AWS Systems Manager for SAP uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Systems Manager for SAP. Service-linked roles are predefined by Systems Manager for SAP and include all of the permissions that the service requires to call other AWS services, including Amazon EC2, Systems Manager, IAM, Amazon CloudWatch, Amazon EventBridge, AWS Resource Groups, and AWS Service Catalog.
A service-linked role makes setting up Systems Manager for SAP easier because you don’t have to manually add the necessary permissions. Systems Manager for SAP defines the permissions of its service-linked roles, and unless you make changes to the configuration, only Systems Manager for SAP can assume its roles. Configurable permissions include the trust policy and the permissions policy. You can't attach the permissions policy to any other IAM entity.
For information about other services that support service-linked roles, see AWS Services That Work with IAM and look for the services that have Yes in the Service-Linked Role column. Follow the Yes link to view the service-linked role documentation for that service, if applicable.
Service-linked role permissions for Systems Manager for SAP
Systems Manager for SAP uses the service-linked role named AWSServiceRoleForAWSSSMForSAP and attaches the AWSSSMForSAPServiceLinkedRolePolicy IAM policy to it. The policy provides AWS Systems Manager for SAP the permissions required to manage and integrate SAP applications on AWS, using actions from the following AWS services: Amazon EC2, Systems Manager, IAM, Amazon CloudWatch, Amazon EventBridge, AWS Resource Groups, and AWS Service Catalog.
Permissions details
This policy includes the following permissions.
- cloudwatch – Allows publication of Systems Manager for SAP metric data to Amazon CloudWatch, restricted to the AWS/SSMForSAP and AWS/Usage namespaces.
- ec2 – Allows description of instances, instance status, and tags; start and stop of instances tagged SSMForSAPManaged:True; and creation and deletion of tags on those instances, limited to the awsApplication tag and to tag keys that begin with SystemsManagerForSAP-. The same tag keys, and the awsApplication tag, can be created and deleted on EBS volumes. Note that the volume statements are scoped by tag key and by the awsApplication value only; unlike the instance statements, they carry no SSMForSAPManaged condition.
- eventbridge – Allows Systems Manager for SAP to create, update, describe, and delete Amazon EventBridge rules named SSMSAPManagedRule* on the default event bus, and to add or remove targets on those rules.
- iam – Allows creation of the AWS Service Catalog AppRegistry service-linked role only (iam:CreateServiceLinkedRole with iam:AWSServiceName set to servicecatalog-appregistry.amazonaws.com). The policy grants no other role or instance profile creation.
- resource-groups – Allows creation, tagging, retrieval, and deletion of AWS Resource Groups named SystemsManagerForSAP-* that are tagged SSMForSAPCreated:True, plus creation and tagging of the AWS_AppRegistry_AppTag_* groups that AppRegistry uses and retrieval of their configuration.
- servicecatalog – Allows creation, update, and deletion of AppRegistry applications and attribute groups that carry the tag SSMForSAPCreated:True, retrieval of applications and attribute groups, and association and disassociation of attribute groups with applications.
- ssm – Allows description of the AWSSystemsManagerSAP-*, AWSSSMSAP*, and AWSSAP* SSM documents, running them with Run Command on instances tagged SSMForSAPManaged:True, and retrieval of command invocation details and managed instance information.
The AWSServiceRoleForAWSSSMForSAP service-linked role trusts the following service principal to assume the role:
- ssm-sap.amazonaws.com
The following is the full policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeInstanceActions",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ssm:GetCommandInvocation",
        "ssm:DescribeInstanceInformation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DescribeInstanceStatus",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstanceStatus",
      "Resource": "*"
    },
    {
      "Sid": "TargetRuleActions",
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:PutTargets",
        "events:DescribeRule",
        "events:PutRule",
        "events:RemoveTargets"
      ],
      "Resource": [
        "arn:*:events:*:*:rule/SSMSAPManagedRule*",
        "arn:*:events:*:*:event-bus/default"
      ]
    },
    {
      "Sid": "DocumentActions",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeDocument",
        "ssm:SendCommand"
      ],
      "Resource": [
        "arn:*:ssm:*:*:document/AWSSystemsManagerSAP-*",
        "arn:*:ssm:*:*:document/AWSSSMSAP*",
        "arn:*:ssm:*:*:document/AWSSAP*"
      ]
    },
    {
      "Sid": "CustomerSendCommand",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:*:ec2:*:*:instance/*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "ssm:resourceTag/SSMForSAPManaged": "True"
        }
      }
    },
    {
      "Sid": "InstanceTagActions",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "arn:*:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/awsApplication": "false"
        },
        "StringEqualsIgnoreCase": {
          "ec2:ResourceTag/SSMForSAPManaged": "True"
        }
      }
    },
    {
      "Sid": "DescribeTag",
      "Effect": "Allow",
      "Action": "ec2:DescribeTags",
      "Resource": "*"
    },
    {
      "Sid": "GetApplication",
      "Effect": "Allow",
      "Action": "servicecatalog:GetApplication",
      "Resource": "arn:*:servicecatalog:*:*:*"
    },
    {
      "Sid": "UpdateOrDeleteApplication",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:DeleteApplication",
        "servicecatalog:UpdateApplication"
      ],
      "Resource": "arn:*:servicecatalog:*:*:*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/SSMForSAPCreated": "True"
        }
      }
    },
    {
      "Sid": "CreateApplication",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:TagResource",
        "servicecatalog:CreateApplication"
      ],
      "Resource": "arn:*:servicecatalog:*:*:*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/SSMForSAPCreated": "True"
        }
      }
    },
    {
      "Sid": "CreateServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/servicecatalog-appregistry.amazonaws.com/AWSServiceRoleForAWSServiceCatalogAppRegistry",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "servicecatalog-appregistry.amazonaws.com"
        }
      }
    },
    {
      "Sid": "PutMetricData",
      "Effect": "Allow",
      "Action": "cloudwatch:PutMetricData",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": [
            "AWS/Usage",
            "AWS/SSMForSAP"
          ]
        }
      }
    },
    {
      "Sid": "CreateAttributeGroup",
      "Effect": "Allow",
      "Action": "servicecatalog:CreateAttributeGroup",
      "Resource": "arn:*:servicecatalog:*:*:/attribute-groups/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/SSMForSAPCreated": "True"
        }
      }
    },
    {
      "Sid": "GetAttributeGroup",
      "Effect": "Allow",
      "Action": "servicecatalog:GetAttributeGroup",
      "Resource": "arn:*:servicecatalog:*:*:/attribute-groups/*"
    },
    {
      "Sid": "DeleteAttributeGroup",
      "Effect": "Allow",
      "Action": "servicecatalog:DeleteAttributeGroup",
      "Resource": "arn:*:servicecatalog:*:*:/attribute-groups/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/SSMForSAPCreated": "True"
        }
      }
    },
    {
      "Sid": "AttributeGroupActions",
      "Effect": "Allow",
      "Action": [
        "servicecatalog:AssociateAttributeGroup",
        "servicecatalog:DisassociateAttributeGroup"
      ],
      "Resource": "arn:*:servicecatalog:*:*:*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/SSMForSAPCreated": "True"
        }
      }
    },
    {
      "Sid": "ListAssociatedAttributeGroups",
      "Effect": "Allow",
      "Action": "servicecatalog:ListAssociatedAttributeGroups",
      "Resource": "arn:*:servicecatalog:*:*:*"
    },
    {
      "Sid": "CreateGroup",
      "Effect": "Allow",
      "Action": [
        "resource-groups:CreateGroup",
        "resource-groups:Tag"
      ],
      "Resource": "arn:*:resource-groups:*:*:group/SystemsManagerForSAP-*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/SSMForSAPCreated": "True"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "SSMForSAPCreated"
          ]
        }
      }
    },
    {
      "Sid": "GetGroup",
      "Effect": "Allow",
      "Action": "resource-groups:GetGroup",
      "Resource": "arn:*:resource-groups:*:*:group/SystemsManagerForSAP-*"
    },
    {
      "Sid": "DeleteGroup",
      "Effect": "Allow",
      "Action": "resource-groups:DeleteGroup",
      "Resource": "arn:*:resource-groups:*:*:group/SystemsManagerForSAP-*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/SSMForSAPCreated": "True"
        }
      }
    },
    {
      "Sid": "CreateAppTagResourceGroup",
      "Effect": "Allow",
      "Action": [
        "resource-groups:CreateGroup"
      ],
      "Resource": "arn:*:resource-groups:*:*:group/AWS_AppRegistry_AppTag_*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/EnableAWSServiceCatalogAppRegistry": "true"
        }
      }
    },
    {
      "Sid": "TagAppTagResourceGroup",
      "Effect": "Allow",
      "Action": [
        "resource-groups:Tag"
      ],
      "Resource": "arn:*:resource-groups:*:*:group/AWS_AppRegistry_AppTag_*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/EnableAWSServiceCatalogAppRegistry": "true"
        }
      }
    },
    {
      "Sid": "GetAppTagResourceGroupConfig",
      "Effect": "Allow",
      "Action": [
        "resource-groups:GetGroupConfiguration"
      ],
      "Resource": [
        "arn:*:resource-groups:*:*:group/AWS_AppRegistry_AppTag_*"
      ]
    },
    {
      "Sid": "StartStopInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:*:ec2:*:*:instance/*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "ec2:resourceTag/SSMForSAPManaged": "True"
        }
      }
    },
    {
      "Sid": "SsmSapResourceGroup",
      "Effect": "Allow",
      "Action": [
        "resource-groups:Tag",
        "resource-groups:CreateGroup"
      ],
      "Resource": "arn:aws:resource-groups:*:*:group/SystemsManagerForSAP-*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/SSMForSAPCreated": "True"
        },
        "ArnLike": {
          "aws:RequestTag/awsApplication": "arn:aws:resource-groups:*:*:group/*/*"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "SSMForSAPCreated",
            "awsApplication"
          ]
        }
      }
    },
    {
      "Sid": "ManageSsmSapTagsOnEc2Instances",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/SSMForSAPManaged": "True"
        },
        "ForAllValues:StringLike": {
          "aws:TagKeys": [
            "SystemsManagerForSAP-*"
          ]
        }
      }
    },
    {
      "Sid": "ManageSsmSapTagsOnEbsVolumes",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "ForAllValues:StringLike": {
          "aws:TagKeys": [
            "SystemsManagerForSAP-*"
          ]
        }
      }
    },
    {
      "Sid": "ManageAppTagsOnEbsVolumes",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "ArnLike": {
          "aws:RequestTag/awsApplication": "arn:aws:resource-groups:*:*:group/*/*"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "awsApplication"
          ]
        }
      }
    }
  ]
}
To view the update history of this policy, see Systems Manager for SAP updates to AWS managed policies.
You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-Linked Role Permissions in the IAM User Guide.
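The following is an added example, not AWS code and not part of this page's policy. It is a small evaluator for the subset of IAM policy grammar the policy above uses, and it serves two passages: it runs an excerpt of the AWSSSMForSAPServiceLinkedRolePolicy statements (copied from the page) against constructed requests, showing how the SSMForSAPManaged tag gate, the Null check on awsApplication, and the ForAllValues tag-key allow-list decide each call; and it checks a constructed operator policy of the kind the previous paragraph refers to, scoped with iam:AWSServiceName so that a principal may create only AWSServiceRoleForAWSSSMForSAP. The account, instance and group IDs, the statement name CreateSsmSapSlr, and the admin policy itself are assumptions; the service principal ssm-sap.amazonaws.com and the SLR name come from the page.

```python
"""Mini IAM policy evaluator for the grammar used by the policies on this page (added example,
not AWS code): Allow/Deny, action and resource wildcards, StringEquals, StringEqualsIgnoreCase,
StringLike, ArnLike, Null and the ForAllValues: set operator. Anything else raises."""
import re

# Excerpt of AWSSSMForSAPServiceLinkedRolePolicy copied from the page (other statements omitted).
SLR_POLICY_EXCERPT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CustomerSendCommand", "Effect": "Allow", "Action": "ssm:SendCommand",
     "Resource": "arn:*:ec2:*:*:instance/*",
     "Condition": {"StringEqualsIgnoreCase": {"ssm:resourceTag/SSMForSAPManaged": "True"}}},
    {"Sid": "InstanceTagActions", "Effect": "Allow", "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
     "Resource": "arn:*:ec2:*:*:instance/*",
     "Condition": {"Null": {"aws:RequestTag/awsApplication": "false"},
                   "StringEqualsIgnoreCase": {"ec2:ResourceTag/SSMForSAPManaged": "True"}}},
    {"Sid": "ManageSsmSapTagsOnEc2Instances", "Effect": "Allow", "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/SSMForSAPManaged": "True"},
                   "ForAllValues:StringLike": {"aws:TagKeys": ["SystemsManagerForSAP-*"]}}}]}

# Constructed operator policy (not from the page) that permits creating only this one SLR.
SLR_ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CreateSsmSapSlr", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
     "Resource": "arn:aws:iam::*:role/aws-service-role/ssm-sap.amazonaws.com/AWSServiceRoleForAWSSSMForSAP",
     "Condition": {"StringEquals": {"iam:AWSServiceName": "ssm-sap.amazonaws.com"}}}]}

def _glob(pattern, flags=0):
    """IAM wildcards: '*' is any run of characters, '?' is a single character."""
    return re.compile("".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern), flags)

def _arn_like(pattern, value):
    """ArnLike compares the six colon-separated ARN fields one at a time."""
    p, v = pattern.split(":", 5), value.split(":", 5)
    return len(p) == len(v) == 6 and all(_glob(a).fullmatch(b) for a, b in zip(p, v))

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _lookup(ctx, key):
    """Condition key names are case-insensitive (the page's policy itself mixes ec2:ResourceTag and
    ec2:resourceTag). Returns the request values as a list, or None when the key is absent."""
    return next((_as_list(v) for k, v in ctx.items() if k.lower() == key.lower()), None)

_OPS = {"StringEquals": lambda e, a: a == e,  # unsupported operators raise KeyError
        "StringEqualsIgnoreCase": lambda e, a: a.lower() == e.lower(),
        "StringLike": lambda e, a: _glob(e).fullmatch(a) is not None,
        "ArnLike": _arn_like}

def _condition_holds(condition, ctx):
    for op, pairs in condition.items():
        set_op, _, base = op.rpartition(":")  # "ForAllValues:StringLike" -> ("ForAllValues", "StringLike")
        for key, expected in pairs.items():
            expected, actual = _as_list(expected), _lookup(ctx, key)
            if base == "Null":  # "false" means the key must be present, "true" that it must be absent
                if (actual is None) != (expected[0] == "true"):
                    return False
            elif set_op == "ForAllValues":
                # Every request value must match an allowed value. An absent key satisfies
                # ForAllValues, so presence has to be enforced separately when it matters.
                if any(not any(_OPS[base](e, a) for e in expected) for a in actual or []):
                    return False
            elif set_op:
                raise NotImplementedError(op)
            elif actual is None or not any(_OPS[base](e, a) for e in expected for a in actual):
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """(effect, sid) of the decisive statement; ("Deny", None) is the implicit deny.
    Explicit Deny is checked before Allow, as IAM does."""
    def matches(st):
        return (any(_glob(a, re.IGNORECASE).fullmatch(action) for a in _as_list(st["Action"]))
                and any(_arn_like(r, resource) if r.startswith("arn:") else _glob(r).fullmatch(resource)
                        for r in _as_list(st["Resource"]))
                and _condition_holds(st.get("Condition", {}), ctx))
    for effect in ("Deny", "Allow"):
        for st in policy["Statement"]:
            if st["Effect"] == effect and matches(st):
                return effect, st.get("Sid")
    return "Deny", None

# Constructed sample ARNs; account, instance and group IDs are placeholders.
INSTANCE = "arn:aws:ec2:eu-central-1:123456789012:instance/i-0123456789abcdef0"
APP = "arn:aws:resource-groups:eu-central-1:123456789012:group/sap-prd/0abc"
SLR = "arn:aws:iam::123456789012:role/aws-service-role/%s/%s"

def demo():
    """Decisions the statements above produce for realistic requests."""
    e = lambda *args: evaluate(SLR_POLICY_EXCERPT, *args)
    return {
        "send_command_managed": e("ssm:SendCommand", INSTANCE, {"ssm:ResourceTag/SSMForSAPManaged": "true"}),
        "send_command_untagged": e("ssm:SendCommand", INSTANCE, {}),
        "tag_app_on_managed": e("ec2:CreateTags", INSTANCE, {"ec2:ResourceTag/SSMForSAPManaged": "True",
                                "aws:RequestTag/awsApplication": APP, "aws:TagKeys": ["awsApplication"]}),
        "tag_sap_key_on_managed": e("ec2:CreateTags", INSTANCE, {"aws:ResourceTag/SSMForSAPManaged": "True",
                                    "aws:TagKeys": ["SystemsManagerForSAP-Role"]}),
        "tag_owner_on_managed": e("ec2:CreateTags", INSTANCE, {"aws:ResourceTag/SSMForSAPManaged": "True",
                                  "ec2:ResourceTag/SSMForSAPManaged": "True", "aws:TagKeys": ["Owner"]}),
        "admin_create_ssm_sap_slr": evaluate(SLR_ADMIN_POLICY, "iam:CreateServiceLinkedRole",
            SLR % ("ssm-sap.amazonaws.com", "AWSServiceRoleForAWSSSMForSAP"),
            {"iam:AWSServiceName": "ssm-sap.amazonaws.com"}),
        "admin_create_other_slr": evaluate(SLR_ADMIN_POLICY, "iam:CreateServiceLinkedRole",
            SLR % ("servicecatalog-appregistry.amazonaws.com", "AWSServiceRoleForAWSServiceCatalogAppRegistry"),
            {"iam:AWSServiceName": "servicecatalog-appregistry.amazonaws.com"}),
    }
```

Calling demo() returns the decision for each request. The two points worth keeping in mind when you read the real policy: a CreateTags call on a managed instance is allowed only when the request carries the awsApplication tag (the Null check) or when every tag key in the request begins with SystemsManagerForSAP- (the ForAllValues allow-list), so an arbitrary key such as Owner is denied; and ForAllValues is vacuously true for a request with no tag keys, which is why the page's statements pair it with a RequestTag or ResourceTag condition. Which resource-tag condition keys (ssm:resourceTag, ec2:ResourceTag, aws:ResourceTag) a service populates in the request context is up to that service; the sample contexts here are constructed.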
Creating a service-linked role for Systems Manager for SAP
You don't need to create the AWSServiceRoleForAWSSSMForSAP service-linked role manually. It is created automatically with the permissions policy and trust policy described above; the IAM entity that triggers the creation needs the iam:CreateServiceLinkedRole permission mentioned in the previous section. If you delete the role, Systems Manager for SAP creates it again for you when you resume using the service.
Editing a service-linked role for Systems Manager for SAP
Systems Manager for SAP does not allow you to edit the AWSServiceRoleForAWSSSMForSAP service-linked role. After a service-linked role is created, you cannot change its name, because various entities might reference the role. You can, however, edit the description of the role using the IAM console, the AWS CLI, or the IAM API.
Deleting a service-linked role for Systems Manager for SAP
To manually delete the service-linked role using IAM
Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForAWSSSMForSAP service-linked role. For more information, see Deleting a Service-Linked Role in the IAM User Guide.
Before you delete the AWSServiceRoleForAWSSSMForSAP service-linked role, make sure that no Systems Manager for SAP assessments (tasks that generate recommendations) are running, including background assessments. If any are running, the deletion fails in the IAM console; retry it after all background tasks have completed. You don't need to clean up any resources that Systems Manager for SAP created before you delete the role.
Supported Regions for Systems Manager for SAP service-linked roles
Systems Manager for SAP supports using service-linked roles in all of the regions where the service is available. For more information, see Service endpoints for Systems Manager for SAP.