Step 3: Control user session access to managed nodes - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Step 3: Control user session access to managed nodes

Amazon Systems Manager Session Manager allows you to centrally grant and revoke user access to managed nodes. Using Amazon Identity and Access Management (IAM) policies, you control which managed nodes specific users or groups can connect to, and you control what Session Manager API operations they can perform on the managed nodes they're given access to.

About Session ID ARN formats

IAM policies for Session Manager access rely on the fact that a session ID begins with the user name of the principal that started it, followed by a hyphen and a random suffix. Policies therefore use the `${aws:username}` policy variable in the resource element so that a user is granted access only to sessions whose IDs start with their own user name. Session IDs in turn are used in session Amazon Resource Names (ARNs) to control access. Session ARNs have the following format:

arn:aws-cn:ssm:region-id:account-id:session/session-id

For example:

arn:aws-cn:ssm:cn-north-1:123456789012:session/JohnDoe-1a2b3c4d5eEXAMPLE

You can use a pair of default IAM policies supplied by Amazon, one for end users and one for administrators, to supply permissions for Session Manager activities. Or you can create custom IAM policies for different permissions requirements you might have.
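The following is an added example, not code from this documentation or from the Session Manager service, that shows how the session ARN pattern behaves once `${aws:username}` is substituted. It contains a minimal, simplified IAM evaluation routine (explicit Deny wins, then Allow, otherwise implicit deny) and two constructed policies: one with the `session/${aws:username}-*` resource pattern that the end-user policy uses, and a hypothetical loose variant without the hyphen delimiter. The user names, account ID, and session suffix are constructed sample values.

```python
import re

# Constructed sample statement modelled on the end-user policy pattern this page
# describes. ${aws:username} is substituted from the request context at
# evaluation time; because session IDs have the form "<username>-<random>",
# the trailing "-*" restricts the grant to sessions the caller started.
END_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ssm:ResumeSession", "ssm:TerminateSession"],
            "Resource": ["arn:aws-cn:ssm:*:*:session/${aws:username}-*"],
        }
    ],
}

# Hypothetical loose variant for comparison: same grant, but the hyphen after
# the variable is missing, so the pattern is a bare prefix match.
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ssm:ResumeSession", "ssm:TerminateSession"],
            "Resource": ["arn:aws-cn:ssm:*:*:session/${aws:username}*"],
        }
    ],
}

# Constructed session ARN for the IAM user "JohnDoe" in the aws-cn partition.
SESSION_ARN = (
    "arn:aws-cn:ssm:cn-north-1:123456789012:session/JohnDoe-1a2b3c4d5eEXAMPLE"
)


def substitute_variables(text, context):
    """Replace ${key} policy variables with values from the request context."""
    for key, value in context.items():
        text = text.replace("${" + key + "}", value)
    return text


def wildcard_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy, action, resource_arn, context):
    """Simplified identity-policy evaluation: Deny beats Allow; no match is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(wildcard_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(
            wildcard_match(substitute_variables(r, context), resource_arn)
            for r in _as_list(stmt["Resource"])
        )
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # The owner may terminate their own session.
    print(is_allowed(END_USER_POLICY, "ssm:TerminateSession", SESSION_ARN,
                     {"aws:username": "JohnDoe"}))
    # "John" is a prefix of "JohnDoe", but the hyphen delimiter blocks the match.
    print(is_allowed(END_USER_POLICY, "ssm:TerminateSession", SESSION_ARN,
                     {"aws:username": "John"}))
    # Without the delimiter, the prefix user gains access to JohnDoe's session.
    print(is_allowed(LOOSE_POLICY, "ssm:TerminateSession", SESSION_ARN,
                     {"aws:username": "John"}))
```

Two points to carry into a real policy review: keep the hyphen after `${aws:username}` so that one user name that is a prefix of another does not widen the grant, and remember that `aws:username` is populated only for IAM users; principals using assumed roles or federation have no `aws:username` value, so the variable is left unsubstituted and the resource never matches.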

For more information about using variables in IAM policies, see IAM Policy Elements: Variables.

For information about how to create policies and attach them to IAM users or groups, see Creating IAM Policies and Adding and Removing IAM Policies in the IAM User Guide.