Step 3: Control session access to managed nodes - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 3: Control session access to managed nodes

You grant or revoke Session Manager access to managed nodes by using Amazon Identity and Access Management (IAM) policies. You can create a policy and attach it to an IAM user or group that specifies which managed nodes the user or group can connect to. You can also specify which Session Manager API operations the user or group can perform on those managed nodes.

To help you get started with IAM permission policies for Session Manager, we've created sample policies for an end user and an administrator user. You can use these policies with only minor changes. Or, use them as a guide to create custom IAM policies. For more information, see Sample IAM policies for Session Manager. For information about how to create IAM policies and attach them to users or groups, see Creating IAM Policies and Adding and Removing IAM Policies in the IAM User Guide.

About session ID ARN formats

When you create an IAM policy for Session Manager access, you specify a session ID as part of the Amazon Resource Name (ARN). The session ID includes the user name as a variable. To help illustrate this, here's the format of a Session Manager ARN and an example:


For example:


For more information about using variables in IAM policies, see IAM Policy Elements: Variables.
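The following Python script is an added example, not part of the Amazon Systems Manager documentation, that ties the two points above together: it builds an end-user policy that limits ssm:StartSession to listed managed nodes and limits ssm:ResumeSession and ssm:TerminateSession to session ARNs whose session ID begins with the caller's own user name, by way of the ${aws:username} variable, then checks constructed session ARNs against that policy offline. It assumes the aws-cn partition used in the China Regions (other Regions use aws), a constructed account ID, instance IDs and session IDs, and a deliberately small policy evaluator that handles only Allow statements, the * and ? wildcards and the ${aws:username} variable; real IAM evaluation also applies Deny statements, conditions and identity-based policies on other principals.

```python
"""Session Manager access policy, built and checked offline.

Added example, not from the Amazon Systems Manager documentation.
Assumptions: the "aws-cn" partition (China Regions; use "aws" elsewhere),
a constructed account ID, instance IDs and session IDs, and a deliberately
small policy evaluator that handles Allow statements, "*" / "?" wildcards
and the ${aws:username} variable only (no Deny, no Condition, no NotAction).
"""
import fnmatch
import json

PARTITION = "aws-cn"  # assumption: China Regions; other Regions use "aws"


def build_end_user_policy(partition, instance_arns):
    """Return an IAM policy document for a Session Manager end user.

    StartSession is limited to the listed managed nodes (plus the default
    session document); ResumeSession and TerminateSession are limited to
    sessions whose ID starts with the caller's own user name, which is how
    Session Manager names sessions: <user name>-<unique suffix>.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartSessionOnListedNodes",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": list(instance_arns)
                + [f"arn:{partition}:ssm:*:*:document/SSM-SessionManagerRunShell"],
            },
            {
                "Sid": "ManageOnlyOwnSessions",
                "Effect": "Allow",
                "Action": ["ssm:ResumeSession", "ssm:TerminateSession"],
                # Session ARN format: arn:<partition>:ssm:<region>:<account-id>:session/<session-id>
                "Resource": f"arn:{partition}:ssm:*:*:session/${{aws:username}}-*",
            },
        ],
    }


def resolve_variables(resource, username):
    """Substitute the ${aws:username} policy variable with the caller's name."""
    return resource.replace("${aws:username}", username)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn, username):
    """Simplified evaluator: True if any Allow statement grants `action` on
    `resource_arn` for the caller `username` (Allow-only, no conditions)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        for pattern in _as_list(stmt["Resource"]):
            if fnmatch.fnmatchcase(resource_arn, resolve_variables(pattern, username)):
                return True
    return False


# Constructed identifiers for the demonstration (not real resources).
ACCOUNT = "123456789012"
REGION = "cn-north-1"
ALLOWED_NODE = f"arn:{PARTITION}:ec2:{REGION}:{ACCOUNT}:instance/i-0123456789abcdef0"
OTHER_NODE = f"arn:{PARTITION}:ec2:{REGION}:{ACCOUNT}:instance/i-0fedcba9876543210"
ALICE_SESSION = f"arn:{PARTITION}:ssm:{REGION}:{ACCOUNT}:session/alice-0c7c27b9cc7d1b2e9"
BOB_SESSION = f"arn:{PARTITION}:ssm:{REGION}:{ACCOUNT}:session/bob-1a2b3c4d5e6f70819"

POLICY = build_end_user_policy(PARTITION, [ALLOWED_NODE])


def demo():
    """Return the access decisions a practitioner would want to confirm."""
    return {
        "alice_start_allowed_node": is_allowed(POLICY, "ssm:StartSession", ALLOWED_NODE, "alice"),
        "alice_start_other_node": is_allowed(POLICY, "ssm:StartSession", OTHER_NODE, "alice"),
        "alice_terminate_own": is_allowed(POLICY, "ssm:TerminateSession", ALICE_SESSION, "alice"),
        "alice_terminate_bobs": is_allowed(POLICY, "ssm:TerminateSession", BOB_SESSION, "alice"),
        "bob_resume_own": is_allowed(POLICY, "ssm:ResumeSession", BOB_SESSION, "bob"),
    }


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for check, decision in demo().items():
        print(f"{check}: {'allowed' if decision else 'denied'}")
```

The point the checks make is that the variable is resolved per caller: alice can terminate a session whose ID starts with alice- but not one starting with bob-, and the same policy attached to bob gives bob the mirror-image result. A usable end-user policy also needs read-only actions such as ssm:DescribeSessions and ssm:GetConnectionStatus on Resource "*" (see the sample policies linked above), and real decisions should be confirmed with IAM's own evaluation, for example `aws iam simulate-principal-policy`, rather than this Allow-only approximation.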