

• The AWS Systems Manager CloudWatch Dashboard will no longer be available after April 30, 2026. Customers can continue to use Amazon CloudWatch console to view, create, and manage their Amazon CloudWatch dashboards, just as they do today. For more information, see [Amazon CloudWatch Dashboard documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html). 

# Identity and access management for AWS Systems Manager
<a name="security-iam"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Systems Manager resources. IAM is an AWS service that you can use with no additional charge.

**Topics**
+ [Audience](#security_iam_audience)
+ [Authenticating with identities](#security_iam_authentication)
+ [Managing access using policies](#security_iam_access-manage)
+ [How AWS Systems Manager works with IAM](security_iam_service-with-iam.md)
+ [AWS Systems Manager identity-based policy examples](security_iam_id-based-policy-examples.md)
+ [AWS managed policies for AWS Systems Manager](security-iam-awsmanpol.md)
+ [Troubleshooting AWS Systems Manager identity and access](security_iam_troubleshoot.md)

## Audience
<a name="security_iam_audience"></a>

How you use AWS Identity and Access Management (IAM) differs based on your role:
+ **Service user** - request permissions from your administrator if you cannot access features (see [Troubleshooting AWS Systems Manager identity and access](security_iam_troubleshoot.md))
+ **Service administrator** - determine user access and submit permission requests (see [How AWS Systems Manager works with IAM](security_iam_service-with-iam.md))
+ **IAM administrator** - write policies to manage access (see [AWS Systems Manager identity-based policy examples](security_iam_id-based-policy-examples.md))

## Authenticating with identities
<a name="security_iam_authentication"></a>

Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role.

You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

### AWS account root user
<a name="security_iam_authentication-rootuser"></a>

When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*.

### IAM users and groups
<a name="security_iam_authentication-iamuser"></a>

An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An *[IAM user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)* specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

### IAM roles
<a name="security_iam_authentication-iamrole"></a>

An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## Managing access using policies
<a name="security_iam_access-manage"></a>

You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.

Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

### Identity-based policies
<a name="security_iam_access-manage-id-based-policies"></a>

Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.

For information about AWS managed policies for Systems Manager, see [AWS Systems Manager managed policies](security_iam_service-with-iam.md#managed-policies).

### Resource-based policies
<a name="security_iam_access-manage-resource-based-policies"></a>

Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.

Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.

### Policy condition keys
<a name="policy-condition-keys"></a>

The actions that users and roles can perform and the resources on which they can take those actions can be further restricted by specific *conditions*. 

In JSON policy documents, the `Condition` element (or `Condition` block) lets you specify conditions in which a statement is in effect. The `Condition` element is optional. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as `StringEquals` or `StringNotLike`, to match the condition in the policy with values in the request. 

If you specify multiple `Condition` elements in a statement, or multiple keys in a single `Condition` element, AWS evaluates them using a logical `AND` operation. If you specify multiple values for a single condition key, AWS evaluates the condition using a logical `OR` operation. All of the conditions must be met before the statement's permissions are granted.

You can also use placeholder variables when you specify conditions. For example, you can grant an IAM user permission to access a resource only if it is tagged with their IAM user name. For more information, see [IAM policy elements: variables and tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) in the *IAM User Guide*. 

AWS supports global condition keys and service-specific condition keys. For more information, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

**Important**  
If you use Systems Manager Automation, we recommend that you don't use the [aws:SourceIp](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip) condition key in your policies. The behavior of this condition key depends on multiple factors, including whether an IAM role for Automation runbook execution is supplied and which Automation actions the runbook uses, so it can produce unexpected results.

Systems Manager supports a number of its own condition keys. For more information, see [Condition Keys for AWS Systems Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-policy-keys) in the *Service Authorization Reference*. The actions and resources you can use a Systems Manager-specific condition key with are listed in [Resource types defined by AWS Systems Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-policy-keys) in the *Service Authorization Reference*.

If your policy must depend on a service principal name owned by the Systems Manager service, we recommend you check for its existence or non-existence using the `aws:PrincipalServiceNamesList` [multivalued condition key](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html#reference_policies_condition-multi-valued-context-keys), rather than the `aws:PrincipalServiceName` condition key. The `aws:PrincipalServiceName` condition key contains only one entry from the list of service principal names and it may not always be the service principal name you expect. The following `Condition` block demonstrates checking for the existence of `ssm.amazonaws.com`. 

```
{
    "Condition": {
        "ForAnyValue:StringEquals": {
            "aws:PrincipalServiceNamesList": "ssm.amazonaws.com"
        }
    }
}
```
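To make the evaluation rules above concrete (keys within a `Condition` are ANDed, several values for one key are ORed, `ForAnyValue` scans a multivalued key, and policy variables such as `${aws:username}` are substituted from the request), here is a small evaluator for `Condition` blocks. It is an added example, not code from the AWS documentation; it models only the `StringEquals`, `StringNotEquals`, `StringLike` and `StringNotLike` operators, the request contexts are constructed, and treating a missing key as a non-match is a simplification of this model.

```python
import re

# Matches policy variables such as ${aws:username}.
_VARIABLE = re.compile(r"\$\{([^}]+)\}")


def _glob_to_regex(pattern):
    """Translate StringLike wildcards (* and ?) into an anchored regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$")


def _substitute(value, ctx):
    """Replace ${key} with the single-valued key from the request context.

    A variable whose key is missing (or multivalued) is left unresolved, so
    the literal placeholder never matches a real value.
    """
    def repl(match):
        resolved = ctx.get(match.group(1))
        return resolved if isinstance(resolved, str) else match.group(0)
    return _VARIABLE.sub(repl, value)


def _match_one(operator, request_value, policy_values):
    """Compare one request value against the policy values of one key.

    Several policy values for one key are ORed; for the negated operators
    that means the request value must match none of them.
    """
    if operator == "StringEquals":
        return any(request_value == p for p in policy_values)
    if operator == "StringNotEquals":
        return not any(request_value == p for p in policy_values)
    if operator == "StringLike":
        return any(_glob_to_regex(p).match(request_value) for p in policy_values)
    if operator == "StringNotLike":
        return not any(_glob_to_regex(p).match(request_value) for p in policy_values)
    raise ValueError(f"operator not modelled here: {operator}")


def evaluate_condition(condition, ctx):
    """Return True when every operator/key pair in the Condition block holds.

    Keys are ANDed: one failing key makes the whole block false. A list in
    the context is a multivalued key and needs a ForAnyValue/ForAllValues
    prefix; a missing key is treated as a non-match (a simplification).
    """
    for operator_spec, key_map in condition.items():
        quantifier, _, operator = operator_spec.rpartition(":")
        for key, policy_values in key_map.items():
            policy_values = [policy_values] if isinstance(policy_values, str) else policy_values
            policy_values = [_substitute(v, ctx) for v in policy_values]
            request = ctx.get(key)
            request_values = request if isinstance(request, list) else [request] if request is not None else []
            if quantifier == "ForAnyValue":
                holds = any(_match_one(operator, r, policy_values) for r in request_values)
            elif quantifier == "ForAllValues":
                holds = all(_match_one(operator, r, policy_values) for r in request_values)
            elif isinstance(request, str):
                holds = _match_one(operator, request, policy_values)
            else:
                holds = False  # single-valued operator against a missing or multivalued key
            if not holds:
                return False
    return True


# Constructed request context for a call made by a service principal: the
# multivalued list carries both names, the single-valued key only one of them.
SERVICE_CALL_CONTEXT = {
    "aws:PrincipalServiceNamesList": ["ec2.amazonaws.com", "ssm.amazonaws.com"],
    "aws:PrincipalServiceName": "ec2.amazonaws.com",
}

# The Condition block shown above: true, because ForAnyValue scans the whole list.
SSM_LIST_CONDITION = {
    "ForAnyValue:StringEquals": {"aws:PrincipalServiceNamesList": "ssm.amazonaws.com"}
}

# The single-valued check the text advises against: false on the same request.
SSM_SINGLE_CONDITION = {"StringEquals": {"aws:PrincipalServiceName": "ssm.amazonaws.com"}}

# Tag-based condition with a policy variable: the resource's Owner tag must equal
# the caller's user name AND its Environment tag must be Prod* or Staging.
OWNER_TAG_CONDITION = {
    "StringEquals": {"ssm:resourceTag/Owner": "${aws:username}"},
    "StringLike": {"ssm:resourceTag/Environment": ["Prod*", "Staging"]},
}

# Constructed context for a user reading a parameter tagged as theirs.
OWNER_REQUEST_CONTEXT = {
    "aws:username": "JohnDoe",
    "ssm:resourceTag/Owner": "JohnDoe",
    "ssm:resourceTag/Environment": "Production",
}

if __name__ == "__main__":
    print("list key   :", evaluate_condition(SSM_LIST_CONDITION, SERVICE_CALL_CONTEXT))
    print("single key :", evaluate_condition(SSM_SINGLE_CONDITION, SERVICE_CALL_CONTEXT))
    print("owner tags :", evaluate_condition(OWNER_TAG_CONDITION, OWNER_REQUEST_CONTEXT))
```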

To view examples of Systems Manager identity-based policies, see [AWS Systems Manager identity-based policy examples](security_iam_id-based-policy-examples.md).

### Access control lists (ACLs)
<a name="security_iam_access-manage-acl"></a>

Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

Amazon S3, AWS WAF, and Amazon VPC are examples of services that support ACLs. To learn more about ACLs, see [Access control list (ACL) overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the *Amazon Simple Storage Service Developer Guide*.

### Other policy types
<a name="security_iam_access-manage-other-policies"></a>

AWS supports additional policy types that can set the maximum permissions granted by more common policy types:
+ **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
+ **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.

### Multiple policy types
<a name="security_iam_access-manage-multiple-policies"></a>

When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.

# How AWS Systems Manager works with IAM
<a name="security_iam_service-with-iam"></a>

Before you use AWS Identity and Access Management (IAM) to manage access to AWS Systems Manager, you should understand what IAM features are available to use with Systems Manager. To get a high-level view of how Systems Manager and other AWS services work with IAM, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

**Topics**
+ [Systems Manager identity-based policies](#security_iam_service-with-iam-id-based-policies)
+ [Systems Manager resource-based policies](#security_iam_service-with-iam-resource-based-policies)
+ [Authorization based on Systems Manager tags](#security_iam_service-with-iam-tags)
+ [Systems Manager IAM roles](#security_iam_service-with-iam-roles)

## Systems Manager identity-based policies
<a name="security_iam_service-with-iam-id-based-policies"></a>

With IAM identity-based policies, you can specify allowed or denied actions and resources and the conditions under which actions are allowed or denied. Systems Manager supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

### Actions
<a name="security_iam_service-with-iam-id-based-policies-actions"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.

Policy actions in Systems Manager use the following prefix before the action: `ssm:`. For example, to grant someone permission to create a Systems Manager parameter (SSM parameter) with the Systems Manager `PutParameter` API operation, you include the `ssm:PutParameter` action in their policy. Policy statements must include either an `Action` or `NotAction` element. Systems Manager defines its own set of actions that describe tasks that you can perform with this service.

To specify multiple actions in a single statement, separate them with commas as follows:

```
"Action": [
      "ssm:action1",
      "ssm:action2"
]
```

**Note**  
The following tools in AWS Systems Manager use different prefixes before actions:
+ AWS AppConfig uses the prefix `appconfig:` before actions.
+ Incident Manager uses the prefix `ssm-incidents:` or `ssm-contacts:` before actions.
+ Systems Manager GUI Connect uses the prefix `ssm-guiconnect:` before actions.
+ Quick Setup uses the prefix `ssm-quicksetup:` before actions.

You can specify multiple actions using wildcards (\*). For example, to specify all actions that begin with the word `Describe`, include the following action:

```
"Action": "ssm:Describe*"
```



To see a list of Systems Manager actions, see [Actions Defined by AWS Systems Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-actions-as-permissions) in the *Service Authorization Reference*.

### Resources
<a name="security_iam_service-with-iam-id-based-policies-resources"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (\*) to indicate that the statement applies to all resources.

```
"Resource": "*"
```



For example, the Systems Manager maintenance window resource has the following ARN format.

```
arn:aws:ssm:region:account-id:maintenancewindow/window-id
```

To specify the mw-0c50858d01EXAMPLE maintenance window in your statement in the US East (Ohio) Region, you would use an ARN similar to the following.

```
"Resource": "arn:aws:ssm:us-east-2:123456789012:maintenancewindow/mw-0c50858d01EXAMPLE"
```

To specify all maintenance windows that belong to a specific account, use the wildcard (\*).

```
"Resource": "arn:aws:ssm:region:123456789012:maintenancewindow/*"
```

For `Parameter Store` API operations, you can provide or restrict access to all parameters in one level of a hierarchy by using hierarchical names and AWS Identity and Access Management (IAM) policies as follows.

```
"Resource": "arn:aws:ssm:region:123456789012:parameter/Dev/ERP/Oracle/*"
```

Some Systems Manager actions, such as those for creating resources, can't be performed on a specific resource. In those cases, you must use the wildcard (\*).

```
"Resource": "*"
```

Some Systems Manager API operations accept multiple resources. To specify multiple resources in a single statement, separate their ARNs with commas as follows.

```
"Resource": [
      "resource1",
      "resource2"
]
```

**Note**  
Most AWS services treat a colon (:) or a forward slash (/) as the same character in ARNs. However, Systems Manager requires an exact match in resource patterns and rules. When writing resource ARNs in policies, be sure to use the correct characters so that they match the resource's ARN.
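To show how the action and resource rules above combine, here is a small matcher for the `Action`/`NotAction` and `Resource`/`NotResource` elements of a statement, added as an example and not taken from the AWS documentation. It treats `*` and `?` as the only wildcards, compares action names case-insensitively and resource ARNs character for character (so `:` and `/` are distinct, as the note requires), and applies the default-deny rule stated earlier, with an explicit `Deny` overriding any `Allow`; the statements, account ID and ARNs are constructed from this page's examples.

```python
import re


def _wildcard_regex(pattern, ignore_case):
    """Compile an IAM pattern: * matches any run of characters, ? exactly one.

    Every other character, including ':' and '/', must match literally.
    """
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _element_matches(statement, positive, negative, candidate, ignore_case):
    """Evaluate Action/NotAction (or Resource/NotResource) against one candidate."""
    if positive in statement:
        patterns = _as_list(statement[positive])
        return any(_wildcard_regex(p, ignore_case).match(candidate) for p in patterns)
    if negative in statement:
        patterns = _as_list(statement[negative])
        return not any(_wildcard_regex(p, ignore_case).match(candidate) for p in patterns)
    raise ValueError(f"statement needs {positive} or {negative}")


def action_matches(statement, action):
    """Action names are compared case-insensitively."""
    return _element_matches(statement, "Action", "NotAction", action, ignore_case=True)


def resource_matches(statement, resource_arn):
    """Resource ARNs are compared exactly apart from wildcards; ':' and '/' never interchange."""
    return _element_matches(statement, "Resource", "NotResource", resource_arn, ignore_case=False)


def statement_applies(statement, action, resource_arn):
    return action_matches(statement, action) and resource_matches(statement, resource_arn)


def is_allowed(statements, action, resource_arn):
    """Default deny; an explicit Deny on a matching statement overrides any Allow."""
    allowed = False
    for statement in statements:
        if not statement_applies(statement, action, resource_arn):
            continue
        if statement.get("Effect") == "Deny":
            return False
        if statement.get("Effect") == "Allow":
            allowed = True
    return allowed


ACCOUNT = "123456789012"  # example account ID used on this page
REGION = "us-east-2"

# Constructed policy: parameter operations under /Dev/ERP/Oracle/ and Describe*
# on maintenance windows are allowed, but every Delete* action is denied.
SAMPLE_STATEMENTS = [
    {
        "Effect": "Allow",
        "Action": ["ssm:*Parameter*", "ssm:Describe*"],
        "Resource": [
            f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/Dev/ERP/Oracle/*",
            f"arn:aws:ssm:{REGION}:{ACCOUNT}:maintenancewindow/*",
        ],
    },
    {"Effect": "Deny", "Action": "ssm:Delete*", "Resource": "*"},
]

# Constructed resource ARNs following the formats described on this page.
ORACLE_PARAM = f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/Dev/ERP/Oracle/db-endpoint"
WINDOW = f"arn:aws:ssm:{REGION}:{ACCOUNT}:maintenancewindow/mw-0c50858d01EXAMPLE"

if __name__ == "__main__":
    for action, arn in [("ssm:GetParameter", ORACLE_PARAM),
                        ("ssm:DeleteParameter", ORACLE_PARAM),
                        ("ssm:DescribeMaintenanceWindows", WINDOW),
                        ("ssm:DescribeMaintenanceWindows", WINDOW.replace("window/", "window:"))]:
        print(f"{action:32} {arn.split(':', 5)[-1]:48} {is_allowed(SAMPLE_STATEMENTS, action, arn)}")
```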

The table below describes the ARN formats for the resource types supported by Systems Manager.

**Note**  
Note the following exceptions to ARN formats.  
The following tools in AWS Systems Manager use different prefixes before actions:
+ AWS AppConfig uses the prefix `appconfig:` before actions.
+ Incident Manager uses the prefix `ssm-incidents:` or `ssm-contacts:` before actions.
+ Systems Manager GUI Connect uses the prefix `ssm-guiconnect:` before actions.
+ Quick Setup uses the prefix `ssm-quicksetup:` before actions.

Documents and automation definition resources that are owned by Amazon, as well as public parameters that are provided by both Amazon and third-party sources, do not include account IDs in their ARN formats. For example:
+ The SSM document `AWS-RunPatchBaseline`: `arn:aws:ssm:us-east-2::document/AWS-RunPatchBaseline`
+ The automation runbook `AWS-ConfigureMaintenanceWindows`: `arn:aws:ssm:us-east-2::automation-definition/AWS-ConfigureMaintenanceWindows`
+ The public parameter `/aws/service/bottlerocket/aws-ecs-1-nvidia/x86_64/1.13.4/image_version`: `arn:aws:ssm:us-east-2::parameter/aws/service/bottlerocket/aws-ecs-1-nvidia/x86_64/1.13.4/image_version`

For more information about these three resource types, see the following topics:
+ [Working with documents](documents-using.md)
+ [Run an automated operation powered by Systems Manager Automation](running-simple-automations.md)
+ [Working with public parameters in Parameter Store](parameter-store-public-parameters.md)


| Resource type | ARN format | 
| --- | --- | 
| Application (AWS AppConfig) | `arn:aws:appconfig:region:account-id:application/application-id` | 
| Association | `arn:aws:ssm:region:account-id:association/association-id` | 
| Automation execution | `arn:aws:ssm:region:account-id:automation-execution/automation-execution-id` | 
| Automation definition (with version subresource) | `arn:aws:ssm:region:account-id:automation-definition/automation-definition-id:version-id` **1** | 
| Configuration profile (AWS AppConfig) | `arn:aws:appconfig:region:account-id:application/application-id/configurationprofile/configurationprofile-id` | 
| Contact (Incident Manager) | `arn:aws:ssm-contacts:region:account-id:contact/contact-alias` | 
| Deployment strategy (AWS AppConfig) | `arn:aws:appconfig:region:account-id:deploymentstrategy/deploymentstrategy-id` | 
| Document | `arn:aws:ssm:region:account-id:document/document-name` | 
| Environment (AWS AppConfig) | `arn:aws:appconfig:region:account-id:application/application-id/environment/environment-id` | 
| Incident | `arn:aws:ssm-incidents:region:account-id:incident-record/response-plan-name/incident-id` | 
| Maintenance window | `arn:aws:ssm:region:account-id:maintenancewindow/window-id` | 
| Managed node | `arn:aws:ssm:region:account-id:managed-instance/managed-node-id` | 
| Managed node inventory | `arn:aws:ssm:region:account-id:managed-instance-inventory/managed-node-id` | 
| OpsItem | `arn:aws:ssm:region:account-id:opsitem/OpsItem-id` | 
| Parameter | A one-level parameter: `arn:aws:ssm:region:account-id:parameter/parameter-name`. A parameter named with a hierarchical construction: `arn:aws:ssm:region:account-id:parameter/parameter-name-root/level-2/level-3/.../level-n` **2** | 
| Patch baseline | `arn:aws:ssm:region:account-id:patchbaseline/patch-baseline-id` | 
| Response plan | `arn:aws:ssm-incidents:region:account-id:response-plan/response-plan-name` | 
| Session | `arn:aws:ssm:region:account-id:session/session-id` **3** | 
| All Systems Manager resources | `arn:aws:ssm:*` | 
| All Systems Manager resources owned by the specified AWS account in the specified AWS Region | `arn:aws:ssm:region:account-id:*` | 

**Note**  
Automation definition resources are being deprecated. Please update your IAM policies to include an allow for `ssm:StartAutomationExecution` or `ssm:StartChangeRequestExecution` on `document` and `automation-execution` resources. To view best practices and examples for setting up IAM permissions, refer to our [Setting up identity based policies example](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup-identity-based-policies.html) user guide. 

**1** For automation definitions, Systems Manager supports a second-level resource, *version ID*. In AWS, these second-level resources are known as *subresources*. Specifying a version subresource for an automation definition resource allows you to provide access to certain versions of an automation definition. For example, you might want to ensure that only the latest version of an automation definition is used in your node management.

**2** To organize and manage parameters, you can create names for parameters with a hierarchical construction. With hierarchical construction, a parameter name can include a path that you define by using forward slashes. You can name a parameter resource with a maximum of fifteen levels. We suggest that you create hierarchies that reflect an existing hierarchical structure in your environment. For more information, see [Creating Parameter Store parameters in Systems Manager](sysman-paramstore-su-create.md).

**3** In most cases, the session ID is constructed using the ID of the account user who started the session, plus an alphanumeric suffix. For example:

```
arn:aws:ssm:us-east-2:111122223333:session/JohnDoe-1a2b3c4sEXAMPLE
```

However, if the user ID isn't available, the ARN is constructed this way instead:

```
arn:aws:ssm:us-east-2:111122223333:session/session-1a2b3c4sEXAMPLE
```

For more information about the format of ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *Amazon Web Services General Reference*.

For a list of Systems Manager resource types and their ARNs, see [Resources Defined by AWS Systems Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-resources-for-iam-policies) in the *Service Authorization Reference*. To learn with which actions you can specify the ARN of each resource, see [Actions Defined by AWS Systems Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-actions-as-permissions).
<a name="policy-conditions"></a>

### Condition keys for Systems Manager
<a name="security_iam_service-with-iam-id-based-policies-conditionkeys"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.



To see a list of Systems Manager condition keys, see [Condition Keys for AWS Systems Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-policy-keys) in the *Service Authorization Reference*. To learn with which actions and resources you can use a condition key, see [Actions Defined by AWS Systems Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-actions-as-permissions).

For information about using the `ssm:resourceTag/*` condition key, see the following topics:
+ [Restricting access to root-level commands through SSM Agent](ssm-agent-restrict-root-level-commands.md)
+ [Restricting Run Command access based on tags](run-command-setting-up.md#tag-based-access) 
+ [Restrict session access based on instance tags](getting-started-restrict-access-examples.md#restrict-access-example-instance-tags)

For information about using the `ssm:Recursive`, `ssm:Policies`, and `ssm:Overwrite` condition keys, see [Preventing access to Parameter Store API operations](parameter-store-policy-conditions.md).

### Examples
<a name="security_iam_service-with-iam-id-based-policies-examples"></a>



To view examples of Systems Manager identity-based policies, see [AWS Systems Manager identity-based policy examples](security_iam_id-based-policy-examples.md).

## Systems Manager resource-based policies
<a name="security_iam_service-with-iam-resource-based-policies"></a>

Other AWS services, such as Amazon Simple Storage Service (Amazon S3), support resource-based permissions policies. For example, you can attach a permissions policy to an S3 bucket to manage access permissions to that bucket. 

Systems Manager doesn't support resource-based policies.

## Authorization based on Systems Manager tags
<a name="security_iam_service-with-iam-tags"></a>

You can attach tags to Systems Manager resources or pass tags in a request to Systems Manager. To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `ssm:resourceTag/key-name`, `aws:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys. You can add tags to the following resource types when you create or update them:
+ Document
+ Managed node
+ Maintenance window
+ Parameter
+ Patch baseline
+ OpsItem

To view an example identity-based policy for limiting access to a resource based on the tags on that resource, see [Viewing Systems Manager documents based on tags](security_iam_id-based-policy-examples.md#security_iam_id-based-policy-examples-view-documents-tags).

## Systems Manager IAM roles
<a name="security_iam_service-with-iam-roles"></a>

An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an entity within your AWS account that has specific permissions.

### Using temporary credentials with Systems Manager
<a name="security_iam_service-with-iam-roles-tempcreds"></a>

You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS Security Token Service (AWS STS) API operations such as [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) or [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html).

Systems Manager supports using temporary credentials. 

### Service-linked roles
<a name="security_iam_service-with-iam-roles-service-linked"></a>

[Service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role) allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles are listed in your IAM account and are owned by the service. An administrator can view but not edit the permissions for service-linked roles.

Systems Manager supports service-linked roles. For details about creating or managing Systems Manager service-linked roles, see [Using service-linked roles for Systems Manager](using-service-linked-roles.md).

### Service roles
<a name="security_iam_service-with-iam-roles-service"></a>

This feature allows a service to assume a [service role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role) on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles are displayed in your IAM account and are owned by the account. This means that an administrator can change the permissions for this role. However, doing so might break the functionality of the service.

Systems Manager supports service roles. 

### Choosing an IAM role in Systems Manager
<a name="security_iam_service-with-iam-roles-choose"></a>

For Systems Manager to interact with your managed nodes, you must choose a role to allow Systems Manager to access nodes on your behalf. If you have previously created a service role or service-linked role, then Systems Manager provides you with a list of roles to choose from. It's important to choose a role that allows access to start and stop managed nodes. 

To access EC2 instances, you must configure instance permissions. For information, see [Configure instance permissions required for Systems Manager](setup-instance-permissions.md). 

To access non-EC2 nodes in a [hybrid and multicloud](operating-systems-and-machine-types.md#supported-machine-types) environment, the role your AWS account needs is an IAM service role. For information, see [Create the IAM service role required for Systems Manager in hybrid and multicloud environments](hybrid-multicloud-service-role.md).

An Automation workflow can be initiated under the context of a service role (or assume role). This allows the service to perform actions on your behalf. If you don't specify an assume role, Automation uses the context of the user who invoked the execution. However, certain situations require that you specify a service role for Automation. For more information, see [Configuring a service role (assume role) access for automations](automation-setup.md#automation-setup-configure-role).

### AWS Systems Manager managed policies
<a name="managed-policies"></a>

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS *managed policies* grant necessary permissions for common use cases so you can avoid having to investigate which permissions are needed. (You can also create your own custom IAM policies to allow permissions for Systems Manager actions and resources.) 

For more information about managed policies for Systems Manager, see [AWS managed policies for AWS Systems Manager](security-iam-awsmanpol.md).

For general information about managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

# AWS Systems Manager identity-based policy examples
<a name="security_iam_id-based-policy-examples"></a>

By default, AWS Identity and Access Management (IAM) entities (users and roles) don't have permission to create or modify AWS Systems Manager resources. They also can't perform tasks using the Systems Manager console, AWS Command Line Interface (AWS CLI), or AWS API. An administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the users or groups that require those permissions.

The following is an example of a permissions policy that allows a user to delete documents with names that begin with **MyDocument-** in the US East (Ohio) (us-east-2) AWS Region.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DeleteDocument"
      ],
      "Resource": [
        "arn:aws:ssm:us-east-2:111122223333:document/MyDocument-*"
      ]
    }
  ]
}
```

------

To learn how to create an IAM identity-based policy using these example JSON Policy documents, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*.

**Topics**
+ [Policy best practices](#security_iam_service-with-iam-policy-best-practices)
+ [Example: Permission to use the Systems Manager console](#security_iam_id-based-policy-examples-console)
+ [Example: Permission to allow users to view their own permissions](#security_iam_id-based-policy-examples-view-own-permissions)
+ [Example: Permission to read and describe individual parameters](#security_iam_id-based-policy-examples-view-one-parameter)
+ [Cross-service confused deputy prevention](cross-service-confused-deputy-prevention.md)
+ [Customer managed policy examples](#customer-managed-policies)
+ [Viewing Systems Manager documents based on tags](#security_iam_id-based-policy-examples-view-documents-tags)

## Policy best practices
<a name="security_iam_service-with-iam-policy-best-practices"></a>

Identity-based policies determine whether someone can create, access, or delete Systems Manager resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [ Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [ Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.

For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

## Example: Permission to use the Systems Manager console
<a name="security_iam_id-based-policy-examples-console"></a>

To access the Systems Manager console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the Systems Manager resources and other resources in your AWS account. 

If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for IAM entities (users or roles) with that policy.

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that you're trying to perform.

To ensure that users and roles can still use the Systems Manager console, also attach the [AmazonSSMFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMFullAccess.html) or [AmazonSSMReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMReadOnlyAccess.html) AWS managed policy to the entities. For more information, see [Adding permissions to a user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

## Example: Permission to allow users to view their own permissions
<a name="security_iam_id-based-policy-examples-view-own-permissions"></a>

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

```
{
    "Version": "2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ViewOwnUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Resource": ["arn:aws:iam::*:user/${aws:username}"]
        },
        {
            "Sid": "NavigateInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

## Example: Permission to read and describe individual parameters
<a name="security_iam_id-based-policy-examples-view-one-parameter"></a>

**Example Read and describe one parameter**  
You can grant access to a parameter by attaching the following policy to an identity.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:DescribeParameters"
      ],
      "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/parameter-name"
    }
  ]
}
```

# Cross-service confused deputy prevention
<a name="cross-service-confused-deputy-prevention"></a>

The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In AWS, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the *calling service*) calls another service (the *called service*). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access. To prevent this, AWS provides tools that help you protect your data for all services with service principals that have been given access to resources in your account. 

We recommend using the [`aws:SourceArn`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) and [`aws:SourceAccount`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context keys in resource policies to limit the permissions that AWS Systems Manager gives another service to the resource. If the `aws:SourceArn` value does not contain the account ID, such as an Amazon Resource Name (ARN) for an S3 bucket, you must use both global condition context keys to limit permissions. If you use both global condition context keys and the `aws:SourceArn` value contains the account ID, the `aws:SourceAccount` value and the account in the `aws:SourceArn` value must use the same account ID when used in the same policy statement. Use `aws:SourceArn` if you want only one resource to be associated with the cross-service access. Use `aws:SourceAccount` if you want to allow any resource in that account to be associated with the cross-service use.

The following sections provide example policies for AWS Systems Manager tools.

## Hybrid activation policy example
<a name="cross-service-confused-deputy-prevention-hybrid"></a>

For service roles used in a [hybrid activation](activations.md), the value of `aws:SourceArn` must be the ARN of the AWS account. Be sure to specify the AWS Region in the ARN where you created your hybrid activation. If you don't know the full ARN of the resource or if you're specifying multiple resources, use the `aws:SourceArn` global context condition key with wildcards (`*`) for the unknown portions of the ARN. For example, `arn:aws:ssm:*:region:123456789012:*`.

The following example demonstrates using the `aws:SourceArn` and `aws:SourceAccount` global condition context keys for Automation to prevent the confused deputy problem in the US East (Ohio) Region (us-east-2).

------
#### [ JSON ]

```
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "",
         "Effect": "Allow",
         "Principal": {
            "Service": "ssm.amazonaws.com"
         },
         "Action": "sts:AssumeRole",
         "Condition": {
            "StringEquals": {
               "aws:SourceAccount": "123456789012"
            },
            "ArnEquals": {
               "aws:SourceArn": "arn:aws:ssm:us-east-2:123456789012:*"
            }
         }
      }
   ]
}
```

------

## Resource data sync policy example
<a name="cross-service-confused-deputy-prevention-rds"></a>

Systems Manager Inventory, Explorer, and Compliance enable you to create a resource data sync to centralize storage of your operations data (OpsData) in a central Amazon Simple Storage Service bucket. If you want to encrypt a resource data sync by using AWS Key Management Service (AWS KMS), then you must either create a new key that includes the following policy, or you must update an existing key and add this policy to it. The `aws:SourceArn` and `aws:SourceAccount` condition keys in this policy prevent the confused deputy problem. Here is an example policy.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Id": "ssm-access-policy",
    "Statement": [
        {
            "Sid": "ssm-access-policy-statement",
            "Action": [
                "kms:GenerateDataKey"
            ],
            "Effect": "Allow",
            "Principal": {
                "Service": "ssm.amazonaws.com"
            },
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/KMS_key_id",
            "Condition": {
                "StringLike": {
                    "aws:SourceAccount": "123456789012"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:ssm:*:123456789012:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM"
                }
            }
        }
    ]
}
```

------

**Note**  
The ARN in the policy example enables the system to encrypt OpsData from all sources except AWS Security Hub CSPM. If you need to encrypt Security Hub CSPM data, for example if you use Explorer to collect Security Hub CSPM data, then you must attach an additional policy that specifies the following ARN:  
`"aws:SourceArn": "arn:aws:ssm:*:account-id:role/aws-service-role/opsdatasync.ssm.amazonaws.com/AWSServiceRoleForSystemsManagerOpsDataSync"` 
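
The three rules stated above for `aws:SourceArn` and `aws:SourceAccount` can be checked mechanically before a trust policy or key policy is deployed. The following Python audit is an added example, not code from the Systems Manager documentation; it embeds the hybrid activation trust policy from this page together with constructed weak variants (the `amzn-s3-demo-bucket` name and the `_variant` helper are assumptions made for the example).

```python
"""Audit trust and resource policies for the confused-deputy conditions.

Added example, not code from the Systems Manager documentation. It checks the
three rules the text states for statements that grant an AWS service principal:
  1. at least one of aws:SourceArn / aws:SourceAccount should be present;
  2. if aws:SourceArn carries no account ID (an S3 bucket ARN, or a wildcard
     in the account field), aws:SourceAccount is required as well;
  3. if both are present, the account in aws:SourceArn must equal
     aws:SourceAccount.
"""

SOURCE_ARN = "aws:sourcearn"
SOURCE_ACCOUNT = "aws:sourceaccount"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_keys(condition) -> dict:
    """Flatten a Condition block into {lower-cased key: [values]}.

    IAM matches condition key names case-insensitively, so the operator
    (StringEquals, ArnLike, ...) is ignored here and keys are lower-cased.
    """
    found = {}
    for _operator, pairs in (condition or {}).items():
        for key, value in pairs.items():
            found.setdefault(key.lower(), []).extend(_as_list(value))
    return found


def arn_account(arn: str) -> str:
    """Return the account field of arn:partition:service:region:account:resource, or ''."""
    parts = arn.split(":", 5)
    account = parts[4] if len(parts) == 6 else ""
    return "" if account == "*" else account


def audit_policy(policy: dict) -> list:
    """Return [(Sid, finding), ...]; an empty list means every statement passed."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid") or "<no Sid>"
        principal = stmt.get("Principal")
        # Only Allow statements granted to a service principal are in scope.
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict) \
                or "Service" not in principal:
            continue
        keys = condition_keys(stmt.get("Condition"))
        arns = keys.get(SOURCE_ARN, [])
        accounts = keys.get(SOURCE_ACCOUNT, [])
        if not arns and not accounts:
            findings.append((sid, "no aws:SourceArn or aws:SourceAccount condition"))
            continue
        for arn in arns:
            account = arn_account(arn)
            if not account and not accounts:
                findings.append((sid, f"aws:SourceArn {arn} has no account ID, so "
                                      "aws:SourceAccount is required too"))
            elif account and accounts and account not in accounts:
                findings.append((sid, f"account {account} in aws:SourceArn does not "
                                      f"match aws:SourceAccount {accounts}"))
    return findings


# Trust policy from the hybrid activation example above (the page's fictitious
# account ID 123456789012, us-east-2 as the text states).
HYBRID_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "HybridActivation",
        "Effect": "Allow",
        "Principal": {"Service": "ssm.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "123456789012"},
            "ArnEquals": {"aws:SourceArn": "arn:aws:ssm:us-east-2:123456789012:*"},
        },
    }],
}


def _variant(sid: str, condition) -> dict:
    """Constructed weak variant of the trust policy with a different Condition."""
    stmt = dict(HYBRID_TRUST_POLICY["Statement"][0], Sid=sid, Condition=condition)
    return {"Version": "2012-10-17", "Statement": [stmt]}


NO_CONDITION = _variant("NoCondition", None)
# An S3 bucket ARN has an empty account field, so aws:SourceArn alone is not enough.
BUCKET_ARN_ONLY = _variant("BucketArnOnly",
                           {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::amzn-s3-demo-bucket"}})
MISMATCHED = _variant("Mismatched", {
    "StringEquals": {"aws:SourceAccount": "111122223333"},
    "ArnLike": {"aws:SourceArn": "arn:aws:ssm:*:123456789012:*"},
})

if __name__ == "__main__":
    for name, policy in [("hybrid", HYBRID_TRUST_POLICY), ("no-condition", NO_CONDITION),
                         ("bucket-only", BUCKET_ARN_ONLY), ("mismatched", MISMATCHED)]:
        print(name, audit_policy(policy) or "ok")
```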

## Customer managed policy examples
<a name="customer-managed-policies"></a>

You can create standalone policies that you administer in your own AWS account. We refer to these as *customer managed policies*. You can attach these policies to multiple principal entities in your AWS account. When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy. For more information, see [Customer managed policy examples](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) in the *[IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/)*.

The following examples of user policies grant permissions for various Systems Manager actions. Use them to limit the Systems Manager access for your IAM entities (users and roles). These policies work when performing actions in the Systems Manager API, AWS SDKs, or the AWS CLI. For users who use the console, you need to grant additional permissions specific to the console. For more information, see [Example: Permission to use the Systems Manager console](#security_iam_id-based-policy-examples-console).

**Note**  
All examples use the US West (Oregon) Region (us-west-2) and contain fictitious account IDs. The account ID shouldn't be specified in the Amazon Resource Name (ARN) for AWS public documents (documents that begin with `AWS-*`).

**Examples**
+ [Example 1: Allow a user to perform Systems Manager operations in a single Region](#identity-based-policies-example-1)
+ [Example 2: Allow a user to list documents for a single Region](#identity-based-policies-example-2)
+ [Example 3: Allow a user to use a specific SSM document to run commands on specific nodes](#identity-based-policies-example-3)

### Example 1: Allow a user to perform Systems Manager operations in a single Region
<a name="identity-based-policies-example-1"></a>

The following example grants permissions to perform Systems Manager operations only in the US East (Ohio) Region (us-east-2).

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:*"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-2:111122223333:*"
            ]
        }
    ]
}
```

------

### Example 2: Allow a user to list documents for a single Region
<a name="identity-based-policies-example-2"></a>

The following example grants permissions to list all document names that begin with **Update** in the US East (Ohio) Region (us-east-2).

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:ListDocuments"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-2:111122223333:document/Update*"
            ]
        }
    ]
}
```

------

### Example 3: Allow a user to use a specific SSM document to run commands on specific nodes
<a name="identity-based-policies-example-3"></a>

The following example IAM policy allows a user to do the following in the US East (Ohio) Region (us-east-2):
+ List Systems Manager documents (SSM documents) and document versions.
+ View details about documents.
+ Send a command using the document specified in the policy. The name of the document is determined by the following entry.

  ```
  arn:aws:ssm:us-east-2:aws-account-ID:document/Systems-Manager-document-name
  ```
+ Send a command to three nodes. The nodes are determined by the following entries in the second `Resource` section.

  ```
  "arn:aws:ec2:us-east-2:aws-account-ID:instance/i-02573cafcfEXAMPLE",
  "arn:aws:ec2:us-east-2:aws-account-ID:instance/i-0471e04240EXAMPLE",
  "arn:aws:ec2:us-east-2:aws-account-ID:instance/i-07782c72faEXAMPLE"
  ```
+ View details about a command after it has been sent.
+ Start and stop workflows in Automation, a tool in AWS Systems Manager.
+ Get information about Automation workflows.

If you want to give a user permission to use this document to send commands on any node for which the user has access, you could specify an entry similar to the following in the `Resource` section and remove the other node entries. The following example uses the US East (Ohio) Region (us-east-2).

```
"arn:aws:ec2:us-east-2:*:instance/*"
```

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:ListDocuments",
                "ssm:ListDocumentVersions",
                "ssm:DescribeDocument",
                "ssm:GetDocument",
                "ssm:DescribeInstanceInformation",
                "ssm:DescribeDocumentParameters",
                "ssm:DescribeInstanceProperties"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ssm:SendCommand",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ec2:us-east-2:111122223333:instance/i-02573cafcfEXAMPLE",
                "arn:aws:ec2:us-east-2:111122223333:instance/i-0471e04240EXAMPLE",
                "arn:aws:ec2:us-east-2:111122223333:instance/i-07782c72faEXAMPLE",
                "arn:aws:ssm:us-east-2:111122223333:document/Systems-Manager-document-name"
            ]
        },
        {
            "Action": [
                "ssm:CancelCommand",
                "ssm:ListCommands",
                "ssm:ListCommandInvocations"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ec2:DescribeInstanceStatus",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ssm:StartAutomationExecution",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ssm:us-east-2:111122223333:document/*",
                "arn:aws:ssm:us-east-2:111122223333:automation-execution/*"
            ]
        },
        {
            "Action": "ssm:DescribeAutomationExecutions",
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "ssm:StopAutomationExecution",
                "ssm:GetAutomationExecution"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }
    ]
}
```

------

## Viewing Systems Manager documents based on tags
<a name="security_iam_id-based-policy-examples-view-documents-tags"></a>

You can use conditions in your identity-based policy to control access to Systems Manager resources based on tags. This example shows how you might create a policy that allows viewing an SSM document. However, permission is granted only if the document tag `Owner` has the value of that user's user name. This policy also grants the permissions necessary to complete this action on the console.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListDocumentsInConsole",
            "Effect": "Allow",
            "Action": "ssm:ListDocuments",
            "Resource": "*"
        },
        {
            "Sid": "ViewDocumentIfOwner",
            "Effect": "Allow",
            "Action": "ssm:GetDocument",
            "Resource": "arn:aws:ssm:*:*:document/*",
            "Condition": {
                "StringEquals": {"ssm:ResourceTag/Owner": "${aws:username}"}
            }
        }
    ]
}
```

------

You can attach this policy to the users in your account. If a user named `richard-roe` attempts to view a Systems Manager document, the document must be tagged `Owner=richard-roe` or `owner=richard-roe`. Otherwise they're denied access. The condition tag key `Owner` matches both `Owner` and `owner` because condition key names aren't case-sensitive. For more information, see [IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
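
To see how that condition behaves, here is a small evaluator, added as an example and not part of the Systems Manager documentation. It models only the mechanics the text describes (action and resource matching, `StringEquals` with the `${aws:username}` variable, case-insensitive condition key names), embeds the policy above, and builds constructed requests for the user `richard-roe`; the `request_context` helper is an assumption of this example, and real IAM evaluation involves many more rules (explicit deny, SCPs, resource policies).

```python
"""Minimal evaluator for the tag-based SSM document policy above.

Added example, not code from the Systems Manager documentation. Only the
subset of IAM semantics the page describes is modelled.
"""
from fnmatch import fnmatchcase

# The identity-based policy shown above.
TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListDocumentsInConsole", "Effect": "Allow",
         "Action": "ssm:ListDocuments", "Resource": "*"},
        {"Sid": "ViewDocumentIfOwner", "Effect": "Allow",
         "Action": "ssm:GetDocument", "Resource": "arn:aws:ssm:*:*:document/*",
         "Condition": {"StringEquals": {"ssm:ResourceTag/Owner": "${aws:username}"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(value: str, context: dict) -> str:
    """Expand ${aws:username}-style policy variables from the request context."""
    for key, val in context.items():
        value = value.replace("${" + key + "}", val)
    return value


def _condition_holds(condition, context: dict) -> bool:
    """Evaluate StringEquals conditions; key names are case-insensitive, values are not."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            if actual is None:
                return False  # key absent from the request (untagged document)
            wanted = [_substitute(v, context) for v in _as_list(expected)]
            if actual not in wanted:
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """True if some Allow statement matches the action, resource and conditions."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition"), context):
            return True
    return False  # implicit deny


def request_context(username: str, tags: dict) -> dict:
    """Build the context IAM would see: the caller's name plus the document's tags."""
    ctx = {"aws:username": username}
    for key, value in tags.items():
        ctx[f"ssm:ResourceTag/{key}"] = value
    return ctx


# Constructed document ARN for the demonstration.
DOC = "arn:aws:ssm:us-east-2:111122223333:document/MyDocument-1"

if __name__ == "__main__":
    for tags in ({"Owner": "richard-roe"}, {"owner": "richard-roe"}, {"Owner": "jane-doe"}, {}):
        ctx = request_context("richard-roe", tags)
        print(tags, "->", "allow" if is_allowed(TAG_POLICY, "ssm:GetDocument", DOC, ctx) else "deny")
```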

# AWS managed policies for AWS Systems Manager
<a name="security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

**Topics**
+ [AWS managed policy: AmazonSSMServiceRolePolicy](#security-iam-awsmanpol-AmazonSSMServiceRolePolicy)
+ [AWS managed policy: AmazonSSMAutomationRole](#security-iam-awsmanpol-AmazonSSMAutomationRole)
+ [AWS managed policy: AmazonSSMReadOnlyAccess](#security-iam-awsmanpol-AmazonSSMReadOnlyAccess)
+ [AWS managed policy: AWSSystemsManagerOpsDataSyncServiceRolePolicy](#security-iam-awsmanpol-AWSSystemsManagerOpsDataSyncServiceRolePolicy)
+ [AWS managed policy: AmazonSSMManagedEC2InstanceDefaultPolicy](#security-iam-awsmanpol-AmazonSSMManagedEC2InstanceDefaultPolicy)
+ [AWS managed policy: SSMQuickSetupRolePolicy](#security-iam-awsmanpol-SSMQuickSetupRolePolicy)
+ [AWS managed policy: AWSQuickSetupDeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupDeploymentRolePolicy)
+ [AWS managed policy: AWSQuickSetupPatchPolicyDeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupPatchPolicyDeploymentRolePolicy)
+ [AWS managed policy: AWSQuickSetupPatchPolicyBaselineAccess](#security-iam-awsmanpol-AWSQuickSetupPatchPolicyBaselineAccess)
+ [AWS managed policy: AWSSystemsManagerEnableExplorerExecutionPolicy](#security-iam-awsmanpol-AWSSystemsManagerEnableExplorerExecutionPolicy)
+ [AWS managed policy: AWSSystemsManagerEnableConfigRecordingExecutionPolicy](#security-iam-awsmanpol-AWSSystemsManagerEnableConfigRecordingExecutionPolicy)
+ [AWS managed policy: AWSQuickSetupDevOpsGuruPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupDevOpsGuruPermissionsBoundary)
+ [AWS managed policy: AWSQuickSetupDistributorPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupDistributorPermissionsBoundary)
+ [AWS managed policy: AWSQuickSetupSSMHostMgmtPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupSSMHostMgmtPermissionsBoundary)
+ [AWS managed policy: AWSQuickSetupPatchPolicyPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupPatchPolicyPermissionsBoundary)
+ [AWS managed policy: AWSQuickSetupSchedulerPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupSchedulerPermissionsBoundary)
+ [AWS managed policy: AWSQuickSetupCFGCPacksPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupCFGCPacksPermissionsBoundary)
+ [AWS managed policy: AWSQuickSetupStartStopInstancesExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupStartStopInstancesExecutionPolicy)
+ [AWS managed policy: AWSQuickSetupStartSSMAssociationsExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupStartSSMAssociationsExecutionPolicy)
+ [AWS managed policy: AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy)
+ [AWS managed policy: AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy)
+ [AWS managed policy: AWS-SSM-RemediationAutomation-AdministrationRolePolicy](#security-iam-awsmanpol-AWS-SSM-RemediationAutomation-AdministrationRolePolicy)
+ [AWS managed policy: AWS-SSM-RemediationAutomation-ExecutionRolePolicy](#security-iam-awsmanpol-AWS-SSM-RemediationAutomation-ExecutionRolePolicy)
+ [AWS managed policy: AWSQuickSetupSSMManageResourcesExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupSSMManageResourcesExecutionPolicy)
+ [AWS managed policy: AWSQuickSetupSSMLifecycleManagementExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupSSMLifecycleManagementExecutionPolicy)
+ [AWS managed policy: AWSQuickSetupSSMDeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupSSMDeploymentRolePolicy)
+ [AWS managed policy: AWSQuickSetupSSMDeploymentS3BucketRolePolicy](#security-iam-awsmanpol-AWSQuickSetupSSMDeploymentS3BucketRolePolicy)
+ [AWS managed policy: AWSQuickSetupEnableDHMCExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupEnableDHMCExecutionPolicy)
+ [AWS managed policy: AWSQuickSetupEnableAREXExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupEnableAREXExecutionPolicy)
+ [AWS managed policy: AWSQuickSetupManagedInstanceProfileExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupManagedInstanceProfileExecutionPolicy)
+ [AWS managed policy: AWSQuickSetupManageJITNAResourcesExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupManageJITNAResourcesExecutionPolicy)
+ [AWS managed policy: AWSQuickSetupJITNADeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupJITNADeploymentRolePolicy)
+ [AWS managed policy: AWSSystemsManagerJustInTimeAccessServicePolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessServicePolicy)
+ [AWS managed policy: AWSSystemsManagerJustInTimeAccessTokenPolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessTokenPolicy)
+ [AWS managed policy: AWSSystemsManagerJustInTimeAccessTokenSessionPolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessTokenSessionPolicy)
+ [AWS managed policy: AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy)
+ [AWS managed policy: AWSSystemsManagerNotificationsServicePolicy](#security-iam-awsmanpol-AWSSystemsManagerNotificationsServicePolicy)
+ [AWS managed policy: AWS-SSM-Automation-DiagnosisBucketPolicy](#security-iam-awsmanpol-AWS-SSM-Automation-DiagnosisBucketPolicy)
+ [AWS managed policy: AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy](#security-iam-awsmanpol-AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy)
+ [AWS managed policy: AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy)
+ [Systems Manager updates to AWS managed policies](#security-iam-awsmanpol-updates)
+ [Additional managed policies for Systems Manager](#policies-list)

## AWS managed policy: AmazonSSMServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSSMServiceRolePolicy"></a>

This policy provides access to a number of AWS resources that are managed by AWS Systems Manager or used in Systems Manager operations.

You can't attach `AmazonSSMServiceRolePolicy` to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows AWS Systems Manager to perform actions on your behalf. For more information, see [Using roles to collect inventory and view OpsData](using-service-linked-roles-service-action-1.md).

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to start and step executions for both Run Command and Automation; to retrieve information about Run Command and Automation operations; to retrieve information about Parameter Store parameters and Change Calendar calendars; to update and retrieve information about Systems Manager service settings for OpsCenter resources; and to read information about tags that have been applied to resources.
+ `cloudformation` – Allows principals to retrieve information about stackset operations and stackset instances, and to delete stacksets on the resource `arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*`. Allows principals to delete stack instances that are associated with the following resources:

  ```
  arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*
  arn:aws:cloudformation:*:*:stackset-target/AWS-QuickSetup-SSM*:*
  arn:aws:cloudformation:*:*:type/resource/*
  ```
+ `cloudwatch` – Allows principals to retrieve information about Amazon CloudWatch alarms.
+ `compute-optimizer` – Allows principals to retrieve the enrollment (opt in) status of an account to the AWS Compute Optimizer service, and to retrieve recommendations for Amazon EC2 instances that meet a specific set of stated requirements.
+ `config` – Allows principals to retrieve information about remediation configurations and configuration recorders in AWS Config, and to determine whether specified AWS Config rules and AWS resources are compliant.
+ `events` – Allows principals to retrieve information about EventBridge rules; to create EventBridge rules and targets exclusively for the Systems Manager service (`ssm.amazonaws.com`); and to delete rules and targets for the resource `arn:aws:events:*:*:rule/SSMExplorerManagedRule`.
+ `ec2` – Allows principals to retrieve information about Amazon EC2 instances.
+ `iam` – Allows principals to pass roles to the Systems Manager service (`ssm.amazonaws.com`).
+ `lambda` – Allows principals to invoke Lambda functions that are configured specifically for use by Systems Manager.
+ `resource-explorer-2` – Allows principals to retrieve data about EC2 instances to determine whether or not each instance is currently managed by Systems Manager.

  The action `resource-explorer-2:CreateManagedView` is allowed for the `arn:aws:resource-explorer-2:*:*:managed-view/AWSManagedViewForSSM*` resource.
+ `resource-groups` – Allows principals to list resource groups in AWS Resource Groups and to retrieve the resources that belong to a resource group.
+ `securityhub` – Allows principals to retrieve information about AWS Security Hub CSPM hub resources in the current account.
+ `states` – Allows principals to start and retrieve information for AWS Step Functions that are configured specifically for use by Systems Manager.
+ `support` – Allows principals to retrieve information about checks and cases in AWS Trusted Advisor.
+ `tag` – Allows principals to retrieve information about all the tagged or previously tagged resources that are located in a specified AWS Region for an account.

To view more details about the policy, including the latest version of the JSON policy document, see [AmazonSSMServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMServiceRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AmazonSSMAutomationRole
<a name="security-iam-awsmanpol-AmazonSSMAutomationRole"></a>

You can attach the `AmazonSSMAutomationRole` policy to your IAM identities. This policy provides permissions for the AWS Systems Manager Automation service to run activities defined within Automation runbooks.

**Permissions details**

This policy includes the following permissions.
+ `lambda` – Allows principals to invoke Lambda functions with names that begin with "Automation". This is required for Automation runbooks to execute Lambda functions as part of their workflow.
+ `ec2` – Allows principals to perform various Amazon EC2 operations including creating, copying, and deregistering images; managing snapshots; starting, running, stopping, and terminating instances; managing instance status; and creating, deleting, and describing tags. These permissions enable Automation runbooks to manage Amazon EC2 resources during execution.
+ `cloudformation` – Allows principals to create, describe, update, and delete CloudFormation stacks. This enables Automation runbooks to manage infrastructure as code through CloudFormation.
+ `ssm` – Allows principals to use all Systems Manager actions. This comprehensive access is required for Automation runbooks to interact with all Systems Manager capabilities.
+ `sns` – Allows principals to publish messages to Amazon SNS topics with names that begin with "Automation". This enables Automation runbooks to send notifications during execution.
+ `ssmmessages` – Allows principals to open data channels to Systems Manager sessions. This enables Automation runbooks to establish communication channels for session-based operations.

To view more details about the policy, including the latest version of the JSON policy document, see [AmazonSSMAutomationRole](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMAutomationRole.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AmazonSSMReadOnlyAccess
<a name="security-iam-awsmanpol-AmazonSSMReadOnlyAccess"></a>

You can attach the `AmazonSSMReadOnlyAccess` policy to your IAM identities. This policy grants read-only access to AWS Systems Manager API operations including `Describe*`, `Get*`, and `List*`. 

To view more details about the policy, including the latest version of the JSON policy document, see [AmazonSSMReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMReadOnlyAccess.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSSystemsManagerOpsDataSyncServiceRolePolicy
<a name="security-iam-awsmanpol-AWSSystemsManagerOpsDataSyncServiceRolePolicy"></a>

You can't attach `AWSSystemsManagerOpsDataSyncServiceRolePolicy` to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see [Using roles to create OpsData and OpsItems for Explorer](using-service-linked-roles-service-action-3.md).

 `AWSSystemsManagerOpsDataSyncServiceRolePolicy` allows the `AWSServiceRoleForSystemsManagerOpsDataSync` service-linked role to create and update OpsItems and OpsData from AWS Security Hub CSPM findings. 

The policy allows Systems Manager to complete the following actions on all related resources (`"Resource": "*"`), except where indicated:
+ `ssm:GetOpsItem` [1]
+ `ssm:UpdateOpsItem` [1]
+ `ssm:CreateOpsItem`
+ `ssm:AddTagsToResource` [2]
+ `ssm:UpdateServiceSetting` [3]
+ `ssm:GetServiceSetting` [3]
+ `securityhub:GetFindings`
+ `securityhub:BatchUpdateFindings` [4]

[1] The `ssm:GetOpsItem` and `ssm:UpdateOpsItem` actions are allowed for the Systems Manager service only when the following condition is met, that is, only on OpsItems that carry the `ExplorerSecurityHubOpsItem` tag.

```
"Condition": {
    "StringEquals": {
        "aws:ResourceTag/ExplorerSecurityHubOpsItem": "true"
    }
}
```

[2] The `ssm:AddTagsToResource` action is allowed for the following resource only.

```
arn:aws:ssm:*:*:opsitem/*
```

[3] The `ssm:UpdateServiceSetting` and `ssm:GetServiceSetting` actions are allowed for the following resources only.

```
arn:aws:ssm:*:*:servicesetting/ssm/opsitem/*
arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*
```

[4] The `securityhub:BatchUpdateFindings` action is denied for the Systems Manager service by the following `Deny` statements. A `Null` condition with the value `false` matches when the named finding field *is present* in the request, so each statement blocks any update that sets that field; the first statement blocks setting `Workflow.Status` to `SUPPRESSED`.

```
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/Confidence": false
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/Criticality": false
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/Note.Text": false
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/Note.UpdatedBy": false
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/RelatedFindings": false
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/Types": false
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/UserDefinedFields.key": false
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/UserDefinedFields.value": false
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/VerificationState": false
        }
    }
}
```
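The footnotes above scope two permissions with condition keys rather than with resource ARNs. The following script is an added illustration (not AWS code, and not the evaluation engine IAM actually uses) that models only the two operators those statements use, `StringEquals` and `Null`, and runs them over constructed request contexts. It shows that the service-linked role can read and update only OpsItems tagged `ExplorerSecurityHubOpsItem=true`, and that it can change a finding's `Workflow.Status` (except to `SUPPRESSED`) while any update carrying one of the other listed fields is denied. The `decide` helper and the `POLICY` list are assumptions made for this example.

```python
"""Mini evaluator for the condition-scoped statements in footnotes [1] and [4].

Added illustration, not AWS code: covers only StringEquals and Null, treats an
explicit Deny as final, and ignores resource ARNs, SCPs and resource policies.
All request contexts below are constructed samples.
"""
from typing import Any

# Footnote [1]: GetOpsItem/UpdateOpsItem allowed only on tagged OpsItems.
OPSITEM_ALLOW = {
    "Effect": "Allow",
    "Action": ["ssm:GetOpsItem", "ssm:UpdateOpsItem"],
    "Condition": {"StringEquals": {"aws:ResourceTag/ExplorerSecurityHubOpsItem": "true"}},
}
CREATE_ALLOW = {"Effect": "Allow", "Action": "ssm:CreateOpsItem"}
FINDINGS_ALLOW = {"Effect": "Allow", "Action": "securityhub:BatchUpdateFindings"}

# Footnote [4]: "Null": false means "the key IS present in the request", so each
# statement denies an update that sets that finding field.
LOCKED_FIELDS = ["Confidence", "Criticality", "Note.Text", "Note.UpdatedBy",
                 "RelatedFindings", "Types", "UserDefinedFields.key",
                 "UserDefinedFields.value", "VerificationState"]
FINDINGS_DENY = [
    {"Effect": "Deny", "Action": "securityhub:BatchUpdateFindings",
     "Condition": {"StringEquals": {"securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"}}},
] + [
    {"Effect": "Deny", "Action": "securityhub:BatchUpdateFindings",
     "Condition": {"Null": {f"securityhub:ASFFSyntaxPath/{field}": False}}}
    for field in LOCKED_FIELDS
]

# Constructed policy: the allow statements plus the quoted deny statements.
POLICY = [OPSITEM_ALLOW, CREATE_ALLOW, FINDINGS_ALLOW] + FINDINGS_DENY


def condition_matches(condition: dict, context: dict[str, Any]) -> bool:
    """True when every operator/key pair in `condition` holds for `context`."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # Null: true -> key must be absent; Null: false -> key must be present.
                want_absent = expected in (True, "true")
                if present == want_absent:
                    return False
            elif operator == "StringEquals":
                if not present or str(context[key]) != str(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled in this example")
    return True


def evaluate(action: str, context: dict[str, Any], statements: list[dict]) -> str:
    """Simplified IAM decision: explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for statement in statements:
        actions = statement["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        if action not in actions:
            continue
        if not condition_matches(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def decide(action: str, context: dict[str, Any]) -> str:
    """Evaluate one request against the constructed POLICY."""
    return evaluate(action, context, POLICY)


if __name__ == "__main__":
    samples = [
        ("ssm:GetOpsItem", {"aws:ResourceTag/ExplorerSecurityHubOpsItem": "true"}),
        ("ssm:UpdateOpsItem", {}),                       # untagged OpsItem
        ("securityhub:BatchUpdateFindings", {"securityhub:ASFFSyntaxPath/Workflow.Status": "NOTIFIED"}),
        ("securityhub:BatchUpdateFindings", {"securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"}),
        ("securityhub:BatchUpdateFindings", {"securityhub:ASFFSyntaxPath/Note.Text": "triaged"}),
    ]
    for action, ctx in samples:
        print(f"{action:36} {ctx!s:70} -> {decide(action, ctx)}")
```

The practical reading for a defender: even though the role holds `securityhub:BatchUpdateFindings` on `"Resource": "*"`, the deny statements reduce it to workflow-status changes, so an OpsItem sync cannot silently suppress findings or rewrite their notes, types or verification state.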

To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerOpsDataSyncServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerOpsDataSyncServiceRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AmazonSSMManagedEC2InstanceDefaultPolicy
<a name="security-iam-awsmanpol-AmazonSSMManagedEC2InstanceDefaultPolicy"></a>

You should only attach `AmazonSSMManagedEC2InstanceDefaultPolicy` to IAM roles for Amazon EC2 instances that you want to have permission to use Systems Manager functionality. You shouldn't attach this policy to other IAM entities, such as IAM users and IAM groups, or to IAM roles that serve other purposes. For more information, see [Managing EC2 instances automatically with Default Host Management Configuration](fleet-manager-default-host-management-configuration.md).

This policy grants permissions that allow SSM Agent on your Amazon EC2 instance to communicate with the Systems Manager service in the cloud in order to perform a variety of tasks. It also grants permissions for the two services that provide authorization tokens to ensure that operations are performed on the correct instance.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to retrieve Documents, execute commands using Run Command, establish sessions using Session Manager, collect an inventory of the instance, and scan for patches and patch compliance using Patch Manager.
+ `ssmmessages` – Allows principals to access, for each instance, a personalized authorization token that was created by the *[Amazon Message Gateway Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmessagegatewayservice.html)*. Systems Manager validates the personalized authorization token against the Amazon Resource Name (ARN) of the instance that was provided in the API operation. This access is necessary to ensure that SSM Agent performs the API operations on the correct instance. 
+ `ec2messages` – Allows principals to access, for each instance, a personalized authorization token that was created by the *[Amazon Message Delivery Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmessagegatewayservice.html)*. Systems Manager validates the personalized authorization token against the Amazon Resource Name (ARN) of the instance that was provided in the API operation. This access is necessary to ensure that SSM Agent performs the API operations on the correct instance.

For related information about the `ssmmessages` and `ec2messages` endpoints, including the differences between the two, see [Agent-related API operations (`ssmmessages` and `ec2messages` endpoints)](systems-manager-setting-up-messageAPIs.md#message-services).

To view more details about the policy, including the latest version of the JSON policy document, see [AmazonSSMManagedEC2InstanceDefaultPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedEC2InstanceDefaultPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: SSMQuickSetupRolePolicy
<a name="security-iam-awsmanpol-SSMQuickSetupRolePolicy"></a>

You can't attach `SSMQuickSetupRolePolicy` to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see [Using roles to maintain Quick Setup-provisioned resource health and consistency](using-service-linked-roles-service-action-5.md).

This policy grants read-only permissions that allow Systems Manager to check configuration health, ensure consistent use of parameters and provisioned resources, and remediate resources when drift is detected. It also grants administrative permissions for creating a service-linked role. 

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to read information about Resource Data Syncs and SSM Documents in Systems Manager, including in delegated administrator accounts. This is required so Quick Setup can determine the state that configured resources are intended to be in. 
+ `organizations` – Allows principals to read information about the member accounts that belong to an organization as configured in AWS Organizations. This is required so Quick Setup can identify all accounts in an organization where resource health checks are to be performed. 
+ `cloudformation` – Allows principals to read information from CloudFormation. This is required so Quick Setup can gather data about the CloudFormation stacks used to manage the state of resources and CloudFormation stackset operations. 

To view more details about the policy, including the latest version of the JSON policy document, see [SSMQuickSetupRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SSMQuickSetupRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupDeploymentRolePolicy
<a name="security-iam-awsmanpol-AWSQuickSetupDeploymentRolePolicy"></a>

The managed policy `AWSQuickSetupDeploymentRolePolicy` supports multiple Quick Setup configuration types. These configuration types create IAM roles and automations that configure frequently used Amazon Web Services services and features with recommended best practices.

You can attach `AWSQuickSetupDeploymentRolePolicy` to your IAM entities.

This policy grants administrative permissions needed to create resources associated with the following Quick Setup configurations:
+ [Set up Amazon EC2 host management using Quick Setup](quick-setup-host-management.md)
+ [Create an AWS Config configuration recorder using Quick Setup](quick-setup-config.md)
+ [Deploy AWS Config conformance pack using Quick Setup](quick-setup-cpack.md)
+ [Set up DevOps Guru using Quick Setup](quick-setup-devops.md)
+ [Deploy Distributor packages using Quick Setup](quick-setup-distributor.md)
+ [Stop and start EC2 instances automatically on a schedule using Quick Setup](quick-setup-scheduler.md)

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to read, create, update, and delete SSM documents with names beginning with "AWSQuickSetup-" or "AWSOperationsPack-" when called via CloudFormation; to read specific AWS owned documents including "AWSQuickSetupType-ManageInstanceProfile", "AWSQuickSetupType-ConfigureDevOpsGuru", and "AWSQuickSetupType-DeployConformancePack"; to create, update, and delete associations for Quick Setup documents and AWS owned documents when called via CloudFormation; and to clean up legacy resources tagged with `QuickSetupID`. This enables Quick Setup to deploy and manage automation workflows and associations.
+ `cloudformation` – Allows principals to read information about CloudFormation stacks and stack sets; and to create, update, and delete CloudFormation stacks and change sets for resources with names beginning with "StackSet-AWS-QuickSetup-". This enables Quick Setup to manage infrastructure deployments across accounts and regions.
+ `config` – Allows principals to read information about AWS Config conformance packs and their status; and to create and delete conformance packs with names beginning with "AWS-QuickSetup-" when called via CloudFormation. This enables Quick Setup to deploy compliance monitoring configurations.
+ `events` – Allows principals to manage EventBridge rules and targets for resources with names containing "QuickSetup-". This enables Quick Setup to create scheduled automation workflows.
+ `iam` – Allows principals to create service-linked roles for AWS Config and Systems Manager; to create, manage, and delete IAM roles with names beginning with "AWS-QuickSetup-" or "AWSOperationsPack-" when called via CloudFormation; to pass these roles to Systems Manager and EventBridge services; to attach specific AWS managed policies to these roles; and to set permissions boundaries using specific Quick Setup managed policies. This enables Quick Setup to create the necessary service roles for its operations.
+ `resource-groups` – Allows principals to retrieve resource group queries. This enables Quick Setup to target specific sets of resources for configuration management.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupDeploymentRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupDeploymentRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupPatchPolicyDeploymentRolePolicy
<a name="security-iam-awsmanpol-AWSQuickSetupPatchPolicyDeploymentRolePolicy"></a>

The managed policy `AWSQuickSetupPatchPolicyDeploymentRolePolicy` supports the [Configure patching for instances in an organization using a Quick Setup patch policy](quick-setup-patch-manager.md) Quick Setup type. This configuration type helps automate patching of applications and nodes in a single account or across your organization. 

You can attach `AWSQuickSetupPatchPolicyDeploymentRolePolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

This policy grants administrative permissions that allow Quick Setup to create resources associated with a patch policy configuration.

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to manage and delete IAM roles required for Automation configuration tasks; and to manage Automation role policies.
+ `cloudformation` – Allows principals to read CloudFormation stack information; and to control CloudFormation stacks that were created by Quick Setup using CloudFormation stack sets.
+ `ssm` – Allows principals to create, update, read, and delete Automation runbooks required for configuration tasks; and to create, update, and delete State Manager associations.
+ `resource-groups` – Allows principals to retrieve resource queries that are associated with resource groups targeted by Quick Setup configurations.
+ `s3` – Allows principals to list Amazon S3 buckets; and to manage the buckets for storing patch policy access logs.
+ `lambda` – Allows principals to manage AWS Lambda remediation functions that maintain configurations in the correct state.
+ `logs` – Allows principals to describe and manage log groups for Lambda configuration resources.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupPatchPolicyDeploymentRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupPatchPolicyDeploymentRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupPatchPolicyBaselineAccess
<a name="security-iam-awsmanpol-AWSQuickSetupPatchPolicyBaselineAccess"></a>

The managed policy `AWSQuickSetupPatchPolicyBaselineAccess` supports the [Configure patching for instances in an organization using a Quick Setup patch policy](quick-setup-patch-manager.md) Quick Setup type. This configuration type helps automate patching of applications and nodes in a single account or across your organization. 

You can attach `AWSQuickSetupPatchPolicyBaselineAccess` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

This policy provides read-only permissions to access patch baselines that have been configured by an administrator in the current AWS account or organization using Quick Setup. The patch baselines are stored in an Amazon S3 bucket and can be used for patching instances in a single account or across an entire organization.

**Permissions details**

This policy includes the following permission.
+ `s3` – Allows principals to read patch baseline overrides stored in Amazon S3 buckets.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupPatchPolicyBaselineAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupPatchPolicyBaselineAccess.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: `AWSSystemsManagerEnableExplorerExecutionPolicy`
<a name="security-iam-awsmanpol-AWSSystemsManagerEnableExplorerExecutionPolicy"></a>

The managed policy `AWSSystemsManagerEnableExplorerExecutionPolicy` supports enabling Explorer, a tool in AWS Systems Manager.

You can attach `AWSSystemsManagerEnableExplorerExecutionPolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

This policy grants administrative permissions for enabling Explorer. This includes permissions to update related Systems Manager service settings, and to create a service-linked role for Systems Manager.

**Permissions details**

This policy includes the following permissions.
+ `config` – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.
+ `iam` – Allows principals to help enable Explorer.
+ `ssm` – Allows principals to start an Automation workflow that enables Explorer.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerEnableExplorerExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerEnableExplorerExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: `AWSSystemsManagerEnableConfigRecordingExecutionPolicy`
<a name="security-iam-awsmanpol-AWSSystemsManagerEnableConfigRecordingExecutionPolicy"></a>

The managed policy `AWSSystemsManagerEnableConfigRecordingExecutionPolicy` supports the [Create an AWS Config configuration recorder using Quick Setup](quick-setup-config.md) Quick Setup configuration type. This configuration type enables Quick Setup to track and record changes to the AWS resource types you choose for AWS Config. It also enables Quick Setup to configure delivery and notifications options for the recorded data. 

You can attach `AWSSystemsManagerEnableConfigRecordingExecutionPolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

This policy grants administrative permissions that allow Quick Setup to enable and configure AWS Config configuration recording.

**Permissions details**

This policy includes the following permissions.
+ `s3` – Allows principals to create and configure Amazon S3 buckets for delivery of configuration recordings.
+ `sns` – Allows principals to list and create Amazon SNS topics.
+ `config` – Allows principals to configure and start the configuration recorder; and to help enable Explorer.
+ `iam` – Allows principals to create, get, and pass a service-linked role for AWS Config; and to create a service-linked role for Systems Manager; and to help enable Explorer.
+ `ssm` – Allows principals to start an Automation workflow that enables Explorer.
+ `compute-optimizer` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
+ `support` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerEnableConfigRecordingExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerEnableConfigRecordingExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupDevOpsGuruPermissionsBoundary
<a name="security-iam-awsmanpol-AWSQuickSetupDevOpsGuruPermissionsBoundary"></a>

**Note**  
This policy is a *permissions boundary*. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use or attach Quick Setup permissions boundary policies on your own. Quick Setup permissions boundary policies should only be attached to Quick Setup managed roles. For more information about permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

The managed policy `AWSQuickSetupDevOpsGuruPermissionsBoundary` supports the [Set up DevOps Guru using Quick Setup](quick-setup-devops.md) type. The configuration type enables the machine learning-powered Amazon DevOps Guru. The DevOps Guru service can help improve an application’s operational performance and availability. 

When you create an `AWSQuickSetupDevOpsGuruPermissionsBoundary` configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.

This policy grants administrative permissions that allow Quick Setup to enable and configure Amazon DevOps Guru.

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to create service-linked roles for DevOps Guru and Systems Manager; and to list roles that help enable Explorer.
+ `cloudformation` – Allows principals to list and describe CloudFormation stacks.
+ `sns` – Allows principals to list and create Amazon SNS topics.
+ `devops-guru` – Allows principals to configure DevOps Guru; and to add a notification channel.
+ `config` – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.
+ `ssm` – Allows principals to start an Automation workflow that enables Explorer; and to read and update Explorer service settings. 
+ `compute-optimizer` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
+ `support` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupDevOpsGuruPermissionsBoundary](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupDevOpsGuruPermissionsBoundary.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupDistributorPermissionsBoundary
<a name="security-iam-awsmanpol-AWSQuickSetupDistributorPermissionsBoundary"></a>

**Note**  
This policy is a *permissions boundary*. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use or attach Quick Setup permissions boundary policies on your own. Quick Setup permissions boundary policies should only be attached to Quick Setup managed roles. For more information about permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

The managed policy `AWSQuickSetupDistributorPermissionsBoundary` supports the [Deploy Distributor packages using Quick Setup](quick-setup-distributor.md) Quick Setup configuration type. The configuration type helps enable the distribution of software packages, such as agents, to your Amazon Elastic Compute Cloud (Amazon EC2) instances, using Distributor, a tool in AWS Systems Manager. 

When you create an `AWSQuickSetupDistributorPermissionsBoundary` configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.

This policy grants administrative permissions that allow Quick Setup to enable the distribution of software packages, such as agents, to your Amazon EC2 instances using Distributor.

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to get and pass the Distributor automation role; to create, read, update, and delete the default instance role; to pass the default instance role to Amazon EC2 and Systems Manager; to attach instance management policies to instance roles; to create a service-linked role for Systems Manager; to add the default instance role to instance profiles; to read information about IAM roles and instance profiles; and to create the default instance profile.
+ `ec2` – Allows principals to associate the default instance profile with EC2 instances; and to help enable Explorer.
+ `ssm` – Allows principals to start automation workflows that configure instances and install packages; to help start the automation workflow that enables Explorer; and to read and update Explorer service settings.
+ `config` – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.
+ `compute-optimizer` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
+ `support` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupDistributorPermissionsBoundary](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupDistributorPermissionsBoundary.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupSSMHostMgmtPermissionsBoundary
<a name="security-iam-awsmanpol-AWSQuickSetupSSMHostMgmtPermissionsBoundary"></a>

**Note**  
This policy is a *permissions boundary*. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use or attach Quick Setup permissions boundary policies on your own. Quick Setup permissions boundary policies should only be attached to Quick Setup managed roles. For more information about permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

The managed policy `AWSQuickSetupSSMHostMgmtPermissionsBoundary` supports the [Set up Amazon EC2 host management using Quick Setup](quick-setup-host-management.md) Quick Setup configuration type. This configuration type configures IAM roles and enables commonly used Systems Manager tools to securely manage your Amazon EC2 instances.

When you create an `AWSQuickSetupSSMHostMgmtPermissionsBoundary` configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.

This policy grants administrative permissions that allow Quick Setup to enable and configure Systems Manager tools needed for securely managing EC2 instances.

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to get and pass the service role to Automation. Allows principals to create, read, update, and delete the default instance role; to pass the default instance role to Amazon EC2 and Systems Manager; to attach instance management policies to instance roles; to create a service-linked role for Systems Manager; to add the default instance role to instance profiles; to read information about IAM roles and instance profiles; and to create the default instance profile.
+ `ec2` – Allows principals to associate and disassociate the default instance profile with EC2 instances.
+ `ssm` – Allows principals to start Automation workflows that enable Explorer; to read and update Explorer service settings; to configure instances; and to enable Systems Manager tools on instances.
+ `compute-optimizer` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
+ `support` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupSSMHostMgmtPermissionsBoundary](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupSSMHostMgmtPermissionsBoundary.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupPatchPolicyPermissionsBoundary
<a name="security-iam-awsmanpol-AWSQuickSetupPatchPolicyPermissionsBoundary"></a>

**Note**  
This policy is a *permissions boundary*. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. Do not attach Quick Setup permissions boundary policies to IAM entities yourself; they should be attached only to the roles that Quick Setup manages. For more information about permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

The managed policy `AWSQuickSetupPatchPolicyPermissionsBoundary` supports the [Configure patching for instances in an organization using a Quick Setup patch policy](quick-setup-patch-manager.md) Quick Setup type. This configuration type helps automate patching of applications and nodes in a single account or across your organization. 

When you create an `AWSQuickSetupPatchPolicyPermissionsBoundary` configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.

This policy grants administrative permissions that allow Quick Setup to enable and configure patch policies in Patch Manager, a tool in AWS Systems Manager.

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to get the Patch Manager Automation role; to pass Automation roles to Patch Manager patching operations; to create the default instance role, `AmazonSSMRoleForInstancesQuickSetup`; to pass the default instance role to Amazon EC2 and Systems Manager; to attach selected AWS managed policies to the instance role; to create a service-linked role for Systems Manager; to add the default instance role to instance profiles; to read information about instance profiles and roles; to create a default instance profile; and to tag roles that have permissions to read patch baseline overrides.
+ `ssm` – Allows principals to update the instance role that is managed by Systems Manager; to manage associations created by Patch Manager patch policies created in Quick Setup; to tag instances targeted by a patch policy configuration; to read information about instances and patching status; to start Automation workflows that configure, enable, and remediate instance patching; to start automation workflows that enable Explorer; to help enable Explorer; and to read and update Explorer service settings.
+ `ec2` – Allows principals to associate and disassociate the default instance profile with EC2 instances; to tag instances targeted by a patch policy configuration; and to help enable Explorer.
+ `s3` – Allows principals to create and configure S3 buckets to store patch baseline overrides.
+ `lambda` – Allows principals to invoke AWS Lambda functions that configure patching and to perform clean-up operations after a Quick Setup patch policy configuration is deleted.
+ `logs` – Allows principals to configure logging for Patch Manager Quick Setup AWS Lambda functions.
+ `config` – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.
+ `compute-optimizer` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
+ `support` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupPatchPolicyPermissionsBoundary](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupPatchPolicyPermissionsBoundary.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupSchedulerPermissionsBoundary
<a name="security-iam-awsmanpol-AWSQuickSetupSchedulerPermissionsBoundary"></a>

**Note**  
This policy is a *permissions boundary*. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. Do not attach Quick Setup permissions boundary policies to IAM entities yourself; they should be attached only to the roles that Quick Setup manages. For more information about permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

The managed policy `AWSQuickSetupSchedulerPermissionsBoundary` supports the [Stop and start EC2 instances automatically on a schedule using Quick Setup](quick-setup-scheduler.md) Quick Setup configuration type. This configuration type lets you stop and start your EC2 instances and other resources at the times you specify. 

When you create an `AWSQuickSetupSchedulerPermissionsBoundary` configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.

This policy grants administrative permissions that allow Quick Setup to enable and configure scheduled operations on EC2 instances and other resources.

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to retrieve and pass roles for instance management automation actions; to manage, pass, and attach default instance roles for EC2 instance management; to create default instance profiles; to add default instance roles to instance profiles; to create a service-linked role for Systems Manager; to read information about IAM roles and instance profiles; to associate a default instance profile with EC2 instances; and to start Automation workflows to configure instances and enable Systems Manager tools on them.
+ `ssm` – Allows principals to start Automation workflows that enable Explorer; and to read and update Explorer service settings.
+ `ec2` – Allows principals to locate targeted instances and to start and stop them on a schedule.
+ `config` – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.
+ `compute-optimizer` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
+ `support` – Allows principals to help enable Explorer by providing read-only access to AWS Trusted Advisor checks for an account.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupSchedulerPermissionsBoundary](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupSchedulerPermissionsBoundary.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupCFGCPacksPermissionsBoundary
<a name="security-iam-awsmanpol-AWSQuickSetupCFGCPacksPermissionsBoundary"></a>

**Note**  
This policy is a *permissions boundary*. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. Do not attach Quick Setup permissions boundary policies to IAM entities yourself; they should be attached only to the roles that Quick Setup manages. For more information about permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

The managed policy `AWSQuickSetupCFGCPacksPermissionsBoundary` supports the [Deploy AWS Config conformance pack using Quick Setup](quick-setup-cpack.md) Quick Setup configuration type. This configuration type deploys AWS Config conformance packs. Conformance packs are collections of AWS Config rules and remediation actions that can be deployed as a single entity.

When you create an `AWSQuickSetupCFGCPacksPermissionsBoundary` configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.

This policy grants administrative permissions that allow Quick Setup to deploy AWS Config conformance packs.

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to create, get, and pass a service-linked role for AWS Config. 
+ `sns` – Allows principals to list platform applications in Amazon SNS. 
+ `config` – Allows principals to deploy AWS Config conformance packs; to get the status of conformance packs; and to get information about configuration recorders.
+ `ssm` – Allows principals to get information about SSM documents and Automation workflows; to get information about resource tags; and to get information about and update service settings.
+ `compute-optimizer` – Allows principals to get the opt-in status of an account.
+ `support` – Allows principals to get information about AWS Trusted Advisor checks.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupCFGCPacksPermissionsBoundary](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupCFGCPacksConfigurationPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupStartStopInstancesExecutionPolicy
<a name="security-iam-awsmanpol-AWSQuickSetupStartStopInstancesExecutionPolicy"></a>

You can attach `AWSQuickSetupStartStopInstancesExecutionPolicy` to your IAM entities. This policy provides permissions for Quick Setup to manage the starting and stopping of Amazon EC2 instances using Systems Manager automation.

**Permissions details**

This policy includes the following permissions.
+ `ec2` – Allows principals to describe Amazon EC2 instances, their status, regions, and tags. Also allows starting and stopping specific Amazon EC2 instances.
+ `ssm` – Allows principals to get calendar state from Quick Setup change calendars, start associations, and execute automation documents for instance scheduling.
+ `iam` – Allows principals to pass Quick Setup IAM roles to Systems Manager for automation execution, with conditions that restrict the service to `ssm.amazonaws.com` and specific resource ARNs.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupStartStopInstancesExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupStartStopInstancesExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupStartSSMAssociationsExecutionPolicy
<a name="security-iam-awsmanpol-AWSQuickSetupStartSSMAssociationsExecutionPolicy"></a>

This policy grants permissions that allow Quick Setup to run the `AWSQuickSetupType-Scheduler-ChangeCalendarState` Automation runbook. This runbook is used to manage change calendar states for scheduled operations in Quick Setup configurations.

You can attach `AWSQuickSetupStartSSMAssociationsExecutionPolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to start automation executions specifically for the `AWSQuickSetupType-Scheduler-ChangeCalendarState` document. This is required for Quick Setup to manage change calendar states for scheduled operations.
+ `iam` – Allows principals to pass roles with names that begin with `AWS-QuickSetup-` to the Systems Manager service. This permission is restricted to use with specific SSM documents related to change calendar management. This is required for Quick Setup to pass the appropriate execution role to the automation process.
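Two mechanics recur throughout this page: a permissions boundary caps what a role's identity-based policy can grant (the Quick Setup boundary notes above), and `iam:PassRole` is scoped by a role-name ARN pattern plus the `iam:PassedToService` condition (this policy and `AWSQuickSetupStartStopInstancesExecutionPolicy`). The following offline evaluator is an added example, not AWS code and not the contents of any AWS managed policy; the identity policy, boundary, role names and account ID in it are constructed for illustration. It models the documented IAM evaluation rule that an explicit deny wins and that, when a boundary is present, both the identity policy and the boundary must allow the request.

```python
"""Offline model of two IAM behaviours described on this page (constructed example).

1. Permissions boundary: effective permissions are the intersection of the
   role's identity-based policy and the boundary.
2. iam:PassRole scoped by a resource ARN pattern and the iam:PassedToService
   condition key.

Only Action/Resource wildcards and StringEquals/StringLike conditions are
modelled; this is not a full IAM policy engine.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards '*' and '?' map directly onto fnmatch semantics.
    return any(fnmatchcase(value, p) for p in patterns)


def _conditions_hold(condition, ctx):
    for operator, checks in (condition or {}).items():
        for key, wanted in checks.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(wanted):
                    return False
            elif operator == "StringLike":
                if actual is None or not _matches(_as_list(wanted), actual):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, action, resource, ctx=None):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one policy document."""
    ctx = ctx or {}
    verdict = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]  # actions are case-insensitive
        resources = _as_list(stmt.get("Resource", "*"))
        if not _matches(actions, action.lower()):
            continue
        if not _matches(resources, resource):
            continue
        if not _conditions_hold(stmt.get("Condition"), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        verdict = "Allow"
    return verdict


def is_allowed(identity_policy, action, resource, boundary=None, ctx=None):
    """Identity policy AND boundary (if any) must allow; any explicit deny blocks."""
    verdicts = [evaluate(identity_policy, action, resource, ctx)]
    if boundary is not None:
        verdicts.append(evaluate(boundary, action, resource, ctx))
    if "Deny" in verdicts:
        return False
    return all(v == "Allow" for v in verdicts)


# Constructed identity policy: deliberately broad, as an over-permissive role might be.
BROAD_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole", "iam:CreateRole"], "Resource": "*"},
    ],
}

# Constructed boundary in the spirit of the scheduler policies on this page:
# only describe/start/stop on EC2, and PassRole only for AWS-QuickSetup-* roles
# and only to the Systems Manager service principal.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::*:role/AWS-QuickSetup-*",
         "Condition": {"StringEquals": {"iam:PassedToService": "ssm.amazonaws.com"}}},
    ],
}

# Constructed ARNs (account ID 111122223333 is a placeholder).
QUICKSETUP_ROLE = "arn:aws:iam::111122223333:role/AWS-QuickSetup-Scheduler"
ADMIN_ROLE = "arn:aws:iam::111122223333:role/Admin"


def demo():
    """Verdicts for a handful of requests, with and without the boundary."""
    ssm = {"iam:PassedToService": "ssm.amazonaws.com"}
    lam = {"iam:PassedToService": "lambda.amazonaws.com"}
    return {
        "terminate, no boundary": is_allowed(BROAD_ROLE_POLICY, "ec2:TerminateInstances", "*"),
        "terminate, with boundary": is_allowed(BROAD_ROLE_POLICY, "ec2:TerminateInstances", "*", BOUNDARY),
        "stop, with boundary": is_allowed(BROAD_ROLE_POLICY, "ec2:StopInstances", "*", BOUNDARY),
        "pass QS role to ssm": is_allowed(BROAD_ROLE_POLICY, "iam:PassRole", QUICKSETUP_ROLE, BOUNDARY, ssm),
        "pass QS role to lambda": is_allowed(BROAD_ROLE_POLICY, "iam:PassRole", QUICKSETUP_ROLE, BOUNDARY, lam),
        "pass Admin role to ssm": is_allowed(BROAD_ROLE_POLICY, "iam:PassRole", ADMIN_ROLE, BOUNDARY, ssm),
        "create role, with boundary": is_allowed(BROAD_ROLE_POLICY, "iam:CreateRole", "*", BOUNDARY),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:28s} -> {'ALLOW' if allowed else 'DENY'}")
```

The point the model makes concrete: the broad identity policy grants `ec2:TerminateInstances` and `iam:CreateRole`, but with the boundary attached neither is effective, and `iam:PassRole` succeeds only for a role matching the `AWS-QuickSetup-*` pattern when the request context names `ssm.amazonaws.com`. Passing the same role to Lambda, or passing an unrelated role, falls outside the boundary even though the identity policy would permit it.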

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupStartSSMAssociationsExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupStartSSMAssociationsExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy
<a name="security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy"></a>

The policy `AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy` provides permissions for diagnosing issues with nodes that interact with Systems Manager services by starting Automation workflows in accounts and Regions where nodes are managed.

You can attach `AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform diagnosis actions on your behalf.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to run specific Automation runbooks that diagnose node issues, access the execution status for workflows, and retrieve automation execution details. The policy grants permissions to describe automation executions, describe automation step executions, get automation execution details, and start automation executions for diagnosis-related documents.
+ `kms` – Allows principals to use customer-specified AWS Key Management Service keys for decryption and data key generation when accessing encrypted objects in Amazon S3 buckets used for diagnosis operations. These permissions are restricted to keys tagged with `SystemsManagerManaged` and used via Amazon S3 service with specific encryption context requirements.
+ `sts` – Allows principals to assume diagnosis execution roles to run Automation runbooks in the same account. This permission is restricted to roles with the `AWS-SSM-DiagnosisExecutionRole` naming pattern and includes a condition to ensure the resource account matches the principal account.
+ `iam` – Allows principals to pass the diagnosis administration role to Systems Manager to run Automation runbooks. This permission is restricted to roles with the `AWS-SSM-DiagnosisAdminRole` naming pattern and can only be passed to the Systems Manager service.
+ `s3` – Allows principals to access, read, write, and delete objects in Amazon S3 buckets used for diagnosis operations. These permissions are restricted to buckets with the `do-not-delete-ssm-diagnosis-` naming pattern and include conditions to ensure operations are performed within the same account.

To view more details about the policy, including the latest version of the JSON policy document, see [AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy
<a name="security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy"></a>

The managed policy `AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy` provides administrative permissions for running Automation runbooks in a targeted AWS account and Region to diagnose issues with managed nodes that interact with Systems Manager services.

You can attach `AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `ec2` – Allows principals to describe Amazon EC2 and Amazon VPC resources and their configurations to diagnose issues with Systems Manager services. This includes permissions to describe VPCs, VPC attributes, VPC endpoints, subnets, security groups, instances, instance status, network ACLs, and internet gateways.
+ `ssm` – Allows principals to run diagnosis-specific Automation runbooks and access the automation workflow status and execution metadata. This includes permissions to describe automation step executions, describe instance information, describe automation executions, describe activations, get automation execution details, get service settings, and start automation executions for specific AWS unmanaged EC2 diagnosis documents.
+ `kms` – Allows principals to use customer-specified AWS Key Management Service keys for decryption and data key generation when accessing encrypted objects in Amazon S3 buckets used for diagnosis operations. These permissions are restricted to keys tagged with `SystemsManagerManaged` and used via Amazon S3 service with specific encryption context requirements for diagnosis buckets.
+ `iam` – Allows principals to pass the diagnosis execution role to Systems Manager to run Automation documents. This permission is restricted to roles with the `AWS-SSM-DiagnosisExecutionRole` naming pattern and can only be passed to the Systems Manager service.

To view more details about the policy, including the latest version of the JSON policy document, see [AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWS-SSM-RemediationAutomation-AdministrationRolePolicy
<a name="security-iam-awsmanpol-AWS-SSM-RemediationAutomation-AdministrationRolePolicy"></a>

The policy `AWS-SSM-RemediationAutomation-AdministrationRolePolicy` provides permissions for remediating issues with Systems Manager services by running the activities defined within Automation documents. This policy enables starting Automation workflows in accounts and Regions where nodes are managed to address connectivity and configuration issues.

You can attach `AWS-SSM-RemediationAutomation-AdministrationRolePolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform remediation actions on your behalf.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to run specific Automation runbooks that remediate node issues, access the execution status for workflows, and retrieve automation execution details. The policy grants permissions to describe automation executions, describe automation step executions, get automation execution details, and start automation executions for remediation-related documents.
+ `kms` – Allows principals to use customer-specified AWS Key Management Service keys for decryption and data key generation when accessing encrypted objects in Amazon S3 buckets used for remediation operations. These permissions are restricted to keys tagged with `SystemsManagerManaged` and used via Amazon S3 service with specific encryption context requirements.
+ `sts` – Allows principals to assume remediation execution roles to run Automation runbooks in the same account. This permission is restricted to roles with the `AWS-SSM-RemediationExecutionRole` naming pattern and includes a condition to ensure the resource account matches the principal account.
+ `iam` – Allows principals to pass the remediation administration role to Systems Manager to run Automation runbooks. This permission is restricted to roles with the `AWS-SSM-RemediationAdminRole` naming pattern and can only be passed to the Systems Manager service.
+ `s3` – Allows principals to access, read, write, and delete objects in Amazon S3 buckets used for remediation operations. These permissions are restricted to buckets with the `do-not-delete-ssm-diagnosis-` naming pattern and include conditions to ensure operations are performed within the same account.

To view more details about the policy, including the latest version of the JSON policy document, see [AWS-SSM-RemediationAutomation-AdministrationRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWS-SSM-RemediationAutomation-AdministrationRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWS-SSM-RemediationAutomation-ExecutionRolePolicy
<a name="security-iam-awsmanpol-AWS-SSM-RemediationAutomation-ExecutionRolePolicy"></a>

The managed policy `AWS-SSM-RemediationAutomation-ExecutionRolePolicy` provides permissions for running Automation runbooks in a specific target account and Region to remediate networking and connectivity issues with managed nodes that interact with Systems Manager services. This policy enables the remediation activities defined within Automation documents that address connectivity and configuration issues.

You can attach the policy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform remediation actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to retrieve information about Automation executions and their step executions, and to start specific remediation Automation runbooks including `AWS-OrchestrateUnmanagedEC2Actions` and `AWS-RemediateSSMAgent` documents. The policy grants permissions to describe automation executions, describe automation step executions, get automation execution details, and start automation executions for remediation-related documents.
+ `ec2` – Allows principals to describe and modify Amazon VPC networking resources to remediate connectivity issues. This includes:
  + Describing Amazon VPC attributes, subnets, Amazon VPC endpoints, and security groups.
  + Creating Amazon VPC endpoints for Systems Manager services (`ssm`, `ssmmessages`, and `ec2messages`) with required tags.
  + Modifying Amazon VPC attributes to enable DNS support and hostnames.
  + Creating and managing security groups with specific tags for Amazon VPC endpoint access.
  + Authorizing and revoking security group rules for HTTPS access with appropriate tags.
  + Creating tags on Amazon VPC endpoints, security groups, and security group rules during resource creation.
+ `kms` – Allows principals to use customer-specified AWS Key Management Service keys for decryption and data key generation when accessing encrypted objects in Amazon S3 buckets used for remediation operations. These permissions are restricted to keys tagged with `SystemsManagerManaged` and used via Amazon S3 service with specific encryption context requirements.
+ `iam` – Allows principals to pass the remediation execution role to Systems Manager to run Automation runbooks. This permission is restricted to roles with the `AWS-SSM-RemediationExecutionRole` naming pattern and can only be passed to the Systems Manager service.

To view more details about the policy, including the latest version of the JSON policy document, see [AWS-SSM-RemediationAutomation-ExecutionRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWS-SSM-RemediationAutomation-ExecutionRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupSSMManageResourcesExecutionPolicy
<a name="security-iam-awsmanpol-AWSQuickSetupSSMManageResourcesExecutionPolicy"></a>

This policy grants permissions that allow Quick Setup to run the `AWSQuickSetupType-SSM-SetupResources` Automation runbook. This runbook creates IAM roles for Quick Setup associations, which in turn are created by an `AWSQuickSetupType-SSM` deployment. It also grants permissions to clean up an associated Amazon S3 bucket during a Quick Setup delete operation.

You can attach the policy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to list and manage IAM roles for use with Quick Setup Systems Manager Explorer operations; and to view, attach, and detach IAM policies for use with Quick Setup and Systems Manager Explorer. These permissions are required so Quick Setup can create the roles needed for some of its configuration operations.
+ `s3` – Allows principals to retrieve information about objects in, and to delete objects from, Amazon S3 buckets in the principal account that are used specifically in Quick Setup configuration operations. This is required so that S3 objects that are no longer needed after configuration can be removed.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupSSMManageResourcesExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupSSMManageResourcesExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupSSMLifecycleManagementExecutionPolicy
<a name="security-iam-awsmanpol-AWSQuickSetupSSMLifecycleManagementExecutionPolicy"></a>

The `AWSQuickSetupSSMLifecycleManagementExecutionPolicy` policy grants administrative permissions that allow Quick Setup to run a CloudFormation custom resource on lifecycle events during Quick Setup deployment in Systems Manager.

You can attach this policy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to get information about automation executions and start automation executions for setting up certain Quick Setup operations.
+ `iam` – Allows principals to pass roles from IAM for setting up certain Quick Setup resources.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupSSMLifecycleManagementExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupSSMLifecycleManagementExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupSSMDeploymentRolePolicy
<a name="security-iam-awsmanpol-AWSQuickSetupSSMDeploymentRolePolicy"></a>

The managed policy `AWSQuickSetupSSMDeploymentRolePolicy` grants administrative permissions that allow Quick Setup to create resources that are used during the Systems Manager onboarding process. 

Though you can manually attach this policy to your IAM entities, this is not recommended. Quick Setup creates entities that attach this policy to a service role that allows Systems Manager to perform actions on your behalf.

This policy is not related to the [`SSMQuickSetupRolePolicy` policy](using-service-linked-roles-service-action-5.md), which is used to provide permissions for the `AWSServiceRoleForSSMQuickSetup` service-linked role.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to manage associations for certain resources that are created using AWS CloudFormation templates and a specific set of SSM documents; to manage roles and role policies used for diagnosing and remediating managed nodes through CloudFormation templates; and to attach and delete policies for Quick Setup lifecycle events.
+ `iam` – Allows principals to tag roles, to pass roles to the Systems Manager service and the Lambda service, and to pass roles for diagnosis operations.
+ `lambda` – Allows principals to tag and manage functions for the Quick Setup lifecycle in the principal account using CloudFormation templates.
+ `cloudformation` – Allows principals to read information from CloudFormation. This is required so Quick Setup can gather data about the CloudFormation stacks used to manage the state of resources and CloudFormation stackset operations. 

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupSSMDeploymentRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupSSMDeploymentRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupSSMDeploymentS3BucketRolePolicy
<a name="security-iam-awsmanpol-AWSQuickSetupSSMDeploymentS3BucketRolePolicy"></a>

The `AWSQuickSetupSSMDeploymentS3BucketRolePolicy` policy grants permissions for listing all S3 buckets in an account; and for managing and retrieving information about specific buckets in the principal account that are managed through CloudFormation templates.

You can attach `AWSQuickSetupSSMDeploymentS3BucketRolePolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `s3` – Allows principals to list all S3 buckets in an account; and to manage and retrieve information about specific buckets in the principal account that are managed through CloudFormation templates.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupSSMDeploymentS3BucketRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupSSMDeploymentS3BucketRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupEnableDHMCExecutionPolicy
<a name="security-iam-awsmanpol-AWSQuickSetupEnableDHMCExecutionPolicy"></a>

This policy grants administrative permissions that allow principals to run the `AWSQuickSetupType-EnableDHMC` Automation runbook, which enables Default Host Management Configuration. The Default Host Management Configuration setting allows Systems Manager to automatically manage Amazon EC2 instances as *managed instances*. A managed instance is an EC2 instance that is configured for use with Systems Manager. This policy also grants permissions for creating IAM roles that are specified in Systems Manager service settings as the default roles for SSM Agent.

You can attach `AWSQuickSetupEnableDHMCExecutionPolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to update and get information about Systems Manager service settings.
+ `iam` – Allows principals to create and retrieve information about IAM roles for Quick Setup operations.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupEnableDHMCExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupEnableDHMCExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupEnableAREXExecutionPolicy
<a name="security-iam-awsmanpol-AWSQuickSetupEnableAREXExecutionPolicy"></a>

This policy grants administrative permissions that allow Systems Manager to run the `AWSQuickSetupType-EnableAREX` Automation runbook, which enables AWS Resource Explorer for use with Systems Manager. Resource Explorer makes it possible to view resources in your account with a search experience similar to an Internet search engine. The policy also grants permissions for managing Resource Explorer indexes and views.

You can attach `AWSQuickSetupEnableAREXExecutionPolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to create a service-linked role in the AWS Identity and Access Management (IAM) service.
+ `resource-explorer-2` – Allows principals to retrieve information about Resource Explorer views and indexes, to create Resource Explorer views and indexes, and to change the index type for indexes displayed in Quick Setup.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupEnableAREXExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupEnableAREXExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupManagedInstanceProfileExecutionPolicy
<a name="security-iam-awsmanpol-AWSQuickSetupManagedInstanceProfileExecutionPolicy"></a>

This policy grants administrative permissions that allow Systems Manager to create a default IAM instance profile for the Quick Setup tool, and to attach it to Amazon EC2 instances that don't already have an instance profile attached. The policy also grants Systems Manager the ability to attach permissions to existing instance profiles. This is done to ensure that the permissions required for Systems Manager to communicate with SSM Agent on EC2 instances are in place.

You can attach `AWSQuickSetupManagedInstanceProfileExecutionPolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to start automation workflows associated with Quick Setup processes.
+ `ec2` – Allows principals to attach IAM instance profiles to EC2 instances that are managed by Quick Setup.
+ `iam` – Allows principals to create, update, and retrieve information about roles from IAM that are used in Quick Setup processes; to create IAM instance profiles; to attach the `AmazonSSMManagedInstanceCore` managed policy to IAM instance profiles.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupManagedInstanceProfileExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupManagedInstanceProfileExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupManageJITNAResourcesExecutionPolicy
<a name="security-iam-awsmanpol-AWSQuickSetupManageJITNAResourcesExecutionPolicy"></a>

The managed policy `AWSQuickSetupManageJITNAResourcesExecutionPolicy` enables Quick Setup, a tool in Systems Manager, to set up just-in-time node access.

You can attach `AWSQuickSetupManageJITNAResourcesExecutionPolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

This policy grants administrative permissions that allow Systems Manager to create resources associated with just-in-time node access.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to get and update the service setting that specifies the identity provider for just-in-time node access.
+ `iam` – Allows principals to create, tag, and get roles, attach role policies for just-in-time node access managed policies, and create service-linked roles for just-in-time node access and notifications.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupManageJITNAResourcesExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupManageJITNAResourcesExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupJITNADeploymentRolePolicy
<a name="security-iam-awsmanpol-AWSQuickSetupJITNADeploymentRolePolicy"></a>

The managed policy `AWSQuickSetupJITNADeploymentRolePolicy` allows Quick Setup to deploy the configuration type required to set up just-in-time node access.

You can attach `AWSQuickSetupJITNADeploymentRolePolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

This policy grants administrative permissions that allow Systems Manager to create resources associated with just-in-time node access.

**Permissions details**

This policy includes the following permissions.
+ `cloudformation` – Allows principals to create, update, delete, and read CloudFormation stacks.
+ `ssm` – Allows principals to create, delete, update, and read State Manager associations that are called by CloudFormation.
+ `iam` – Allows principals to create, delete, read, and tag IAM roles that are called by CloudFormation.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupJITNADeploymentRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupJITNADeploymentRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSSystemsManagerJustInTimeAccessServicePolicy
<a name="security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessServicePolicy"></a>

The managed policy `AWSSystemsManagerJustInTimeAccessServicePolicy` provides access to AWS resources managed or used by the AWS Systems Manager just-in-time access framework. The policy also allows the service to tag Automation executions, so that you can scope down operator permissions to executions that carry specific tags.

You can't attach `AWSSystemsManagerJustInTimeAccessServicePolicy` to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see [Using roles to enable just-in-time node access](using-service-linked-roles-service-action-8.md).

This policy grants administrative permissions that allow access to resources associated with just-in-time node access.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to create, get, update, and describe OpsItems; to add tags to OpsItems and Automation executions; to get, describe, and list documents; to describe sessions; and to list tags for managed instances.
+ `ssm-guiconnect` – Allows principals to list connections.
+ `identitystore` – Allows principals to get user and group IDs, describe users, and list group membership.
+ `sso-directory` – Allows principals to describe users and determine if a user is a member of a group.
+ `sso` – Allows principals to describe registered Regions and list instances and directory associations.
+ `cloudwatch` – Allows principals to put metric data for the `AWS/SSM/JustInTimeAccess` namespace.
+ `ec2` – Allows principals to describe tags.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerJustInTimeAccessServicePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerJustInTimeAccessServicePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSSystemsManagerJustInTimeAccessTokenPolicy
<a name="security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessTokenPolicy"></a>

The managed policy `AWSSystemsManagerJustInTimeAccessTokenPolicy` provides permissions for users to establish secure connections to Amazon EC2 instances and managed instances through Session Manager and Systems Manager GUI Connect RDP connections as part of just-in-time node access workflows.

You can attach `AWSSystemsManagerJustInTimeAccessTokenPolicy` to your IAM entities.

This policy grants contributor permissions that allow users to start and manage secure sessions, establish RDP connections, and perform necessary cryptographic operations for just-in-time node access.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to start Session Manager sessions on Amazon EC2 instances and managed instances using the `SSM-SessionManagerRunShell` document, and to terminate and resume sessions. When called through Systems Manager GUI Connect, also allows principals to retrieve command invocation details and send commands to instances for SSO user setup, and to start port forwarding sessions for RDP connections.
+ `ssmmessages` – Allows principals to open data channels for secure communication during Session Manager sessions.
+ `ssm-guiconnect` – Allows principals to start, get details about, and cancel Systems Manager GUI Connect RDP connections to instances.
+ `kms` – Allows principals to generate data keys for Session Manager encryption and create grants for RDP connections. These permissions are restricted to AWS KMS keys tagged with `SystemsManagerJustInTimeNodeAccessManaged=true`. Grant creation is further restricted to be used only through the Systems Manager GUI Connect service.
+ `sso` – Allows principals to list directory associations when called through Systems Manager GUI Connect. This is required for RDP SSO user setup.
+ `identitystore` – Allows principals to describe users in the identity store when called through Systems Manager GUI Connect. This is required for RDP SSO user setup.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerJustInTimeAccessTokenPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerJustInTimeAccessTokenPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSSystemsManagerJustInTimeAccessTokenSessionPolicy
<a name="security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessTokenSessionPolicy"></a>

The managed policy `AWSSystemsManagerJustInTimeAccessTokenSessionPolicy` allows Systems Manager to apply scoped-down permissions to a just-in-time node access token.

You can attach `AWSSystemsManagerJustInTimeAccessTokenSessionPolicy` to your IAM entities.

This policy grants administrative permissions that allow Systems Manager to scope down the permissions of just-in-time node access tokens.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to start Session Manager sessions using the `SSM-SessionManagerRunShell` document. When the request is made through `ssm-guiconnect`, also allows principals to start sessions using the `AWS-StartPortForwardingSession` document, to list command invocations, and to send commands using the `AWSSSO-CreateSSOUser` document.
+ `ssm-guiconnect` – Allows principals to cancel, get, and start connections on all resources.
+ `kms` – Allows principals to create grants and generate data keys for keys tagged with `SystemsManagerJustInTimeNodeAccessManaged` when called via `ssm-guiconnect` through an AWS service.
+ `sso` – Allows principals to list directory associations when called via `ssm-guiconnect`.
+ `identitystore` – Allows principals to describe a user when called via `ssm-guiconnect`.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerJustInTimeAccessTokenSessionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerJustInTimeAccessTokenSessionPolicy.html) in the *AWS Managed Policy Reference Guide*.
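
The two token policies above gate their KMS permissions in the same way: `kms:GenerateDataKey` only on keys tagged `SystemsManagerJustInTimeNodeAccessManaged=true`, and `kms:CreateGrant` only when that tag is present *and* the call arrives through Systems Manager GUI Connect. The following Python is an added example that models those two conditions so you can see which requests pass and which fail; it is not AWS code and not the published policy JSON. The statements are constructed from the prose descriptions on this page, `aws:ResourceTag/<key>` and `aws:CalledVia` are real IAM global condition keys, and the GUI Connect service principal string, the account and key IDs, and the simplified evaluator (identity policy only: no KMS key policy, SCPs, or permissions boundaries) are all assumptions.

```python
"""Toy IAM evaluator for the tag- and caller-scoped KMS statements described
for the just-in-time node access token policies.

Added example for this page: NOT AWS code and NOT the real policy document.
The statements are constructed from the prose descriptions; the GUI Connect
principal string and the evaluation logic are assumptions, and only the
identity-based policy is modelled (no KMS key policy, SCPs or boundaries).
"""
import fnmatch

TAG_KEY = "aws:ResourceTag/SystemsManagerJustInTimeNodeAccessManaged"
GUI_CONNECT = "ssm-guiconnect.amazonaws.com"  # assumed service principal string

# Constructed model of the relevant statements (not the published document).
TOKEN_POLICY_MODEL = {
    "Statement": [
        {"Sid": "StartShellSession", "Effect": "Allow",
         "Action": "ssm:StartSession",
         "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"},
        {"Sid": "GenerateDataKeyOnTaggedKeys", "Effect": "Allow",
         "Action": "kms:GenerateDataKey", "Resource": "*",
         "Condition": {"StringEquals": {TAG_KEY: "true"}}},
        {"Sid": "CreateGrantViaGuiConnect", "Effect": "Allow",
         "Action": "kms:CreateGrant", "Resource": "*",
         "Condition": {"StringEquals": {TAG_KEY: "true"},
                       "ForAnyValue:StringEquals": {"aws:CalledVia": GUI_CONNECT}}},
    ]
}

# Constructed inventory: documentation-style placeholder account and key IDs.
# Only the first key carries the tag the policy requires.
ACCOUNT = "111122223333"
TAGGED_KEY = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
UNTAGGED_KEY = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/0987dcba-09fe-87dc-65ba-ab0987654321"
KMS_KEY_TAGS = {
    TAGGED_KEY: {"SystemsManagerJustInTimeNodeAccessManaged": "true"},
    UNTAGGED_KEY: {},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style wildcards: '*' and '?' match any characters, case-sensitively.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = ctx.get(key)
            if operator == "StringEquals":
                # Single-valued key: a missing key or a different value fails.
                if actual not in expected:
                    return False
            elif operator == "ForAnyValue:StringEquals":
                # Multi-valued key: at least one of the actual values must match.
                if not set(_as_list(actual or [])) & set(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def request_context(resource, called_via=()):
    """Build the condition context IAM would derive for a request: the
    target resource's tags plus the chain of AWS services making the call."""
    ctx = {"aws:CalledVia": list(called_via)}
    for tag, value in KMS_KEY_TAGS.get(resource, {}).items():
        ctx[f"aws:ResourceTag/{tag}"] = value
    return ctx


def is_allowed(policy, action, resource, ctx):
    """Simplified IAM decision: an explicit Deny always wins, a matching
    Allow grants, and anything else is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_cases():
    """Decisions for the requests that matter operationally."""
    p = TOKEN_POLICY_MODEL
    shell_doc = f"arn:aws:ssm:us-east-1:{ACCOUNT}:document/SSM-SessionManagerRunShell"
    pf_doc = f"arn:aws:ssm:us-east-1:{ACCOUNT}:document/AWS-StartPortForwardingSession"
    return {
        "shell_session": is_allowed(p, "ssm:StartSession", shell_doc, {}),
        "port_forward_direct": is_allowed(p, "ssm:StartSession", pf_doc, {}),
        "datakey_tagged": is_allowed(p, "kms:GenerateDataKey", TAGGED_KEY,
                                     request_context(TAGGED_KEY)),
        "datakey_untagged": is_allowed(p, "kms:GenerateDataKey", UNTAGGED_KEY,
                                       request_context(UNTAGGED_KEY)),
        "grant_direct": is_allowed(p, "kms:CreateGrant", TAGGED_KEY,
                                   request_context(TAGGED_KEY)),
        "grant_via_guiconnect": is_allowed(p, "kms:CreateGrant", TAGGED_KEY,
                                           request_context(TAGGED_KEY, [GUI_CONNECT])),
        "grant_via_other_service": is_allowed(
            p, "kms:CreateGrant", TAGGED_KEY,
            request_context(TAGGED_KEY, ["cloudformation.amazonaws.com"])),
    }


if __name__ == "__main__":
    for name, decision in check_cases().items():
        print(f"{name:26s} {'ALLOW' if decision else 'DENY'}")
```

The practical consequence for operators: a Session Manager KMS key that is missing the `SystemsManagerJustInTimeNodeAccessManaged=true` tag makes every just-in-time session fail at `kms:GenerateDataKey`, and a `kms:CreateGrant` issued by the operator's own tooling rather than through GUI Connect is denied even on a correctly tagged key. The real decision also depends on the KMS key policy and any SCPs, which this model leaves out.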

## AWS managed policy: AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy
<a name="security-iam-awsmanpol-AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy"></a>

The managed policy `AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy` allows Systems Manager to share deny-access policies from the delegated administrator account to member accounts, and replicate the policies across multiple AWS Regions.

You can attach `AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy` to your IAM entities.

This policy provides the administrative permissions necessary for Systems Manager to share and create deny-access policies. This ensures that deny-access policies are applied to all accounts in an AWS Organizations organization and Regions configured for just-in-time node access.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to manage SSM documents and resource policies.
+ `ssm-quicksetup` – Allows principals to read Quick Setup configuration managers.
+ `organizations` – Allows principals to list details about an AWS Organizations organization and delegated administrators.
+ `ram` – Allows principals to create, tag, and describe resource shares.
+ `iam` – Allows principals to describe a service role.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSSystemsManagerNotificationsServicePolicy
<a name="security-iam-awsmanpol-AWSSystemsManagerNotificationsServicePolicy"></a>

The managed policy `AWSSystemsManagerNotificationsServicePolicy` allows Systems Manager to send email notifications for just-in-time node access requests to access request approvers.

You can't attach `AWSSystemsManagerNotificationsServicePolicy` to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see [Using roles to send just-in-time node access request notifications](using-service-linked-roles-service-action-9.md).

This policy grants administrative permissions that allow Systems Manager to send email notifications for just-in-time node access requests to access request approvers.

**Permissions details**

This policy includes the following permissions.
+ `identitystore` – Allows principals to list and describe users and group membership.
+ `sso` – Allows principals to list instances, directories, and describe registered Regions.
+ `sso-directory` – Allows principals to describe users and list members in a group.
+ `iam` – Allows principals to get information about roles.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerNotificationsServicePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerNotificationsServicePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWS-SSM-Automation-DiagnosisBucketPolicy
<a name="security-iam-awsmanpol-AWS-SSM-Automation-DiagnosisBucketPolicy"></a>

The managed policy `AWS-SSM-Automation-DiagnosisBucketPolicy` provides permissions for diagnosing issues with nodes that interact with AWS Systems Manager services, by allowing access to S3 buckets that are used for diagnosis and remediation of issues.

You can attach the `AWS-SSM-Automation-DiagnosisBucketPolicy` policy to your IAM identities. Systems Manager also attaches this policy to an IAM role that allows Systems Manager to perform diagnosis actions on your behalf.

**Permissions details**

This policy includes the following permissions.
+ `s3` – Allows principals to read objects from, and write objects to, the Amazon S3 buckets used for diagnosis and remediation.

To view more details about the policy, including the latest version of the JSON policy document, see [AWS-SSM-Automation-DiagnosisBucketPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWS-SSM-Automation-DiagnosisBucketPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy
<a name="security-iam-awsmanpol-AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy"></a>

The managed policy `AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy` provides permissions for an operational account to remediate issues with nodes across accounts in the same organization by providing organization-specific permissions.

You can attach `AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy` to your IAM identities. Systems Manager also attaches this policy to an IAM role that allows Systems Manager to perform remediation actions on your behalf.

**Permissions details**

This policy includes the following permissions.
+ `organizations` – Allows principals to list the roots of the organization and its member accounts, in order to determine target accounts.
+ `sts` – Allows principals to assume remediation execution roles to run SSM Automation documents across accounts and Regions, within the same organization.

To view more details about the policy, including the latest version of the JSON policy document, see [AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy
<a name="security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy"></a>

The managed policy `AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy` provides permissions for an operational account to diagnose issues with nodes by providing organization-specific permissions.

You can attach the `AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy` policy to your IAM identities. Systems Manager also attaches this policy to an IAM role that allows Systems Manager to perform diagnosis actions on your behalf.

**Permissions details**

This policy includes the following permissions.
+ `organizations` – Allows principals to list the roots of the organization and its member accounts, in order to determine target accounts.
+ `sts` – Allows principals to assume diagnosis execution roles to run SSM Automation documents across accounts and Regions, within the same organization.

To view more details about the policy, including the latest version of the JSON policy document, see [AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## Systems Manager updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

In the following table, view details about updates to AWS managed policies for Systems Manager since this service began tracking these changes on March 12, 2021. For information about other managed policies for the Systems Manager service, see [Additional managed policies for Systems Manager](#policies-list) later in this topic. For automatic alerts about changes to this page, subscribe to the RSS feed on the Systems Manager [Document history](systems-manager-release-history.md) page.

| Change | Description | Date | 
| --- | --- | --- | 
|  [AmazonSSMAutomationRole](#security-iam-awsmanpol-AmazonSSMAutomationRole) – Update to an existing policy  |  Systems Manager added the `cloudformation:TagResource` and `cloudformation:UntagResource` permissions. These permissions allow Automation runbooks that create CloudFormation stacks to add and remove tags from resources.  | March 20, 2026 | 
|  [AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy) – Updated managed policy  |  Systems Manager updated the managed policy to add additional EC2 and SSM permissions for enhanced diagnosis capabilities. The policy now includes permissions to describe EC2 instance status and network ACLs, as well as SSM activations and service settings, providing more comprehensive diagnostic information for troubleshooting managed node issues.  | December 19, 2025 | 
|  [AWSQuickSetupDeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupDeploymentRolePolicy) – Updated managed policy  |  Systems Manager updated the managed policy `AWSQuickSetupDeploymentRolePolicy` to add support for two additional SSM documents: `AWSQuickSetupType-ConfigureDevOpsGuru` and `AWSQuickSetupType-DeployConformancePack`. These additions enable Quick Setup to deploy DevOps Guru configurations and conformance packs through the policy.  | December 15, 2025 | 
|  [AWSSystemsManagerJustInTimeAccessTokenPolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessTokenPolicy) – Update to an existing policy  |  Systems Manager updated the managed policy `AWSSystemsManagerJustInTimeAccessTokenPolicy`. The statement (`SID`) `TerminateAndResumeSession` has been renamed to `TerminateAndResumeSessionAndOpenDataChannel` and now includes the `ssmmessages:OpenDataChannel` action, combining session management and data channel permissions into a single statement.  | September 25, 2025 | 
|  Updated managed policies – see [the AWS documentation website](http://docs.aws.amazon.com/systems-manager/latest/userguide/security-iam-awsmanpol.html) for the list of affected policies  |  Systems Manager updated three managed policies to add support for starting Automation executions on additional Systems Manager resources, including specific Automation runbooks and SSM Command documents.  | September 12, 2025 | 
|  [AWSQuickSetupStartStopInstancesExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupStartStopInstancesExecutionPolicy) – Updated managed policy  |  Systems Manager updated the managed policy to refine permissions for Quick Setup scheduler configuration. The policy now provides more specific permissions for starting and stopping Amazon EC2 instances, accessing change calendars, and executing automation documents with enhanced security conditions.  | September 12, 2025 | 
|  [AWSQuickSetupStartSSMAssociationsExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupStartSSMAssociationsExecutionPolicy) – Updated managed policy  |  Systems Manager updated the managed policy to change the automation document from `AWSQuickSetupType-StartSSMAssociations` to `AWSQuickSetupType-Scheduler-ChangeCalendarState`. This update changes the policy's purpose from starting SSM associations to managing change calendar states for scheduled operations.  | September 12, 2025 | 
|  [AmazonSSMAutomationRole](#security-iam-awsmanpol-AmazonSSMAutomationRole) – Update to an existing policy  |  Systems Manager added new permissions to allow Automation runbooks to establish communication channels for session-based operations. Added the `ssmmessages:OpenDataChannel` permission for the resource `arn:*:ssm:*:*:session/*`.  | September 11, 2025 | 
|  [AWSSystemsManagerJustInTimeAccessServicePolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessServicePolicy) – Updated managed policy  |  Systems Manager updated the managed policy to add automation execution tagging permissions. The service needs to tag automation executions with `SystemsManagerJustInTimeNodeAccessManaged=true` tag to enable customers to scope down operator permissions to specific tags.  | August 25, 2025 | 
|  [AWSQuickSetupStartSSMAssociationsExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupStartSSMAssociationsExecutionPolicy) – New policy  |  Systems Manager added a new policy to allow Quick Setup to run the `AWSQuickSetupType-StartSSMAssociations` Automation runbook. This runbook is used to start State Manager associations that are created by Quick Setup configurations.  | August 12, 2025 | 
|  [AWSQuickSetupStartStopInstancesExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupStartStopInstancesExecutionPolicy) – New policy  |  Systems Manager added a new policy to allow Quick Setup to start and stop Amazon EC2 instances on a schedule. This policy provides the necessary permissions for the Quick Setup scheduler configuration type to manage instance state based on defined schedules.  | August 12, 2025 | 
|  [AWSQuickSetupDeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupDeploymentRolePolicy) – Update to documentation  |  Systems Manager has updated the `AWSQuickSetupDeploymentRolePolicy` managed policy to grant permissions for additional resources. In addition, the documentation for `AWSQuickSetupDeploymentRolePolicy` has been updated with more detailed descriptions of the permissions granted by this policy for Quick Setup configuration management operations.  | August 12, 2025 | 
|  [AWS-SSM-RemediationAutomation-ExecutionRolePolicy](#security-iam-awsmanpol-AWS-SSM-RemediationAutomation-ExecutionRolePolicy) – Update to an existing policy  |  Systems Manager updated the managed policy to improve the security posture of the `ssm:StartAutomationExecution` API by requiring permissions for both the `document` and `automation-execution` resource types. The updated policy provides more comprehensive and detailed permissions for remediation automation execution, including enhanced descriptions for networking remediation capabilities, more specific Amazon VPC endpoint creation permissions, detailed security group management permissions, and improved resource tagging controls for remediation operations.  | July 16, 2025 | 
|  [AWS-SSM-RemediationAutomation-AdministrationRolePolicy](#security-iam-awsmanpol-AWS-SSM-RemediationAutomation-AdministrationRolePolicy) – Update to an existing policy  |  Systems Manager updated the managed policy to support API authorization improvements for remediation automation operations. The updated policy enhances permissions for executing activities defined within Automation documents, with improved security controls and resource access patterns for remediation workflows.  | July 16, 2025 | 
|  [AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy) – Update to an existing policy  |  Systems Manager updated the managed policy to provide more detailed and accurate permissions for diagnosis automation execution. The updated policy includes enhanced descriptions for Amazon EC2 and Amazon VPC resource access, more specific SSM automation permissions, and improved AWS KMS and IAM permission descriptions with proper resource restrictions.  | July 16, 2025 | 
|  [AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy) – Update to an existing policy  |  Systems Manager updated the managed policy to provide more specific permissions and security conditions for diagnosis automation operations. The updated policy provides enhanced security controls for AWS KMS key usage, Amazon S3 bucket access, and role assumptions, with stricter resource-based conditions and account-level restrictions.  | July 16, 2025 | 
|  [AmazonSSMAutomationRole](#security-iam-awsmanpol-AmazonSSMAutomationRole) – Update to documentation  |  Systems Manager added comprehensive documentation for the existing `AmazonSSMAutomationRole` policy, which provides permissions for the Systems Manager Automation service to run activities defined within Automation runbooks.  | July 15, 2025 | 
|  [AWSQuickSetupDeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupDeploymentRolePolicy) – Update to a policy  |  Systems Manager added permissions to the managed policy `AWSQuickSetupDeploymentRolePolicy` for accessing the Amazon owned runbook [AWSQuickSetupType-ManageInstanceProfile](https://console.aws.amazon.com/systems-manager/documents/AWSQuickSetupType-ManageInstanceProfile/content). This permission makes it possible for Quick Setup to create associations using the managed policy instead of inline policies.  | July 14, 2025 | 
|  [AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy) – Update to a policy  |  Systems Manager added permissions to allow Systems Manager to tag a resource shared by AWS Resource Access Manager for just-in-time node access.  | April 30, 2025 | 
|  [AWSQuickSetupManageJITNAResourcesExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupManageJITNAResourcesExecutionPolicy) – Update to a policy  |  Systems Manager added permissions to allow Systems Manager to tag IAM roles created for just-in-time node access.  | April 30, 2025 | 
|  [AWSSystemsManagerJustInTimeAccessTokenSessionPolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessTokenSessionPolicy) – New policy  |  Systems Manager added a new policy to allow Systems Manager to apply scoped-down permissions to a just-in-time node access token.  | April 30, 2025 | 
|  [AWSSystemsManagerNotificationsServicePolicy](#security-iam-awsmanpol-AWSSystemsManagerNotificationsServicePolicy) – New policy  |  Systems Manager added a new policy to allow Systems Manager to send email notifications for just-in-time node access requests to access request approvers.  | April 30, 2025 | 
|  [AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy) – New policy  |  Systems Manager added a new policy to allow Systems Manager to replicate approval policies to different Regions.  | April 30, 2025 | 
|  [AWSSystemsManagerJustInTimeAccessTokenPolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessTokenPolicy) – New policy  |  Systems Manager added a new policy to allow Systems Manager to generate access tokens used for just-in-time node access.  | April 30, 2025 | 
|  [AWSSystemsManagerJustInTimeAccessServicePolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessServicePolicy) – New policy  |  Systems Manager added a new policy to provide permissions to AWS resources managed or used by the Systems Manager just-in-time node access feature.  | April 30, 2025 | 
|  [AWSQuickSetupManageJITNAResourcesExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupManageJITNAResourcesExecutionPolicy) – New policy  |  Systems Manager added a new policy to allow Quick Setup, a tool in Systems Manager, to create the IAM roles necessary for just-in-time node access.  | April 30, 2025 | 
|  [AWSQuickSetupJITNADeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupJITNADeploymentRolePolicy) – New policy  |  Systems Manager added a new policy that provides permissions that allow Quick Setup to deploy the configuration type required to set up just-in-time node access.  | April 30, 2025 | 
|  [`AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy`](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy) – New policy  |  Systems Manager added a new policy that provides permissions for an operational account to diagnose issues with nodes by providing organization-specific permissions.  | November 21, 2024 | 
|  [`AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy`](#security-iam-awsmanpol-AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy) – New policy  |  Systems Manager added a new policy that provides permissions for an operational account to diagnose issues with nodes by providing organization-specific permissions.  | November 21, 2024 | 
|  [`AWS-SSM-Automation-DiagnosisBucketPolicy`](#security-iam-awsmanpol-AWS-SSM-Automation-DiagnosisBucketPolicy) – New policy  |  Systems Manager added a new policy to support starting Automation workflows that diagnose issues with managed nodes in targeted accounts and Regions.  | November 21, 2024 | 
|  [`AmazonSSMServiceRolePolicy`](#security-iam-awsmanpol-AmazonSSMServiceRolePolicy) – Update to an existing policy  |  Systems Manager added new permissions to allow AWS Resource Explorer to gather details about Amazon EC2 instances and display the results in widgets in the new Systems Manager Dashboard.  | November 21, 2024 | 
| [`SSMQuickSetupRolePolicy`](#security-iam-awsmanpol-SSMQuickSetupRolePolicy) – Update to an existing policy | Systems Manager has updated the managed policy SSMQuickSetupRolePolicy. This update allows the associated service-linked role AWSServiceRoleForSSMQuickSetup to manage resource data syncs.  | November 21, 2024 | 
| [`AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy`](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy) – New policy | Systems Manager added a new policy to support starting Automation workflows that diagnose issues with managed nodes in targeted accounts and Regions. | November 21, 2024 | 
| [`AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy`](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy) – New policy | Systems Manager added a new policy to support starting Automation workflows that diagnose issues with managed nodes in a targeted account and Region. | November 21, 2024 | 
| [`AWS-SSM-RemediationAutomation-AdministrationRolePolicy`](#security-iam-awsmanpol-AWS-SSM-RemediationAutomation-AdministrationRolePolicy) – New policy | Systems Manager added a new policy to support starting Automation workflows that remediate issues in managed nodes in targeted accounts and Regions. | November 21, 2024 | 
| [`AWS-SSM-RemediationAutomation-ExecutionRolePolicy`](#security-iam-awsmanpol-AWS-SSM-RemediationAutomation-ExecutionRolePolicy) – New policy | Systems Manager added a new policy to support starting Automation workflows that remediate issues in managed nodes in a targeted account and Region. | November 21, 2024 | 
|  [AWSQuickSetupSSMDeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupSSMDeploymentRolePolicy) – Update to a policy  |  Systems Manager added permissions to allow Systems Manager to tag IAM roles and Lambda functions created for the unified console.  | May 7th, 2025 | 
| [`AWSQuickSetupSSMManageResourcesExecutionPolicy`](#security-iam-awsmanpol-AWSQuickSetupSSMManageResourcesExecutionPolicy) – New policy | Systems Manager added a new policy to support running an operation in Quick Setup that creates IAM roles for Quick Setup associations, which in turn are created by an AWSQuickSetupType-SSM deployment. | November 21, 2024 | 
| [`AWSQuickSetupSSMLifecycleManagementExecutionPolicy`](#security-iam-awsmanpol-AWSQuickSetupSSMLifecycleManagementExecutionPolicy) – New policy | Systems Manager added a new policy to support Quick Setup running a CloudFormation custom resource on lifecycle events during a Quick Setup deployment. | November 21, 2024 | 
| [`AWSQuickSetupSSMDeploymentRolePolicy`](#security-iam-awsmanpol-AWSQuickSetupSSMDeploymentRolePolicy) – New policy | Systems Manager added a new policy to support granting administrative permissions that allow Quick Setup to create resources that are used during the Systems Manager onboarding process.  | November 21, 2024 | 
| [`AWSQuickSetupSSMDeploymentS3BucketRolePolicy`](#security-iam-awsmanpol-AWSQuickSetupSSMDeploymentS3BucketRolePolicy) – New policy | Systems Manager added a new policy to support managing and retrieving information about specific buckets in the principal account that are managed through CloudFormation templates. | November 21, 2024 | 
| [`AWSQuickSetupEnableDHMCExecutionPolicy`](#security-iam-awsmanpol-AWSQuickSetupEnableDHMCExecutionPolicy) – New policy | Systems Manager is introducing a new policy to allow Quick Setup to create an IAM role that itself uses the existing [`AmazonSSMManagedEC2InstanceDefaultPolicy`](#security-iam-awsmanpol-AmazonSSMManagedEC2InstanceDefaultPolicy). This policy contains all the permissions required for SSM Agent to communicate with the Systems Manager service. The new policy also allows modifications to the Systems Manager service settings. | November 21, 2024 | 
| [`AWSQuickSetupEnableAREXExecutionPolicy`](#security-iam-awsmanpol-AWSQuickSetupEnableAREXExecutionPolicy) – New policy | Systems Manager added a new policy to allow Quick Setup to create a service-linked role for AWS Resource Explorer, for accessing Resource Explorer views and aggregator indexes. | November 21, 2024 | 
| [`AWSQuickSetupManagedInstanceProfileExecutionPolicy`](#security-iam-awsmanpol-AWSQuickSetupManagedInstanceProfileExecutionPolicy) – New policy |  Systems Manager added a new policy to allow Quick Setup to create a default Quick Setup instance profile and to attach it to any Amazon EC2 instances that lack an associated instance profile. This new policy also allows Quick Setup to attach permissions to existing profiles to ensure that all required Systems Manager permissions have been granted.  | November 21, 2024 | 
|  [`SSMQuickSetupRolePolicy`](#security-iam-awsmanpol-SSMQuickSetupRolePolicy) – Update to an existing policy  |  Systems Manager added new permissions to allow Quick Setup to check the health of additional AWS CloudFormation stack sets that it has created.  | August 13, 2024 | 
| [`AmazonSSMManagedEC2InstanceDefaultPolicy`](#security-iam-awsmanpol-AmazonSSMManagedEC2InstanceDefaultPolicy) – Update to an existing policy | Systems Manager has added statement IDs (Sids) to the JSON policy for AmazonSSMManagedEC2InstanceDefaultPolicy. These Sids provide inline descriptions of the purpose of each policy statement.  | July 18, 2024 | 
| [`SSMQuickSetupRolePolicy`](#security-iam-awsmanpol-SSMQuickSetupRolePolicy) – New policy | Systems Manager added a new policy to allow Quick Setup to check the health of deployed resources and remediate instances that have drifted from the original configuration.  | July 3, 2024 | 
| [`AWSQuickSetupDeploymentRolePolicy`](#security-iam-awsmanpol-SSMQuickSetupRolePolicy) – New policy | Systems Manager added a new policy to support multiple Quick Setup configuration types that create IAM roles and automations, which in turn configure frequently used Amazon Web Services services and features with recommended best practices. | July 3, 2024 | 
|  [`AWSQuickSetupPatchPolicyDeploymentRolePolicy`](#security-iam-awsmanpol-AWSQuickSetupPatchPolicyDeploymentRolePolicy)  – New policy  |  Systems Manager added a new policy to allow Quick Setup to create resources associated with Patch Manager patch policy Quick Setup configurations.   | July 3, 2024 | 
|  [AWSQuickSetupPatchPolicyBaselineAccess](#security-iam-awsmanpol-AWSQuickSetupPatchPolicyBaselineAccess) – New policy  |  Systems Manager added a new policy to allow Quick Setup to access patch baselines in Patch Manager with read-only permissions.   | July 3, 2024 | 
| [AWSSystemsManagerEnableExplorerExecutionPolicy](#security-iam-awsmanpol-AWSSystemsManagerEnableExplorerExecutionPolicy) – New policy | Systems Manager added a new policy to allow Quick Setup to grant administrative permissions for enabling Explorer. | July 3, 2024 | 
| [AWSSystemsManagerEnableConfigRecordingExecutionPolicy](#security-iam-awsmanpol-AWSSystemsManagerEnableConfigRecordingExecutionPolicy) – New policy | Systems Manager added a new policy to allow Quick Setup to enable and configure AWS Config configuration recording. | July 3, 2024 | 
|  [AWSQuickSetupDevOpsGuruPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupDevOpsGuruPermissionsBoundary) – New policy  |  Systems Manager added a new policy to allow Quick Setup to enable and configure Amazon DevOps Guru.  | July 3, 2024 | 
|  [AWSQuickSetupDistributorPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupDistributorPermissionsBoundary) – New policy  |  Systems Manager added a new policy to allow Quick Setup to enable and configure Distributor, a tool in AWS Systems Manager.   | July 3, 2024 | 
|  [AWSQuickSetupSSMHostMgmtPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupSSMHostMgmtPermissionsBoundary) – New policy  |  Systems Manager added a new policy to allow Quick Setup to enable and configure Systems Manager tools for securely managing Amazon EC2 instances.  | July 3, 2024 | 
|  [AWSQuickSetupPatchPolicyPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupPatchPolicyPermissionsBoundary) – New policy  |  Systems Manager added a new policy to allow Quick Setup to enable and configure patch policies in Patch Manager, a tool in AWS Systems Manager.   | July 3, 2024 | 
|  [AWSQuickSetupSchedulerPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupSchedulerPermissionsBoundary) – New policy  |  Systems Manager added a new policy to allow Quick Setup to enable and configure scheduled operations on Amazon EC2 instances and other resources.   | July 3, 2024 | 
|  [AWSQuickSetupCFGCPacksPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupCFGCPacksPermissionsBoundary) – New policy  |  Systems Manager added a new policy to allow Quick Setup to deploy AWS Config conformance packs.   | July 3, 2024 | 
|  [`AWSSystemsManagerOpsDataSyncServiceRolePolicy`](#security-iam-awsmanpol-AWSSystemsManagerOpsDataSyncServiceRolePolicy) – Update to an existing policy  | OpsCenter updated the policy to improve the security of the service code within the service-linked role for Explorer to manage OpsData-related operations. | July 3, 2023 | 
|  [`AmazonSSMManagedEC2InstanceDefaultPolicy`](#security-iam-awsmanpol-AmazonSSMManagedEC2InstanceDefaultPolicy) – New policy  |  Systems Manager added a new policy to allow Systems Manager functionality on Amazon EC2 instances without the use of an IAM instance profile.  | August 18, 2022 | 
|  [AmazonSSMServiceRolePolicy](#security-iam-awsmanpol-AmazonSSMServiceRolePolicy) – Update to an existing policy  |  Systems Manager added new permissions to allow Explorer to create a managed rule when you turn on Security Hub CSPM from Explorer or OpsCenter. New permissions were added to check that config and the compute-optimizer meet the necessary requirements before allowing OpsData.  | April 27, 2021 | 
|  [`AWSSystemsManagerOpsDataSyncServiceRolePolicy`](#security-iam-awsmanpol-AWSSystemsManagerOpsDataSyncServiceRolePolicy) – New policy  |  Systems Manager added a new policy to create and update OpsItems and OpsData from Security Hub CSPM findings in Explorer and OpsCenter.  | April 27, 2021 | 
|  `AmazonSSMServiceRolePolicy` – Update to an existing policy  |  Systems Manager added new permissions to allow viewing aggregate OpsData and OpsItems details from multiple accounts and AWS Regions in Explorer.  | March 24, 2021 | 
|  Systems Manager started tracking changes  |  Systems Manager started tracking changes for its AWS managed policies.  | March 12, 2021 | 

## Additional managed policies for Systems Manager
<a name="policies-list"></a>

In addition to the managed policies described earlier in this topic, the following policies are also supported by Systems Manager.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMAutomationApproverAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMAutomationApproverAccess.html) – AWS managed policy that allows access to view automation executions and send approval decisions to automation that is waiting for approval.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMDirectoryServiceAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMDirectoryServiceAccess.html) – AWS managed policy that allows SSM Agent to access Directory Service on behalf of the user for requests to join the domain by the managed node.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMFullAccess.html) – AWS managed policy that grants full access to the Systems Manager API and documents.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMMaintenanceWindowRole.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMMaintenanceWindowRole.html) – AWS managed policy that provides maintenance windows with permissions to the Systems Manager API.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) – AWS managed policy that allows a node to use Systems Manager service core functionality.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMPatchAssociation.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMPatchAssociation.html) – AWS managed policy that provides access to child instances for patch association operations.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMReadOnlyAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMReadOnlyAccess.html) – AWS managed policy that grants access to Systems Manager read-only API operations, such as `Get*` and `List*`.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSSMOpsInsightsServiceRolePolicy.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSSMOpsInsightsServiceRolePolicy.html) – AWS managed policy that provides permissions for creating and updating operational insight *OpsItems* in Systems Manager. Used to provide permissions through the service-linked role [`AWSServiceRoleForAmazonSSM_OpsInsights`](using-service-linked-roles-service-action-4.md).
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerAccountDiscoveryServicePolicy.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerAccountDiscoveryServicePolicy.html) – AWS managed policy that grants Systems Manager permission to discover AWS account information.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2RoleforSSM.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2RoleforSSM.html) – This policy is no longer supported and should not be used. In its place, use the `AmazonSSMManagedInstanceCore` policy to allow Systems Manager service core functionality on EC2 instances. For information, see [Configure instance permissions required for Systems Manager](setup-instance-permissions.md). 

# Troubleshooting AWS Systems Manager identity and access
<a name="security_iam_troubleshoot"></a>

Use the following information to help you diagnose and fix common issues that you might encounter when working with AWS Systems Manager and AWS Identity and Access Management (IAM).

**Topics**
+ [I am not authorized to perform an action in Systems Manager](#security_iam_troubleshoot-no-permissions)
+ [I am not authorized to perform iam:PassRole](#security_iam_troubleshoot-passrole)
+ [I want to allow people outside of my AWS account to access my Systems Manager resources](#security_iam_troubleshoot-cross-account-access)

## I am not authorized to perform an action in Systems Manager
<a name="security_iam_troubleshoot-no-permissions"></a>

If the AWS Management Console tells you that you're not authorized to perform an action, then you must contact your administrator for assistance. Your administrator is the person that provided you with your sign-in credentials.

The following example error occurs when the `mateojackson` user tries to use the console to view details about a document but doesn't have `ssm:GetDocument` permissions.

```
User: arn:aws:ssm::123456789012:user/mateojackson isn't authorized to perform: ssm:GetDocument on resource: MyExampleDocument
```

In this case, Mateo asks his administrator to update his policies to allow him to access the `MyExampleDocument` resource using the `ssm:GetDocument` action.

## I am not authorized to perform iam:PassRole
<a name="security_iam_troubleshoot-passrole"></a>

If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to Systems Manager.

Some AWS services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.

The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in Systems Manager. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permissions to pass the role to the service.

```
User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```

In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.
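The least-privilege way to resolve this error is a grant that names the specific role and restricts it to Systems Manager through the `iam:PassedToService` condition key, rather than `iam:PassRole` on `*`. The following checker is an added example, not code from the AWS documentation: it audits a policy document for `iam:PassRole` grants that fall short of that. The two sample policies, the account ID and the role name are constructed placeholders.

```python
"""Audit iam:PassRole grants in an IAM policy document (added example, not
from the AWS documentation). Flags Allow statements that grant iam:PassRole
without naming the role or without restricting the consuming service to
ssm.amazonaws.com via the iam:PassedToService condition key."""
import fnmatch
import json

SSM_SERVICE = "ssm.amazonaws.com"

# Constructed sample: PassRole on every role, to every service.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:*", "Resource": "*"}]})

# Constructed sample: one named role, passable only to Systems Manager.
# Account ID and role name are placeholders.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PassAutomationRoleToSystemsManager",
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::123456789012:role/ExampleAutomationRole",
    "Condition": {"StringEquals": {"iam:PassedToService": SSM_SERVICE}}}]})


def _as_list(value):
    """Action, Resource and condition values may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_passrole(actions):
    """True if any action pattern matches iam:PassRole (IAM allows * and ?)."""
    return any(fnmatch.fnmatchcase("iam:passrole", a.lower()) for a in actions)


def _passed_to_services(condition):
    """Collect iam:PassedToService values from the string condition operators."""
    services = []
    for operator in ("StringEquals", "StringLike"):
        for key, value in condition.get(operator, {}).items():
            if key.lower() == "iam:passedtoservice":
                services.extend(_as_list(value))
    return services


def audit_passrole(policy_json):
    """Return [{"Sid": ..., "issues": [...]}] for each PassRole-granting Allow.

    An empty issue list means the statement names its roles and can only
    pass them to Systems Manager.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _grants_passrole(_as_list(stmt.get("Action"))):
            continue
        issues = []
        if any(r == "*" or r.endswith("role/*") for r in _as_list(stmt.get("Resource"))):
            issues.append("resource wildcard lets any role be passed")
        services = _passed_to_services(stmt.get("Condition", {}))
        if not services:
            issues.append("no iam:PassedToService condition")
        elif any(s != SSM_SERVICE for s in services):
            issues.append("iam:PassedToService allows services other than Systems Manager")
        findings.append({"Sid": stmt.get("Sid", "<no Sid>"), "issues": issues})
    return findings
```

Run `audit_passrole` on a policy before attaching it: the broad sample yields two findings, the scoped sample yields none.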

## I want to allow people outside of my AWS account to access my Systems Manager resources
<a name="security_iam_troubleshoot-cross-account-access"></a>

You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.

To learn more, consult the following:
+ To learn whether Systems Manager supports these features, see [How AWS Systems Manager works with IAM](security_iam_service-with-iam.md).
+ To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
+ To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
+ To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
+ To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.