Add Session Manager permissions to an existing IAM role
Use the following procedure to add Session Manager permissions to an existing
Amazon Identity and Access Management (IAM) role. By adding permissions to an existing role, you can
enhance the security of your computing environment without having to use the
Amazon AmazonSSMManagedInstanceCore
policy for instance
permissions.
Note
Note the following information:
-
This procedure assumes that your existing role already includes other Systems Manager
ssm
permissions for actions you want to allow access to. This policy alone isn't enough to use Session Manager. -
The following policy example includes an
s3:GetEncryptionConfiguration
action. This action is required if you chose the Enforce S3 log encryption option in Session Manager logging preferences.
To add Session Manager permissions to an existing role (console)
Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/
. -
In the navigation pane, choose Roles.
-
Select the name of the role that you are adding the permissions to.
-
Choose the Permissions tab.
-
Choose Add permissions, and then select Create inline policy.
-
Choose the JSON tab.
-
Replace the default policy content with the following content. Replace
key-name
with the Amazon Resource Name (ARN) of the Amazon Key Management Service key (Amazon KMS key) that you want to use.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetEncryptionConfiguration" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "
key-name
" } ] }For information about using a KMS key to encrypt session data, see Turn on KMS key encryption of session data (console).
If you won't use Amazon KMS encryption for your session data, you can remove the following content from the policy.
, { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "
key-name
" } -
Choose Next: Tags.
-
(Optional) Add tags by choosing Add tag, and entering the preferred tags for the policy.
-
Choose Next: Review.
-
On the Review policy page, for Name, enter a name for the inline policy, such as
SessionManagerPermissions
. -
(Optional) For Description, enter a description for the policy.
Choose Create policy.
For information about the ssmmessages
actions, see Reference: ec2messages,
ssmmessages, and other API operations.