Start a default shell session by specifying the default session document in IAM policies - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Start a default shell session by specifying the default session document in IAM policies

When you configure Session Manager for your Amazon Web Services account or when you change session preferences in the Systems Manager console, the system creates an SSM session document called SSM-SessionManagerRunShell. This is the default session document. Session Manager uses this document to store your session preferences, which include information like the following:

  • A location where you want to save session data, such as an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon CloudWatch Logs log group.

  • An Amazon Key Management Service (Amazon KMS) key ID for encrypting session data.

  • Whether Run As support is allowed for your sessions.

Here is an example of the information contained in the SSM-SessionManagerRunShell session preferences document.

{
    "schemaVersion": "1.0",
    "description": "Document to hold regional settings for Session Manager",
    "sessionType": "Standard_Stream",
    "inputs": {
        "s3BucketName": "MyS3TestBucket",
        "s3KeyPrefix": "BucketPrefix",
        "s3EncryptionEnabled": true,
        "cloudWatchLogGroupName": "MyCWLogGroup",
        "cloudWatchEncryptionEnabled": false,
        "kmsKeyId": "1a2b3c4d",
        "runAsEnabled": true,
        "runAsDefaultUser": "RunAsUser"
    }
}

By default, Session Manager uses the default session document when a user starts a session from the Amazon Web Services Management Console. This applies whether the session is started from Fleet Manager or Session Manager in the Systems Manager console, or from EC2 Connect in the Amazon EC2 console. Session Manager also uses the default session document when a user starts a session by using an Amazon CLI command like the following example:

aws ssm start-session \
    --target i-02573cafcfEXAMPLE

If you want users or groups to access the default shell session, we recommend you also specify the default session document in the IAM policy, as shown in the following example.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnableSSMSession",
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws-cn:ec2:us-west-2:123456789012:instance/i-02573cafcfEXAMPLE",
                "arn:aws-cn:ssm:us-west-2:123456789012:document/SSM-SessionManagerRunShell"
            ]
        }
    ]
}
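As an added example (not part of the Systems Manager documentation), the following Python checker parses an IAM policy document and reports, for each Allow statement that grants ssm:StartSession, whether the default session document SSM-SessionManagerRunShell is listed explicitly, is only covered by a wildcard resource, or is missing from the statement's resources. The policy embedded below is a constructed sample modelled on the one above; the audit_start_session function and its helpers are assumptions of this example, not an Amazon API.

```python
import json

# Constructed sample, modelled on the policy shown above; the partition,
# Region, account ID and instance ID are placeholders, not real resources.
SAMPLE_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnableSSMSession",
        "Effect": "Allow",
        "Action": ["ssm:StartSession"],
        "Resource": [
            "arn:aws-cn:ec2:us-west-2:123456789012:instance/i-02573cafcfEXAMPLE",
            "arn:aws-cn:ssm:us-west-2:123456789012:document/SSM-SessionManagerRunShell",
        ],
    }],
})

DEFAULT_DOC = "SSM-SessionManagerRunShell"


def _as_list(value):
    """IAM accepts a string, an object or a list here; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _allows_start_session(stmt):
    """True for Allow statements naming ssm:StartSession (or a broad wildcard)."""
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    return stmt.get("Effect") == "Allow" and any(
        a in ("ssm:startsession", "ssm:*", "*") for a in actions)


def _document_coverage(resources):
    """'explicit' if the default document ARN is listed, 'wildcard' if only
    a wildcard (document/* or *) would match it, otherwise 'missing'."""
    names = []
    for r in resources:
        if r == "*":
            names.append("*")
        elif ":document/" in r:
            names.append(r.rsplit("/", 1)[1])
    if DEFAULT_DOC in names:
        return "explicit"
    return "wildcard" if "*" in names else "missing"


def audit_start_session(policy_json):
    """Map each Allow ssm:StartSession statement's Sid to its document coverage."""
    policy = json.loads(policy_json)
    return {
        stmt.get("Sid", f"statement-{i}"): _document_coverage(_as_list(stmt.get("Resource")))
        for i, stmt in enumerate(_as_list(policy.get("Statement")))
        if _allows_start_session(stmt)
    }
```

A statement reported as "missing" lets the user reach the instance resource but not the default session document, so a console or plain start-session call against it will be denied; "wildcard" works but is broader than the explicit document ARN the page recommends.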