Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Sample IAM policies for Session Manager

Use the samples in this section to help you create Amazon Identity and Access Management (IAM) policies that provide the most commonly needed permissions for Session Manager access.
Quickstart end user policies for Session Manager

Use the following examples to create IAM end user policies for Session Manager. You can create a policy that allows users to start sessions from only the Session Manager console and Amazon Command Line Interface (Amazon CLI), from only the Amazon Elastic Compute Cloud (Amazon EC2) console, or from all three. These policies provide end users the ability to start a session to a particular managed node and the ability to end only their own sessions. Refer to Additional sample IAM policies for Session Manager for examples of customizations you might want to make to the policy.

In the following sample policies, replace each example resource placeholder with your own information.

Choose from the following tabs to view the sample policy for the range of session access you want to provide.
Session Manager and Fleet Manager

Use this sample policy to give users the ability to start and resume sessions from only the Session Manager and Fleet Manager consoles.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:StartSession"
                ],
                "Resource": [
                    "arn:aws-cn:ec2:region:account-id:instance/instance-id",
                    "arn:aws-cn:ssm:region:account-id:document/SSM-SessionManagerRunShell"
                ]
            },
            {
                "Effect": "Allow",
                "Action": ["ssmmessages:OpenDataChannel"],
                "Resource": ["arn:aws-cn:ssm:*:*:session/${aws:userid}-*"]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:DescribeSessions",
                    "ssm:GetConnectionStatus",
                    "ssm:DescribeInstanceProperties",
                    "ec2:DescribeInstances"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:TerminateSession",
                    "ssm:ResumeSession"
                ],
                "Resource": [
                    "arn:aws-cn:ssm:*:*:session/${aws:userid}-*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "kms:GenerateDataKey"
                ],
                "Resource": "key-name"
            }
        ]
    }
Amazon EC2

Use this sample policy to give users the ability to start and resume sessions from only the Amazon EC2 console. This policy doesn't provide all the permissions needed to start sessions from the Session Manager console and the Amazon CLI.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:StartSession",
                    "ssm:SendCommand"
                ],
                "Resource": [
                    "arn:aws-cn:ec2:region:account-id:instance/instance-id",
                    "arn:aws-cn:ssm:region:account-id:document/SSM-SessionManagerRunShell"
                ]
            },
            {
                "Effect": "Allow",
                "Action": ["ssmmessages:OpenDataChannel"],
                "Resource": ["arn:aws-cn:ssm:*:*:session/${aws:userid}-*"]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:GetConnectionStatus",
                    "ssm:DescribeInstanceInformation"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:TerminateSession",
                    "ssm:ResumeSession"
                ],
                "Resource": [
                    "arn:aws-cn:ssm:*:*:session/${aws:username}-*"
                ]
            }
        ]
    }
Amazon CLI

Use this sample policy to give users the ability to start and resume sessions from the Amazon CLI.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:StartSession",
                    "ssm:SendCommand"
                ],
                "Resource": [
                    "arn:aws-cn:ec2:region:account-id:instance/instance-id",
                    "arn:aws-cn:ssm:region:account-id:document/SSM-SessionManagerRunShell"
                ]
            },
            {
                "Effect": "Allow",
                "Action": ["ssmmessages:OpenDataChannel"],
                "Resource": ["arn:aws-cn:ssm:*:*:session/${aws:userid}-*"]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:TerminateSession",
                    "ssm:ResumeSession"
                ],
                "Resource": [
                    "arn:aws-cn:ssm:*:*:session/${aws:userid}-*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "kms:GenerateDataKey"
                ],
                "Resource": "key-name"
            }
        ]
    }
1. SSM-SessionManagerRunShell is the default name of the SSM document that Session Manager creates to store your session configuration preferences. You can create a custom Session document and specify it in this policy instead. You can also specify the Amazon-provided document AWS-StartSSHSession for users who are starting sessions using SSH. For information about configuration steps needed to support sessions using SSH, see (Optional) Allow and control permissions for SSH connections through Session Manager.

2. The kms:GenerateDataKey permission enables the creation of a data encryption key that will be used to encrypt session data. If you will use Amazon Key Management Service (Amazon KMS) encryption for your session data, replace key-name with the Amazon Resource Name (ARN) of the KMS key you want to use, in the format arn:aws-cn:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-12345EXAMPLE. If you won't use KMS key encryption for your session data, remove the following content from the policy.

    {
        "Effect": "Allow",
        "Action": [
            "kms:GenerateDataKey"
        ],
        "Resource": "key-name"
    }

For information about using Amazon KMS for encrypting session data, see Turn on KMS key encryption of session data (console).

3. The permission for SendCommand is needed for cases where a user attempts to start a session from the Amazon EC2 console, but the SSM Agent must be updated to the minimum required version for Session Manager first. Run Command is used to send a command to the instance to update the agent.
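The sample policies above are templates: the tokens region, account-id, instance-id and key-name must be replaced, the kms:GenerateDataKey statement must be dropped when session data is not KMS-encrypted (footnote 2), and the session-scoped statements must keep their ${aws:userid} policy variable so that users can only end their own sessions. The following Python script is an added example, not code from the AWS documentation: it fills a trimmed copy of the "Session Manager and Fleet Manager" policy, applies the footnote 2 rule, and checks that no placeholder survived and that no one widened the session statements to "*". The template below is reduced to the statements that matter for those checks, and all concrete values are made up.

```python
import json
import re

# Trimmed copy of the "Session Manager and Fleet Manager" end user policy
# above (the Describe* statement is omitted because it has no placeholders).
# region, account-id, instance-id and key-name are the placeholders the page
# tells you to replace; ${aws:userid} is an IAM policy variable that IAM
# resolves at request time and must be left untouched.
POLICY_TEMPLATE = r'''
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ssm:StartSession"],
            "Resource": [
                "arn:aws-cn:ec2:region:account-id:instance/instance-id",
                "arn:aws-cn:ssm:region:account-id:document/SSM-SessionManagerRunShell"
            ]
        },
        {
            "Effect": "Allow",
            "Action": ["ssmmessages:OpenDataChannel"],
            "Resource": ["arn:aws-cn:ssm:*:*:session/${aws:userid}-*"]
        },
        {
            "Effect": "Allow",
            "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
            "Resource": ["arn:aws-cn:ssm:*:*:session/${aws:userid}-*"]
        },
        {
            "Effect": "Allow",
            "Action": ["kms:GenerateDataKey"],
            "Resource": "key-name"
        }
    ]
}
'''

# Whole-token match so that "instance" in "instance/instance-id" is not touched.
PLACEHOLDER_RE = re.compile(r"\b(region|account-id|instance-id|key-name)\b")

# Actions that the samples deliberately scope to the caller's own sessions.
SESSION_ACTIONS = {
    "ssm:TerminateSession",
    "ssm:ResumeSession",
    "ssmmessages:OpenDataChannel",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def render_policy(template, region, account_id, instance_id, kms_key_arn=None):
    """Fill the placeholders and return the policy as a dict.

    With kms_key_arn=None the kms:GenerateDataKey statement is removed, which is
    what footnote 2 above instructs when session data is not KMS-encrypted."""
    values = {"region": region, "account-id": account_id,
              "instance-id": instance_id, "key-name": kms_key_arn}

    def fill(match):
        value = values[match.group(1)]
        return match.group(0) if value is None else value  # leave unset tokens for the check below

    policy = json.loads(template)
    rendered = []
    for stmt in policy["Statement"]:
        if "kms:GenerateDataKey" in _as_list(stmt["Action"]) and kms_key_arn is None:
            continue
        # One-pass substitution: replacement text is never rescanned for tokens.
        filled = [PLACEHOLDER_RE.sub(fill, arn) for arn in _as_list(stmt["Resource"])]
        stmt["Resource"] = filled if isinstance(stmt["Resource"], list) else filled[0]
        rendered.append(stmt)
    policy["Statement"] = rendered
    return policy


def find_unreplaced_placeholders(policy):
    """Return the placeholder names still present in any Resource field, sorted."""
    found = set()
    for stmt in policy["Statement"]:
        for arn in _as_list(stmt["Resource"]):
            found.update(PLACEHOLDER_RE.findall(arn))
    return sorted(found)


def session_statements_scoped_to_caller(policy):
    """True only if every statement granting a session action restricts its
    Resource to sessions named after the caller (the ${aws:userid}-* or
    ${aws:username}-* pattern used by the samples)."""
    for stmt in policy["Statement"]:
        if not SESSION_ACTIONS.intersection(_as_list(stmt["Action"])):
            continue
        for arn in _as_list(stmt["Resource"]):
            if not (arn.endswith(":session/${aws:userid}-*")
                    or arn.endswith(":session/${aws:username}-*")):
                return False
    return True


if __name__ == "__main__":
    # Made-up region, account and instance values.
    policy = render_policy(POLICY_TEMPLATE, "cn-north-1", "111122223333",
                           "i-0123456789abcdef0")
    print(json.dumps(policy, indent=4))
    print("unreplaced:", find_unreplaced_placeholders(policy))
    print("session statements scoped to caller:",
          session_statements_scoped_to_caller(policy))
```

Run the script as-is to see the rendered policy; pass kms_key_arn to keep the KMS statement. The scoping check is the one worth wiring into a policy review: a TerminateSession statement with "Resource": "*" would let any holder of the policy end other users' sessions.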
Quickstart administrator policy for Session Manager

Use the following examples to create IAM administrator policies for Session Manager. These policies provide administrators the ability to start a session to managed nodes that are tagged with Key=Finance,Value=WebServers, permission to create, update, and delete preferences, and permission to end only their own sessions. Refer to Additional sample IAM policies for Session Manager for examples of customizations you might want to make to the policy.

You can create a policy that allows administrators to perform these tasks from only the Session Manager console and Amazon CLI, from only the Amazon EC2 console, or from all three.

In the following sample policies, replace each example resource placeholder with your own information.

Choose from the following tabs to view the sample policy for the access scenario you want to support.
Session Manager and CLI

Use this sample policy to give administrators the ability to perform session-related tasks from only the Session Manager console and the Amazon CLI. This policy doesn't provide all the permissions needed to perform session-related tasks from the Amazon EC2 console.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:StartSession"
                ],
                "Resource": [
                    "arn:aws-cn:ec2:region:account-id:instance/*"
                ],
                "Condition": {
                    "StringLike": {
                        "ssm:resourceTag/Finance": [
                            "WebServers"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": ["ssmmessages:OpenDataChannel"],
                "Resource": ["arn:aws-cn:ssm:*:*:session/${aws:userid}-*"]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:DescribeSessions",
                    "ssm:GetConnectionStatus",
                    "ssm:DescribeInstanceProperties",
                    "ec2:DescribeInstances"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:CreateDocument",
                    "ssm:UpdateDocument",
                    "ssm:GetDocument",
                    "ssm:StartSession"
                ],
                "Resource": "arn:aws-cn:ssm:region:account-id:document/SSM-SessionManagerRunShell"
            },
            {
                "Effect": "Allow",
                "Action": ["ssmmessages:OpenDataChannel"],
                "Resource": ["arn:aws-cn:ssm:*:*:session/${aws:userid}-*"]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:TerminateSession",
                    "ssm:ResumeSession"
                ],
                "Resource": [
                    "arn:aws-cn:ssm:*:*:session/${aws:userid}-*"
                ]
            }
        ]
    }
Amazon EC2

Use this sample policy to give administrators the ability to perform session-related tasks from only the Amazon EC2 console. This policy doesn't provide all the permissions needed to perform session-related tasks from the Session Manager console and the Amazon CLI.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:StartSession",
                    "ssm:SendCommand"
                ],
                "Resource": [
                    "arn:aws-cn:ec2:region:account-id:instance/*"
                ],
                "Condition": {
                    "StringLike": {
                        "ssm:resourceTag/tag-key": [
                            "tag-value"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:StartSession"
                ],
                "Resource": [
                    "arn:aws-cn:ssm:region:account-id:document/SSM-SessionManagerRunShell"
                ]
            },
            {
                "Effect": "Allow",
                "Action": ["ssmmessages:OpenDataChannel"],
                "Resource": ["arn:aws-cn:ssm:*:*:session/${aws:userid}-*"]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:GetConnectionStatus",
                    "ssm:DescribeInstanceInformation"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:TerminateSession",
                    "ssm:ResumeSession"
                ],
                "Resource": [
                    "arn:aws-cn:ssm:*:*:session/${aws:userid}-*"
                ]
            }
        ]
    }
Session Manager, CLI, and Amazon EC2

Use this sample policy to give administrators the ability to perform session-related tasks from the Session Manager console, the Amazon CLI, and the Amazon EC2 console.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:StartSession",
                    "ssm:SendCommand"
                ],
                "Resource": [
                    "arn:aws-cn:ec2:region:account-id:instance/*"
                ],
                "Condition": {
                    "StringLike": {
                        "ssm:resourceTag/tag-key": [
                            "tag-value"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": ["ssmmessages:OpenDataChannel"],
                "Resource": ["arn:aws-cn:ssm:*:*:session/${aws:userid}-*"]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:DescribeSessions",
                    "ssm:GetConnectionStatus",
                    "ssm:DescribeInstanceInformation",
                    "ssm:DescribeInstanceProperties",
                    "ec2:DescribeInstances"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:CreateDocument",
                    "ssm:UpdateDocument",
                    "ssm:GetDocument",
                    "ssm:StartSession"
                ],
                "Resource": "arn:aws-cn:ssm:region:account-id:document/SSM-SessionManagerRunShell"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:TerminateSession",
                    "ssm:ResumeSession"
                ],
                "Resource": [
                    "arn:aws-cn:ssm:*:*:session/${aws:userid}-*"
                ]
            }
        ]
    }
1. The permission for SendCommand is needed for cases where a user attempts to start a session from the Amazon EC2 console, but a command must be sent to update SSM Agent first.
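The administrator policies above rely on two scoping mechanisms: a StringLike condition on ssm:resourceTag/Finance that limits ssm:StartSession to instances tagged Finance=WebServers, and the ${aws:userid}-* session ARN pattern that limits TerminateSession and ResumeSession to the caller's own sessions. The following Python script is an added example, not AWS code: it is a deliberately small evaluator (Allow statements, IAM * and ? wildcards, the StringLike operator and the two policy variables the samples use; no Deny, NotAction or other operators) that shows how those two mechanisms decide a request for a constructed instance and a constructed principal. All ARNs, tags and user IDs are made up; for authoritative answers use the IAM policy simulator.

```python
import json
import re

# Constructed copy of the tag-scoped "Session Manager and CLI" administrator
# policy above, reduced to the two statements this example evaluates, with the
# region and account placeholders filled with made-up values.
ADMIN_POLICY = json.loads(r'''
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ssm:StartSession"],
            "Resource": ["arn:aws-cn:ec2:cn-north-1:111122223333:instance/*"],
            "Condition": {"StringLike": {"ssm:resourceTag/Finance": ["WebServers"]}}
        },
        {
            "Effect": "Allow",
            "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
            "Resource": ["arn:aws-cn:ssm:*:*:session/${aws:userid}-*"]
        }
    ]
}
''')


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_regex(pattern):
    """Translate IAM's * (any run of characters) and ? (one character) into an anchored regex."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def matches(pattern, value):
    return wildcard_regex(pattern).match(value) is not None


def resolve_variables(pattern, principal):
    """Substitute ${aws:userid} / ${aws:username}; return None (no match) if the
    principal does not carry a variable the pattern needs."""
    for var in ("aws:userid", "aws:username"):
        token = "${" + var + "}"
        if token in pattern:
            if var not in principal:
                return None
            pattern = pattern.replace(token, principal[var])
    return pattern


def string_like_allows(condition, context):
    """Every StringLike key must be present in the request context and match one
    of its patterns; a missing key (e.g. an untagged instance) fails closed."""
    for key, patterns in condition.get("StringLike", {}).items():
        actual = context.get(key)
        if actual is None or not any(matches(p, actual) for p in _as_list(patterns)):
            return False
    return True


def instance_context(tags):
    """Build the ssm:resourceTag/<key> context keys for an instance's tags."""
    return {"ssm:resourceTag/" + key: value for key, value in tags.items()}


def allows(policy, action, resource, context, principal):
    """True if some Allow statement grants `action` on `resource` for this
    principal and request context. Action names compare case-insensitively."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        patterns = [resolve_variables(r, principal) for r in _as_list(stmt["Resource"])]
        if not any(p is not None and matches(p, resource) for p in patterns):
            continue
        if not string_like_allows(stmt.get("Condition", {}), context):
            continue
        return True
    return False


if __name__ == "__main__":
    # Made-up principal and resources.
    admin = {"aws:userid": "AIDAEXAMPLEUSERID", "aws:username": "alice"}
    web = "arn:aws-cn:ec2:cn-north-1:111122223333:instance/i-0123456789abcdef0"
    print("start on Finance=WebServers instance:",
          allows(ADMIN_POLICY, "ssm:StartSession", web,
                 instance_context({"Finance": "WebServers"}), admin))
    print("start on untagged instance:",
          allows(ADMIN_POLICY, "ssm:StartSession", web, instance_context({}), admin))
    own = "arn:aws-cn:ssm:cn-north-1:111122223333:session/AIDAEXAMPLEUSERID-0a1b2c3d"
    other = "arn:aws-cn:ssm:cn-north-1:111122223333:session/AIDAOTHERUSER-0a1b2c3d"
    print("end own session:", allows(ADMIN_POLICY, "ssm:TerminateSession", own, {}, admin))
    print("end someone else's session:",
          allows(ADMIN_POLICY, "ssm:TerminateSession", other, {}, admin))
```

The evaluator makes the least-privilege intent of the samples concrete: an instance whose Finance tag is absent or has another value is not reachable with ssm:StartSession, and a session ID that does not start with the caller's own user ID cannot be terminated or resumed. Swapping the policy's Resource for the EC2 console variant (which uses ${aws:username}) works the same way, because resolve_variables handles both variables.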