session Manager alone needs.

Note

Note the following information:

  • This procedure assumes that your existing role already includes other Systems Manager ssm permissions for actions you want to allow access to. This policy alone isn't enough to use Session Manager.

  • The following policy example includes an s3:GetEncryptionConfiguration action. This action is required if you chose the Enforce S3 log encryption option in Session Manager logging preferences.

To add Session Manager permissions to an existing role (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Roles.

  3. Select the name of the role that you are adding the permissions to.

  4. Choose the Permissions tab.

  5. Choose Add permissions, and then select Create inline policy.

  6. Choose the JSON tab.

  7. Replace the default policy content with the following content. Replace key-name with the Amazon Resource Name (ARN) of the Amazon Key Management Service key (Amazon KMS key) that you want to use.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssmmessages:CreateControlChannel",
                    "ssmmessages:CreateDataChannel",
                    "ssmmessages:OpenControlChannel",
                    "ssmmessages:OpenDataChannel"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetEncryptionConfiguration"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "kms:Decrypt"
                ],
                "Resource": "key-name"
            }
        ]
    }

    For information about using a KMS key to encrypt session data, see Turn on KMS key encryption of session data (console).

    If you won't use Amazon KMS encryption for your session data, you can remove the following content from the policy.

    ,
    {
        "Effect": "Allow",
        "Action": [
            "kms:Decrypt"
        ],
        "Resource": "key-name"
    }
  8. Choose Next: Tags.

  9. (Optional) Add tags by choosing Add tag and entering the tags you want for the policy.

  10. Choose Next: Review.

  11. On the Review policy page, for Name, enter a name for the inline policy, such as SessionManagerPermissions.

  12. (Optional) For Description, enter a description for the policy.

  13. Choose Create policy.

For information about the ssmmessages actions, see Reference: ec2messages, ssmmessages, and other API operations.
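The following script is an added example and is not part of the Amazon documentation above. It builds the same inline policy document as the console procedure from a KMS key ARN, drops the kms:Decrypt statement when session data is not KMS-encrypted (as the note above allows), refuses the unreplaced key-name placeholder, and runs a small least-privilege check before emitting the equivalent AWS CLI call. The function names, the constructed example key ARN, and the checker's findings are this example's own; aws iam put-role-policy and its --role-name, --policy-name and --policy-document options are the real CLI equivalent of the console steps but are not mentioned on the page.

```python
import json
import re
import shlex

# The four ssmmessages actions the page's inline policy grants; Session Manager
# uses them to open the control and data channels for a session.
SSMMESSAGES_ACTIONS = [
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
]

# Shape of a KMS key ARN, e.g. arn:aws-cn:kms:cn-north-1:123456789012:key/<uuid>.
# Used to catch the page's "key-name" placeholder being left in by mistake.
KMS_KEY_ARN_RE = re.compile(
    r"^arn:aws(-cn|-us-gov)?:kms:[a-z0-9-]+:\d{12}:key/"
    r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$"
)


def build_session_manager_policy(kms_key_arn=None, enforce_s3_log_encryption=True):
    """Return the page's inline policy document as a dict.

    kms_key_arn: ARN of the KMS key used for session data encryption, or None
    to leave out the kms:Decrypt statement (the page says to remove it when
    KMS encryption of session data is not used).
    enforce_s3_log_encryption: keep s3:GetEncryptionConfiguration, which the
    page says is needed only with the "Enforce S3 log encryption" preference.
    """
    statements = [
        {"Effect": "Allow", "Action": list(SSMMESSAGES_ACTIONS), "Resource": "*"}
    ]
    if enforce_s3_log_encryption:
        statements.append(
            {"Effect": "Allow", "Action": ["s3:GetEncryptionConfiguration"], "Resource": "*"}
        )
    if kms_key_arn is not None:
        if not KMS_KEY_ARN_RE.match(kms_key_arn):
            raise ValueError(f"not a KMS key ARN (placeholder left in?): {kms_key_arn!r}")
        statements.append(
            {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": kms_key_arn}
        )
    return {"Version": "2012-10-17", "Statement": statements}


def check_policy(policy):
    """Review a policy document and return a list of findings (empty when clean).

    Findings (this example's own checks): a required ssmmessages action is not
    allowed, or a kms action is granted on Resource "*" instead of the one key
    the sessions actually use.
    """
    findings = []
    allowed = set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow":
            continue
        allowed.update(actions)
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for action in actions:
            if action.startswith("kms:") and "*" in resources:
                findings.append(
                    f"{action} is allowed on Resource '*'; scope it to the session key ARN"
                )
    missing = [a for a in SSMMESSAGES_ACTIONS if a not in allowed]
    if missing:
        findings.append("missing required actions: " + ", ".join(missing))
    return findings


def put_role_policy_command(role_name, policy_name, policy):
    """Build the AWS CLI argv that attaches the document as an inline role policy
    (aws iam put-role-policy is the CLI counterpart of the console steps)."""
    return [
        "aws", "iam", "put-role-policy",
        "--role-name", role_name,
        "--policy-name", policy_name,
        "--policy-document", json.dumps(policy),
    ]


if __name__ == "__main__":
    # Constructed example key ARN; replace it with the ARN of your own key.
    example_key = "arn:aws-cn:kms:cn-north-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    doc = build_session_manager_policy(example_key)
    print(json.dumps(doc, indent=4))
    print("findings:", check_policy(doc))
    print(shlex.join(put_role_policy_command("MyInstanceRole", "SessionManagerPermissions", doc)))
```

Running the script prints the policy with the key ARN filled in, an empty findings list, and a shell-quoted put-role-policy command you can review before executing. The checker is deliberately narrow: it only looks at the statements this page is about, so it complements rather than replaces a full policy review.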