Working with associations using IAM - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Working with associations using IAM

State Manager, a capability of Amazon Systems Manager, uses targets to choose which instances you configure your associations with. Originally, associations were created by specifying a document name (Name) and instance ID (InstanceId). This created an association between a document and an instance or managed node. Associations used to be identified by these parameters. These parameters are now deprecated, but they're still supported. The resources instance and managed-instance were added as resources to actions with Name and InstanceId.

Amazon Identity and Access Management (IAM) policy enforcement behavior depends on the type of resource specified. Resources for State Manager operations are only enforced based on the passed-in request. State Manager doesn't perform a deep check for the properties of resources in your account. A request is only validated against policy resources if the request parameter contains the specified policy resources. For example, if you specify an instance in the resource block, the policy is enforced if the request uses the InstanceId parameter. The Targets parameter for each resource in the account isn't checked for that InstanceId.

Following are some cases with confusing behavior:

  • DescribeAssociation, DeleteAssociation, and UpdateAssociation use instance, managed-instance, and document resources to specify the deprecated way of referring to associations. This includes all associations created with the deprecated InstanceId parameter.

  • CreateAssociation, CreateAssociationBatch, and UpdateAssociation use instance and managed-instance resources to specify the deprecated way of referring to associations. This includes all associations created with the deprecated InstanceId parameter. The document resource type is part of the deprecated way of referring to associations and is an actual property of an association. This means you can construct IAM policies with Allow or Deny permissions for both Create and Update actions based on document name.

For more information about using IAM policies with Systems Manager, see Identity and access management for Amazon Systems Manager or Actions, resources, and condition keys for Amazon Systems Manager in the Service Authorization Reference.