Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Step 7: (Optional) Create Systems Manager service roles

This topic explains the difference between a service role and a service-linked role for Amazon Systems Manager. It also explains when you need to create or use either type of role.

Service role – A service role is a type of Amazon Identity and Access Management (IAM) role that grants permissions to an Amazon Web Service so that the service can access Amazon resources. Only a few Systems Manager scenarios require a service role. When you create a service role for Systems Manager, you choose the permissions to grant so that it can access or interact with other Amazon resources.

Service-linked role – A service-linked role is predefined by Systems Manager and includes all the permissions that the service requires to call other Amazon Web Services on your behalf.

You can use the Systems Manager service-linked role AWSServiceRoleforAmazonSSM for the following:

  • The Systems Manager Inventory capability uses the service-linked role AWSServiceRoleforAmazonSSM to collect inventory metadata from tags and resource groups.

  • The Explorer capability uses the service-linked role AWSServiceRoleforAmazonSSM to enable viewing OpsData and OpsItems from multiple accounts. This service-linked role also allows Explorer to create a managed rule when you enable Security Hub as a data source from Explorer or OpsCenter.

For more information about this and other service-linked roles, see Using service-linked roles for Systems Manager.

Create a service role

You can create the following service roles as part of Systems Manager setup, or you can create them later.

Service role for Automation

Automation previously required that you specify a service role so that the service had permission to perform actions on your behalf. Automation no longer requires this role because the service now operates by using the context of the user who invoked the execution.

However, the following situations still require that you specify a service role for Automation:

  • When you want to restrict a user's permissions on a resource, but you want the user to run an Automation workflow that requires elevated permissions. In this scenario, you can create a service role with elevated permissions and allow the user to run the workflow.

  • Operations that you expect to run longer than 12 hours require a service role.

If you need to create a service role and an instance profile role for Automation, you can use one of the following methods.
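The elevated-permissions scenario above, as an added example that is not part of the Amazon documentation: it builds the trust policy for an Automation service role (trusting only ssm.amazonaws.com, scoped with aws:SourceAccount), the restricted operator's policy that lets them start executions and pass only that one role, and a small review check that flags overly broad trust. The account ID and role name are constructed placeholders.

```python
# Constructed sample values (not from the documentation page).
ACCOUNT_ID = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ExampleAutomationServiceRole"


def automation_trust_policy(account_id: str) -> dict:
    """Trust policy for an Automation service role: only the Systems Manager
    service principal may assume it, and aws:SourceAccount limits that to
    calls made on behalf of this account (confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ssm.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
        }],
    }


def operator_policy(role_arn: str) -> dict:
    """Permissions for the restricted user: start and read Automation executions,
    and pass only this specific role, only to Systems Manager."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["ssm:StartAutomationExecution", "ssm:GetAutomationExecution"],
             "Resource": "*"},
            {"Effect": "Allow",
             "Action": "iam:PassRole",
             "Resource": role_arn,  # never "*": that would let the user pass any role
             "Condition": {"StringEquals": {"iam:PassedToService": "ssm.amazonaws.com"}}},
        ],
    }


def trust_policy_findings(policy: dict) -> list:
    """Review a service role trust policy and list weaknesses a defender would flag."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("any principal may assume the role")
        elif principal != {"Service": "ssm.amazonaws.com"}:
            findings.append("trusts a principal other than ssm.amazonaws.com")
        if "aws:SourceAccount" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no aws:SourceAccount condition (confused-deputy risk)")
    return findings
```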

Service role for maintenance window tasks

To run tasks on your managed instances, the Maintenance Windows service must have permission to access those resources. This permission should be granted using a custom service role that you create.

For more information, see the following topics in the Maintenance Windows section of this user guide:

Service role for Amazon SNS notifications

Amazon Simple Notification Service (Amazon SNS) is a web service that coordinates and manages the delivery or sending of messages to subscribing endpoints or clients. In Systems Manager, you can configure Amazon SNS to send notifications about the status of commands that you send using the Run Command capability, or the status of tasks run in maintenance windows.

You create a service role for Amazon SNS as part of the process of configuring the service for use with Systems Manager. After you complete this configuration, you choose whether to receive notifications for particular Run Command commands or maintenance windows tasks at the time you create each one.

For more information, see Monitoring Systems Manager status changes using Amazon SNS notifications.

Service role for a Systems Manager hybrid environment

If you plan to use Systems Manager to manage on-premises servers and virtual machines (VMs) in a hybrid environment, create an Amazon Identity and Access Management (IAM) role for those resources to communicate with the Systems Manager service.

For more information, see Create an IAM service role for a hybrid environment.

Continue to Step 8: (Optional) Set up integrations with other Amazon Web Services.