Getting started with Quick Setup - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Getting started with Quick Setup

Use the information in this topic to help you prepare to use Quick Setup.

Configure the home Amazon Web Services Region

To get started with Quick Setup, a capability of Amazon Systems Manager, you must choose a home Amazon Web Services Region and then onboard with Quick Setup. The home Region is where Quick Setup creates the Amazon resources that are used to deploy your configurations. The home Region can't be changed after you select it.

  1. Open the Amazon Systems Manager console at

  2. In the navigation pane, choose Quick Setup.


    If the Amazon Systems Manager home page opens first, choose the menu icon ( 
    The menu icon
  ) to open the navigation pane, and then choose Quick Setup in the navigation pane.

  3. For Choose a home Region,choose the Amazon Web Services Region where you want Quick Setup to create the Amazon resources used to deploy your configurations.

  4. Choose Get started.

To start using Quick Setup, choose a service or feature in the list of available configuration types. A configuration type in Quick Setup is specific to an Amazon Web Service or feature. When you choose a configuration type, you choose the options that you want to configure for that service or feature. By default, configuration types help you set up the service or feature to use recommended best practices.

After setting up a configuration, you can view details about it and its deployment status across organizational units (OUs) and Regions. You can also view State Manager association status for the configuration. State Manager is a capability of Amazon Systems Manager. In the Configuration details pane, you can view a summary of the Quick Setup configuration. This summary includes details from all accounts and any detected configuration drift.

IAM roles and permissions for Quick Setup onboarding

During onboarding, Quick Setup creates the following Amazon Identity and Access Management (IAM) roles on your behalf:

  • AWS-QuickSetup-StackSet-Local-ExecutionRole – Grants Amazon CloudFormation permissions to use any template.

  • AWS-QuickSetup-StackSet-Local-AdministrationRole – Grants permissions to Amazon CloudFormation to assume AWS-QuickSetup-StackSet-Local-ExecutionRole.

If you're onboarding a management account—the account that you use to create an organization in Amazon Organizations—Quick Setup also creates the following roles on your behalf:

  • AWS-QuickSetup-SSM-RoleForEnablingExplorer – Grants permissions to the AWS-EnableExplorer automation runbook. The AWS-EnableExplorer runbook configures Explorer, a capability of Systems Manager, to display information for multiple Amazon Web Services accounts and Amazon Web Services Regions.

  • AWSServiceRoleForAmazonSSM – A service-linked role that grants access to Amazon resources managed and used by Systems Manager.

  • AWSServiceRoleForAmazonSSM_AccountDiscovery – A service-linked role that grants permissions to Systems Manager to call Amazon Web Services to discover Amazon Web Services account information when synchronizing data. For more information, see About the AWSServiceRoleForAmazonSSM_AccountDiscovery role.

When onboarding a management account, Quick Setup enables trusted access between Amazon Organizations and CloudFormation to deploy Quick Setup configurations across your organization. To enable trusted access, your management account must have administrator permissions. After onboarding, you no longer need administrator permissions. For more information, see Enable trusted access with Organizations.

For information about Amazon Organizations account types, see Amazon Organizations terminology and concepts in the Amazon Organizations User Guide.


Quick Setup uses Amazon CloudFormation StackSets to deploy your configurations across Amazon Web Services accounts and Regions. If the number of target accounts multiplied by the number of Regions exceeds 10,000, the configuration fails to deploy. We recommend reviewing your use case and creating configurations that use fewer targets to accommodate the growth of your organization. Stack instances aren't deployed to your organization's management account. For more information, see Considerations when creating a stack set with service-managed permissions.

If your user, group, or role has access to the API operations listed in the following table, you can use all features of Quick Setup. There are two tabs of API operations, the first tab is permissions required by all accounts and the second tab contains the additional permissions you need for the management account of your organization.

Non-management account
"iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:GetRole", "iam:ListRoles", "iam:PassRole" "ssm:ListAssociations", "ssm:ListDocuments", "ssm:GetDocument", "ssm:DescribeAssociation", "ssm:DescribeAutomationExecutions", "cloudformation:DescribeStackSet", "cloudformation:DescribeStackInstance", "cloudformation:DescribeStacks", "cloudformation:DescribeStackResources", "cloudformation:ListStackSetOperations", "cloudformation:ListStackSets", "cloudformation:ListStacks", "cloudformation:ListStackInstances", "cloudformation:ListStackSetOperationResults", "cloudformation:TagResource", "cloudformation:CreateStack", "cloudformation:DeleteStackSet", "cloudformation:UpdateStackSet", "cloudformation:CreateStackSet", "cloudformation:DeleteStackInstances", "cloudformation:CreateStackInstances"
Management account
"ssm:createResourceDataSync", "ssm:listResourceDataSync", "ssm:getOpsSummary", "ssm:createAssociation", "ssm:createDocument", "ssm:startAssociationsOnce", "ssm:startAutomationExecution", "ssm:updateAssociation", "ssm:listAssociations", "ssm:listDocuments", "ssm:getDocument", "ssm:describeAssociation", "ssm:describeAutomationExecutions", "organizations:ListRoots", "organizations:DescribeOrganization", "organizations:ListOrganizationalUnitsForParent" "organizations:EnableAWSServiceAccess", "cloudformation:describe*"