Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Amazon Systems Manager

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Service is launched or new API operations become available for existing services.

For more information, see Amazon managed policies in the IAM User Guide.

Amazon managed policy: AmazonSSMServiceRolePolicy

You can't attach AmazonSSMServiceRolePolicy to your Amazon Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Amazon Systems Manager to perform actions on your behalf. For more information, see Using roles to collect inventory and view OpsData.

AmazonSSMServiceRolePolicy allows Systems Manager to complete the following actions on all related resources ("Resource": "*"), except where indicated:

  • ssm:CancelCommand

  • ssm:GetCommandInvocation

  • ssm:ListCommandInvocations

  • ssm:ListCommands

  • ssm:SendCommand

  • ssm:GetAutomationExecution

  • ssm:GetParameters

  • ssm:StartAutomationExecution

  • ssm:StopAutomationExecution

  • ssm:ListTagsForResource

  • ssm:GetCalendarState

  • ssm:UpdateServiceSetting [1]

  • ssm:GetServiceSetting [1]

  • ec2:DescribeInstanceAttribute

  • ec2:DescribeInstanceStatus

  • ec2:DescribeInstances

  • lambda:InvokeFunction [2]

  • states:DescribeExecution [3]

  • states:StartExecution [3]

  • resource-groups:ListGroups

  • resource-groups:ListGroupResources

  • resource-groups:GetGroupQuery

  • tag:GetResources

  • config:SelectResourceConfig

  • config:DescribeComplianceByConfigRule

  • config:DescribeComplianceByResource

  • config:DescribeRemediationConfigurations

  • config:DescribeConfigurationRecorders

  • cloudwatch:DescribeAlarms

  • compute-optimizer:GetEC2InstanceRecommendations

  • compute-optimizer:GetEnrollmentStatus

  • support:DescribeTrustedAdvisorChecks

  • support:DescribeTrustedAdvisorCheckSummaries

  • support:DescribeTrustedAdvisorCheckResult

  • support:DescribeCases

  • iam:PassRole [4]

  • cloudformation:DescribeStacks

  • cloudformation:ListStackResources

  • cloudformation:ListStackInstances [5]

  • cloudformation:DescribeStackSetOperation [5]

  • cloudformation:DeleteStackSet [5]

  • cloudformation:DeleteStackInstances [6]

  • events:PutRule [7]

  • events:PutTargets [7]

  • events:RemoveTargets [8]

  • events:DeleteRule [8]

  • events:DescribeRule

  • securityhub:DescribeHub

[1] The ssm:UpdateServiceSetting and ssm:GetServiceSetting actions are allowed permissions for the following resources only.

    arn:aws-cn:ssm:*:*:servicesetting/ssm/opsitem/*
    arn:aws-cn:ssm:*:*:servicesetting/ssm/opsdata/*

[2] The lambda:InvokeFunction action is allowed permissions for the following resources only.

    arn:aws-cn:lambda:*:*:function:SSM*
    arn:aws-cn:lambda:*:*:function:*:SSM*

[3] The states: actions are allowed permissions on the following resources only.

    arn:aws-cn:states:*:*:stateMachine:SSM*
    arn:aws-cn:states:*:*:execution:SSM*

[4] The iam:PassRole action is allowed permissions by the following condition for the Systems Manager service only.

    "Condition": {
        "StringEquals": {
            "iam:PassedToService": [
                "ssm.amazonaws.com.cn"
            ]
        }
    }

[5] The cloudformation:ListStackInstances, cloudformation:DescribeStackSetOperation, and cloudformation:DeleteStackSet actions are allowed permissions on the following resource only.

arn:aws-cn:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*

[6] The cloudformation:DeleteStackInstances action is allowed permissions on the following resources only.

    arn:aws-cn:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*
    arn:aws-cn:cloudformation:*:*:stackset-target/AWS-QuickSetup-SSM*:*
    arn:aws-cn:cloudformation:*:*:type/resource/*

[7] The events:PutRule and events:PutTargets actions are allowed permissions by the following condition for the Systems Manager service only.

    "Condition": {
        "StringEquals": {
            "events:ManagedBy": "ssm.amazonaws.com.cn"
        }
    }

[8] The events:RemoveTargets and events:DeleteRule actions are allowed permissions on the following resource only.

arn:aws-cn:events:*:*:rule/SSMExplorerManagedRule

To view more details about the policy, including the latest version of the JSON policy document, see AmazonSSMServiceRolePolicy in the Amazon Managed Policy Reference Guide.

Amazon managed policy: AmazonSSMReadOnlyAccess

You can attach the AmazonSSMReadOnlyAccess policy to your IAM identities. This policy grants read-only access to Amazon Systems Manager API operations including Describe*, Get*, and List*.

To view more details about the policy, including the latest version of the JSON policy document, see AmazonSSMReadOnlyAccess in the Amazon Managed Policy Reference Guide.
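The introduction recommends narrowing a managed policy into a customer managed policy specific to your use case. The following added example (not AWS code, and not the real text of AmazonSSMReadOnlyAccess) shows the mechanics of that reduction: it takes a policy document constructed to match this page's description of AmazonSSMReadOnlyAccess (Describe*, Get*, List* on ssm), a set of constructed CloudTrail-like records naming the actions a principal actually called during an observation window, and emits a policy that keeps only the concrete actions the wildcards were seen to cover. Actions that were called but never granted are ignored, so the result can only shrink access, never widen it. The mapping from eventSource to IAM service prefix is an assumption that holds for ssm but not for every service.

```python
"""Derive a customer managed policy that keeps only the actions a principal used.

Added example, not AWS code. Inputs are constructed: a wildcard policy shaped like
this page's description of AmazonSSMReadOnlyAccess, and CloudTrail-like records.
"""
import fnmatch
import json

# Constructed: wildcard grants in the shape this page gives for AmazonSSMReadOnlyAccess.
# The real managed policy document may differ; fetch it from the reference guide.
MANAGED_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:Describe*", "ssm:Get*", "ssm:List*"],
         "Resource": "*"}
    ],
}

# Constructed records in CloudTrail-like shape: only eventSource and eventName are used.
OBSERVED_EVENTS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "DescribeInstanceInformation"},
    {"eventSource": "ssm.amazonaws.com", "eventName": "GetParameter"},
    {"eventSource": "ssm.amazonaws.com", "eventName": "GetParameter"},
    {"eventSource": "ssm.amazonaws.com", "eventName": "ListCommands"},
    {"eventSource": "ssm.amazonaws.com", "eventName": "GetCommandInvocation"},
    # Not granted by the read-only policy; must not appear in the scoped result.
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand"},
]


def actions_from_events(events):
    """Map CloudTrail-like records to IAM action names.

    Assumption: the IAM service prefix is the first label of eventSource. That holds
    for ssm but not for every service; a production tool needs a real mapping table.
    """
    return {f"{ev['eventSource'].split('.')[0]}:{ev['eventName']}" for ev in events}


def scope_down(managed_policy, used_actions, sid="ScopedDownFromManagedPolicy"):
    """Return (customer_policy, unused_patterns).

    Each Allow action pattern in the managed policy is replaced by the concrete used
    actions it matches. Patterns that matched nothing are reported so a reviewer can
    decide whether they are truly unneeded. Used-but-never-granted actions are
    dropped: scoping down must not widen access.
    """
    by_lower = {a.lower(): a for a in used_actions}
    keep, unused = set(), []
    for stmt in managed_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for pattern in patterns:
            # IAM action names are case-insensitive; '*' and '?' are wildcards.
            hits = [orig for low, orig in by_lower.items()
                    if fnmatch.fnmatchcase(low, pattern.lower())]
            if hits:
                keep.update(hits)
            else:
                unused.append(pattern)
    customer_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Action": sorted(keep),
            # Resource is kept as granted here; narrowing ARNs is the next step.
            "Resource": "*",
        }],
    }
    return customer_policy, sorted(unused)


if __name__ == "__main__":
    policy, unused = scope_down(MANAGED_READ_ONLY, actions_from_events(OBSERVED_EVENTS))
    print(json.dumps(policy, indent=2))
    print("patterns with no observed use:", unused)
```

The observation window matters: an action that is only called during a quarterly task will be missing from a short window, which is why the function reports unmatched patterns instead of silently dropping them. Narrowing "Resource" from "*" to specific ARNs is a separate, second pass.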

Amazon managed policy: AWSSystemsManagerOpsDataSyncServiceRolePolicy

You can't attach AWSSystemsManagerOpsDataSyncServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see Using roles to create OpsData and OpsItems for Explorer.

AWSSystemsManagerOpsDataSyncServiceRolePolicy allows the AWSServiceRoleForSystemsManagerOpsDataSync service-linked role to create and update OpsItems and OpsData from Amazon Security Hub findings.

The policy allows Systems Manager to complete the following actions on all related resources ("Resource": "*"), except where indicated:

  • ssm:GetOpsItem [1]

  • ssm:UpdateOpsItem [1]

  • ssm:CreateOpsItem

  • ssm:AddTagsToResource [2]

  • ssm:UpdateServiceSetting [3]

  • ssm:GetServiceSetting [3]

  • securityhub:GetFindings

  • securityhub:BatchUpdateFindings [4]

[1] The ssm:GetOpsItem and ssm:UpdateOpsItem actions are allowed permissions by the following condition for the Systems Manager service only.

    "Condition": {
        "StringEquals": {
            "aws:ResourceTag/ExplorerSecurityHubOpsItem": "true"
        }
    }

[2] The ssm:AddTagsToResource action is allowed permissions for the following resource only.

arn:aws-cn:ssm:*:*:opsitem/*

[3] The ssm:UpdateServiceSetting and ssm:GetServiceSetting actions are allowed permissions for the following resources only.

    arn:aws-cn:ssm:*:*:servicesetting/ssm/opsitem/*
    arn:aws-cn:ssm:*:*:servicesetting/ssm/opsdata/*

[4] The securityhub:BatchUpdateFindings action is explicitly denied by the following Deny statements, which apply to the Systems Manager service only. The effect is that the service-linked role can update a finding's workflow status, but cannot set it to SUPPRESSED and cannot set any of the other listed finding fields.

    { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*",
      "Condition": { "StringEquals": { "securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED" } } },
    { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*",
      "Condition": { "Null": { "securityhub:ASFFSyntaxPath/Confidence": false } } },
    { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*",
      "Condition": { "Null": { "securityhub:ASFFSyntaxPath/Criticality": false } } },
    { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*",
      "Condition": { "Null": { "securityhub:ASFFSyntaxPath/Note.Text": false } } },
    { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*",
      "Condition": { "Null": { "securityhub:ASFFSyntaxPath/Note.UpdatedBy": false } } },
    { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*",
      "Condition": { "Null": { "securityhub:ASFFSyntaxPath/RelatedFindings": false } } },
    { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*",
      "Condition": { "Null": { "securityhub:ASFFSyntaxPath/Types": false } } },
    { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*",
      "Condition": { "Null": { "securityhub:ASFFSyntaxPath/UserDefinedFields.key": false } } },
    { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*",
      "Condition": { "Null": { "securityhub:ASFFSyntaxPath/UserDefinedFields.value": false } } },
    { "Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*",
      "Condition": { "Null": { "securityhub:ASFFSyntaxPath/VerificationState": false } } }
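The footnotes on this page scope broad actions in three ways: wildcard Resource ARNs (footnotes [1] and [2] of AmazonSSMServiceRolePolicy), a StringEquals condition on iam:PassedToService (footnote [4]), and Null conditions on explicit Deny statements (footnote [4] of the OpsDataSync policy above). The following added example (not AWS code and not the real IAM evaluation engine) is a small evaluator that implements just those semantics so you can see how each restriction behaves on a request: an explicit Deny wins over any Allow, "*" and "?" are wildcards in Action and Resource, a condition key missing from the request context makes StringEquals fail, and Null with false requires the key to be present. The policy document is constructed from the statements quoted in the footnotes; the account ID 111122223333 and Region cn-north-1 are placeholders.

```python
"""Minimal IAM policy evaluator for the scoping shown in the footnotes above.

Added example, not AWS code. Only the subset of IAM needed for the footnotes is
implemented: Allow/Deny with explicit Deny winning, '*'/'?' wildcards in Action and
Resource, and the StringEquals and Null condition operators.
"""
import fnmatch


def _as_list(value):
    """IAM accepts a single string or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    return fnmatch.fnmatchcase(value, pattern)


def _conditions_hold(condition, context):
    """Return True when every operator/key pair in the Condition block is satisfied."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            present = context.get(key)
            if operator == "StringEquals":
                # A missing key never equals anything, so the statement does not apply.
                if present is None or present not in _as_list(wanted):
                    return False
            elif operator == "Null":
                # Null: true -> key must be absent; Null: false -> key must be present.
                want_absent = str(wanted).lower() == "true"
                if (present is None) != want_absent:
                    return False
            else:
                raise ValueError(f"operator {operator} is not implemented in this example")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request against one policy."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins, whatever else matched
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed policy reproducing the scoping from footnotes [1], [2] and [4] of
# AmazonSSMServiceRolePolicy and two of the Deny statements from the OpsDataSync policy.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:GetServiceSetting", "ssm:UpdateServiceSetting"],
         "Resource": ["arn:aws-cn:ssm:*:*:servicesetting/ssm/opsitem/*",
                      "arn:aws-cn:ssm:*:*:servicesetting/ssm/opsdata/*"]},
        {"Effect": "Allow",
         "Action": "lambda:InvokeFunction",
         "Resource": ["arn:aws-cn:lambda:*:*:function:SSM*",
                      "arn:aws-cn:lambda:*:*:function:*:SSM*"]},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": ["ssm.amazonaws.com.cn"]}}},
        {"Effect": "Allow", "Action": "securityhub:BatchUpdateFindings", "Resource": "*"},
        {"Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*",
         "Condition": {"StringEquals": {"securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"}}},
        {"Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*",
         "Condition": {"Null": {"securityhub:ASFFSyntaxPath/Confidence": False}}},
    ],
}

# Constructed request resources: placeholder account 111122223333 in cn-north-1.
SETTING_OK = "arn:aws-cn:ssm:cn-north-1:111122223333:servicesetting/ssm/opsitem/default"
SETTING_OTHER = "arn:aws-cn:ssm:cn-north-1:111122223333:servicesetting/ssm/parameter-store/x"
FN_SSM = "arn:aws-cn:lambda:cn-north-1:111122223333:function:SSM-Helper"
FN_OTHER = "arn:aws-cn:lambda:cn-north-1:111122223333:function:Billing"
ROLE = "arn:aws-cn:iam::111122223333:role/SomeRole"

if __name__ == "__main__":
    print(evaluate(POLICY, "ssm:GetServiceSetting", SETTING_OK))      # Allow
    print(evaluate(POLICY, "ssm:GetServiceSetting", SETTING_OTHER))   # ImplicitDeny
    print(evaluate(POLICY, "iam:PassRole", ROLE))                     # ImplicitDeny (no context key)
    print(evaluate(POLICY, "securityhub:BatchUpdateFindings", "*",
                   {"securityhub:ASFFSyntaxPath/Confidence": "80"}))  # Deny
```

Two behaviours are worth noting when reading the footnotes. The iam:PassRole grant is useless to any request that does not carry iam:PassedToService equal to the Systems Manager principal, because StringEquals on an absent key fails rather than passing. And the Null-based Deny statements mean a BatchUpdateFindings call is refused as soon as any of the listed fields is present in the request, so the role can only touch the fields the Deny list leaves out.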

To view more details about the policy, including the latest version of the JSON policy document, see AWSSystemsManagerOpsDataSyncServiceRolePolicy in the Amazon Managed Policy Reference Guide.

Amazon managed policy: AmazonSSMManagedEC2InstanceDefaultPolicy

You should only attach AmazonSSMManagedEC2InstanceDefaultPolicy to IAM roles for Amazon EC2 instances that you want to have permission to use Systems Manager functionality. You shouldn't attach this policy to other IAM entities, such as IAM users and IAM groups, or to IAM roles that serve other purposes. For more information, see Using the Default Host Management Configuration setting.

This policy grants permissions that allow the SSM Agent on your Amazon EC2 instance to retrieve Documents, execute commands using Run Command, establish sessions using Session Manager, collect an inventory of the instance, and scan for patches and patch compliance using Patch Manager.

Systems Manager uses a personalized authorization token for each instance to ensure that SSM Agent performs the API operations on the correct instance. Systems Manager validates the personalized authorization token against the Amazon Resource Name (ARN) of the instance, provided in the API operation.

The AmazonSSMManagedEC2InstanceDefaultPolicy permissions policy allows Systems Manager to complete the following actions on all related resources ("Resource": "*"):

  • ssm:DescribeAssociation

  • ssm:GetDeployablePatchSnapshotForInstance

  • ssm:GetDocument

  • ssm:DescribeDocument

  • ssm:GetManifest

  • ssm:ListAssociations

  • ssm:ListInstanceAssociations

  • ssm:PutInventory

  • ssm:PutComplianceItems

  • ssm:PutConfigurePackageResult

  • ssm:UpdateAssociationStatus

  • ssm:UpdateInstanceAssociationStatus

  • ssm:UpdateInstanceInformation

  • ssmmessages:CreateControlChannel

  • ssmmessages:CreateDataChannel

  • ssmmessages:OpenControlChannel

  • ssmmessages:OpenDataChannel

  • ec2messages:AcknowledgeMessage

  • ec2messages:DeleteMessage

  • ec2messages:FailMessage

  • ec2messages:GetEndpoint

  • ec2messages:GetMessages

  • ec2messages:SendReply

To view more details about the policy, including the latest version of the JSON policy document, see AmazonSSMManagedEC2InstanceDefaultPolicy in the Amazon Managed Policy Reference Guide.

Systems Manager updates to Amazon managed policies

In the following table, view details about updates to Amazon managed policies for Systems Manager since this service began tracking these changes on March 12, 2021. For information about other managed policies for the Systems Manager service, see Additional managed policies for Systems Manager later in this topic. For automatic alerts about changes to this page, subscribe to the RSS feed on the Systems Manager Document history page.

Change: AWSSystemsManagerOpsDataSyncServiceRolePolicy – Update to an existing policy.
Description: OpsCenter updated the policy to improve the security of the service code within the service-linked role for Explorer to manage OpsData-related operations.
Date: June 28, 2023

Change: AmazonSSMManagedEC2InstanceDefaultPolicy – New policy.
Description: Systems Manager added a new policy to allow Systems Manager functionality on Amazon EC2 instances without the use of an IAM instance profile.
Date: August 18, 2022

Change: AmazonSSMServiceRolePolicy – Update to an existing policy.
Description: Systems Manager added new permissions to allow Explorer to create a managed rule when you turn on Security Hub from Explorer or OpsCenter. New permissions were added to check that config and the compute-optimizer meet the necessary requirements before allowing OpsData.
Date: April 27, 2021

Change: AWSSystemsManagerOpsDataSyncServiceRolePolicy – New policy.
Description: Systems Manager added a new policy to create and update OpsItems and OpsData from Security Hub findings in Explorer and OpsCenter.
Date: April 27, 2021

Change: AmazonSSMServiceRolePolicy – Update to an existing policy.
Description: Systems Manager added new permissions to allow viewing aggregate OpsData and OpsItems details from multiple accounts and Amazon Web Services Regions in Explorer.
Date: March 24, 2021

Change: Systems Manager started tracking changes.
Description: Systems Manager started tracking changes for its Amazon managed policies.
Date: March 12, 2021

Additional managed policies for Systems Manager

In addition to the managed policies described earlier in this topic, the following policies are also supported by Systems Manager.

  • AmazonSSMAutomationApproverAccess – Amazon managed policy that allows access to view automation executions and send approval decisions to automation that is waiting for approval.

  • AmazonSSMAutomationRole – Amazon managed policy that provides permissions for the Systems Manager Automation service to run activities defined within Automation runbooks. Assign this policy to administrators and trusted power users.

  • AmazonSSMDirectoryServiceAccess – Amazon managed policy that allows SSM Agent to access Amazon Directory Service on behalf of the user for requests to join the domain by the managed node.

  • AmazonSSMFullAccess – Amazon managed policy that grants full access to the Systems Manager API and documents.

  • AmazonSSMMaintenanceWindowRole – Amazon managed policy that provides maintenance windows with permissions to the Systems Manager API.

  • AmazonSSMManagedInstanceCore – Amazon managed policy that allows a node to use Systems Manager service core functionality.

  • AmazonSSMPatchAssociation – Amazon managed policy that provides access to child instances for patch association operations.

  • AmazonSSMReadOnlyAccess – Amazon managed policy that grants access to Systems Manager read-only API operations, such as Get* and List*.

  • AWSSSMOpsInsightsServiceRolePolicy – Amazon managed policy that provides permissions for creating and updating operational insight OpsItems in Systems Manager. Used to provide permissions through the service-linked role AWSServiceRoleForAmazonSSM_OpsInsights.

  • AWSSystemsManagerAccountDiscoveryServicePolicy – Amazon managed policy that grants Systems Manager permission to discover Amazon Web Services account information.

  • AWSSystemsManagerChangeManagementServicePolicy – Amazon managed policy that provides access to Amazon resources managed or used by the Systems Manager change management framework and used by the service-linked role AWSServiceRoleForSystemsManagerChangeManagement.

  • AmazonEC2RoleforSSM – This policy is no longer supported and should not be used. In its place, use the AmazonSSMManagedInstanceCore policy to allow Systems Manager service core functionality on EC2 instances. For information, see Configure instance permissions for Systems Manager.