

**Note**  
The AWS Systems Manager CloudWatch Dashboard will no longer be available after April 30, 2026. Customers can continue to use the Amazon CloudWatch console to view, create, and manage their Amazon CloudWatch dashboards, just as they do today. For more information, see [Amazon CloudWatch Dashboard documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html).

# Security in AWS Systems Manager
<a name="security"></a>

Cloud security at Amazon Web Services is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to AWS Systems Manager, see [AWS services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You're also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations. 

This documentation helps you understand how to apply the shared responsibility model when using AWS Systems Manager. The following topics show you how to configure Systems Manager to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Systems Manager resources. 

**Topics**
+ [Data protection in AWS Systems Manager](data-protection.md)
+ [Data perimeters in AWS Systems Manager](data-perimeters.md)
+ [Identity and access management for AWS Systems Manager](security-iam.md)
+ [Using service-linked roles for Systems Manager](using-service-linked-roles.md)
+ [Logging and monitoring in AWS Systems Manager](logging-and-monitoring.md)
+ [Compliance validation for AWS Systems Manager](compliance-validation.md)
+ [Resilience in AWS Systems Manager](disaster-recovery-resiliency.md)
+ [Infrastructure security in AWS Systems Manager](infrastructure-security.md)
+ [Configuration and vulnerability analysis in AWS Systems Manager](vulnerability-analysis-and-management.md)
+ [Security best practices for Systems Manager](security-best-practices.md)

# Data protection in AWS Systems Manager
<a name="data-protection"></a>

Data protection refers to protecting data while *in transit* (as it travels to and from Systems Manager) and *at rest* (while it's stored in AWS data centers).

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in AWS Systems Manager. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with Systems Manager or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

## Data encryption
<a name="data-encryption"></a>

### Encryption at rest
<a name="encryption-at-rest"></a>

**Parameter Store parameters**  
The types of parameters you can create in Parameter Store, a tool in AWS Systems Manager, include `String`, `StringList`, and `SecureString`.

All parameters, regardless of their type, are encrypted both in transit and at rest. In transit, parameters are encrypted using transport layer security (TLS) to create a secure HTTPS connection for API requests. At rest, they are encrypted with an AWS owned key in AWS Key Management Service (AWS KMS). For more information about AWS owned key encryption, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the *AWS Key Management Service Developer Guide*.

The `SecureString` type offers additional encryption options and is recommended for all sensitive data. You can choose from the following types of AWS KMS keys to encrypt and decrypt the value of a `SecureString` parameter:
+ The AWS managed key for your account
+ A customer managed key (CMK) that you have created in your account
+ A CMK in another AWS account that has been shared with you

For more information about AWS KMS encryption, see the [AWS Key Management Service Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/).

**Content in S3 buckets**  
As part of your Systems Manager operations, you might choose to upload or store data in one or more Amazon Simple Storage Service (Amazon S3) buckets. 

For information about S3 bucket encryption, see [Protecting data using encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html) and [Data protection in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/DataDurability.html) in the *Amazon Simple Storage Service User Guide*.

The following are types of data you can upload or have stored in S3 buckets as part of your Systems Manager activities:
+ The output of commands in Run Command, a tool in AWS Systems Manager
+ Packages in Distributor, a tool in AWS Systems Manager
+ Patching operation logs in Patch Manager, a tool in AWS Systems Manager
+ Patch Manager patch override lists
+ Scripts or Ansible Playbooks to run in a runbook workflow in Automation, a tool in AWS Systems Manager 
+ Chef InSpec profiles for use with scans in Compliance, a tool in AWS Systems Manager
+ AWS CloudTrail logs
+ Session history logs in Session Manager, a tool in AWS Systems Manager
+ Reports from Explorer, a tool in AWS Systems Manager
+ OpsData from OpsCenter, a tool in AWS Systems Manager
+ AWS CloudFormation templates for use with Automation workflows
+ Compliance data from a resource data sync scan
+ Output of requests to create or edit association in State Manager, a tool in AWS Systems Manager, on managed nodes
+ Custom Systems Manager documents (SSM documents) that you can run using the AWS managed SSM document `AWS-RunDocument`

**CloudWatch Logs log groups**  
As part of your Systems Manager operations, you might choose to stream data to one or more Amazon CloudWatch Logs log groups.

For information about CloudWatch Logs log group encryption, see [Encrypt log data in CloudWatch Logs using AWS Key Management Service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) in the *Amazon CloudWatch Logs User Guide*.

The following are types of data you might have streamed to a CloudWatch Logs log group as part of your Systems Manager activities:
+ The output of Run Command commands
+ The output of scripts run using the `aws:executeScript` action in an Automation runbook
+ Session Manager session history logs
+ Logs from SSM Agent on your managed nodes

### Encryption in transit
<a name="encryption-in-transit"></a>

We recommend that you use an encryption protocol such as Transport Layer Security (TLS) to encrypt sensitive data in transit between clients and your nodes.

Systems Manager provides the following support for encryption of your data in transit.

**Connections to Systems Manager API endpoints**  
Systems Manager API endpoints only support secure connections over HTTPS. When you manage Systems Manager resources with the AWS Management Console, AWS SDK, or the Systems Manager API, all communication is encrypted with Transport Layer Security (TLS). For a full list of API endpoints, see [AWS service endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *Amazon Web Services General Reference*. 

**Managed instances**  
AWS provides secure and private connectivity between Amazon Elastic Compute Cloud (Amazon EC2) instances. In addition, we automatically encrypt in-transit traffic between supported instances in the same virtual private cloud (VPC) or in peered VPCs, using AEAD algorithms with 256-bit encryption. This encryption feature uses the offload capabilities of the underlying hardware, and there is no impact on network performance. The supported instances are: C5n, G4, I3en, M5dn, M5n, P3dn, R5dn, and R5n.

**Session Manager sessions**  
By default, Session Manager uses TLS 1.3 to encrypt session data transmitted between the local machines of users in your account and your EC2 instances. You can also choose to further encrypt the data in transit using an AWS KMS key that has been created in AWS KMS. AWS KMS encryption is available for `Standard_Stream`, `InteractiveCommands`, and `NonInteractiveCommands` session types. 

**Run Command access**  
By default, remote access to your nodes using Run Command is encrypted using TLS 1.3, and requests to create a connection are signed using SigV4.

## Internetwork traffic privacy
<a name="internetwork-privacy"></a>

You can use Amazon Virtual Private Cloud (Amazon VPC) to create boundaries between resources in your managed nodes and control traffic between them, your on-premises network, and the internet. For details, see [Improve the security of EC2 instances by using VPC endpoints for Systems Manager](setup-create-vpc.md). 

For more information about Amazon Virtual Private Cloud security, see [Internetwork traffic privacy in Amazon VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html) in the *Amazon VPC User Guide*.

# Data perimeters in AWS Systems Manager
<a name="data-perimeters"></a>

A data perimeter is a set of preventive guardrails in your AWS environment that help ensure your data can only be accessed by trusted identities from expected networks and resources. When you implement data perimeter controls, you might need to include exceptions for AWS service-owned resources that Systems Manager accesses on your behalf.

**Example scenario: SSM document categories S3 bucket**  
Systems Manager accesses an AWS managed S3 bucket to retrieve document category information for [AWS Systems Manager Documents](documents.md). This bucket contains metadata about document categories that help organize and classify SSM Documents in the console.

Resource ARN pattern  
`arn:aws:s3:::ssm-document-categories-region`  
Regional examples:  
+ `arn:aws:s3:::ssm-document-categories-us-east-1`
+ `arn:aws:s3:::ssm-document-categories-us-west-2`
+ `arn:aws:s3:::ssm-document-categories-eu-west-1`
+ `arn:aws:s3:::ssm-document-categories-ap-northeast-1`

When accessed  
This resource is accessed when you view SSM Documents in the Systems Manager console or when using APIs that retrieve document metadata and categories.

Data stored  
The bucket contains JSON files with document category definitions and metadata. This data is read-only and does not contain customer-specific information.

Identity used  
Systems Manager accesses this resource using AWS service credentials on behalf of your requests.

Required permissions  
`s3:GetObject` on the bucket contents.

**Data perimeter policy considerations**  
When implementing data perimeter controls using Service Control Policies (SCPs) or VPC endpoint policies with conditions like `aws:ResourceOrgID`, you need to create exceptions for the AWS service-owned resources that Systems Manager requires.

For example, if you're using an SCP with `aws:ResourceOrgID` to restrict access to resources outside your organization, you would need to add an exception for the SSM Document categories bucket.

The policy would still deny access to resources outside your organization, but it would include an exception for the appropriate S3 buckets so that Systems Manager can continue functioning properly.

Similarly, if you're using VPC endpoint policies to restrict S3 access, you would need to ensure that the SSM document categories buckets are accessible through your VPC endpoints.
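The following Python check is an added example, not code from the AWS documentation or from the data-perimeter sample repository. It takes a resource-perimeter SCP of the shape described above (a `Deny` keyed on `aws:ResourceOrgID` with a `NotResource` exception) and reports which of the regional `ssm-document-categories-*` bucket and object ARNs the policy would still block, so a reviewer can confirm the exception before the SCP is attached. The SCP itself, the region list, the object key and the `missing_exceptions` helper name are assumptions made for the example; the check inspects statement structure and ARN wildcards only and does not model full IAM policy evaluation.

```python
"""Added example (not from the AWS documentation): verify that a data perimeter
SCP's NotResource exception covers the SSM document categories buckets in every
region the organization uses."""
import fnmatch

# Regions the (constructed) organization operates in.
REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]

# Constructed resource-perimeter SCP: deny access to resources outside the
# organization, except the AWS service-owned buckets Systems Manager reads. The
# bucket ARNs follow the documented arn:aws:s3:::ssm-document-categories-region form.
RESOURCE_PERIMETER_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceResourcePerimeter",
            "Effect": "Deny",
            "Action": "*",
            "NotResource": [
                "arn:aws:s3:::ssm-document-categories-*",
                "arn:aws:s3:::ssm-document-categories-*/*",
            ],
            "Condition": {
                "StringNotEqualsIfExists": {"aws:ResourceOrgID": "${aws:PrincipalOrgID}"}
            },
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def categories_bucket_arns(regions):
    """Bucket and object ARNs Systems Manager needs, one pair per region."""
    arns = []
    for region in regions:
        bucket = f"arn:aws:s3:::ssm-document-categories-{region}"
        arns.append(bucket)
        arns.append(bucket + "/categories.json")  # constructed object key for the example
    return arns


def perimeter_statements(policy):
    """Deny statements whose Condition references aws:ResourceOrgID."""
    found = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        keys = {key for pairs in statement.get("Condition", {}).values() for key in pairs}
        if "aws:ResourceOrgID" in keys:
            found.append(statement)
    return found


def _arn_in_scope(statement, arn):
    """True if the statement's resource scope covers `arn` (no exception applies).
    IAM's * matches any characters, including '/', which fnmatch also does."""
    if "NotResource" in statement:
        return not any(fnmatch.fnmatchcase(arn, p) for p in _as_list(statement["NotResource"]))
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(statement.get("Resource", "*")))


def missing_exceptions(policy, regions):
    """Service-owned ARNs that at least one perimeter statement would still deny."""
    statements = perimeter_statements(policy)
    return [arn for arn in categories_bucket_arns(regions)
            if any(_arn_in_scope(st, arn) for st in statements)]


if __name__ == "__main__":
    print(missing_exceptions(RESOURCE_PERIMETER_SCP, REGIONS))  # []
```

Run it against the SCP you intend to attach, with the regions you actually operate in; an empty list means every regional bucket (and its objects) falls inside the exception. A `NotResource` entry that names only the bucket ARN, without the `/*` object pattern, is a common way to break `s3:GetObject` while the bucket itself looks excepted.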

**More information**  
For more information about data perimeters in AWS, see the following topics:
+ [Data perimeters on AWS](https://aws.amazon.com/identity/data-perimeters-on-aws/).
+ [Establish permissions guardrails using data perimeters](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_data-perimeters.html) in the *IAM User Guide*
+ [Service-specific guidance: AWS Systems Manager](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_specific_guidance/ssm-specific-guidance.md) and [Service-owned resources](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_owned_resources.md) in the *AWS Samples* repository on GitHub

# Identity and access management for AWS Systems Manager
<a name="security-iam"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Systems Manager resources. IAM is an AWS service that you can use with no additional charge.

**Topics**
+ [Audience](#security_iam_audience)
+ [Authenticating with identities](#security_iam_authentication)
+ [Managing access using policies](#security_iam_access-manage)
+ [How AWS Systems Manager works with IAM](security_iam_service-with-iam.md)
+ [AWS Systems Manager identity-based policy examples](security_iam_id-based-policy-examples.md)
+ [AWS managed policies for AWS Systems Manager](security-iam-awsmanpol.md)
+ [Troubleshooting AWS Systems Manager identity and access](security_iam_troubleshoot.md)

## Audience
<a name="security_iam_audience"></a>

How you use AWS Identity and Access Management (IAM) differs based on your role:
+ **Service user** – Request permissions from your administrator if you can't access features. See [Troubleshooting AWS Systems Manager identity and access](security_iam_troubleshoot.md).
+ **Service administrator** – Determine user access and submit permission requests. See [How AWS Systems Manager works with IAM](security_iam_service-with-iam.md).
+ **IAM administrator** – Write policies to manage access. See [AWS Systems Manager identity-based policy examples](security_iam_id-based-policy-examples.md).

## Authenticating with identities
<a name="security_iam_authentication"></a>

Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role.

You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

### AWS account root user
<a name="security_iam_authentication-rootuser"></a>

 When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. 

### IAM users and groups
<a name="security_iam_authentication-iamuser"></a>

An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An *[IAM user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)* specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

### IAM roles
<a name="security_iam_authentication-iamrole"></a>

An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## Managing access using policies
<a name="security_iam_access-manage"></a>

You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.

Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

### Identity-based policies
<a name="security_iam_access-manage-id-based-policies"></a>

Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.

For information about AWS managed policies for Systems Manager, see [AWS Systems Manager managed policies](security_iam_service-with-iam.md#managed-policies).

### Resource-based policies
<a name="security_iam_access-manage-resource-based-policies"></a>

Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.

Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.

### Policy condition keys
<a name="policy-condition-keys"></a>

The actions that users and roles can perform and the resources on which they can take those actions can be further restricted by specific *conditions*. 

In JSON policy documents, the `Condition` element (or `Condition` block) lets you specify conditions in which a statement is in effect. The `Condition` element is optional. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as `StringEquals` or `StringNotLike`, to match the condition in the policy with values in the request. 

If you specify multiple `Condition` elements in a statement, or multiple keys in a single `Condition` element, AWS evaluates them using a logical `AND` operation. If you specify multiple values for a single condition key, AWS evaluates the condition using a logical `OR` operation. All of the conditions must be met before the statement's permissions are granted.

You can also use placeholder variables when you specify conditions. For example, you can grant an IAM user permission to access a resource only if it is tagged with their IAM user name. For more information, see [IAM policy elements: variables and tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) in the *IAM User Guide*. 

AWS supports global condition keys and service-specific condition keys. For more information, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

**Important**  
If you use Systems Manager Automation, we recommend that you don't use the [aws:SourceIp](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip) condition key in your policies. The behavior of this condition key depends on multiple factors, including whether an IAM role for Automation runbook execution is supplied and which Automation actions the runbook uses. As a result, the condition key can produce unexpected behavior.

Systems Manager supports a number of its own condition keys. For more information, see [Condition Keys for AWS Systems Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-policy-keys) in the *Service Authorization Reference*. The actions and resources you can use a Systems Manager-specific condition key with are listed in [Resource types defined by AWS Systems Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-resources-for-iam-policies) in the *Service Authorization Reference*.

If your policy must depend on a service principal name owned by the Systems Manager service, we recommend you check for its existence or non-existence using the `aws:PrincipalServiceNamesList` [multivalued condition key](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html#reference_policies_condition-multi-valued-context-keys), rather than the `aws:PrincipalServiceName` condition key. The `aws:PrincipalServiceName` condition key contains only one entry from the list of service principal names and it may not always be the service principal name you expect. The following `Condition` block demonstrates checking for the existence of `ssm.amazonaws.com`. 

```
{
    "Condition": {
        "ForAnyValue:StringEquals": {
            "aws:PrincipalServiceNamesList": "ssm.amazonaws.com"
        }
    }
}
```
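The following Python evaluator is an added example, not code from the AWS documentation or from Systems Manager itself. It models the `Condition` semantics described above (logical AND across keys, logical OR across the values of one key, the `ForAnyValue` and `ForAllValues` qualifiers for multivalued keys, and the way negated operators treat a missing key) and runs the recommended `aws:PrincipalServiceNamesList` check beside the fragile `aws:PrincipalServiceName` check against one constructed request context. The request context, the policy fragments and the `evaluate_condition` helper name are assumptions made for the example; the evaluator supports only the `String*` operators it lists and does not model the `...IfExists` suffix.

```python
"""Added example (not from the AWS documentation): a minimal evaluator for the
IAM Condition semantics described above. Supports StringEquals/StringLike and
their negated forms, plus the ForAnyValue/ForAllValues set qualifiers."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _base_operator(op):
    """Map an operator name to (positive matcher, negated?). StringLike uses the
    IAM wildcards * and ?, which fnmatch also understands."""
    negated = op.startswith("StringNot")
    base = "String" + op[len("StringNot"):] if negated else op
    matchers = {
        "StringEquals": lambda ctx, want: ctx == want,
        "StringLike": lambda ctx, want: fnmatch.fnmatchcase(ctx, want),
    }
    if base not in matchers:
        raise ValueError(f"unsupported condition operator: {op}")
    return matchers[base], negated


def _value_matches(op, ctx_value, policy_values):
    """One context value against all policy values: logical OR across the
    values, then negation for StringNot* operators."""
    matcher, negated = _base_operator(op)
    hit = any(matcher(ctx_value, want) for want in policy_values)
    return not hit if negated else hit


def evaluate_condition(condition, context):
    """True when every operator/key pair in the Condition block holds for `context`.

    `context` maps a condition key to a str (single-valued key) or a list of
    str (multivalued key); keys absent from the request are simply missing."""
    for qualified_op, pairs in condition.items():
        qualifier, _, op = qualified_op.rpartition(":")
        for key, policy_values in pairs.items():  # multiple keys: logical AND
            policy_values = _as_list(policy_values)
            ctx = context.get(key)
            if qualifier == "ForAnyValue":
                ok = any(_value_matches(op, c, policy_values) for c in _as_list(ctx or []))
            elif qualifier == "ForAllValues":
                # Vacuously true for a missing or empty key: a well-known gotcha.
                ok = all(_value_matches(op, c, policy_values) for c in _as_list(ctx or []))
            elif qualifier == "":
                if ctx is None:
                    # Positive operators fail on a missing key; negated ones match it
                    # (which is why the ...IfExists variants exist).
                    ok = _base_operator(op)[1]
                elif isinstance(ctx, list):
                    ok = False  # a single-valued operator cannot evaluate a multivalued key
                else:
                    ok = _value_matches(op, ctx, policy_values)
            else:
                raise ValueError(f"unsupported qualifier: {qualifier}")
            if not ok:
                return False
    return True


# The documented, recommended check: look for ssm.amazonaws.com anywhere in the list.
RECOMMENDED_CONDITION = {
    "ForAnyValue:StringEquals": {"aws:PrincipalServiceNamesList": "ssm.amazonaws.com"}
}
# The fragile alternative: the single-valued key holds only one entry of that list.
FRAGILE_CONDITION = {"StringEquals": {"aws:PrincipalServiceName": "ssm.amazonaws.com"}}

# Constructed request context (an assumption for this example): a service-chained
# request in which ssm.amazonaws.com is present in the list but is not the entry
# surfaced by the single-valued key.
CHAINED_REQUEST_CONTEXT = {
    "aws:PrincipalServiceName": "ec2.amazonaws.com",
    "aws:PrincipalServiceNamesList": ["ec2.amazonaws.com", "ssm.amazonaws.com"],
}


def compare_service_name_checks(context=CHAINED_REQUEST_CONTEXT):
    """Return (recommended result, fragile result) for the same request context."""
    return (evaluate_condition(RECOMMENDED_CONDITION, context),
            evaluate_condition(FRAGILE_CONDITION, context))


if __name__ == "__main__":
    print(compare_service_name_checks())  # (True, False)
```

Both conditions are meant to ask "is Systems Manager among the service principals behind this request", but only the multivalued form answers it; the single-valued form silently depends on which entry the service surfaces. The same evaluator also shows why a `Deny` statement built on a negated operator matches requests where the key is absent, which is the case `...IfExists` variants exist for.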

To view examples of Systems Manager identity-based policies, see [AWS Systems Manager identity-based policy examples](security_iam_id-based-policy-examples.md).

### Access control lists (ACLs)
<a name="security_iam_access-manage-acl"></a>

Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

Amazon S3, AWS WAF, and Amazon VPC are examples of services that support ACLs. To learn more about ACLs, see [Access control list (ACL) overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the *Amazon Simple Storage Service Developer Guide*.

### Other policy types
<a name="security_iam_access-manage-other-policies"></a>

AWS supports additional policy types that can set the maximum permissions granted by more common policy types:
+ **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
+ **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.

### Multiple policy types
<a name="security_iam_access-manage-multiple-policies"></a>

When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.

# How AWS Systems Manager works with IAM
<a name="security_iam_service-with-iam"></a>

Before you use AWS Identity and Access Management (IAM) to manage access to AWS Systems Manager, you should understand what IAM features are available to use with Systems Manager. To get a high-level view of how Systems Manager and other AWS services work with IAM, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

**Topics**
+ [Systems Manager identity-based policies](#security_iam_service-with-iam-id-based-policies)
+ [Systems Manager resource-based policies](#security_iam_service-with-iam-resource-based-policies)
+ [Authorization based on Systems Manager tags](#security_iam_service-with-iam-tags)
+ [Systems Manager IAM roles](#security_iam_service-with-iam-roles)

## Systems Manager identity-based policies
<a name="security_iam_service-with-iam-id-based-policies"></a>

With IAM identity-based policies, you can specify allowed or denied actions and resources and the conditions under which actions are allowed or denied. Systems Manager supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

### Actions
<a name="security_iam_service-with-iam-id-based-policies-actions"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.

Policy actions in Systems Manager use the following prefix before the action: `ssm:`. For example, to grant someone permission to create a Systems Manager parameter (SSM parameter) with the Systems Manager `PutParameter` API operation, you include the `ssm:PutParameter` action in their policy. Policy statements must include either an `Action` or `NotAction` element. Systems Manager defines its own set of actions that describe tasks that you can perform with this service.

To specify multiple actions in a single statement, separate them with commas as follows:

```
"Action": [
      "ssm:action1",
      "ssm:action2"
]
```

**Note**  
The following tools in AWS Systems Manager use different prefixes before actions.  
AWS AppConfig uses the prefix `appconfig:` before actions.  
Incident Manager uses the prefix `ssm-incidents:` or `ssm-contacts:` before actions.  
Systems Manager GUI Connect uses the prefix `ssm-guiconnect:` before actions.  
Quick Setup uses the prefix `ssm-quicksetup:` before actions.

You can specify multiple actions using wildcards (*). For example, to specify all actions that begin with the word `Describe`, include the following action:

```
"Action": "ssm:Describe*"
```



To see a list of Systems Manager actions, see [Actions Defined by AWS Systems Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-actions-as-permissions) in the *Service Authorization Reference*.

### Resources
<a name="security_iam_service-with-iam-id-based-policies-resources"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (*) to indicate that the statement applies to all resources.

```
"Resource": "*"
```



For example, the Systems Manager maintenance window resource has the following ARN format.

```
arn:aws:ssm:region:account-id:maintenancewindow/window-id
```

To specify the mw-0c50858d01EXAMPLE maintenance window in your statement in the US East (Ohio) Region, you would use an ARN similar to the following.

```
"Resource": "arn:aws:ssm:us-east-2:123456789012:maintenancewindow/mw-0c50858d01EXAMPLE"
```

To specify all maintenance windows that belong to a specific account, use the wildcard (*).

```
"Resource": "arn:aws:ssm:region:123456789012:maintenancewindow/*"
```

For Parameter Store API operations, you can grant or restrict access to all parameters in one level of a hierarchy by using hierarchical names and AWS Identity and Access Management (IAM) policies as follows.

```
"Resource": "arn:aws:ssm:region:123456789012:parameter/Dev/ERP/Oracle/*"
```

Some Systems Manager actions, such as those for creating resources, can't be performed on a specific resource. In those cases, you must use the wildcard (*).

```
"Resource": "*"
```

Some Systems Manager API operations accept multiple resources. To specify multiple resources in a single statement, separate their ARNs with commas as follows.

```
"Resource": [
      "resource1",
      "resource2"
]
```

**Note**  
Most AWS services treat a colon (:) or a forward slash (/) as the same character in ARNs. However, Systems Manager requires an exact match in resource patterns and rules. When creating event patterns, be sure to use the correct ARN characters so that they match the resource's ARN.

The table below describes the ARN formats for the resource types supported by Systems Manager.

**Note**  
Note the following exceptions to ARN formats.  
The following tools in AWS Systems Manager use different prefixes before actions.  
AWS AppConfig uses the prefix `appconfig:` before actions.  
Incident Manager uses the prefix `ssm-incidents:` or `ssm-contacts:` before actions.  
Systems Manager GUI Connect uses the prefix `ssm-guiconnect:` before actions.  
Quick Setup uses the prefix `ssm-quicksetup:` before actions.  
Documents and automation definition resources that are owned by Amazon, as well as public parameters that are provided by both Amazon and third-party sources, do not include account IDs in their ARN formats. For example:  
The SSM document `AWS-RunPatchBaseline`:  
`arn:aws:ssm:us-east-2::document/AWS-RunPatchBaseline`  
The automation runbook `AWS-ConfigureMaintenanceWindows`:  
`arn:aws:ssm:us-east-2::automation-definition/AWS-ConfigureMaintenanceWindows`  
The public parameter `/aws/service/bottlerocket/aws-ecs-1-nvidia/x86_64/1.13.4/image_version`:  
`arn:aws:ssm:us-east-2::parameter/aws/service/bottlerocket/aws-ecs-1-nvidia/x86_64/1.13.4/image_version`  
For more information about these three resource types, see the following topics:  
[Working with documents](documents-using.md)  
[Run an automated operation powered by Systems Manager Automation](running-simple-automations.md)  
[Working with public parameters in Parameter Store](parameter-store-public-parameters.md)


| Resource type | ARN format | 
| --- | --- | 
| Application (AWS AppConfig) | arn:aws:appconfig:region:account-id:application/application-id | 
| Association | arn:aws:ssm:region:account-id:association/association-id | 
| Automation execution | arn:aws:ssm:region:account-id:automation-execution/automation-execution-id | 
| Automation definition (with version subresource) | arn:aws:ssm:region:account-id:automation-definition/automation-definition-id:version-id **1** | 
| Configuration profile (AWS AppConfig) | arn:aws:appconfig:region:account-id:application/application-id/configurationprofile/configurationprofile-id | 
| Contact (Incident Manager) | arn:aws:ssm-contacts:region:account-id:contact/contact-alias | 
| Deployment strategy (AWS AppConfig) | arn:aws:appconfig:region:account-id:deploymentstrategy/deploymentstrategy-id | 
| Document | arn:aws:ssm:region:account-id:document/document-name | 
| Environment (AWS AppConfig) | arn:aws:appconfig:region:account-id:application/application-id/environment/environment-id | 
| Incident | arn:aws:ssm-incidents:region:account-id:incident-record/response-plan-name/incident-id | 
| Maintenance window | arn:aws:ssm:region:account-id:maintenancewindow/window-id | 
| Managed node | arn:aws:ssm:region:account-id:managed-instance/managed-node-id | 
| Managed node inventory | arn:aws:ssm:region:account-id:managed-instance-inventory/managed-node-id | 
| OpsItem | arn:aws:ssm:region:account-id:opsitem/OpsItem-id | 
| Parameter | A one-level parameter: arn:aws:ssm:region:account-id:parameter/parameter-name; a parameter named with a hierarchical construction: arn:aws:ssm:region:account-id:parameter/parameter-name-root/level-2/level-3 **2** | 
| Patch baseline | arn:aws:ssm:region:account-id:patchbaseline/patch-baseline-id | 
| Response plan | arn:aws:ssm-incidents:region:account-id:response-plan/response-plan-name | 
| Session | arn:aws:ssm:region:account-id:session/session-id **3** | 
| All Systems Manager resources | arn:aws:ssm:* | 
| All Systems Manager resources owned by the specified AWS account in the specified AWS Region | arn:aws:ssm:region:account-id:* | 

**Note**  
Automation definition resources are being deprecated. Please update your IAM policies to include an allow for `ssm:StartAutomationExecution` or `ssm:StartChangeRequestExecution` on `document` and `automation-execution` resources. To view best practices and examples for setting up IAM permissions, refer to our [Setting up identity based policies example](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup-identity-based-policies.html) user guide. 

**1** For automation definitions, Systems Manager supports a second-level resource, *version ID*. In AWS, these second-level resources are known as *subresources*. Specifying a version subresource for an automation definition resource allows you to provide access to certain versions of an automation definition. For example, you might want to ensure that only the latest version of an automation definition is used in your node management.

**2** To organize and manage parameters, you can create names for parameters with a hierarchical construction. With hierarchical construction, a parameter name can include a path that you define by using forward slashes. You can name a parameter resource with a maximum of fifteen levels. We suggest that you create hierarchies that reflect an existing hierarchical structure in your environment. For more information, see [Creating Parameter Store parameters in Systems Manager](sysman-paramstore-su-create.md).

**3** In most cases, the session ID is constructed using the ID of the account user who started the session, plus an alphanumeric suffix. For example:

```
arn:aws:ssm:us-east-2:111122223333:session/JohnDoe-1a2b3c4sEXAMPLE
```

However, if the user ID isn't available, the ARN is constructed this way instead:

```
arn:aws:ssm:us-east-2:111122223333:session/session-1a2b3c4sEXAMPLE
```

For more information about the format of ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *Amazon Web Services General Reference*.

For a list of Systems Manager resource types and their ARNs, see [Resources Defined by AWS Systems Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-resources-for-iam-policies) in the *Service Authorization Reference*. To learn with which actions you can specify the ARN of each resource, see [Actions Defined by AWS Systems Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-actions-as-permissions).<a name="policy-conditions"></a>

### Condition keys for Systems Manager
<a name="security_iam_service-with-iam-id-based-policies-conditionkeys"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.



To see a list of Systems Manager condition keys, see [Condition Keys for AWS Systems Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-policy-keys) in the *Service Authorization Reference*. To learn with which actions and resources you can use a condition key, see [Actions Defined by AWS Systems Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-actions-as-permissions).

For information about using the `ssm:resourceTag/*` condition key, see the following topics:
+ [Restricting access to root-level commands through SSM Agent](ssm-agent-restrict-root-level-commands.md)
+ [Restricting Run Command access based on tags](run-command-setting-up.md#tag-based-access) 
+ [Restrict session access based on instance tags](getting-started-restrict-access-examples.md#restrict-access-example-instance-tags)

For information about using the `ssm:Recursive`, `ssm:Policies`, and `ssm:Overwrite` condition keys, see [Preventing access to Parameter Store API operations](parameter-store-policy-conditions.md).

### Examples
<a name="security_iam_service-with-iam-id-based-policies-examples"></a>



To view examples of Systems Manager identity-based policies, see [AWS Systems Manager identity-based policy examples](security_iam_id-based-policy-examples.md).

## Systems Manager resource-based policies
<a name="security_iam_service-with-iam-resource-based-policies"></a>

Other AWS services, such as Amazon Simple Storage Service (Amazon S3), support resource-based permissions policies. For example, you can attach a permissions policy to an S3 bucket to manage access permissions to that bucket. 

Systems Manager doesn't support resource-based policies.

## Authorization based on Systems Manager tags
<a name="security_iam_service-with-iam-tags"></a>

You can attach tags to Systems Manager resources or pass tags in a request to Systems Manager. To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `ssm:resourceTag/key-name`, `aws:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys. You can add tags to the following resource types when you create or update them:
+ Document
+ Managed node
+ Maintenance window
+ Parameter
+ Patch baseline
+ OpsItem

To view an example identity-based policy for limiting access to a resource based on the tags on that resource, see [Viewing Systems Manager documents based on tags](security_iam_id-based-policy-examples.md#security_iam_id-based-policy-examples-view-documents-tags).
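The Resources, Condition keys and tag-based authorization sections above describe the three elements separately. The following added example (not AWS code, and not from this guide) puts them together in a small evaluator so you can see how an IAM-style wildcard resource pattern, an explicit Deny and the `ssm:resourceTag/key-name` and `aws:TagKeys` condition keys interact. The sample policy, the account ID 123456789012 and the node and parameter names are constructed for the demo; only the condition operators the demo needs are implemented, and the real IAM engine has many more rules.

```python
"""Mini evaluator for Systems Manager identity-based policy statements.

Added example, not AWS code: it models how the Action, Resource and Condition
elements combine, including IAM-style wildcard matching of ARNs and the
ssm:resourceTag/key-name and aws:TagKeys condition keys.
"""
import re
from typing import Any, Optional


def _wild(pattern: str, value: str) -> bool:
    """IAM wildcard match: '*' spans any run of characters (including '/' and ':'),
    '?' matches exactly one. Case-sensitive; ':' and '/' are distinct literals,
    which is what Systems Manager requires in resource patterns."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None


def _as_list(v: Any) -> list:
    return v if isinstance(v, list) else [v]


def condition_matches(cond: dict, ctx: dict) -> bool:
    """Evaluate a Condition block against the request context. Supports StringEquals,
    StringLike and ForAllValues:StringEquals (the set operator used with aws:TagKeys)."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            wanted = _as_list(wanted)
            actual = ctx.get(key)
            if op == "ForAllValues:StringEquals":
                # Every value in the request must be in the allowed set; a missing key passes.
                if actual is not None and not set(_as_list(actual)) <= set(wanted):
                    return False
            elif actual is None:
                return False  # single-valued operators fail when the key is absent
            elif op == "StringEquals":
                if actual not in wanted:
                    return False
            elif op == "StringLike":
                if not any(_wild(w, actual) for w in wanted):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {op}")
    return True


def statement_matches(stmt: dict, action: str, resource: str, ctx: dict) -> bool:
    return (any(_wild(a, action) for a in _as_list(stmt["Action"]))
            and any(_wild(r, resource) for r in _as_list(stmt["Resource"]))
            and condition_matches(stmt.get("Condition", {}), ctx))


def is_allowed(policy: dict, action: str, resource: str, ctx: Optional[dict] = None) -> bool:
    """Identity-policy decision: an explicit Deny wins over any Allow, and with no
    matching statement the request falls to the implicit deny."""
    ctx = ctx or {}
    hits = [s for s in policy["Statement"] if statement_matches(s, action, resource, ctx)]
    if any(s["Effect"] == "Deny" for s in hits):
        return False
    return any(s["Effect"] == "Allow" for s in hits)


# Constructed sample policy (fictitious account 123456789012, Region us-east-2).
PARAM = "arn:aws:ssm:us-east-2:123456789012:parameter/"
NODE = "arn:aws:ssm:us-east-2:123456789012:managed-instance/"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Listing: Describe* actions do not support resource-level permissions.
        {"Effect": "Allow", "Action": "ssm:Describe*", "Resource": "*"},
        # One level of the parameter hierarchy: everything under /Dev, nothing else.
        {"Effect": "Allow", "Action": "ssm:GetParameter*", "Resource": PARAM + "Dev/*"},
        # Carve a secrets subtree back out with an explicit Deny.
        {"Effect": "Deny", "Action": "ssm:*", "Resource": PARAM + "Dev/ERP/Oracle/secrets/*"},
        # Tag-based access to nodes: only nodes tagged Environment=Dev.
        {"Effect": "Allow", "Action": "ssm:SendCommand", "Resource": NODE + "*",
         "Condition": {"StringEquals": {"ssm:resourceTag/Environment": "Dev"}}},
        # Tagging itself is limited to an approved set of keys.
        {"Effect": "Allow", "Action": "ssm:AddTagsToResource", "Resource": "*",
         "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["Environment", "Owner"]}}},
    ],
}


if __name__ == "__main__":
    print(is_allowed(POLICY, "ssm:GetParameter", PARAM + "Dev/ERP/Oracle/db-host"))   # True
    print(is_allowed(POLICY, "ssm:GetParameter", PARAM + "DevOps/x"))                  # False: '/' is a literal
    print(is_allowed(POLICY, "ssm:SendCommand", NODE + "i-0abc",
                     {"ssm:resourceTag/Environment": "Prod"}))                         # False: tag mismatch
```

Two behaviours worth noticing: `parameter/Dev/*` does not match `parameter/DevOps/x`, because the slash after `Dev` is a literal and so the pattern really does scope one level of the hierarchy; and a request for `ssm:SendCommand` on a node with no `Environment` tag at all is denied, because a missing condition key fails a `StringEquals` test rather than skipping it.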

## Systems Manager IAM roles
<a name="security_iam_service-with-iam-roles"></a>

An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an entity within your AWS account that has specific permissions.

### Using temporary credentials with Systems Manager
<a name="security_iam_service-with-iam-roles-tempcreds"></a>

You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS Security Token Service (AWS STS) API operations such as [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) or [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html).

Systems Manager supports using temporary credentials. 

### Service-linked roles
<a name="security_iam_service-with-iam-roles-service-linked"></a>

[Service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role) allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles are listed in your IAM account and are owned by the service. An administrator can view but not edit the permissions for service-linked roles.

Systems Manager supports service-linked roles. For details about creating or managing Systems Manager service-linked roles, see [Using service-linked roles for Systems Manager](using-service-linked-roles.md).

### Service roles
<a name="security_iam_service-with-iam-roles-service"></a>

This feature allows a service to assume a [service role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role) on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles are displayed in your IAM account and are owned by the account. This means that an administrator can change the permissions for this role. However, doing so might break the functionality of the service.

Systems Manager supports service roles. 

### Choosing an IAM role in Systems Manager
<a name="security_iam_service-with-iam-roles-choose"></a>

For Systems Manager to interact with your managed nodes, you must choose a role to allow Systems Manager to access nodes on your behalf. If you have previously created a service role or service-linked role, then Systems Manager provides you with a list of roles to choose from. It's important to choose a role that allows access to start and stop managed nodes. 

To access EC2 instances, you must configure instance permissions. For information, see [Configure instance permissions required for Systems Manager](setup-instance-permissions.md). 

To access non-EC2 nodes in a [hybrid and multicloud](operating-systems-and-machine-types.md#supported-machine-types) environment, the role your AWS account needs is an IAM service role. For information, see [Create the IAM service role required for Systems Manager in hybrid and multicloud environments](hybrid-multicloud-service-role.md).

An Automation workflow can be initiated under the context of a service role (or assume role). This allows the service to perform actions on your behalf. If you don't specify an assume role, Automation uses the context of the user who invoked the execution. However, certain situations require that you specify a service role for Automation. For more information, see [Configuring a service role (assume role) access for automations](automation-setup.md#automation-setup-configure-role).

### AWS Systems Manager managed policies
<a name="managed-policies"></a>

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS *managed policies* grant necessary permissions for common use cases so you can avoid having to investigate which permissions are needed. (You can also create your own custom IAM policies to allow permissions for Systems Manager actions and resources.) 

For more information about managed policies for Systems Manager, see [AWS managed policies for AWS Systems Manager](security-iam-awsmanpol.md).

For general information about managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

# AWS Systems Manager identity-based policy examples
<a name="security_iam_id-based-policy-examples"></a>

By default, AWS Identity and Access Management (IAM) entities (users and roles) don't have permission to create or modify AWS Systems Manager resources. They also can't perform tasks using the Systems Manager console, AWS Command Line Interface (AWS CLI), or AWS API. An administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the users or groups that require those permissions.

The following is an example of a permissions policy that allows a user to delete documents with names that begin with **MyDocument-** in the US East (Ohio) (us-east-2) AWS Region.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DeleteDocument"
      ],
      "Resource": [
        "arn:aws:ssm:us-east-2:111122223333:document/MyDocument-*"
      ]
    }
  ]
}
```

------

To learn how to create an IAM identity-based policy using these example JSON Policy documents, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*.

**Topics**
+ [Policy best practices](#security_iam_service-with-iam-policy-best-practices)
+ [Example: Permission to use the Systems Manager console](#security_iam_id-based-policy-examples-console)
+ [Example: Permission to allow users to view their own permissions](#security_iam_id-based-policy-examples-view-own-permissions)
+ [Example: Permission to read and describe individual parameters](#security_iam_id-based-policy-examples-view-one-parameter)
+ [Cross-service confused deputy prevention](cross-service-confused-deputy-prevention.md)
+ [Customer managed policy examples](#customer-managed-policies)
+ [Viewing Systems Manager documents based on tags](#security_iam_id-based-policy-examples-view-documents-tags)

## Policy best practices
<a name="security_iam_service-with-iam-policy-best-practices"></a>

Identity-based policies determine whether someone can create, access, or delete Systems Manager resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [ Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [ Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.

For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.
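The guidelines above are the checks a policy review applies first. The following added example (not an AWS tool; IAM Access Analyzer is the supported validator) is a small linter that flags those patterns in a policy document: wildcard actions, `Allow` with `NotAction`, mutating actions on `Resource: "*"` with no `Condition`, ARNs whose Region or account differs from the one you expect, and the absence of a `Deny` for requests made without TLS (`aws:SecureTransport`). The sample policies and the account ID 111122223333 are constructed for the demo.

```python
"""Static checks for identity-based policies, following the best-practice list above.

Added example, not AWS tooling: flags the review findings a human would raise
first. The sample policies below are constructed and contain deliberate problems.
"""
from typing import Any, List, Optional

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(v: Any) -> list:
    return v if isinstance(v, list) else [v]


def _arn_fields(arn: str) -> Optional[list]:
    """Split arn:partition:service:region:account:resource. The resource part may
    itself contain ':' (automation-definition/id:version), so split at most 5 times."""
    fields = arn.split(":", 5)
    return fields if len(fields) == 6 and fields[0] == "arn" else None


def _denies_plaintext(stmt: dict) -> bool:
    """True for a Deny statement conditioned on aws:SecureTransport being false."""
    bool_cond = stmt.get("Condition", {}).get("Bool", {})
    return (stmt.get("Effect") == "Deny"
            and str(bool_cond.get("aws:SecureTransport", "")).lower() == "false")


def lint_policy(policy: dict, expected_region: Optional[str] = None,
                expected_account: Optional[str] = None) -> List[str]:
    findings: List[str] = []
    statements = policy.get("Statement", [])
    for i, stmt in enumerate(statements):
        sid = stmt.get("Sid") or f"Statement[{i}]"
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed; "
                            "prefer an explicit Action list")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        condition = stmt.get("Condition", {})
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"{sid}: wildcard action {a!r} is not least privilege")
        # Anything that is not Describe/Get/List is treated as mutating.
        mutating = [a for a in actions if not a.split(":")[-1].startswith(READ_ONLY_PREFIXES)]
        if "*" in resources and mutating and not condition:
            findings.append(f"{sid}: mutating actions {mutating} on Resource '*' with no Condition")
        for r in resources:
            fields = _arn_fields(r)
            if fields is None:
                continue
            _, _, _, region, account, _ = fields
            if account == "*":
                findings.append(f"{sid}: {r} uses an account wildcard, so it is not scoped to your account")
            if expected_region and region not in ("", "*", expected_region):
                findings.append(f"{sid}: {r} targets Region {region}, expected {expected_region}")
            if expected_account and account not in ("", "*", expected_account):
                findings.append(f"{sid}: {r} targets account {account}, expected {expected_account}")
    if not any(_denies_plaintext(s) for s in statements):
        findings.append("policy: no Deny statement for aws:SecureTransport=false "
                        "(requests sent without TLS are not blocked)")
    return findings


# Constructed sample with deliberate problems (fictitious account 111122223333).
SAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "ssm:*",
         "Resource": "arn:aws:ssm:us-east-1:111122223333:*"},
        {"Sid": "ScopedRead", "Effect": "Allow",
         "Action": ["ssm:GetParameter", "ssm:DescribeParameters"],
         "Resource": "arn:aws:ssm:us-east-2:111122223333:parameter/Dev/*"},
        {"Sid": "Unscoped", "Effect": "Allow", "Action": "ssm:PutParameter", "Resource": "*"},
    ],
}

# The corrected form: keep the scoped read statement and add the TLS-only Deny.
HARDENED = {
    "Version": "2012-10-17",
    "Statement": [
        SAMPLE["Statement"][1],
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE, expected_region="us-east-2", expected_account="111122223333"):
        print(finding)
```

Run against `SAMPLE` with `expected_region="us-east-2"`, the linter reports four findings (the `ssm:*` wildcard, the ARN in us-east-1 rather than the expected Region, `ssm:PutParameter` on every resource with no condition, and the missing TLS Deny); `HARDENED` produces none. The Region check is worth keeping in a real pipeline: a statement written for one Region and pasted with another Region's ARN silently grants nothing, or the wrong thing.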

## Example: Permission to use the Systems Manager console
<a name="security_iam_id-based-policy-examples-console"></a>

To access the Systems Manager console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the Systems Manager resources and other resources in your AWS account. 

If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for IAM entities (users or roles) with that policy.

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that you're trying to perform.

To ensure that users and roles can still use the Systems Manager console, also attach the [AmazonSSMFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMFullAccess.html) or [AmazonSSMReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMReadOnlyAccess.html) AWS managed policy to the entities. For more information, see [Adding permissions to a user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

## Example: Permission to allow users to view their own permissions
<a name="security_iam_id-based-policy-examples-view-own-permissions"></a>

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewOwnUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Resource": ["arn:aws:iam::*:user/${aws:username}"]
        },
        {
            "Sid": "NavigateInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

## Example: Permission to read and describe individual parameters
<a name="security_iam_id-based-policy-examples-view-one-parameter"></a>

**Example Read and describe one parameter**  
You can grant access to a parameter by attaching the following policy to an identity.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:DescribeParameters"
      ],
      "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/parameter-name"
    }
  ]
}
```

# Cross-service confused deputy prevention
<a name="cross-service-confused-deputy-prevention"></a>

The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In AWS, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the *calling service*) calls another service (the *called service*). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access. To prevent this, AWS provides tools that help you protect your data for all services with service principals that have been given access to resources in your account. 

We recommend using the [`aws:SourceArn`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) and [`aws:SourceAccount`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context keys in resource policies to limit the permissions that AWS Systems Manager gives another service to the resource. If the `aws:SourceArn` value does not contain the account ID, such as an Amazon Resource Name (ARN) for an S3 bucket, you must use both global condition context keys to limit permissions. If you use both global condition context keys and the `aws:SourceArn` value contains the account ID, the `aws:SourceAccount` value and the account in the `aws:SourceArn` value must use the same account ID when used in the same policy statement. Use `aws:SourceArn` if you want only one resource to be associated with the cross-service access. Use `aws:SourceAccount` if you want to allow any resource in that account to be associated with the cross-service use.

The following sections provide example policies for AWS Systems Manager tools.

## Hybrid activation policy example
<a name="cross-service-confused-deputy-prevention-hybrid"></a>

For service roles used in a [hybrid activation](activations.md), the value of `aws:SourceArn` must be the ARN of the AWS account. Be sure to specify the AWS Region in the ARN where you created your hybrid activation. If you don't know the full ARN of the resource or if you're specifying multiple resources, use the `aws:SourceArn` global context condition key with wildcards (`*`) for the unknown portions of the ARN. For example, `arn:aws:ssm:region:123456789012:*`.

The following example demonstrates using the `aws:SourceArn` and `aws:SourceAccount` global condition context keys for Automation to prevent the confused deputy problem in the US East (Ohio) Region (us-east-2).

------
#### [ JSON ]

```
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "",
         "Effect": "Allow",
         "Principal": {
            "Service": "ssm.amazonaws.com"
         },
         "Action": "sts:AssumeRole",
         "Condition": {
            "StringEquals": {
               "aws:SourceAccount": "123456789012"
            },
            "ArnEquals": {
               "aws:SourceArn": "arn:aws:ssm:us-east-2:123456789012:*"
            }
         }
      }
   ]
}
```

------

## Resource data sync policy example
<a name="cross-service-confused-deputy-prevention-rds"></a>

Systems Manager Inventory, Explorer, and Compliance enable you to create a resource data sync to centralize storage of your operations data (OpsData) in a central Amazon Simple Storage Service bucket. If you want to encrypt a resource data sync by using AWS Key Management Service (AWS KMS), then you must either create a new key that includes the following policy, or you must update an existing key and add this policy to it. The `aws:SourceArn` and `aws:SourceAccount` condition keys in this policy prevent the confused deputy problem. Here is an example policy.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Id": "ssm-access-policy",
    "Statement": [
        {
            "Sid": "ssm-access-policy-statement",
            "Action": [
                "kms:GenerateDataKey"
            ],
            "Effect": "Allow",
            "Principal": {
                "Service": "ssm.amazonaws.com"
            },
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/KMS_key_id",
            "Condition": {
                "StringLike": {
                    "aws:SourceAccount": "123456789012"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:ssm:*:123456789012:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM"
                }
            }
        }
    ]
}
```

------

**Note**  
The ARN in the policy example enables the system to encrypt OpsData from all sources except AWS Security Hub CSPM. If you need to encrypt Security Hub CSPM data, for example if you use Explorer to collect Security Hub CSPM data, then you must attach an additional policy that specifies the following ARN:  
`"aws:SourceArn": "arn:aws:ssm:*:account-id:role/aws-service-role/opsdatasync.ssm.amazonaws.com/AWSServiceRoleForSystemsManagerOpsDataSync"` 
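The introduction to this topic says that `aws:SourceArn` on its own is not enough when the ARN carries no account ID, and that `aws:SourceAccount` must be added. The following added example (not AWS code, and not from this guide) evaluates trust-policy `Condition` blocks like the two above against the context a calling service presents, so the difference is visible as a pass/fail result. The request contexts, the bucket name `amzn-s3-demo-bucket`, the managed node ID and the account IDs are constructed for the demo; the evaluator treats `ArnEquals` and `ArnLike` identically, as IAM does, and both accept `*` and `?` wildcards.

```python
"""Why aws:SourceArn needs aws:SourceAccount beside it.

Added example, not AWS code: evaluates a trust or key policy Condition block
against a constructed service request context. A missing context key fails
closed, which is what an unconditioned cross-service call looks like.
"""
import re

_ARN_OPS = ("ArnLike", "ArnEquals")     # identical semantics in IAM, both allow wildcards
_STR_OPS = ("StringEquals", "StringLike")


def _wild(pattern: str, value: str) -> bool:
    """Case-sensitive wildcard match where '*' spans any run and '?' one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None


def trust_allows(condition: dict, ctx: dict) -> bool:
    """Every key under every operator must be present in ctx and must match."""
    for op, pairs in condition.items():
        if op not in _ARN_OPS + _STR_OPS:
            raise ValueError(f"unsupported condition operator: {op}")
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if op == "StringEquals":
                if actual != wanted:
                    return False
            elif not _wild(wanted, actual):   # StringLike, ArnLike, ArnEquals
                return False
    return True


# Weak: only the source ARN is pinned, and an S3 bucket ARN carries no account ID,
# so the condition says nothing about which account the call is made on behalf of.
ARN_ONLY = {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::amzn-s3-demo-bucket"}}

# Fixed: the account is pinned as well, as the guide requires for account-less ARNs.
ARN_AND_ACCOUNT = {
    "ArnLike": {"aws:SourceArn": "arn:aws:s3:::amzn-s3-demo-bucket"},
    "StringEquals": {"aws:SourceAccount": "123456789012"},
}

# The hybrid-activation trust condition from the first example above (US East (Ohio)).
HYBRID = {
    "StringEquals": {"aws:SourceAccount": "123456789012"},
    "ArnEquals": {"aws:SourceArn": "arn:aws:ssm:us-east-2:123456789012:*"},
}

# Constructed request contexts (fictitious accounts 123456789012 and 999999999999).
FROM_OWN_ACCOUNT = {"aws:SourceArn": "arn:aws:s3:::amzn-s3-demo-bucket",
                    "aws:SourceAccount": "123456789012"}
FROM_OTHER_ACCOUNT = {"aws:SourceArn": "arn:aws:s3:::amzn-s3-demo-bucket",
                      "aws:SourceAccount": "999999999999"}
HYBRID_OHIO = {"aws:SourceArn": "arn:aws:ssm:us-east-2:123456789012:managed-instance/mi-0123456789EXAMPLE",
               "aws:SourceAccount": "123456789012"}
HYBRID_OREGON = {"aws:SourceArn": "arn:aws:ssm:us-west-2:123456789012:managed-instance/mi-0123456789EXAMPLE",
                 "aws:SourceAccount": "123456789012"}

if __name__ == "__main__":
    print(trust_allows(ARN_ONLY, FROM_OTHER_ACCOUNT))         # True: the weak condition cannot tell
    print(trust_allows(ARN_AND_ACCOUNT, FROM_OTHER_ACCOUNT))  # False: account pinned
    print(trust_allows(HYBRID, HYBRID_OREGON))                # False: Region in the ARN is exact
```

The two results to read side by side are `ARN_ONLY` accepting a request presented on behalf of another account and `ARN_AND_ACCOUNT` rejecting it; the bucket-style ARN is identical in both contexts, so only the `aws:SourceAccount` key can make the distinction. The `HYBRID` checks also show why the guide tells you to put the activation's Region in the ARN: the Region segment is matched exactly unless you wildcard it.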

## Customer managed policy examples
<a name="customer-managed-policies"></a>

You can create standalone policies that you administer in your own AWS account. We refer to these as *customer managed policies*. You can attach these policies to multiple principal entities in your AWS account. When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy. For more information, see [Customer managed policy examples](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) in the *[IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/)*.

The following examples of user policies grant permissions for various Systems Manager actions. Use them to limit the Systems Manager access for your IAM entities (users and roles). These policies work when performing actions in the Systems Manager API, AWS SDKs, or the AWS CLI. For users who use the console, you need to grant additional permissions specific to the console. For more information, see [Example: Permission to use the Systems Manager console](#security_iam_id-based-policy-examples-console).

**Note**  
All examples use the US West (Oregon) Region (us-west-2) and contain fictitious account IDs. The account ID shouldn't be specified in the Amazon Resource Name (ARN) for AWS public documents (documents that begin with `AWS-*`).

**Examples**
+ [Example 1: Allow a user to perform Systems Manager operations in a single Region](#identity-based-policies-example-1)
+ [Example 2: Allow a user to list documents for a single Region](#identity-based-policies-example-2)
+ [Example 3: Allow a user to use a specific SSM document to run commands on specific nodes](#identity-based-policies-example-3)

### Example 1: Allow a user to perform Systems Manager operations in a single Region
<a name="identity-based-policies-example-1"></a>

The following example grants permissions to perform Systems Manager operations only in the US East (Ohio) Region (us-east-2).

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:*"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-1:111122223333:*"
            ]
        }
    ]
}
```

------

### Example 2: Allow a user to list documents for a single Region
<a name="identity-based-policies-example-2"></a>

The following example grants permissions to list all document names that begin with **Update** in the US East (Ohio) Region (us-east-2).

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:ListDocuments"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-1:111122223333:document/Update*"
            ]
        }
    ]
}
```

------

### Example 3: Allow a user to use a specific SSM document to run commands on specific nodes
<a name="identity-based-policies-example-3"></a>

The following example IAM policy allows a user to do the following in the US East (Ohio) Region (us-east-2):
+ List Systems Manager documents (SSM documents) and document versions.
+ View details about documents.
+ Send a command using the document specified in the policy. The name of the document is determined by the following entry.

  ```
  arn:aws:ssm:us-east-2:aws-account-ID:document/Systems-Manager-document-name
  ```
+ Send a command to three nodes. The nodes are determined by the following entries in the second `Resource` section.

  ```
  "arn:aws:ec2:us-east-2:aws-account-ID:instance/i-02573cafcfEXAMPLE",
  "arn:aws:ec2:us-east-2:aws-account-ID:instance/i-0471e04240EXAMPLE",
  "arn:aws:ec2:us-east-2:aws-account-ID:instance/i-07782c72faEXAMPLE"
  ```
+ View details about a command after it has been sent.
+ Start and stop workflows in Automation, a tool in AWS Systems Manager.
+ Get information about Automation workflows.

If you want to give a user permission to use this document to send commands to any node to which the user has access, you could specify an entry similar to the following in the `Resource` section and remove the other node entries. The following example uses the US East (Ohio) Region (us-east-2).

```
"arn:aws:ec2:us-east-2:*:instance/*"
```

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Action": [
                "ssm:ListDocuments",
                "ssm:ListDocumentVersions",
                "ssm:DescribeDocument",
                "ssm:GetDocument",
                "ssm:DescribeInstanceInformation",
                "ssm:DescribeDocumentParameters",
                "ssm:DescribeInstanceProperties"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ssm:SendCommand",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:instance/i-02573cafcfEXAMPLE",
                "arn:aws:ec2:us-east-1:111122223333:instance/i-0471e04240EXAMPLE",
                "arn:aws:ec2:us-east-1:111122223333:instance/i-07782c72faEXAMPLE",
                
                "arn:aws:ssm:us-east-1:111122223333:document/Systems-Manager-document-name"
            ]
        },
        {
            "Action": [
                "ssm:CancelCommand",
                "ssm:ListCommands",
                "ssm:ListCommandInvocations"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ec2:DescribeInstanceStatus",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ssm:StartAutomationExecution",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ssm:us-east-1:111122223333:document/*",
                "arn:aws:ssm:us-east-1:111122223333:automation-execution/*"
            ]
        },
        {
            "Action": "ssm:DescribeAutomationExecutions",
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "ssm:StopAutomationExecution",
                "ssm:GetAutomationExecution"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }
    ]
}
```

------

## Viewing Systems Manager documents based on tags
<a name="security_iam_id-based-policy-examples-view-documents-tags"></a>

You can use conditions in your identity-based policy to control access to Systems Manager resources based on tags. This example shows how you might create a policy that allows viewing an SSM document. However, permission is granted only if the document tag `Owner` has the value of that user's user name. This policy also grants the permissions necessary to complete this action on the console.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ListDocumentsInConsole",
            "Effect": "Allow",
            "Action": "ssm:ListDocuments",
            "Resource": "*"
        },
        {
            "Sid": "ViewDocumentIfOwner",
            "Effect": "Allow",
            "Action": "ssm:GetDocument",
            "Resource": "arn:aws:ssm:*:*:document/*",
            "Condition": {
                "StringEquals": {"ssm:ResourceTag/Owner": "${aws:username}"}
            }
        }
    ]
}
```

------

You can attach this policy to the users in your account. If a user named `richard-roe` attempts to view a Systems Manager document, the document must be tagged `Owner=richard-roe` or `owner=richard-roe`. Otherwise they're denied access. The condition tag key `Owner` matches both `Owner` and `owner` because condition key names aren't case-sensitive. For more information, see [IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
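The added example below (not AWS code) evaluates the policy above against sample requests, modelling only the IAM behaviour this section relies on: `${aws:username}` substitution, case-insensitive condition key names, case-sensitive `StringEquals` values, and a missing tag failing the condition. The document ARN and the request contexts are constructed, and the evaluator is general over `Action`, `Resource` and `StringEquals` conditions, so it also exercises the `ListDocumentsInConsole` statement.

```python
"""Evaluate the tag-scoped ViewDocumentIfOwner policy from the page against sample requests.

Added example, not AWS code. It models only the IAM semantics the page relies on:
${aws:username} policy-variable substitution, case-insensitive condition key names
(a document tag "owner" satisfies "ssm:ResourceTag/Owner"), case-sensitive
StringEquals value comparison, and a missing tag failing the condition.
"""
import fnmatch
import json
import re

# Constructed sample input: the identity-based policy shown on the page.
OWNER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListDocumentsInConsole", "Effect": "Allow",
         "Action": "ssm:ListDocuments", "Resource": "*"},
        {"Sid": "ViewDocumentIfOwner", "Effect": "Allow",
         "Action": "ssm:GetDocument", "Resource": "arn:aws:ssm:*:*:document/*",
         "Condition": {"StringEquals": {"ssm:ResourceTag/Owner": "${aws:username}"}}},
    ],
})

# Constructed document ARN (fictitious account ID).
DOC_ARN = "arn:aws:ssm:us-east-2:111122223333:document/ConfigureWebServer"


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def arn_like(pattern, arn):
    """ArnLike: a bare '*' matches anything; otherwise match the six colon-separated segments."""
    if pattern == "*":
        return True
    pat, val = pattern.split(":", 5), arn.split(":", 5)
    return len(pat) == 6 and len(val) == 6 and all(
        fnmatch.fnmatchcase(v, p) for v, p in zip(val, pat))


def _lookup(name, mapping):
    """Case-insensitive key lookup, as IAM treats condition key and variable names."""
    for key, value in mapping.items():
        if key.lower() == name.lower():
            return value
    return None


def substitute_variables(text, context):
    """Replace ${aws:username}-style policy variables; unresolved ones stay literal and won't match."""
    def repl(match):
        value = _lookup(match.group(1), context)
        return match.group(0) if value is None else value
    return re.sub(r"\$\{([^}]+)\}", repl, text)


def _condition_holds(condition, context, resource_tags):
    """Only StringEquals is modelled; every key/value pair must hold (logical AND)."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if key.lower().startswith("ssm:resourcetag/"):
                actual = _lookup(key.split("/", 1)[1], resource_tags)
            else:
                actual = _lookup(key, context)
            if actual is None:  # key absent from the request: StringEquals fails
                return False
            # Values are compared case-sensitively after variable substitution.
            if actual not in [substitute_variables(v, context) for v in _as_list(expected)]:
                return False
    return True


def is_allowed(policy_json, action, resource_arn, context, resource_tags):
    """Explicit Deny wins, then any matching Allow; otherwise the implicit deny applies."""
    policy = json.loads(policy_json)
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(arn_like(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context, resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```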

# AWS managed policies for AWS Systems Manager
<a name="security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

**Topics**
+ [AWS managed policy: AmazonSSMServiceRolePolicy](#security-iam-awsmanpol-AmazonSSMServiceRolePolicy)
+ [AWS managed policy: AmazonSSMAutomationRole](#security-iam-awsmanpol-AmazonSSMAutomationRole)
+ [AWS managed policy: AmazonSSMReadOnlyAccess](#security-iam-awsmanpol-AmazonSSMReadOnlyAccess)
+ [AWS managed policy: AWSSystemsManagerOpsDataSyncServiceRolePolicy](#security-iam-awsmanpol-AWSSystemsManagerOpsDataSyncServiceRolePolicy)
+ [AWS managed policy: AmazonSSMManagedEC2InstanceDefaultPolicy](#security-iam-awsmanpol-AmazonSSMManagedEC2InstanceDefaultPolicy)
+ [AWS managed policy: SSMQuickSetupRolePolicy](#security-iam-awsmanpol-SSMQuickSetupRolePolicy)
+ [AWS managed policy: AWSQuickSetupDeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupDeploymentRolePolicy)
+ [AWS managed policy: AWSQuickSetupPatchPolicyDeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupPatchPolicyDeploymentRolePolicy)
+ [AWS managed policy: AWSQuickSetupPatchPolicyBaselineAccess](#security-iam-awsmanpol-AWSQuickSetupPatchPolicyBaselineAccess)
+ [AWS managed policy: `AWSSystemsManagerEnableExplorerExecutionPolicy`](#security-iam-awsmanpol-AWSSystemsManagerEnableExplorerExecutionPolicy)
+ [AWS managed policy: `AWSSystemsManagerEnableConfigRecordingExecutionPolicy`](#security-iam-awsmanpol-AWSSystemsManagerEnableConfigRecordingExecutionPolicy)
+ [AWS managed policy: AWSQuickSetupDevOpsGuruPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupDevOpsGuruPermissionsBoundary)
+ [AWS managed policy: AWSQuickSetupDistributorPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupDistributorPermissionsBoundary)
+ [AWS managed policy: AWSQuickSetupSSMHostMgmtPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupSSMHostMgmtPermissionsBoundary)
+ [AWS managed policy: AWSQuickSetupPatchPolicyPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupPatchPolicyPermissionsBoundary)
+ [AWS managed policy: AWSQuickSetupSchedulerPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupSchedulerPermissionsBoundary)
+ [AWS managed policy: AWSQuickSetupCFGCPacksPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupCFGCPacksPermissionsBoundary)
+ [AWS managed policy: AWSQuickSetupStartStopInstancesExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupStartStopInstancesExecutionPolicy)
+ [AWS managed policy: AWSQuickSetupStartSSMAssociationsExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupStartSSMAssociationsExecutionPolicy)
+ [AWS managed policy: AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy)
+ [AWS managed policy: AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy)
+ [AWS managed policy: AWS-SSM-RemediationAutomation-AdministrationRolePolicy](#security-iam-awsmanpol-AWS-SSM-RemediationAutomation-AdministrationRolePolicy)
+ [AWS managed policy: AWS-SSM-RemediationAutomation-ExecutionRolePolicy](#security-iam-awsmanpol-AWS-SSM-RemediationAutomation-ExecutionRolePolicy)
+ [AWS managed policy: AWSQuickSetupSSMManageResourcesExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupSSMManageResourcesExecutionPolicy)
+ [AWS managed policy: AWSQuickSetupSSMLifecycleManagementExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupSSMLifecycleManagementExecutionPolicy)
+ [AWS managed policy: AWSQuickSetupSSMDeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupSSMDeploymentRolePolicy)
+ [AWS managed policy: AWSQuickSetupSSMDeploymentS3BucketRolePolicy](#security-iam-awsmanpol-AWSQuickSetupSSMDeploymentS3BucketRolePolicy)
+ [AWS managed policy: AWSQuickSetupEnableDHMCExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupEnableDHMCExecutionPolicy)
+ [AWS managed policy: AWSQuickSetupEnableAREXExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupEnableAREXExecutionPolicy)
+ [AWS managed policy: AWSQuickSetupManagedInstanceProfileExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupManagedInstanceProfileExecutionPolicy)
+ [AWS managed policy: AWSQuickSetupManageJITNAResourcesExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupManageJITNAResourcesExecutionPolicy)
+ [AWS managed policy: AWSQuickSetupJITNADeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupJITNADeploymentRolePolicy)
+ [AWS managed policy: AWSSystemsManagerJustInTimeAccessServicePolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessServicePolicy)
+ [AWS managed policy: AWSSystemsManagerJustInTimeAccessTokenPolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessTokenPolicy)
+ [AWS managed policy: AWSSystemsManagerJustInTimeAccessTokenSessionPolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessTokenSessionPolicy)
+ [AWS managed policy: AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy)
+ [AWS managed policy: AWSSystemsManagerNotificationsServicePolicy](#security-iam-awsmanpol-AWSSystemsManagerNotificationsServicePolicy)
+ [AWS managed policy: AWS-SSM-Automation-DiagnosisBucketPolicy](#security-iam-awsmanpol-AWS-SSM-Automation-DiagnosisBucketPolicy)
+ [AWS managed policy: AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy](#security-iam-awsmanpol-AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy)
+ [AWS managed policy: AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy)
+ [Systems Manager updates to AWS managed policies](#security-iam-awsmanpol-updates)
+ [Additional managed policies for Systems Manager](#policies-list)

## AWS managed policy: AmazonSSMServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSSMServiceRolePolicy"></a>

This policy provides access to a number of AWS resources that are managed by AWS Systems Manager or used in Systems Manager operations.

You can't attach `AmazonSSMServiceRolePolicy` to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows AWS Systems Manager to perform actions on your behalf. For more information, see [Using roles to collect inventory and view OpsData](using-service-linked-roles-service-action-1.md).

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to start and stop executions for both Run Command and Automation; to retrieve information about Run Command and Automation operations; to retrieve information about Parameter Store parameters and Change Calendar calendars; to update and retrieve information about Systems Manager service settings for OpsCenter resources; and to read information about tags that have been applied to resources.
+ `cloudformation` – Allows principals to retrieve information about stackset operations and stackset instances, and to delete stacksets on the resource `arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*`. Allows principals to delete stack instances that are associated with the following resources:

  ```
  arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*
  arn:aws:cloudformation:*:*:stackset-target/AWS-QuickSetup-SSM*:*
  arn:aws:cloudformation:*:*:type/resource/*
  ```
+ `cloudwatch` – Allows principals to retrieve information about Amazon CloudWatch alarms.
+ `compute-optimizer` – Allows principals to retrieve the enrollment (opt in) status of an account to the AWS Compute Optimizer service, and to retrieve recommendations for Amazon EC2 instances that meet a specific set of stated requirements.
+ `config` – Allows principals to retrieve information about remediation configurations and configuration recorders in AWS Config, and to determine whether specified AWS Config rules and AWS resources are compliant.
+ `events` – Allows principals to retrieve information about EventBridge rules; to create EventBridge rules and targets exclusively for the Systems Manager service (`ssm.amazonaws.com`); and to delete rules and targets for the resource `arn:aws:events:*:*:rule/SSMExplorerManagedRule`.
+ `ec2` – Allows principals to retrieve information about Amazon EC2 instances.
+ `iam` – Allows principals to pass roles to the Systems Manager service (`ssm.amazonaws.com`).
+ `lambda` – Allows principals to invoke Lambda functions that are configured specifically for use by Systems Manager.
+ `resource-explorer-2` – Allows principals to retrieve data about EC2 instances to determine whether or not each instance is currently managed by Systems Manager.

  The action `resource-explorer-2:CreateManagedView` is allowed for the `arn:aws:resource-explorer-2:*:*:managed-view/AWSManagedViewForSSM*` resource.
+ `resource-groups` – Allows principals to list resource groups in AWS Resource Groups and to list the resources that belong to a resource group.
+ `securityhub` – Allows principals to retrieve information about AWS Security Hub CSPM hub resources in the current account.
+ `states` – Allows principals to start and retrieve information for AWS Step Functions that are configured specifically for use by Systems Manager.
+ `support` – Allows principals to retrieve information about checks and cases in AWS Trusted Advisor.
+ `tag` – Allows principals to retrieve information about all the tagged or previously tagged resources that are located in a specified AWS Region for an account.

To view more details about the policy, including the latest version of the JSON policy document, see [AmazonSSMServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMServiceRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AmazonSSMAutomationRole
<a name="security-iam-awsmanpol-AmazonSSMAutomationRole"></a>

You can attach the `AmazonSSMAutomationRole` policy to your IAM identities. This policy provides permissions for the AWS Systems Manager Automation service to run activities defined within Automation runbooks.

**Permissions details**

This policy includes the following permissions.
+ `lambda` – Allows principals to invoke Lambda functions with names that begin with "Automation". This is required for Automation runbooks to execute Lambda functions as part of their workflow.
+ `ec2` – Allows principals to perform various Amazon EC2 operations including creating, copying, and deregistering images; managing snapshots; starting, running, stopping, and terminating instances; managing instance status; and creating, deleting, and describing tags. These permissions enable Automation runbooks to manage Amazon EC2 resources during execution.
+ `cloudformation` – Allows principals to create, describe, update, and delete CloudFormation stacks. This enables Automation runbooks to manage infrastructure as code through CloudFormation.
+ `ssm` – Allows principals to use all Systems Manager actions. This comprehensive access is required for Automation runbooks to interact with all Systems Manager capabilities.
+ `sns` – Allows principals to publish messages to Amazon SNS topics with names that begin with "Automation". This enables Automation runbooks to send notifications during execution.
+ `ssmmessages` – Allows principals to open data channels to Systems Manager sessions. This enables Automation runbooks to establish communication channels for session-based operations.

To view more details about the policy, including the latest version of the JSON policy document, see [AmazonSSMAutomationRole](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMAutomationRole.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AmazonSSMReadOnlyAccess
<a name="security-iam-awsmanpol-AmazonSSMReadOnlyAccess"></a>

You can attach the `AmazonSSMReadOnlyAccess` policy to your IAM identities. This policy grants read-only access to AWS Systems Manager API operations including `Describe*`, `Get*`, and `List*`. 

To view more details about the policy, including the latest version of the JSON policy document, see [AmazonSSMReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMReadOnlyAccess.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSSystemsManagerOpsDataSyncServiceRolePolicy
<a name="security-iam-awsmanpol-AWSSystemsManagerOpsDataSyncServiceRolePolicy"></a>

You can't attach `AWSSystemsManagerOpsDataSyncServiceRolePolicy` to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see [Using roles to create OpsData and OpsItems for Explorer](using-service-linked-roles-service-action-3.md).

 `AWSSystemsManagerOpsDataSyncServiceRolePolicy` allows the `AWSServiceRoleForSystemsManagerOpsDataSync` service-linked role to create and update OpsItems and OpsData from AWS Security Hub CSPM findings. 

The policy allows Systems Manager to complete the following actions on all related resources (`"Resource": "*"`), except where indicated:
+ `ssm:GetOpsItem` [1]
+ `ssm:UpdateOpsItem` [1]
+ `ssm:CreateOpsItem`
+ `ssm:AddTagsToResource` [2]
+ `ssm:UpdateServiceSetting` [3]
+ `ssm:GetServiceSetting` [3]
+ `securityhub:GetFindings`
+ `securityhub:BatchUpdateFindings` [4]

[1] The `ssm:GetOpsItem` and `ssm:UpdateOpsItem` actions are allowed only when the following condition is satisfied, that is, only on OpsItems that carry the tag `ExplorerSecurityHubOpsItem=true`.

```
"Condition": {
    "StringEquals": {
        "aws:ResourceTag/ExplorerSecurityHubOpsItem": "true"
    }
}
```

[2] The `ssm:AddTagsToResource` action is allowed permissions for the following resource only.

```
arn:aws:ssm:*:*:opsitem/*
```

[3] The `ssm:UpdateServiceSetting` and `ssm:GetServiceSetting` actions are allowed permissions for the following resources only.

```
arn:aws:ssm:*:*:servicesetting/ssm/opsitem/*
arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*
```

[4] The `securityhub:BatchUpdateFindings` action is explicitly denied by the following statements whenever any of their conditions is met, so the role cannot suppress findings or modify the listed ASFF fields.

```
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/Confidence": false
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/Criticality": false
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/Note.Text": false
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/Note.UpdatedBy": false
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/RelatedFindings": false
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/Types": false
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/UserDefinedFields.key": false
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/UserDefinedFields.value": false
        }
    }
},
{
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/VerificationState": false
        }
    }
}
```

To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerOpsDataSyncServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerOpsDataSyncServiceRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AmazonSSMManagedEC2InstanceDefaultPolicy
<a name="security-iam-awsmanpol-AmazonSSMManagedEC2InstanceDefaultPolicy"></a>

You should only attach `AmazonSSMManagedEC2InstanceDefaultPolicy` to IAM roles for Amazon EC2 instances that you want to have permission to use Systems Manager functionality. You shouldn't attach this policy to other IAM entities, such as IAM users and IAM groups, or to IAM roles that serve other purposes. For more information, see [Managing EC2 instances automatically with Default Host Management Configuration](fleet-manager-default-host-management-configuration.md).

This policy grants permissions that allow SSM Agent on your Amazon EC2 instance to communicate with the Systems Manager service in the cloud in order to perform a variety of tasks. It also grants permissions for the two services that provide authorization tokens to ensure that operations are performed on the correct instance.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to retrieve Documents, execute commands using Run Command, establish sessions using Session Manager, collect an inventory of the instance, and scan for patches and patch compliance using Patch Manager.
+ `ssmmessages` – Allows principals to access, for each instance, a personalized authorization token that was created by the *[Amazon Message Gateway Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmessagegatewayservice.html)*. Systems Manager validates the personalized authorization token against the Amazon Resource Name (ARN) of the instance that was provided in the API operation. This access is necessary to ensure that SSM Agent performs the API operations on the correct instance. 
+ `ec2messages` – Allows principals to access, for each instance, a personalized authorization token that was created by the *[Amazon Message Delivery Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmessagegatewayservice.html)*. Systems Manager validates the personalized authorization token against the Amazon Resource Name (ARN) of the instance that was provided in the API operation. This access is necessary to ensure that SSM Agent performs the API operations on the correct instance.

For related information about the `ssmmessages` and `ec2messages` endpoints, including the differences between the two, see [Agent-related API operations (`ssmmessages` and `ec2messages` endpoints)](systems-manager-setting-up-messageAPIs.md#message-services).

To view more details about the policy, including the latest version of the JSON policy document, see [AmazonSSMManagedEC2InstanceDefaultPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedEC2InstanceDefaultPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: SSMQuickSetupRolePolicy
<a name="security-iam-awsmanpol-SSMQuickSetupRolePolicy"></a>

You can't attach `SSMQuickSetupRolePolicy` to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see [Using roles to maintain Quick Setup-provisioned resource health and consistency](using-service-linked-roles-service-action-5.md).

This policy grants read-only permissions that allow Systems Manager to check configuration health, ensure consistent use of parameters and provisioned resources, and remediate resources when drift is detected. It also grants administrative permissions for creating a service-linked role. 

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to read information about resource data syncs and SSM documents in Systems Manager, including in delegated administrator accounts. This is required so Quick Setup can determine the state that configured resources are intended to be in.
+ `organizations` – Allows principals to read information about the member accounts that belong to an organization as configured in AWS Organizations. This is required so Quick Setup can identify all accounts in an organization where resource health checks are to be performed. 
+ `cloudformation` – Allows principals to read information from CloudFormation. This is required so Quick Setup can gather data about the CloudFormation stacks used to manage the state of resources and CloudFormation stackset operations. 

To view more details about the policy, including the latest version of the JSON policy document, see [SSMQuickSetupRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SSMQuickSetupRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupDeploymentRolePolicy
<a name="security-iam-awsmanpol-AWSQuickSetupDeploymentRolePolicy"></a>

The managed policy `AWSQuickSetupDeploymentRolePolicy` supports multiple Quick Setup configuration types. These configuration types create IAM roles and automations that configure frequently used Amazon Web Services services and features with recommended best practices.

You can attach `AWSQuickSetupDeploymentRolePolicy` to your IAM entities.

This policy grants administrative permissions needed to create resources associated with the following Quick Setup configurations:
+ [Set up Amazon EC2 host management using Quick Setup](quick-setup-host-management.md)
+ [Create an AWS Config configuration recorder using Quick Setup](quick-setup-config.md)
+ [Deploy AWS Config conformance pack using Quick Setup](quick-setup-cpack.md)
+ [Set up DevOps Guru using Quick Setup](quick-setup-devops.md)
+ [Deploy Distributor packages using Quick Setup](quick-setup-distributor.md)
+ [Stop and start EC2 instances automatically on a schedule using Quick Setup](quick-setup-scheduler.md)

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to read, create, update, and delete SSM documents with names beginning with "AWSQuickSetup-" or "AWSOperationsPack-" when called via CloudFormation; to read specific AWS owned documents including "AWSQuickSetupType-ManageInstanceProfile", "AWSQuickSetupType-ConfigureDevOpsGuru", and "AWSQuickSetupType-DeployConformancePack"; to create, update, and delete associations for Quick Setup documents and AWS owned documents when called via CloudFormation; and to clean up legacy resources tagged with `QuickSetupID`. This enables Quick Setup to deploy and manage automation workflows and associations.
+ `cloudformation` – Allows principals to read information about CloudFormation stacks and stack sets; and to create, update, and delete CloudFormation stacks and change sets for resources with names beginning with "StackSet-AWS-QuickSetup-". This enables Quick Setup to manage infrastructure deployments across accounts and regions.
+ `config` – Allows principals to read information about AWS Config conformance packs and their status; and to create and delete conformance packs with names beginning with "AWS-QuickSetup-" when called via CloudFormation. This enables Quick Setup to deploy compliance monitoring configurations.
+ `events` – Allows principals to manage EventBridge rules and targets for resources with names containing "QuickSetup-". This enables Quick Setup to create scheduled automation workflows.
+ `iam` – Allows principals to create service-linked roles for AWS Config and Systems Manager; to create, manage, and delete IAM roles with names beginning with "AWS-QuickSetup-" or "AWSOperationsPack-" when called via CloudFormation; to pass these roles to Systems Manager and EventBridge services; to attach specific AWS managed policies to these roles; and to set permissions boundaries using specific Quick Setup managed policies. This enables Quick Setup to create the necessary service roles for its operations.
+ `resource-groups` – Allows principals to retrieve resource group queries. This enables Quick Setup to target specific sets of resources for configuration management.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupDeploymentRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupDeploymentRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupPatchPolicyDeploymentRolePolicy
<a name="security-iam-awsmanpol-AWSQuickSetupPatchPolicyDeploymentRolePolicy"></a>

The managed policy `AWSQuickSetupPatchPolicyDeploymentRolePolicy` supports the [Configure patching for instances in an organization using a Quick Setup patch policy](quick-setup-patch-manager.md) Quick Setup type. This configuration type helps automate patching of applications and nodes in a single account or across your organization. 

You can attach `AWSQuickSetupPatchPolicyDeploymentRolePolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

This policy grants administrative permissions that allow Quick Setup to create resources associated with a patch policy configuration.

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to manage and delete IAM roles required for Automation configuration tasks; and to manage Automation role policies.
+ `cloudformation` – Allows principals to read CloudFormation stack information; and to control CloudFormation stacks that were created by Quick Setup using CloudFormation stack sets.
+ `ssm` – Allows principals to create, update, read, and delete Automation runbooks required for configuration tasks; and to create, update, and delete State Manager associations.
+ `resource-groups` – Allows principals to retrieve resource queries that are associated with resource groups targeted by Quick Setup configurations.
+ `s3` – Allows principals to list Amazon S3 buckets; and to manage the buckets for storing patch policy access logs.
+ `lambda` – Allows principals to manage AWS Lambda remediation functions that maintain configurations in the correct state.
+ `logs` – Allows principals to describe and manage log groups for Lambda configuration resources.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupPatchPolicyDeploymentRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupPatchPolicyDeploymentRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupPatchPolicyBaselineAccess
<a name="security-iam-awsmanpol-AWSQuickSetupPatchPolicyBaselineAccess"></a>

The managed policy `AWSQuickSetupPatchPolicyBaselineAccess` supports the [Configure patching for instances in an organization using a Quick Setup patch policy](quick-setup-patch-manager.md) Quick Setup type. This configuration type helps automate patching of applications and nodes in a single account or across your organization. 

You can attach `AWSQuickSetupPatchPolicyBaselineAccess` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

This policy provides read-only permissions to access patch baselines that have been configured by an administrator in the current AWS account or organization using Quick Setup. The patch baselines are stored in an Amazon S3 bucket and can be used for patching instances in a single account or across an entire organization.

**Permissions details**

This policy includes the following permission.
+ `s3` – Allows principals to read patch baseline overrides stored in Amazon S3 buckets.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupPatchPolicyBaselineAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupPatchPolicyBaselineAccess.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSSystemsManagerEnableExplorerExecutionPolicy
<a name="security-iam-awsmanpol-AWSSystemsManagerEnableExplorerExecutionPolicy"></a>

The managed policy `AWSSystemsManagerEnableExplorerExecutionPolicy` supports enabling Explorer, a tool in AWS Systems Manager.

You can attach `AWSSystemsManagerEnableExplorerExecutionPolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

This policy grants administrative permissions for enabling Explorer. This includes permissions to update related Systems Manager service settings, and to create a service-linked role for Systems Manager.

**Permissions details**

This policy includes the following permissions.
+ `config` – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.
+ `iam` – Allows principals to help enable Explorer.
+ `ssm` – Allows principals to start an Automation workflow that enables Explorer.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerEnableExplorerExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerEnableExplorerExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSSystemsManagerEnableConfigRecordingExecutionPolicy
<a name="security-iam-awsmanpol-AWSSystemsManagerEnableConfigRecordingExecutionPolicy"></a>

The managed policy `AWSSystemsManagerEnableConfigRecordingExecutionPolicy` supports the [Create an AWS Config configuration recorder using Quick Setup](quick-setup-config.md) Quick Setup configuration type. This configuration type enables Quick Setup to track and record changes to the AWS resource types you choose for AWS Config. It also enables Quick Setup to configure delivery and notifications options for the recorded data. 

You can attach `AWSSystemsManagerEnableConfigRecordingExecutionPolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

This policy grants administrative permissions that allow Quick Setup to enable and configure AWS Config configuration recording.

**Permissions details**

This policy includes the following permissions.
+ `s3` – Allows principals to create and configure Amazon S3 buckets for delivery of configuration recordings.
+ `sns` – Allows principals to list and create Amazon SNS topics.
+ `config` – Allows principals to configure and start the configuration recorder; and to help enable Explorer.
+ `iam` – Allows principals to create, get, and pass a service-linked role for AWS Config; and to create a service-linked role for Systems Manager; and to help enable Explorer.
+ `ssm` – Allows principals to start an Automation workflow that enables Explorer.
+ `compute-optimizer` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
+ `support` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerEnableConfigRecordingExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerEnableConfigRecordingExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupDevOpsGuruPermissionsBoundary
<a name="security-iam-awsmanpol-AWSQuickSetupDevOpsGuruPermissionsBoundary"></a>

**Note**  
This policy is a *permissions boundary*. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. Don't attach Quick Setup permissions boundary policies on your own; they should be attached only to Quick Setup managed roles. For more information about permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

The managed policy `AWSQuickSetupDevOpsGuruPermissionsBoundary` supports the [Set up DevOps Guru using Quick Setup](quick-setup-devops.md) type. The configuration type enables the machine learning-powered Amazon DevOps Guru. The DevOps Guru service can help improve an application’s operational performance and availability. 

When you create an `AWSQuickSetupDevOpsGuruPermissionsBoundary` configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.
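To make the boundary mechanism concrete, here is an added example (not AWS code and not the real policy document): a simplified evaluator showing that a role's effective permissions are the intersection of its identity policy and its boundary, plus an audit over `iam:ListRoles`-shaped records that flags the misuse the note above warns against. The policy contents, role names and the role-name prefixes (`AWS-QuickSetup-`, `AWSOperationsPack-`, taken from the deployment policy description on this page) are constructed assumptions.

```python
"""Added example, not AWS code: how a permissions boundary caps a role.

Simplified IAM evaluation used here: an explicit Deny matching the action, in
either policy, wins; otherwise the action is allowed only if an Allow matches
in BOTH the identity policy and the boundary. Resource ARNs and Condition
keys are ignored; actions match with IAM-style '*'/'?' wildcards, case-insensitively.
"""
import fnmatch

# Constructed sample identity policy, as if attached to a Quick Setup-created role.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:*", "ec2:TerminateInstances"], "Resource": "*"},
]}

# Constructed stand-in for a Quick Setup boundary. This is NOT the real
# AWSQuickSetupDevOpsGuruPermissionsBoundary document; it only mirrors the
# shape of the permissions described in the text, plus one explicit Deny.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ssm:StartAutomationExecution", "ssm:GetServiceSetting",
        "ssm:UpdateServiceSetting", "config:DescribeConfigurationRecorders"]},
    {"Effect": "Deny", "Action": "ssm:DeleteDocument", "Resource": "*"},
]}


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _effect(policy: dict, action: str):
    """Return 'Deny' if any Deny statement matches the action, 'Allow' if any
    Allow statement matches, or None if the policy is silent on it."""
    allow_seen = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_action_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"
            allow_seen = True
    return "Allow" if allow_seen else None


def is_allowed(identity_policy: dict, boundary: dict, action: str) -> bool:
    """Effective decision for a role that has an identity policy and a boundary."""
    ident, bound = _effect(identity_policy, action), _effect(boundary, action)
    if "Deny" in (ident, bound):
        return False
    # The boundary never grants on its own; both sides must allow.
    return ident == "Allow" and bound == "Allow"


# Defender's audit: a Quick Setup boundary on a role that Quick Setup did not
# create is a misconfiguration. Boundary names are the ones documented on this
# page; the role-name prefixes are assumed from the deployment policy description.
QUICK_SETUP_BOUNDARIES = {
    "AWSQuickSetupDevOpsGuruPermissionsBoundary", "AWSQuickSetupDistributorPermissionsBoundary",
    "AWSQuickSetupSSMHostMgmtPermissionsBoundary", "AWSQuickSetupPatchPolicyPermissionsBoundary",
    "AWSQuickSetupSchedulerPermissionsBoundary", "AWSQuickSetupCFGCPacksPermissionsBoundary",
}
QUICK_SETUP_ROLE_PREFIXES = ("AWS-QuickSetup-", "AWSOperationsPack-")


def misplaced_boundaries(roles: list) -> list:
    """Return names of roles carrying a Quick Setup boundary that were not
    created by Quick Setup. `roles` has the shape of iam:ListRoles output."""
    findings = []
    for role in roles:
        arn = role.get("PermissionsBoundary", {}).get("PermissionsBoundaryArn", "")
        policy_name = arn.rsplit("/", 1)[-1]
        if policy_name in QUICK_SETUP_BOUNDARIES and not role["RoleName"].startswith(QUICK_SETUP_ROLE_PREFIXES):
            findings.append(role["RoleName"])
    return findings


# Constructed sample records (shape of `aws iam list-roles`); names are invented.
DEVOPS_GURU_BOUNDARY_ARN = "arn:aws:iam::aws:policy/AWSQuickSetupDevOpsGuruPermissionsBoundary"
SAMPLE_ROLES = [
    {"RoleName": "AWS-QuickSetup-DevOpsGuru-ExampleRole",
     "PermissionsBoundary": {"PermissionsBoundaryType": "Policy", "PermissionsBoundaryArn": DEVOPS_GURU_BOUNDARY_ARN}},
    {"RoleName": "team-deploy-role",  # boundary attached by hand: should be flagged
     "PermissionsBoundary": {"PermissionsBoundaryType": "Policy", "PermissionsBoundaryArn": DEVOPS_GURU_BOUNDARY_ARN}},
    {"RoleName": "app-role"},  # no boundary at all
]

if __name__ == "__main__":
    for action in ("ssm:StartAutomationExecution", "ec2:TerminateInstances", "ssm:DeleteDocument"):
        print(f"{action}: {'ALLOW' if is_allowed(IDENTITY_POLICY, BOUNDARY, action) else 'DENY'}")
    print("roles with a misplaced Quick Setup boundary:", misplaced_boundaries(SAMPLE_ROLES))
```

In a real audit, feed `misplaced_boundaries` the `Roles` list returned by `iam:ListRoles` (the records include `PermissionsBoundary` when one is set).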

This policy grants administrative permissions that allow Quick Setup to enable and configure Amazon DevOps Guru.

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to create service-linked roles for DevOps Guru and Systems Manager; and to list roles that help enable Explorer.
+ `cloudformation` – Allows principals to list and describe CloudFormation stacks.
+ `sns` – Allows principals to list and create Amazon SNS topics.
+ `devops-guru` – Allows principals to configure DevOps Guru; and to add a notification channel.
+ `config` – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.
+ `ssm` – Allows principals to start an Automation workflow that enables Explorer; and to read and update Explorer service settings. 
+ `compute-optimizer` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
+ `support` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupDevOpsGuruPermissionsBoundary](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupDevOpsGuruPermissionsBoundary.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupDistributorPermissionsBoundary
<a name="security-iam-awsmanpol-AWSQuickSetupDistributorPermissionsBoundary"></a>

**Note**  
This policy is a *permissions boundary*. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. Don't attach Quick Setup permissions boundary policies on your own; they should be attached only to Quick Setup managed roles. For more information about permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

The managed policy `AWSQuickSetupDistributorPermissionsBoundary` supports the [Deploy Distributor packages using Quick Setup](quick-setup-distributor.md) Quick Setup configuration type. The configuration type helps enable the distribution of software packages, such as agents, to your Amazon Elastic Compute Cloud (Amazon EC2) instances, using Distributor, a tool in AWS Systems Manager. 

When you create an `AWSQuickSetupDistributorPermissionsBoundary` configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.

This policy grants administrative permissions that allow Quick Setup to enable the distribution of software packages, such as agents, to your Amazon EC2 instances using Distributor.

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to get and pass the Distributor automation role; to create, read, update, and delete the default instance role; to pass the default instance role to Amazon EC2 and Systems Manager; to attach instance management policies to instance roles; to create a service-linked role for Systems Manager; to add the default instance role to instance profiles; to read information about IAM roles and instance profiles; and to create the default instance profile.
+ `ec2` – Allows principals to associate the default instance profile with EC2 instances; and to help enable Explorer.
+ `ssm` – Allows principals to start automation workflows that configure instances and install packages; to help start the automation workflow that enables Explorer; and to read and update Explorer service settings.
+ `config` – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.
+ `compute-optimizer` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
+ `support` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupDistributorPermissionsBoundary](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupDistributorPermissionsBoundary.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupSSMHostMgmtPermissionsBoundary
<a name="security-iam-awsmanpol-AWSQuickSetupSSMHostMgmtPermissionsBoundary"></a>

**Note**  
This policy is a *permissions boundary*. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. Don't attach Quick Setup permissions boundary policies on your own; they should be attached only to Quick Setup managed roles. For more information about permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

The managed policy `AWSQuickSetupSSMHostMgmtPermissionsBoundary` supports the [Set up Amazon EC2 host management using Quick Setup](quick-setup-host-management.md) Quick Setup configuration type. This configuration type configures IAM roles and enables commonly used Systems Manager tools to securely manage your Amazon EC2 instances.

When you create an `AWSQuickSetupSSMHostMgmtPermissionsBoundary` configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.

This policy grants administrative permissions that allow Quick Setup to enable and configure Systems Manager tools needed for securely managing EC2 instances.

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to get and pass the service role to Automation; to create, read, update, and delete the default instance role; to pass the default instance role to Amazon EC2 and Systems Manager; to attach instance management policies to instance roles; to create a service-linked role for Systems Manager; to add the default instance role to instance profiles; to read information about IAM roles and instance profiles; and to create the default instance profile.
+ `ec2` – Allows principals to associate and disassociate the default instance profile with EC2 instances.
+ `ssm` – Allows principals to start Automation workflows that enable Explorer; to read and update Explorer service settings; to configure instances; and to enable Systems Manager tools on instances.
+ `compute-optimizer` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
+ `support` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupSSMHostMgmtPermissionsBoundary](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupSSMHostMgmtPermissionsBoundary.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupPatchPolicyPermissionsBoundary
<a name="security-iam-awsmanpol-AWSQuickSetupPatchPolicyPermissionsBoundary"></a>

**Note**  
This policy is a *permissions boundary*. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. Don't attach Quick Setup permissions boundary policies on your own; they should be attached only to Quick Setup managed roles. For more information about permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

The managed policy `AWSQuickSetupPatchPolicyPermissionsBoundary` supports the [Configure patching for instances in an organization using a Quick Setup patch policy](quick-setup-patch-manager.md) Quick Setup type. This configuration type helps automate patching of applications and nodes in a single account or across your organization. 

When you create an `AWSQuickSetupPatchPolicyPermissionsBoundary` configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.

This policy grants administrative permissions that allow Quick Setup to enable and configure patch policies in Patch Manager, a tool in AWS Systems Manager.

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to get the Patch Manager Automation role; to pass Automation roles to Patch Manager patching operations; to create the default instance role, `AmazonSSMRoleForInstancesQuickSetup`; to pass the default instance role to Amazon EC2 and Systems Manager; to attach selected AWS managed policies to the instance role; to create a service-linked role for Systems Manager; to add the default instance role to instance profiles; to read information about instance profiles and roles; to create a default instance profile; and to tag roles that have permissions to read patch baseline overrides.
+ `ssm` – Allows principals to update the instance role that is managed by Systems Manager; to manage associations created by Patch Manager patch policies created in Quick Setup; to tag instances targeted by a patch policy configuration; to read information about instances and patching status; to start Automation workflows that configure, enable, and remediate instance patching; to start automation workflows that enable Explorer; to help enable Explorer; and to read and update Explorer service settings.
+ `ec2` – Allows principals to associate and disassociate the default instance profile with EC2 instances; to tag instances targeted by a patch policy configuration; and to help enable Explorer.
+ `s3` – Allows principals to create and configure S3 buckets to store patch baseline overrides.
+ `lambda` – Allows principals to invoke AWS Lambda functions that configure patching and to perform clean-up operations after a Quick Setup patch policy configuration is deleted.
+ `logs` – Allows principals to configure logging for Patch Manager Quick Setup AWS Lambda functions.
+ `config` – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.
+ `compute-optimizer` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
+ `support` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupPatchPolicyPermissionsBoundary](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupPatchPolicyPermissionsBoundary.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupSchedulerPermissionsBoundary
<a name="security-iam-awsmanpol-AWSQuickSetupSchedulerPermissionsBoundary"></a>

**Note**  
This policy is a *permissions boundary*. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. Don't attach Quick Setup permissions boundary policies on your own; they should be attached only to Quick Setup managed roles. For more information about permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

The managed policy `AWSQuickSetupSchedulerPermissionsBoundary` supports the [Stop and start EC2 instances automatically on a schedule using Quick Setup](quick-setup-scheduler.md) Quick Setup configuration type. This configuration type lets you stop and start your EC2 instances and other resources at the times you specify. 

When you create an `AWSQuickSetupSchedulerPermissionsBoundary` configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.

This policy grants administrative permissions that allow Quick Setup to enable and configure scheduled operations on EC2 instances and other resources.

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to retrieve and pass roles for instance management automation actions; to manage, pass, and attach default instance roles for EC2 instance management; to create default instance profiles; to add default instance roles to instance profiles; to create a service-linked role for Systems Manager; to read information about IAM roles and instance profiles; to associate a default instance profile with EC2 instances; and to start Automation workflows to configure instances and enable Systems Manager tools on them.
+ `ssm` – Allows principals to start Automation workflows that enable Explorer; and to read and update Explorer service settings.
+ `ec2` – Allows principals to locate targeted instances and to start and stop them on a schedule.
+ `config` – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.
+ `compute-optimizer` – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
+ `support` – Allows principals to help enable Explorer by providing read-only access to AWS Trusted Advisor checks for an account.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupSchedulerPermissionsBoundary](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupSchedulerPermissionsBoundary.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupCFGCPacksPermissionsBoundary
<a name="security-iam-awsmanpol-AWSQuickSetupCFGCPacksPermissionsBoundary"></a>

**Note**  
This policy is a *permissions boundary*. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. Don't attach Quick Setup permissions boundary policies on your own; they should be attached only to Quick Setup managed roles. For more information about permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

The managed policy `AWSQuickSetupCFGCPacksPermissionsBoundary` supports the [Deploy AWS Config conformance pack using Quick Setup](quick-setup-cpack.md) Quick Setup configuration type. This configuration type deploys AWS Config conformance packs. Conformance packs are collections of AWS Config rules and remediation actions that can be deployed as a single entity.

When you create an `AWSQuickSetupCFGCPacksPermissionsBoundary` configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.

This policy grants administrative permissions that allow Quick Setup to deploy AWS Config conformance packs.

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to create, get, and pass a service-linked role for AWS Config. 
+ `sns` – Allows principals to list platform applications in Amazon SNS. 
+ `config` – Allows principals to deploy AWS Config conformance packs; to get the status of conformance packs; and to get information about configuration recorders.
+ `ssm` – Allows principals to get information about SSM documents and Automation workflows; to get information about resource tags; and to get information about and update service settings.
+ `compute-optimizer` – Allows principals to get the opt-in status of an account.
+ `support` – Allows principals to get information about AWS Trusted Advisor checks.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupCFGCPacksPermissionsBoundary](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupCFGCPacksConfigurationPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupStartStopInstancesExecutionPolicy
<a name="security-iam-awsmanpol-AWSQuickSetupStartStopInstancesExecutionPolicy"></a>

You can attach `AWSQuickSetupStartStopInstancesExecutionPolicy` to your IAM entities. This policy provides permissions for Quick Setup to manage the starting and stopping of Amazon EC2 instances using Systems Manager automation.

**Permissions details**

This policy includes the following permissions.
+ `ec2` – Allows principals to describe Amazon EC2 instances, their status, regions, and tags. Also allows starting and stopping specific Amazon EC2 instances.
+ `ssm` – Allows principals to get calendar state from Quick Setup change calendars, start associations, and execute automation documents for instance scheduling.
+ `iam` – Allows principals to pass Quick Setup IAM roles to Systems Manager for automation execution, with conditions that restrict the service to `ssm.amazonaws.com` and specific resource ARNs.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupStartStopInstancesExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupStartStopInstancesExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupStartSSMAssociationsExecutionPolicy
<a name="security-iam-awsmanpol-AWSQuickSetupStartSSMAssociationsExecutionPolicy"></a>

This policy grants permissions that allow Quick Setup to run the `AWSQuickSetupType-Scheduler-ChangeCalendarState` Automation runbook. This runbook is used to manage change calendar states for scheduled operations in Quick Setup configurations.

You can attach `AWSQuickSetupStartSSMAssociationsExecutionPolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to start automation executions specifically for the `AWSQuickSetupType-Scheduler-ChangeCalendarState` document. This is required for Quick Setup to manage change calendar states for scheduled operations.
+ `iam` – Allows principals to pass roles with names that begin with "AWS-QuickSetup-" to the Systems Manager service. This permission is restricted to use with specific SSM documents related to change calendar management. This is required for Quick Setup to pass the appropriate execution role to the automation process.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupStartSSMAssociationsExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupStartSSMAssociationsExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy
<a name="security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy"></a>

The policy `AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy` provides permissions for diagnosing issues with nodes that interact with Systems Manager services by starting Automation workflows in accounts and Regions where nodes are managed.

You can attach `AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform diagnosis actions on your behalf.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to run specific Automation runbooks that diagnose node issues, access the execution status for workflows, and retrieve automation execution details. The policy grants permissions to describe automation executions, describe automation step executions, get automation execution details, and start automation executions for diagnosis-related documents.
+ `kms` – Allows principals to use customer-specified AWS Key Management Service keys for decryption and data key generation when accessing encrypted objects in Amazon S3 buckets used for diagnosis operations. These permissions are restricted to keys tagged with `SystemsManagerManaged` and used via Amazon S3 service with specific encryption context requirements.
+ `sts` – Allows principals to assume diagnosis execution roles to run Automation runbooks in the same account. This permission is restricted to roles with the `AWS-SSM-DiagnosisExecutionRole` naming pattern and includes a condition to ensure the resource account matches the principal account.
+ `iam` – Allows principals to pass the diagnosis administration role to Systems Manager to run Automation runbooks. This permission is restricted to roles with the `AWS-SSM-DiagnosisAdminRole` naming pattern and can only be passed to the Systems Manager service.
+ `s3` – Allows principals to access, read, write, and delete objects in Amazon S3 buckets used for diagnosis operations. These permissions are restricted to buckets with the `do-not-delete-ssm-diagnosis-` naming pattern and include conditions to ensure operations are performed within the same account.

To view more details about the policy, including the latest version of the JSON policy document, see [AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy
<a name="security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy"></a>

The managed policy `AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy` provides administrative permission for running Automation runbooks in a targeted AWS account and Region to diagnose issues with managed nodes that interact with Systems Manager services.

You can attach `AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `ec2` – Allows principals to describe Amazon EC2 and Amazon VPC resources and their configurations to diagnose issues with Systems Manager services. This includes permissions to describe VPCs, VPC attributes, VPC endpoints, subnets, security groups, instances, instance status, network ACLs, and internet gateways.
+ `ssm` – Allows principals to run diagnosis-specific Automation runbooks and access the automation workflow status and execution metadata. This includes permissions to describe automation step executions, describe instance information, describe automation executions, describe activations, get automation execution details, get service settings, and start automation executions for specific AWS unmanaged EC2 diagnosis documents.
+ `kms` – Allows principals to use customer-specified AWS Key Management Service keys for decryption and data key generation when accessing encrypted objects in Amazon S3 buckets used for diagnosis operations. These permissions are restricted to keys tagged with `SystemsManagerManaged` and used via Amazon S3 service with specific encryption context requirements for diagnosis buckets.
+ `iam` – Allows principals to pass the diagnosis execution role to Systems Manager to run Automation documents. This permission is restricted to roles with the `AWS-SSM-DiagnosisExecutionRole` naming pattern and can only be passed to the Systems Manager service.

To view more details about the policy, including the latest version of the JSON policy document, see [AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWS-SSM-RemediationAutomation-AdministrationRolePolicy
<a name="security-iam-awsmanpol-AWS-SSM-RemediationAutomation-AdministrationRolePolicy"></a>

The policy `AWS-SSM-RemediationAutomation-AdministrationRolePolicy` provides permissions for remediating issues with Systems Manager services by running the activities defined in Automation documents. This policy enables starting Automation workflows in accounts and Regions where nodes are managed to address connectivity and configuration issues.

You can attach `AWS-SSM-RemediationAutomation-AdministrationRolePolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform remediation actions on your behalf.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to run specific Automation runbooks that remediate node issues, access the execution status for workflows, and retrieve automation execution details. The policy grants permissions to describe automation executions, describe automation step executions, get automation execution details, and start automation executions for remediation-related documents.
+ `kms` – Allows principals to use customer-specified AWS Key Management Service keys for decryption and data key generation when accessing encrypted objects in Amazon S3 buckets used for remediation operations. These permissions are restricted to keys tagged with `SystemsManagerManaged` and used via Amazon S3 service with specific encryption context requirements.
+ `sts` – Allows principals to assume remediation execution roles to run Automation runbooks in the same account. This permission is restricted to roles with the `AWS-SSM-RemediationExecutionRole` naming pattern and includes a condition to ensure the resource account matches the principal account.
+ `iam` – Allows principals to pass the remediation administration role to Systems Manager to run Automation runbooks. This permission is restricted to roles with the `AWS-SSM-RemediationAdminRole` naming pattern and can only be passed to the Systems Manager service.
+ `s3` – Allows principals to access, read, write, and delete objects in Amazon S3 buckets used for remediation operations. These permissions are restricted to buckets with the `do-not-delete-ssm-diagnosis-` naming pattern and include conditions to ensure operations are performed within the same account.

To view more details about the policy, including the latest version of the JSON policy document, see [AWS-SSM-RemediationAutomation-AdministrationRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWS-SSM-RemediationAutomation-AdministrationRolePolicy.html) in the *AWS Managed Policy Reference Guide*.
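The two administration-role policies above (`AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy` and `AWS-SSM-RemediationAutomation-AdministrationRolePolicy`) are described in terms of the same scoping controls: `iam:PassRole` pinned to the Systems Manager service, `sts:AssumeRole` and S3 access pinned to the caller's own account, KMS use limited to keys tagged `SystemsManagerManaged` and reached through S3, and role and bucket ARNs limited to the documented naming patterns. The following added example (not AWS code, and not the managed policy document itself) lints a policy document for exactly those controls. The `SAMPLE_POLICY` it ships with is constructed to mirror the prose; the runbook ARN in it is a placeholder, since the page does not list the diagnosis document names.

```python
"""Lint an IAM policy document for the scoping controls described for the
diagnosis/remediation administration-role policies."""
import fnmatch
import json

# Constructed sample that mirrors the prose description. It is NOT the
# AWS-managed policy document; fetch that from the Managed Policy Reference.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:DescribeAutomationExecutions",
                    "ssm:DescribeAutomationStepExecutions",
                    "ssm:GetAutomationExecution"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "ssm:StartAutomationExecution",
         # Placeholder runbook name; the page does not list the exact documents.
         "Resource": "arn:aws:ssm:*:*:automation-definition/PLACEHOLDER-DiagnosisRunbook:*"},
        {"Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": "arn:aws:kms:*:*:key/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/SystemsManagerManaged": "true"},
                       "StringLike": {"kms:ViaService": "s3.*.amazonaws.com"}}},
        {"Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::*:role/AWS-SSM-DiagnosisExecutionRole*",
         "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
        {"Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::*:role/AWS-SSM-DiagnosisAdminRole*",
         "Condition": {"StringEquals": {"iam:PassedToService": "ssm.amazonaws.com"}}},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::do-not-delete-ssm-diagnosis-*",
                      "arn:aws:s3:::do-not-delete-ssm-diagnosis-*/*"],
         "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
    ],
})

# action pattern -> (ARN pattern every Resource must match, condition keys that must be present)
RULES = {
    "iam:PassRole": ("arn:aws:iam::*:role/AWS-SSM-*AdminRole*", ["iam:PassedToService"]),
    "sts:AssumeRole": ("arn:aws:iam::*:role/AWS-SSM-*ExecutionRole*", ["aws:ResourceAccount"]),
    "s3:*": ("arn:aws:s3:::do-not-delete-ssm-diagnosis-*", ["aws:ResourceAccount"]),
    "kms:*": ("arn:aws:kms:*:*:key/*",
              ["aws:ResourceTag/SystemsManagerManaged", "kms:ViaService"]),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_keys(stmt):
    """Every condition key used in the statement, regardless of operator."""
    return {key for kv in stmt.get("Condition", {}).values() for key in kv}


def lint_policy(policy_json):
    """Return human-readable findings; an empty list means every rule held."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"statement {i}: wildcard action")
        keys = _condition_keys(stmt)
        for action_pattern, (resource_pattern, required_keys) in RULES.items():
            if not any(fnmatch.fnmatchcase(a, action_pattern) for a in actions):
                continue
            if not resources or not all(fnmatch.fnmatchcase(r, resource_pattern) for r in resources):
                findings.append(f"statement {i}: {action_pattern} resource not limited to {resource_pattern}")
            for key in required_keys:
                if key not in keys:
                    findings.append(f"statement {i}: {action_pattern} lacks condition key {key}")
    return findings


def drop_condition(policy_json, action, key):
    """Copy of the policy with one condition key removed from statements
    allowing `action` (shows what a weakened policy looks like to the linter)."""
    doc = json.loads(policy_json)
    for stmt in _as_list(doc["Statement"]):
        if action in _as_list(stmt.get("Action", [])):
            for kv in stmt.get("Condition", {}).values():
                kv.pop(key, None)
    return json.dumps(doc)


def widen_resource(policy_json, action):
    """Copy of the policy with Resource set to "*" on statements allowing `action`."""
    doc = json.loads(policy_json)
    for stmt in _as_list(doc["Statement"]):
        if action in _as_list(stmt.get("Action", [])):
            stmt["Resource"] = "*"
    return json.dumps(doc)


if __name__ == "__main__":
    for name, doc in [("as described", SAMPLE_POLICY),
                      ("PassRole without PassedToService",
                       drop_condition(SAMPLE_POLICY, "iam:PassRole", "iam:PassedToService")),
                      ("AssumeRole on any role", widen_resource(SAMPLE_POLICY, "sts:AssumeRole"))]:
        print(name, "->", lint_policy(doc) or "no findings")
```

To run the same checks against the real document, fetch it with `aws iam get-policy-version` for the policy ARN and pass the `Document` field to `lint_policy`. The rules are deliberately strict: a missing `iam:PassedToService` on a PassRole statement, or an AssumeRole statement with a wildcard resource, is reported even if other conditions are present.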

## AWS managed policy: AWS-SSM-RemediationAutomation-ExecutionRolePolicy
<a name="security-iam-awsmanpol-AWS-SSM-RemediationAutomation-ExecutionRolePolicy"></a>

The managed policy `AWS-SSM-RemediationAutomation-ExecutionRolePolicy` provides permissions for running Automation runbooks in a specific target account and Region to remediate networking and connectivity issues with managed nodes that interact with Systems Manager services. The remediation activities are those defined in the Automation documents, which address connectivity and configuration issues.

You can attach the policy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform remediation actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to retrieve information about Automation executions and their step executions, and to start specific remediation Automation runbooks including `AWS-OrchestrateUnmanagedEC2Actions` and `AWS-RemediateSSMAgent` documents. The policy grants permissions to describe automation executions, describe automation step executions, get automation execution details, and start automation executions for remediation-related documents.
+ `ec2` – Allows principals to describe and modify Amazon VPC networking resources to remediate connectivity issues. This includes:
  + Describing Amazon VPC attributes, subnets, Amazon VPC endpoints, and security groups.
  + Creating Amazon VPC endpoints for Systems Manager services (`ssm`, `ssmmessages`, and `ec2messages`) with required tags.
  + Modifying Amazon VPC attributes to enable DNS support and hostnames.
  + Creating and managing security groups with specific tags for Amazon VPC endpoint access.
  + Authorizing and revoking security group rules for HTTPS access with appropriate tags.
  + Creating tags on Amazon VPC endpoints, security groups, and security group rules during resource creation.
+ `kms` – Allows principals to use customer-specified AWS Key Management Service keys for decryption and data key generation when accessing encrypted objects in Amazon S3 buckets used for remediation operations. These permissions are restricted to keys tagged with `SystemsManagerManaged` and used via Amazon S3 service with specific encryption context requirements.
+ `iam` – Allows principals to pass the remediation execution role to Systems Manager to run Automation runbooks. This permission is restricted to roles with the `AWS-SSM-RemediationExecutionRole` naming pattern and can only be passed to the Systems Manager service.

To view more details about the policy, including the latest version of the JSON policy document, see [AWS-SSM-RemediationAutomation-ExecutionRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWS-SSM-RemediationAutomation-ExecutionRolePolicy.html) in the *AWS Managed Policy Reference Guide*.
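The `ec2` permissions listed above exist so the remediation runbooks can put in place the private network path SSM Agent needs: interface endpoints for `ssm`, `ssmmessages`, and `ec2messages`, plus DNS support and hostnames on the VPC. The following added example (not AWS code) is an offline readiness check for that configuration; it takes the `VpcEndpoints` list from the EC2 `DescribeVpcEndpoints` response and the VPC's DNS attributes, and reports what is missing. The sample inputs are constructed, and the check assumes private endpoint access is the goal (a VPC whose subnets reach Systems Manager through a NAT gateway or internet gateway does not need the endpoints).

```python
"""Offline readiness check for the VPC plumbing that the remediation runbooks
are permitted to create. Input shapes follow the EC2 DescribeVpcEndpoints and
DescribeVpcAttribute responses, trimmed to the fields used here."""

SSM_ENDPOINT_SERVICES = ("ssm", "ssmmessages", "ec2messages")


def check_ssm_connectivity(region, vpc_id, vpc_attributes, vpc_endpoints):
    """Return a list of findings; empty means the VPC looks ready for SSM Agent
    to reach Systems Manager over interface endpoints. vpc_attributes maps the
    attribute name to a bool; vpc_endpoints is the VpcEndpoints list."""
    findings = []
    # Private DNS on an interface endpoint only works when both VPC DNS
    # attributes are enabled, so check those first.
    for attr in ("EnableDnsSupport", "EnableDnsHostnames"):
        if not vpc_attributes.get(attr, False):
            findings.append(f"{vpc_id}: {attr} is disabled")
    by_service = {ep["ServiceName"]: ep for ep in vpc_endpoints
                  if ep.get("VpcId") == vpc_id and ep.get("VpcEndpointType") == "Interface"}
    for svc in SSM_ENDPOINT_SERVICES:
        name = f"com.amazonaws.{region}.{svc}"
        ep = by_service.get(name)
        if ep is None:
            findings.append(f"{vpc_id}: no interface endpoint for {name}")
            continue
        if ep.get("State") != "available":
            findings.append(f"{vpc_id}: endpoint {ep['VpcEndpointId']} for {name} is {ep.get('State')}")
        if not ep.get("PrivateDnsEnabled", False):
            findings.append(f"{vpc_id}: endpoint {ep['VpcEndpointId']} for {name} has private DNS disabled")
    return findings


# Constructed sample: one endpoint lacks private DNS, one service has no
# endpoint at all, and DNS hostnames are off on the VPC.
SAMPLE_REGION = "us-east-1"
SAMPLE_VPC = "vpc-0123456789abcdef0"
SAMPLE_VPC_ATTRIBUTES = {"EnableDnsSupport": True, "EnableDnsHostnames": False}
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0aaa", "VpcId": SAMPLE_VPC, "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.ssm", "State": "available",
     "PrivateDnsEnabled": False},
    {"VpcEndpointId": "vpce-0bbb", "VpcId": SAMPLE_VPC, "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.ec2messages", "State": "available",
     "PrivateDnsEnabled": True},
    # Gateway endpoint for S3: not one of the three SSM services, so ignored.
    {"VpcEndpointId": "vpce-0ccc", "VpcId": SAMPLE_VPC, "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available"},
]

# Constructed healthy set for comparison: all three services, private DNS on.
HEALTHY_ENDPOINTS = [
    {"VpcEndpointId": f"vpce-0{i}", "VpcId": SAMPLE_VPC, "VpcEndpointType": "Interface",
     "ServiceName": f"com.amazonaws.{SAMPLE_REGION}.{svc}", "State": "available",
     "PrivateDnsEnabled": True}
    for i, svc in enumerate(SSM_ENDPOINT_SERVICES)
]

if __name__ == "__main__":
    for line in check_ssm_connectivity(SAMPLE_REGION, SAMPLE_VPC,
                                       SAMPLE_VPC_ATTRIBUTES, SAMPLE_ENDPOINTS):
        print(line)
```

With live data, feed the function the output of `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<vpc>` and the two `describe-vpc-attribute` calls; the findings map directly onto the items the remediation policy is allowed to fix.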

## AWS managed policy: AWSQuickSetupSSMManageResourcesExecutionPolicy
<a name="security-iam-awsmanpol-AWSQuickSetupSSMManageResourcesExecutionPolicy"></a>

This policy grants permissions that allow Quick Setup to run the `AWSQuickSetupType-SSM-SetupResources` Automation runbook. This runbook creates IAM roles for Quick Setup associations, which in turn are created by an `AWSQuickSetupType-SSM` deployment. It also grants permissions to clean up an associated Amazon S3 bucket during a Quick Setup delete operation.

You can attach the policy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to list and manage IAM roles for use with Quick Setup and Systems Manager Explorer operations, and to view, attach, and detach IAM policies for use with Quick Setup and Systems Manager Explorer. These permissions are required so Quick Setup can create the roles needed for some of its configuration operations.
+ `s3` – Allows principals to retrieve information about objects in, and to delete objects from, Amazon S3 buckets in the principal account that are used specifically in Quick Setup configuration operations. This is required so that S3 objects that are no longer needed after configuration can be removed.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupSSMManageResourcesExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupSSMManageResourcesExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupSSMLifecycleManagementExecutionPolicy
<a name="security-iam-awsmanpol-AWSQuickSetupSSMLifecycleManagementExecutionPolicy"></a>

The `AWSQuickSetupSSMLifecycleManagementExecutionPolicy` policy grants administrative permissions that allow Quick Setup to run a CloudFormation custom resource on lifecycle events during Quick Setup deployment in Systems Manager.

You can attach this policy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to get information about automation executions and start automation executions for setting up certain Quick Setup operations.
+ `iam` – Allows principals to pass roles from IAM for setting up certain Quick Setup resources.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupSSMLifecycleManagementExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupSSMLifecycleManagementExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupSSMDeploymentRolePolicy
<a name="security-iam-awsmanpol-AWSQuickSetupSSMDeploymentRolePolicy"></a>

The managed policy `AWSQuickSetupSSMDeploymentRolePolicy` grants administrative permissions that allow Quick Setup to create resources that are used during the Systems Manager onboarding process. 

Though you can manually attach this policy to your IAM entities, this is not recommended. Quick Setup creates entities that attach this policy to a service role that allows Systems Manager to perform actions on your behalf.

This policy is not related to the [`SSMQuickSetupRolePolicy` policy](using-service-linked-roles-service-action-5.md), which is used to provide permissions for the `AWSServiceRoleForSSMQuickSetup` service-linked role.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to manage associations for certain resources that are created using AWS CloudFormation templates and a specific set of SSM documents; to manage roles and role policies used for diagnosing and remediating managed nodes through CloudFormation templates; and to attach and delete policies for Quick Setup lifecycle events.
+ `iam` – Allows principals to tag roles and to pass roles to the Systems Manager service and the Lambda service, and to pass roles for diagnosis operations.
+ `lambda` – Allows principals to tag and manage functions for the Quick Setup lifecycle in the principal account using CloudFormation templates.
+ `cloudformation` – Allows principals to read information from CloudFormation. This is required so Quick Setup can gather data about the CloudFormation stacks used to manage the state of resources and CloudFormation stackset operations. 

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupSSMDeploymentRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupSSMDeploymentRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupSSMDeploymentS3BucketRolePolicy
<a name="security-iam-awsmanpol-AWSQuickSetupSSMDeploymentS3BucketRolePolicy"></a>

The `AWSQuickSetupSSMDeploymentS3BucketRolePolicy` policy grants permissions for listing all S3 buckets in an account; and for managing and retrieving information about specific buckets in the principal account that are managed through CloudFormation templates.

You can attach `AWSQuickSetupSSMDeploymentS3BucketRolePolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `s3` – Allows principals to list all S3 buckets in an account, and to manage and retrieve information about specific buckets in the principal account that are managed through CloudFormation templates.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupSSMDeploymentS3BucketRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupSSMDeploymentS3BucketRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupEnableDHMCExecutionPolicy
<a name="security-iam-awsmanpol-AWSQuickSetupEnableDHMCExecutionPolicy"></a>

This policy grants administrative permissions that allow principals to run the `AWSQuickSetupType-EnableDHMC` Automation runbook, which enables Default Host Management Configuration. The Default Host Management Configuration setting allows Systems Manager to automatically manage Amazon EC2 instances as *managed instances*. A managed instance is an EC2 instance that is configured for use with Systems Manager. This policy also grants permissions for creating IAM roles that are specified in Systems Manager service settings as the default roles for SSM Agent.

You can attach `AWSQuickSetupEnableDHMCExecutionPolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to update and get information about Systems Manager service settings.
+ `iam` – Allows principals to create and retrieve information about IAM roles for Quick Setup operations.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupEnableDHMCExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupEnableDHMCExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupEnableAREXExecutionPolicy
<a name="security-iam-awsmanpol-AWSQuickSetupEnableAREXExecutionPolicy"></a>

This policy grants administrative permissions that allow Systems Manager to run the `AWSQuickSetupType-EnableAREX` Automation runbook, which enables AWS Resource Explorer for use with Systems Manager. Resource Explorer makes it possible to view resources in your account with a search experience similar to an Internet search engine. The policy also grants permissions for managing Resource Explorer indexes and views.

You can attach `AWSQuickSetupEnableAREXExecutionPolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `iam` – Allows principals to create a service-linked role in the AWS Identity and Access Management (IAM) service.
+ `resource-explorer-2` – Allows principals to retrieve information about Resource Explorer views and indexes; to create Resource Explorer views and indexes; to change the index type for indexes displayed in Quick Setup.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupEnableAREXExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupEnableAREXExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupManagedInstanceProfileExecutionPolicy
<a name="security-iam-awsmanpol-AWSQuickSetupManagedInstanceProfileExecutionPolicy"></a>

This policy grants administrative permissions that allow Systems Manager to create a default IAM instance profile for the Quick Setup tool, and to attach it to Amazon EC2 instances that don't already have an instance profile attached. The policy also grants Systems Manager the ability to attach permissions to existing instance profiles. This is done to ensure that the permissions required for Systems Manager to communicate with SSM Agent on EC2 instances are in place.

You can attach `AWSQuickSetupManagedInstanceProfileExecutionPolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to start automation workflows associated with Quick Setup processes.
+ `ec2` – Allows principals to attach IAM instance profiles to EC2 instances that are managed by Quick Setup.
+ `iam` – Allows principals to create, update, and retrieve information about roles from IAM that are used in Quick Setup processes; to create IAM instance profiles; to attach the `AmazonSSMManagedInstanceCore` managed policy to IAM instance profiles.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupManagedInstanceProfileExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupManagedInstanceProfileExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupManageJITNAResourcesExecutionPolicy
<a name="security-iam-awsmanpol-AWSQuickSetupManageJITNAResourcesExecutionPolicy"></a>

The managed policy `AWSQuickSetupManageJITNAResourcesExecutionPolicy` enables Quick Setup, a tool in Systems Manager, to set up just-in-time node access.

You can attach `AWSQuickSetupManageJITNAResourcesExecutionPolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

This policy grants administrative permissions that allow Systems Manager to create resources associated with just-in-time node access.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to get and update the service setting that specifies the identity provider for just-in-time node access.
+ `iam` – Allows principals to create, tag, and get roles, attach role policies for just-in-time node access managed policies, and create service-linked roles for just-in-time node access and notifications.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupManageJITNAResourcesExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupManageJITNAResourcesExecutionPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSQuickSetupJITNADeploymentRolePolicy
<a name="security-iam-awsmanpol-AWSQuickSetupJITNADeploymentRolePolicy"></a>

The managed policy `AWSQuickSetupJITNADeploymentRolePolicy` allows Quick Setup to deploy the configuration type required to set up just-in-time node access.

You can attach `AWSQuickSetupJITNADeploymentRolePolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 

This policy grants administrative permissions that allow Systems Manager to create resources associated with just-in-time node access.

**Permissions details**

This policy includes the following permissions.
+ `cloudformation` – Allows principals to create, update, delete, and read CloudFormation stacks.
+ `ssm` – Allows principals to create, delete, update, and read State Manager associations that are called by CloudFormation.
+ `iam` – Allows principals to create, delete, read, and tag IAM roles that are called by CloudFormation.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupJITNADeploymentRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupJITNADeploymentRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSSystemsManagerJustInTimeAccessServicePolicy
<a name="security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessServicePolicy"></a>

The managed policy `AWSSystemsManagerJustInTimeAccessServicePolicy` provides access to AWS resources managed or used by the AWS Systems Manager just-in-time access framework. This policy update adds automation execution tagging permissions to enable customers to scope down operator permissions to specific tags.

You can't attach `AWSSystemsManagerJustInTimeAccessServicePolicy` to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see [Using roles to enable just-in-time node access](using-service-linked-roles-service-action-8.md).

This policy grants administrative permissions that allow access to resources associated with just-in-time node access.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to create and manage OpsItems, add tags to OpsItems and automation executions, get and update OpsItems, retrieve and describe documents, describe OpsItems and sessions, list documents and tags for managed instances.
+ `ssm-guiconnect` – Allows principals to list connections.
+ `identitystore` – Allows principals to get user and group IDs, describe users, and list group membership.
+ `sso-directory` – Allows principals to describe users and determine if a user is a member of a group.
+ `sso` – Allows principals to describe registered Regions and list instances and directory associations.
+ `cloudwatch` – Allows principals to put metric data for the `AWS/SSM/JustInTimeAccess` namespace.
+ `ec2` – Allows principals to describe tags.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerJustInTimeAccessServicePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerJustInTimeAccessServicePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSSystemsManagerJustInTimeAccessTokenPolicy
<a name="security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessTokenPolicy"></a>

The managed policy `AWSSystemsManagerJustInTimeAccessTokenPolicy` provides permissions for users to establish secure connections to Amazon EC2 instances and managed instances through Session Manager and Systems Manager GUI Connect RDP connections as part of just-in-time node access workflows.

You can attach `AWSSystemsManagerJustInTimeAccessTokenPolicy` to your IAM entities.

This policy grants contributor permissions that allow users to start and manage secure sessions, establish RDP connections, and perform necessary cryptographic operations for just-in-time node access.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to start Session Manager sessions on Amazon EC2 instances and managed instances using the `SSM-SessionManagerRunShell` document. Also allows terminating and resuming sessions, retrieving command invocation details, and sending commands to instances for SSO user setup when called through Systems Manager GUI Connect. Additionally allows starting port forwarding sessions for RDP connections when called through Systems Manager GUI Connect.
+ `ssmmessages` – Allows principals to open data channels for secure communication during Session Manager sessions.
+ `ssm-guiconnect` – Allows principals to start, get details about, and cancel Systems Manager GUI Connect RDP connections to instances.
+ `kms` – Allows principals to generate data keys for Session Manager encryption and create grants for RDP connections. These permissions are restricted to AWS KMS keys tagged with `SystemsManagerJustInTimeNodeAccessManaged=true`. Grant creation is further restricted to be used only through the Systems Manager GUI Connect service.
+ `sso` – Allows principals to list directory associations when called through Systems Manager GUI Connect. This is required for RDP SSO user setup.
+ `identitystore` – Allows principals to describe users in the identity store when called through Systems Manager GUI Connect. This is required for RDP SSO user setup.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerJustInTimeAccessTokenPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerJustInTimeAccessTokenPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSSystemsManagerJustInTimeAccessTokenSessionPolicy
<a name="security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessTokenSessionPolicy"></a>

The managed policy `AWSSystemsManagerJustInTimeAccessTokenSessionPolicy` allows Systems Manager to apply scoped down permissions to a just-in-time node access token. 

You can attach `AWSSystemsManagerJustInTimeAccessTokenSessionPolicy` to your IAM entities.

This policy grants administrative permissions that allow Systems Manager to scope down permissions for just-in-time node access tokens.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to start Session Manager sessions using the `SSM-SessionManagerRunShell` document. Also when called first via `ssm-guiconnect`, start sessions using the `AWS-StartPortForwardingSession` document, list command invocations, and send commands using the `AWSSSO-CreateSSOUser` document.
+ `ssm-guiconnect` – Allows principals to cancel, get, and start connections on all resources.
+ `kms` – Allows principals to create grants and generate data keys for keys tagged with `SystemsManagerJustInTimeNodeAccessManaged` when called via `ssm-guiconnect` through an AWS service.
+ `sso` – Allows principals to list directory associations when called via `ssm-guiconnect`.
+ `identitystore` – Allows principals to describe a user when called via `ssm-guiconnect`.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerJustInTimeAccessTokenSessionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerJustInTimeAccessTokenSessionPolicy.html) in the *AWS Managed Policy Reference Guide*.
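Both the token policy and the token session policy above scope a principal's access by three kinds of request context: the document name in the Session Manager resource ARN (`SSM-SessionManagerRunShell` unconditionally, `AWS-StartPortForwardingSession` only when called via `ssm-guiconnect`), the `SystemsManagerJustInTimeNodeAccessManaged` tag on the KMS key, and grant creation only through GUI Connect. The following added example (not AWS code, and not the managed policy document) is a small evaluator that shows how those conditions decide a request. The policy it evaluates is constructed to mirror the prose; the `aws:CalledVia` service-principal string and the account and key IDs are assumed values. It simplifies real IAM in one respect: `ssm:StartSession` is evaluated here against the document ARN only, whereas IAM authorizes the action against the target instance ARN as well.

```python
"""Evaluate requests against the request-context conditions the just-in-time
token and token session policies are described as using."""
import fnmatch

TAG_KEY = "aws:ResourceTag/SystemsManagerJustInTimeNodeAccessManaged"
GUI_CONNECT = "ssm-guiconnect.amazonaws.com"  # assumed aws:CalledVia value

# Constructed policy mirroring the prose; not the real managed policy document.
JIT_SESSION_POLICY = [
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"},
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession",
     "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": GUI_CONNECT}}},
    {"Effect": "Allow", "Action": "kms:GenerateDataKey",
     "Resource": "arn:aws:kms:*:*:key/*",
     "Condition": {"StringEquals": {TAG_KEY: "true"}}},
    {"Effect": "Allow", "Action": "kms:CreateGrant",
     "Resource": "arn:aws:kms:*:*:key/*",
     "Condition": {"StringEquals": {TAG_KEY: "true"},
                   "ForAnyValue:StringEquals": {"aws:CalledVia": GUI_CONNECT}}},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, key, patterns, context):
    """One condition entry. Set operators (ForAnyValue:/ForAllValues:) apply to
    multi-valued keys such as aws:CalledVia; only StringEquals and StringLike
    are implemented."""
    actual = context.get(key)
    if actual is None:
        # A missing key satisfies only ForAllValues (vacuously), as in IAM.
        return operator.startswith("ForAllValues:")
    quantifier, _, base = operator.rpartition(":")
    if base not in ("StringEquals", "StringLike"):
        raise ValueError(f"unsupported operator {operator}")

    def matches(value):
        return any(fnmatch.fnmatchcase(value, p) if base == "StringLike" else value == p
                   for p in patterns)

    values = _as_list(actual)
    if quantifier == "ForAnyValue":
        return any(matches(v) for v in values)
    if quantifier == "ForAllValues":
        return all(matches(v) for v in values)
    return len(values) == 1 and matches(values[0])


def is_allowed(policy, action, resource, context):
    """Explicit Deny beats Allow; no matching Allow is an implicit deny.
    Policy variables, NotAction/NotResource and resource policies are out of scope."""
    allowed = False
    for stmt in policy:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not all(_condition_holds(op, key, _as_list(pats), context)
                   for op, kv in stmt.get("Condition", {}).items()
                   for key, pats in kv.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed request inputs (example account and placeholder key ID).
RUN_SHELL = "arn:aws:ssm:us-east-1:111122223333:document/SSM-SessionManagerRunShell"
PORT_FORWARD = "arn:aws:ssm:us-east-1:111122223333:document/AWS-StartPortForwardingSession"
KEY = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"
VIA_GUI = {"aws:CalledVia": [GUI_CONNECT]}
TAGGED = {TAG_KEY: "true"}

if __name__ == "__main__":
    cases = [
        ("shell session, direct", "ssm:StartSession", RUN_SHELL, {}),
        ("port forwarding, direct", "ssm:StartSession", PORT_FORWARD, {}),
        ("port forwarding via GUI Connect", "ssm:StartSession", PORT_FORWARD, VIA_GUI),
        ("data key on tagged key", "kms:GenerateDataKey", KEY, TAGGED),
        ("grant on tagged key, direct", "kms:CreateGrant", KEY, TAGGED),
        ("grant on tagged key via GUI Connect", "kms:CreateGrant", KEY, {**TAGGED, **VIA_GUI}),
    ]
    for label, action, resource, ctx in cases:
        print(f"{label}: {'allow' if is_allowed(JIT_SESSION_POLICY, action, resource, ctx) else 'deny'}")
```

The useful observation is the asymmetry: the same principal with the same token gets an RDP port-forwarding session or a KMS grant only when the call arrives through GUI Connect, which is why a direct API call with those parameters is denied even though the token carries the policy.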

## AWS managed policy: AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy
<a name="security-iam-awsmanpol-AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy"></a>

The managed policy `AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy` allows Systems Manager to share deny-access policies from the delegated administrator account to member accounts, and replicate the policies across multiple AWS Regions.

You can attach `AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy` to your IAM entities.

This policy provides the administrative permissions necessary for Systems Manager to share and create deny-access policies. This ensures that deny-access policies are applied to all accounts in an AWS Organizations organization and Regions configured for just-in-time node access.

**Permissions details**

This policy includes the following permissions.
+ `ssm` – Allows principals to manage SSM documents and resource policies.
+ `ssm-quicksetup` – Allows principals to read Quick Setup configuration managers.
+ `organizations` – Allows principals to list details about an AWS Organizations organization and delegated administrators.
+ `ram` – Allows principals to create, tag, and describe resource shares.
+ `iam` – Allows principals to describe a service role.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSSystemsManagerNotificationsServicePolicy
<a name="security-iam-awsmanpol-AWSSystemsManagerNotificationsServicePolicy"></a>

The managed policy `AWSSystemsManagerNotificationsServicePolicy` allows Systems Manager to send email notifications for just-in-time node access requests to access request approvers.

You can't attach `AWSSystemsManagerNotificationsServicePolicy` to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see [Using roles to send just-in-time node access request notifications](using-service-linked-roles-service-action-9.md).

This policy grants administrative permissions that allow Systems Manager to send email notifications for just-in-time node access requests to access request approvers.

**Permissions details**

This policy includes the following permissions.
+ `identitystore` – Allows principals to list and describe users and group membership.
+ `sso` – Allows principals to list instances, directories, and describe registered Regions.
+ `sso-directory` – Allows principals to describe users and list members in a group.
+ `iam` – Allows principals to get information about roles.

To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerNotificationsServicePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerNotificationsServicePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWS-SSM-Automation-DiagnosisBucketPolicy
<a name="security-iam-awsmanpol-AWS-SSM-Automation-DiagnosisBucketPolicy"></a>

The managed policy `AWS-SSM-Automation-DiagnosisBucketPolicy` provides permissions for diagnosing issues with nodes that interact with AWS Systems Manager services, by allowing access to S3 buckets that are used for diagnosis and remediation of issues.

You can attach the `AWS-SSM-Automation-DiagnosisBucketPolicy` policy to your IAM identities. Systems Manager also attaches this policy to an IAM role that allows Systems Manager to perform diagnosis actions on your behalf.

**Permissions details**

This policy includes the following permissions.
+ `s3` – Allows principals to access and write objects to an Amazon S3 bucket.

To view more details about the policy, including the latest version of the JSON policy document, see [AWS-SSM-Automation-DiagnosisBucketPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWS-SSM-Automation-DiagnosisBucketPolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy
<a name="security-iam-awsmanpol-AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy"></a>

The managed policy `AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy` provides permissions for an operational account to diagnose issues with nodes by providing organization-specific permissions.

You can attach `AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy` to your IAM identities. Systems Manager also attaches this policy to an IAM role that allows Systems Manager to perform diagnosis actions on your behalf.

**Permissions details**

This policy includes the following permissions.
+ `organizations` – Allows principals to list a root of the organization, and get member accounts to determine target accounts.
+ `sts` – Allows principals to assume remediation execution roles to run SSM Automation documents across accounts and Regions, within the same organization.

To view more details about the policy, including the latest version of the JSON policy document, see [AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy
<a name="security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy"></a>

The managed policy `AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy` provides permissions for an operational account to diagnose issues with nodes by providing organization-specific permissions.

You can attach the `AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy` policy to your IAM identities. Systems Manager also attaches this policy to an IAM role that allows Systems Manager to perform diagnosis actions on your behalf.

**Permissions details**

This policy includes the following permissions.
+ `organizations` – Allows principals to list a root of the organization, and get member accounts to determine target accounts.
+ `sts` – Allows principals to assume diagnosis execution roles to run SSM Automation documents across accounts and Regions, within the same organization.

To view more details about the policy, including the latest version of the JSON policy document, see [AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## Systems Manager updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

In the following table, view details about updates to AWS managed policies for Systems Manager since this service began tracking these changes on March 12, 2021. For information about other managed policies for the Systems Manager service, see [Additional managed policies for Systems Manager](#policies-list) later in this topic. For automatic alerts about changes to this page, subscribe to the RSS feed on the Systems Manager [Document history](systems-manager-release-history.md) page.

| Change | Description | Date | 
| --- | --- | --- | 
|  [AmazonSSMAutomationRole](#security-iam-awsmanpol-AmazonSSMAutomationRole) – Update to an existing policy  |  Systems Manager added the `cloudformation:TagResource` and `cloudformation:UntagResource` permissions. These permissions allow Automation runbooks that create CloudFormation stacks to add and remove tags from resources.  | March 20, 2026 | 
|  [AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy) – Updated managed policy  |  Systems Manager updated the managed policy to add additional EC2 and SSM permissions for enhanced diagnosis capabilities. The policy now includes permissions to describe EC2 instance status and network ACLs, as well as SSM activations and service settings, providing more comprehensive diagnostic information for troubleshooting managed node issues.  | December 19, 2025 | 
|  [AWSQuickSetupDeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupDeploymentRolePolicy) – Updated managed policy  |  Systems Manager updated the managed policy `AWSQuickSetupDeploymentRolePolicy` to add support for two additional SSM documents: `AWSQuickSetupType-ConfigureDevOpsGuru` and `AWSQuickSetupType-DeployConformancePack`. These additions enable Quick Setup to deploy DevOps Guru configurations and conformance packs through the policy.  | December 15, 2025 | 
|  [AWSSystemsManagerJustInTimeAccessTokenPolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessTokenPolicy) – Update to an existing policy  |  Systems Manager updated the managed policy `AWSSystemsManagerJustInTimeAccessTokenPolicy`. The statement (`SID`) `TerminateAndResumeSession` has been renamed to `TerminateAndResumeSessionAndOpenDataChannel` and now includes the `ssmmessages:OpenDataChannel` action, combining session management and data channel permissions into a single statement.  | September 25, 2025 | 
| Updated managed policies: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/security-iam-awsmanpol.html) | Systems Manager updated three managed policies to add support for starting Automation executions on additional Systems Manager resources, including specific Automation runbooks and SSM Command documents. | September 12, 2025 | 
|  [AWSQuickSetupStartStopInstancesExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupStartStopInstancesExecutionPolicy) – Updated managed policy  |  Systems Manager updated the managed policy to refine permissions for Quick Setup scheduler configuration. The policy now provides more specific permissions for starting and stopping Amazon EC2 instances, accessing change calendars, and executing automation documents with enhanced security conditions.  | September 12, 2025 | 
|  [AWSQuickSetupStartSSMAssociationsExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupStartSSMAssociationsExecutionPolicy) – Updated managed policy  |  Systems Manager updated the managed policy to change the automation document from `AWSQuickSetupType-StartSSMAssociations` to `AWSQuickSetupType-Scheduler-ChangeCalendarState`. This update changes the policy's purpose from starting SSM associations to managing change calendar states for scheduled operations.  | September 12, 2025 | 
|  [AmazonSSMAutomationRole](#security-iam-awsmanpol-AmazonSSMAutomationRole) – Update to an existing policy  |  Systems Manager added new permissions to allow Automation runbooks to establish communication channels for session-based operations. Added the `ssmmessages:OpenDataChannel` permission for the resource `arn:*:ssm:*:*:session/*`.  | September 11, 2025 | 
|  [AWSSystemsManagerJustInTimeAccessServicePolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessServicePolicy) – Updated managed policy  |  Systems Manager updated the managed policy to add automation execution tagging permissions. The service needs to tag automation executions with the tag `SystemsManagerJustInTimeNodeAccessManaged=true` so that customers can scope down operator permissions to specific tags.  | August 25, 2025 | 
|  [AWSQuickSetupStartSSMAssociationsExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupStartSSMAssociationsExecutionPolicy) – New policy  |  Systems Manager added a new policy to allow Quick Setup to run the `AWSQuickSetupType-StartSSMAssociations` Automation runbook. This runbook is used to start State Manager associations that are created by Quick Setup configurations.  | August 12, 2025 | 
|  [AWSQuickSetupStartStopInstancesExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupStartStopInstancesExecutionPolicy) – New policy  |  Systems Manager added a new policy to allow Quick Setup to start and stop Amazon EC2 instances on a schedule. This policy provides the necessary permissions for the Quick Setup scheduler configuration type to manage instance state based on defined schedules.  | August 12, 2025 | 
|  [AWSQuickSetupDeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupDeploymentRolePolicy) – Update to documentation  |  Systems Manager has updated the `AWSQuickSetupDeploymentRolePolicy` managed policy to grant permissions for additional resources. In addition, the documentation for `AWSQuickSetupDeploymentRolePolicy` has been updated with more detailed descriptions of the permissions granted by this policy for Quick Setup configuration management operations.  | August 12, 2025 | 
|  [AWS-SSM-RemediationAutomation-ExecutionRolePolicy](#security-iam-awsmanpol-AWS-SSM-RemediationAutomation-ExecutionRolePolicy) – Update to an existing policy  |  Systems Manager updated the managed policy to improve the security posture of the `ssm:StartAutomationExecution` API by requiring permissions for both the `document` and `automation-execution` resource types. The updated policy provides more comprehensive and detailed permissions for remediation automation execution, including enhanced descriptions for networking remediation capabilities, more specific Amazon VPC endpoint creation permissions, detailed security group management permissions, and improved resource tagging controls for remediation operations.  | July 16, 2025 | 
|  [AWS-SSM-RemediationAutomation-AdministrationRolePolicy](#security-iam-awsmanpol-AWS-SSM-RemediationAutomation-AdministrationRolePolicy) – Update to an existing policy  |  Systems Manager updated the managed policy to support API authorization improvements for remediation automation operations. The updated policy enhances permissions for executing activities defined within Automation documents, with improved security controls and resource access patterns for remediation workflows.  | July 16, 2025 | 
|  [AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy) – Update to an existing policy  |  Systems Manager updated the managed policy to provide more detailed and accurate permissions for diagnosis automation execution. The updated policy includes enhanced descriptions for Amazon EC2 and Amazon VPC resource access, more specific SSM automation permissions, and improved AWS KMS and IAM permission descriptions with proper resource restrictions.  | July 16, 2025 | 
|  [AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy) – Update to an existing policy  |  Systems Manager updated the managed policy to provide more specific permissions and security conditions for diagnosis automation operations. The updated policy provides enhanced security controls for AWS KMS key usage, Amazon S3 bucket access, and role assumptions, with stricter resource-based conditions and account-level restrictions.  | July 16, 2025 | 
|  [AmazonSSMAutomationRole](#security-iam-awsmanpol-AmazonSSMAutomationRole) – Update to documentation  |  Systems Manager added comprehensive documentation for the existing `AmazonSSMAutomationRole` policy, which provides permissions for the Systems Manager Automation service to run activities defined within Automation runbooks.  | July 15, 2025 | 
|  [AWSQuickSetupDeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupDeploymentRolePolicy) – Update to a policy  |  Systems Manager added permissions to the managed policy `AWSQuickSetupDeploymentRolePolicy` for accessing the Amazon owned runbook [AWSQuickSetupType-ManageInstanceProfile](https://console.aws.amazon.com/systems-manager/documents/AWSQuickSetupType-ManageInstanceProfile/content). This permission makes it possible for Quick Setup to create associations using the managed policy instead of inline policies.  | July 14, 2025 | 
|  [AWSQuickSetupSSMDeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupSSMDeploymentRolePolicy) – Update to a policy  |  Systems Manager added permissions to allow Systems Manager to tag IAM roles and Lambda functions created for the unified console.  | May 7, 2025 | 
|  [AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy) – Update to a policy  |  Systems Manager added permissions to allow Systems Manager to tag a resource shared by AWS Resource Access Manager for just-in-time node access.  | April 30, 2025 | 
|  [AWSQuickSetupManageJITNAResourcesExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupManageJITNAResourcesExecutionPolicy) – Update to a policy  |  Systems Manager added permissions to allow Systems Manager to tag IAM roles created for just-in-time node access.  | April 30, 2025 | 
|  [AWSSystemsManagerJustInTimeAccessTokenSessionPolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessTokenSessionPolicy) – New policy  |  Systems Manager added a new policy to allow Systems Manager to apply scoped down permissions to a just-in-time node access token.  | April 30, 2025 | 
|  [AWSSystemsManagerNotificationsServicePolicy](#security-iam-awsmanpol-AWSSystemsManagerNotificationsServicePolicy) – New policy  |  Systems Manager added a new policy to allow Systems Manager to send email notifications for just-in-time node access requests to access request approvers.  | April 30, 2025 | 
|  [AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy) – New policy  |  Systems Manager added a new policy to allow Systems Manager to replicate approval policies to different Regions.  | April 30, 2025 | 
|  [AWSSystemsManagerJustInTimeAccessTokenPolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessTokenPolicy) – New policy  |  Systems Manager added a new policy to allow Systems Manager to generate access tokens used for just-in-time node access.  | April 30, 2025 | 
|  [AWSSystemsManagerJustInTimeAccessServicePolicy](#security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessServicePolicy) – New policy  |  Systems Manager added a new policy to provide permissions to AWS resources managed or used by the Systems Manager just-in-time node access feature.  | April 30, 2025 | 
|  [AWSQuickSetupManageJITNAResourcesExecutionPolicy](#security-iam-awsmanpol-AWSQuickSetupManageJITNAResourcesExecutionPolicy) – New policy  |  Systems Manager added a new policy to allow Quick Setup, a tool in Systems Manager, to create the IAM roles necessary for just-in-time node access.  | April 30, 2025 | 
|  [AWSQuickSetupJITNADeploymentRolePolicy](#security-iam-awsmanpol-AWSQuickSetupJITNADeploymentRolePolicy) – New policy  |  Systems Manager added a new policy that provides permissions that allow Quick Setup to deploy the configuration type required to set up just-in-time node access.  | April 30, 2025 | 
|  [`AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy`](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy) – New policy  |  Systems Manager added a new policy that provides permissions for an operational account to diagnose issues with nodes by providing organization-specific permissions.  | November 21, 2024 | 
|  [`AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy`](#security-iam-awsmanpol-AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy) – New policy  |  Systems Manager added a new policy that provides permissions for an operational account to diagnose issues with nodes by providing organization-specific permissions.  | November 21, 2024 | 
|  [`AWS-SSM-Automation-DiagnosisBucketPolicy`](#security-iam-awsmanpol-AWS-SSM-Automation-DiagnosisBucketPolicy) – New policy  |  Systems Manager added a new policy to support starting Automation workflows that diagnose issues with managed nodes in targeted accounts and Regions.  | November 21, 2024 | 
|  [`AmazonSSMServiceRolePolicy`](#security-iam-awsmanpol-AmazonSSMServiceRolePolicy) – Update to an existing policy  |  Systems Manager added new permissions to allow AWS Resource Explorer to gather details about Amazon EC2 instances and display the results in widgets in the new Systems Manager Dashboard.  | November 21, 2024 | 
| [`SSMQuickSetupRolePolicy`](#security-iam-awsmanpol-SSMQuickSetupRolePolicy) – Update to an existing policy | Systems Manager has updated the managed policy `SSMQuickSetupRolePolicy`. This update allows the associated service-linked role `AWSServiceRoleForSSMQuickSetup` to manage resource data syncs.  | November 21, 2024 | 
| [`AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy`](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy) – New policy | Systems Manager added a new policy to support starting Automation workflows that diagnose issues with managed nodes in targeted accounts and Regions. | November 21, 2024 | 
| [`AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy`](#security-iam-awsmanpol-AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy) – New policy | Systems Manager added a new policy to support starting Automation workflows that diagnose issues with managed nodes in a targeted account and Region. | November 21, 2024 | 
| [`AWS-SSM-RemediationAutomation-AdministrationRolePolicy`](#security-iam-awsmanpol-AWS-SSM-RemediationAutomation-AdministrationRolePolicy) – New policy | Systems Manager added a new policy to support starting Automation workflows that remediate issues in managed nodes in targeted accounts and Regions. | November 21, 2024 | 
| [`AWS-SSM-RemediationAutomation-ExecutionRolePolicy`](#security-iam-awsmanpol-AWS-SSM-RemediationAutomation-ExecutionRolePolicy) – New policy | Systems Manager added a new policy to support starting Automation workflows that remediate issues in managed nodes in a targeted account and Region. | November 21, 2024 | 
| [`AWSQuickSetupSSMManageResourcesExecutionPolicy`](#security-iam-awsmanpol-AWSQuickSetupSSMManageResourcesExecutionPolicy) – New policy | Systems Manager added a new policy to support running an operation in Quick Setup that creates IAM roles for Quick Setup associations, which in turn are created by an `AWSQuickSetupType-SSM` deployment. | November 21, 2024 | 
| [`AWSQuickSetupSSMLifecycleManagementExecutionPolicy`](#security-iam-awsmanpol-AWSQuickSetupSSMLifecycleManagementExecutionPolicy) – New policy | Systems Manager added a new policy to support Quick Setup running a CloudFormation custom resource on lifecycle events during a Quick Setup deployment. | November 21, 2024 | 
| [`AWSQuickSetupSSMDeploymentRolePolicy`](#security-iam-awsmanpol-AWSQuickSetupSSMDeploymentRolePolicy) – New policy | Systems Manager added a new policy to support granting administrative permissions that allow Quick Setup to create resources that are used during the Systems Manager onboarding process.  | November 21, 2024 | 
| [`AWSQuickSetupSSMDeploymentS3BucketRolePolicy`](#security-iam-awsmanpol-AWSQuickSetupSSMDeploymentS3BucketRolePolicy) – New policy | Systems Manager added a new policy to support managing and retrieving information about specific buckets in the principal account that are managed through CloudFormation templates. | November 21, 2024 | 
| [`AWSQuickSetupEnableDHMCExecutionPolicy`](#security-iam-awsmanpol-AWSQuickSetupEnableDHMCExecutionPolicy) – New policy | Systems Manager is introducing a new policy to allow Quick Setup to create an IAM role that itself uses the existing [`AmazonSSMManagedEC2InstanceDefaultPolicy`](#security-iam-awsmanpol-AmazonSSMManagedEC2InstanceDefaultPolicy). This policy contains all the permissions required for SSM Agent to communicate with the Systems Manager service. The new policy also allows modifications to the Systems Manager service settings. | November 21, 2024 | 
| [`AWSQuickSetupEnableAREXExecutionPolicy`](#security-iam-awsmanpol-AWSQuickSetupEnableAREXExecutionPolicy) – New policy | Systems Manager added a new policy to allow Quick Setup to create a service-linked role for AWS Resource Explorer, for accessing Resource Explorer views and aggregator indexes. | November 21, 2024 | 
| [`AWSQuickSetupManagedInstanceProfileExecutionPolicy`](#security-iam-awsmanpol-AWSQuickSetupManagedInstanceProfileExecutionPolicy) – New policy |  Systems Manager added a new policy to allow Quick Setup to create a default Quick Setup instance profile and to attach it to any Amazon EC2 instances that lack an associated instance profile. This new policy also allows Quick Setup to attach permissions to existing profiles to ensure that all required Systems Manager permissions have been granted.  | November 21, 2024 | 
|  [`SSMQuickSetupRolePolicy`](#security-iam-awsmanpol-SSMQuickSetupRolePolicy) – Update to an existing policy  |  Systems Manager added new permissions to allow Quick Setup to check the health of additional AWS CloudFormation stack sets that it has created.  | August 13, 2024 | 
| [`AmazonSSMManagedEC2InstanceDefaultPolicy`](#security-iam-awsmanpol-AmazonSSMManagedEC2InstanceDefaultPolicy) – Update to an existing policy | Systems Manager has added statement IDs (Sids) to the JSON policy for AmazonSSMManagedEC2InstanceDefaultPolicy. These Sids provide inline descriptions of the purpose of each policy statement.  | July 18, 2024 | 
| [`SSMQuickSetupRolePolicy`](#security-iam-awsmanpol-SSMQuickSetupRolePolicy) – New policy | Systems Manager added a new policy to allow Quick Setup to check the health of deployed resources and remediate instances that have drifted from the original configuration.  | July 3, 2024 | 
| [`AWSQuickSetupDeploymentRolePolicy`](#security-iam-awsmanpol-AWSQuickSetupDeploymentRolePolicy) – New policy | Systems Manager added a new policy to support multiple Quick Setup configuration types that create IAM roles and automations, which in turn configure frequently used Amazon Web Services services and features with recommended best practices. | July 3, 2024 | 
|  [`AWSQuickSetupPatchPolicyDeploymentRolePolicy`](#security-iam-awsmanpol-AWSQuickSetupPatchPolicyDeploymentRolePolicy)  – New policy  |  Systems Manager added a new policy to allow Quick Setup to create resources associated with Patch Manager patch policy Quick Setup configurations.   | July 3, 2024 | 
|  [AWSQuickSetupPatchPolicyBaselineAccess](#security-iam-awsmanpol-AWSQuickSetupPatchPolicyBaselineAccess) – New policy  |  Systems Manager added a new policy to allow Quick Setup to access patch baselines in Patch Manager with read-only permissions.   | July 3, 2024 | 
| [AWSSystemsManagerEnableExplorerExecutionPolicy](#security-iam-awsmanpol-AWSSystemsManagerEnableExplorerExecutionPolicy) – New policy | Systems Manager added a new policy to allow Quick Setup to grant administrative permissions for enabling Explorer. | July 3, 2024 | 
| [AWSSystemsManagerEnableConfigRecordingExecutionPolicy](#security-iam-awsmanpol-AWSSystemsManagerEnableConfigRecordingExecutionPolicy) – New policy | Systems Manager added a new policy to allow Quick Setup to enable and configure AWS Config configuration recording. | July 3, 2024 | 
|  [AWSQuickSetupDevOpsGuruPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupDevOpsGuruPermissionsBoundary) – New policy  |  Systems Manager added a new policy to allow Quick Setup to enable and configure Amazon DevOps Guru.  | July 3, 2024 | 
|  [AWSQuickSetupDistributorPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupDistributorPermissionsBoundary) – New policy  |  Systems Manager added a new policy to allow Quick Setup to enable and configure Distributor, a tool in AWS Systems Manager.   | July 3, 2024 | 
|  [AWSQuickSetupSSMHostMgmtPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupSSMHostMgmtPermissionsBoundary) – New policy  |  Systems Manager added a new policy to allow Quick Setup to enable and configure Systems Manager tools for securely managing Amazon EC2 instances.  | July 3, 2024 | 
|  [AWSQuickSetupPatchPolicyPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupPatchPolicyPermissionsBoundary) – New policy  |  Systems Manager added a new policy to allow Quick Setup to enable and configure patch policies in Patch Manager, a tool in AWS Systems Manager.   | July 3, 2024 | 
|  [AWSQuickSetupSchedulerPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupSchedulerPermissionsBoundary) – New policy  |  Systems Manager added a new policy to allow Quick Setup to enable and configure scheduled operations on Amazon EC2 instances and other resources.   | July 3, 2024 | 
|  [AWSQuickSetupCFGCPacksPermissionsBoundary](#security-iam-awsmanpol-AWSQuickSetupCFGCPacksPermissionsBoundary) – New policy  |  Systems Manager added a new policy to allow Quick Setup to deploy AWS Config conformance packs.   | July 3, 2024 | 
|  [`AWSSystemsManagerOpsDataSyncServiceRolePolicy`](#security-iam-awsmanpol-AWSSystemsManagerOpsDataSyncServiceRolePolicy) – Update to an existing policy  | OpsCenter updated the policy to improve the security of the service code within the service-linked role for Explorer to manage OpsData-related operations. | July 3, 2023 | 
|  [`AmazonSSMManagedEC2InstanceDefaultPolicy`](#security-iam-awsmanpol-AmazonSSMManagedEC2InstanceDefaultPolicy) – New policy  |  Systems Manager added a new policy to allow Systems Manager functionality on Amazon EC2 instances without the use of an IAM instance profile.  | August 18, 2022 | 
|  [AmazonSSMServiceRolePolicy](#security-iam-awsmanpol-AmazonSSMServiceRolePolicy) – Update to an existing policy  |  Systems Manager added new permissions to allow Explorer to create a managed rule when you turn on Security Hub CSPM from Explorer or OpsCenter. New permissions were added to check that AWS Config and Compute Optimizer meet the necessary requirements before allowing OpsData.  | April 27, 2021 | 
|  [`AWSSystemsManagerOpsDataSyncServiceRolePolicy`](#security-iam-awsmanpol-AWSSystemsManagerOpsDataSyncServiceRolePolicy) – New policy  |  Systems Manager added a new policy to create and update OpsItems and OpsData from Security Hub CSPM findings in Explorer and OpsCenter.  | April 27, 2021 | 
|  `AmazonSSMServiceRolePolicy` – Update to an existing policy  |  Systems Manager added new permissions to allow viewing aggregate OpsData and OpsItems details from multiple accounts and AWS Regions in Explorer.  | March 24, 2021 | 
|  Systems Manager started tracking changes  |  Systems Manager started tracking changes for its AWS managed policies.  | March 12, 2021 | 
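Rows such as the September 25, 2025 `AWSSystemsManagerJustInTimeAccessTokenPolicy` entry describe a statement rename plus an added action, and the practical question for anyone relying on a managed policy is which concrete (Effect, Action, Resource, Condition) grants an update added or removed. The following Python is an added example, not AWS code: it diffs two policy documents at the grant level so that a renamed `Sid` is reported as a rename rather than as dropped and re-added permissions; the `OLD_POLICY` and `NEW_POLICY` documents are constructed to mirror that table row and are not the actual policy text.

```python
"""Diff two IAM policy documents at the grant level.

Added example for this page, not AWS code. The sample documents are constructed
to mirror the change recorded for AWSSystemsManagerJustInTimeAccessTokenPolicy
(statement renamed, ssmmessages:OpenDataChannel added); they are not the real
policy text.
"""
import json
from typing import Dict, List, Tuple

# (Effect, Action, Resource, canonical Condition JSON). Keeping the Condition in
# the tuple means a loosened or tightened condition shows up as one removed and
# one added grant instead of being silently treated as "unchanged".
Grant = Tuple[str, str, str, str]


def _as_list(value) -> List:
    """IAM lets Statement, Action and Resource be a single value or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def policy_grants(policy: dict) -> Dict[str, List[Grant]]:
    """Return {Sid: [grants]} for a policy document.

    Statements without a Sid get a positional key. NotAction/NotResource are
    rejected: they cannot be expressed as a finite set of grants, so a diff over
    them would understate what the statement really allows.
    """
    grants_by_sid: Dict[str, List[Grant]] = {}
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if "NotAction" in stmt or "NotResource" in stmt:
            raise ValueError(f"statement {idx}: NotAction/NotResource is not supported")
        sid = stmt.get("Sid", f"<statement {idx}>")
        effect = stmt["Effect"]  # Effect is mandatory in the IAM grammar
        cond = json.dumps(stmt.get("Condition", {}), sort_keys=True, separators=(",", ":"))
        grants_by_sid[sid] = sorted(
            (effect, action, resource, cond)
            for action in _as_list(stmt.get("Action"))
            for resource in _as_list(stmt.get("Resource"))
        )
    return grants_by_sid


def diff_policies(old: dict, new: dict) -> dict:
    """Compare grants across the whole document rather than per Sid, so that a
    statement rename is reported separately from real permission changes."""
    old_by_sid, new_by_sid = policy_grants(old), policy_grants(new)
    old_all = {g for grants in old_by_sid.values() for g in grants}
    new_all = {g for grants in new_by_sid.values() for g in grants}
    return {
        "added": sorted(new_all - old_all),
        "removed": sorted(old_all - new_all),
        "sids_added": sorted(set(new_by_sid) - set(old_by_sid)),
        "sids_removed": sorted(set(old_by_sid) - set(new_by_sid)),
    }


# Constructed sample documents (not the real AWS policy text).
OLD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TerminateAndResumeSession", "Effect": "Allow",
         "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
         "Resource": "arn:*:ssm:*:*:session/*"},
        {"Sid": "DescribeSessions", "Effect": "Allow",
         "Action": "ssm:DescribeSessions", "Resource": "*"},
    ],
}
NEW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TerminateAndResumeSessionAndOpenDataChannel", "Effect": "Allow",
         "Action": ["ssm:TerminateSession", "ssm:ResumeSession", "ssmmessages:OpenDataChannel"],
         "Resource": "arn:*:ssm:*:*:session/*"},
        {"Sid": "DescribeSessions", "Effect": "Allow",
         "Action": "ssm:DescribeSessions", "Resource": "*"},
    ],
}


def report(old: dict, new: dict) -> str:
    """Human-readable summary of diff_policies() for a change-review ticket."""
    result = diff_policies(old, new)
    lines = [f"statements added:   {result['sids_added']}",
             f"statements removed: {result['sids_removed']}"]
    lines += [f"+ {effect} {action} on {resource} when {cond}"
              for effect, action, resource, cond in result["added"]]
    lines += [f"- {effect} {action} on {resource} when {cond}"
              for effect, action, resource, cond in result["removed"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(OLD_POLICY, NEW_POLICY))
```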

## Additional managed policies for Systems Manager
<a name="policies-list"></a>

In addition to the managed policies described earlier in this topic, the following policies are also supported by Systems Manager.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMAutomationApproverAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMAutomationApproverAccess.html) – AWS managed policy that allows access to view automation executions and send approval decisions to automation that is waiting for approval.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMDirectoryServiceAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMDirectoryServiceAccess.html) – AWS managed policy that allows SSM Agent to access Directory Service on behalf of the user for requests to join the domain by the managed node.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMFullAccess.html) – AWS managed policy that grants full access to the Systems Manager API and documents.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMMaintenanceWindowRole.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMMaintenanceWindowRole.html) – AWS managed policy that provides maintenance windows with permissions to the Systems Manager API.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) – AWS managed policy that allows a node to use Systems Manager service core functionality.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMPatchAssociation.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMPatchAssociation.html) – AWS managed policy that provides access to child instances for patch association operations.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMReadOnlyAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMReadOnlyAccess.html) – AWS managed policy that grants access to Systems Manager read-only API operations, such as `Get*` and `List*`.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSSMOpsInsightsServiceRolePolicy.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSSMOpsInsightsServiceRolePolicy.html) – AWS managed policy that provides permissions for creating and updating operational insight *OpsItems* in Systems Manager. Used to provide permissions through the service-linked role [`AWSServiceRoleForAmazonSSM_OpsInsights`](using-service-linked-roles-service-action-4.md).
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerAccountDiscoveryServicePolicy.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerAccountDiscoveryServicePolicy.html) – AWS managed policy that grants Systems Manager permission to discover AWS account information.
+ [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2RoleforSSM.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2RoleforSSM.html) – This policy is no longer supported and should not be used. In its place, use the `AmazonSSMManagedInstanceCore` policy to allow Systems Manager service core functionality on EC2 instances. For information, see [Configure instance permissions required for Systems Manager](setup-instance-permissions.md). 

# Troubleshooting AWS Systems Manager identity and access
<a name="security_iam_troubleshoot"></a>

Use the following information to help you diagnose and fix common issues that you might encounter when working with AWS Systems Manager and AWS Identity and Access Management (IAM).

**Topics**
+ [I am not authorized to perform an action in Systems Manager](#security_iam_troubleshoot-no-permissions)
+ [I am not authorized to perform iam:PassRole](#security_iam_troubleshoot-passrole)
+ [I want to allow people outside of my AWS account to access my Systems Manager resources](#security_iam_troubleshoot-cross-account-access)

## I am not authorized to perform an action in Systems Manager
<a name="security_iam_troubleshoot-no-permissions"></a>

If the AWS Management Console tells you that you're not authorized to perform an action, then you must contact your administrator for assistance. Your administrator is the person that provided you with your sign-in credentials.

The following example error occurs when the `mateojackson` user tries to use the console to view details about a document but doesn't have `ssm:GetDocument` permissions.

```
User: arn:aws:iam::123456789012:user/mateojackson isn't authorized to perform: ssm:GetDocument on resource: MyExampleDocument
```

In this case, Mateo asks his administrator to update his policies to allow him to access the `MyExampleDocument` resource using the `ssm:GetDocument` action.

## I am not authorized to perform iam:PassRole
<a name="security_iam_troubleshoot-passrole"></a>

If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to Systems Manager.

Some AWS services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.

The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in Systems Manager. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permissions to pass the role to the service.

```
User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```

In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.

## I want to allow people outside of my AWS account to access my Systems Manager resources
<a name="security_iam_troubleshoot-cross-account-access"></a>

You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.

To learn more, consult the following:
+ To learn whether Systems Manager supports these features, see [How AWS Systems Manager works with IAM](security_iam_service-with-iam.md).
+ To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
+ To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
+ To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
+ To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

# Using service-linked roles for Systems Manager
<a name="using-service-linked-roles"></a>

AWS Systems Manager uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to Systems Manager. Service-linked roles are predefined by Systems Manager and include all the permissions that the service requires to call other AWS services on your behalf.

**Note**  
A *service role* differs from a service-linked role. A service role is a type of AWS Identity and Access Management (IAM) role that grants permissions to an AWS service so that the service can access AWS resources. Only a few Systems Manager scenarios require a service role. When you create a service role for Systems Manager, you choose the permissions to grant so that it can access or interact with other AWS resources.

A service-linked role makes setting up Systems Manager easier because you don’t have to manually add the necessary permissions. Systems Manager defines the permissions of its service-linked roles, and unless defined otherwise, only Systems Manager can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy can't be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your Systems Manager resources because you can't inadvertently remove permission to access the resources.

**Note**  
For non-EC2 nodes in a [hybrid and multicloud](operating-systems-and-machine-types.md#supported-machine-types) environment, you need an additional IAM role that allows those machines to communicate with the Systems Manager service. This is the IAM service role for Systems Manager. This role grants AWS Security Token Service (AWS STS) *AssumeRole* trust to the Systems Manager service. The `AssumeRole` action returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token). You use these temporary credentials to access AWS resources that you might not normally have access to. For more information, see [Create the IAM service role required for Systems Manager in hybrid and multicloud environments](hybrid-multicloud-service-role.md) and [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) in the *[AWS Security Token Service API Reference](https://docs.aws.amazon.com/STS/latest/APIReference/)*. 

For information about other services that support service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked roles** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

**Topics**
+ [Using roles to collect inventory and view OpsData](using-service-linked-roles-service-action-1.md)
+ [Using roles to collect AWS account information for OpsCenter and Explorer](using-service-linked-roles-service-action-2.md)
+ [Using roles to create OpsData and OpsItems for Explorer](using-service-linked-roles-service-action-3.md)
+ [Using roles to create operational insight OpsItems in Systems Manager OpsCenter](using-service-linked-roles-service-action-4.md)
+ [Using roles to maintain Quick Setup-provisioned resource health and consistency](using-service-linked-roles-service-action-5.md)
+ [Using roles to export Explorer OpsData](using-service-linked-roles-service-action-6.md)
+ [Using roles to enable just-in-time node access](using-service-linked-roles-service-action-8.md)
+ [Using roles to send just-in-time node access request notifications](using-service-linked-roles-service-action-9.md)

# Using roles to collect inventory and view OpsData
<a name="using-service-linked-roles-service-action-1"></a>

Systems Manager uses the service-linked role named **`AWSServiceRoleForAmazonSSM`**. AWS Systems Manager uses this IAM service role to manage AWS resources on your behalf.

## Service-linked role permissions for inventory, OpsData, and OpsItems
<a name="service-linked-role-permissions-service-action-1"></a>

The `AWSServiceRoleForAmazonSSM` service-linked role trusts only `ssm.amazonaws.com` to assume this role. 

You can use the Systems Manager service-linked role `AWSServiceRoleForAmazonSSM` for the following:
+ The Systems Manager Inventory tool uses the service-linked role `AWSServiceRoleForAmazonSSM` to collect inventory metadata from tags and resource groups.
+ The Explorer tool uses the service-linked role `AWSServiceRoleForAmazonSSM` to enable viewing OpsData and OpsItems from multiple accounts. This service-linked role also allows Explorer to create a managed rule when you enable Security Hub CSPM as a data source from Explorer or OpsCenter.

**Important**  
Previously, the Systems Manager console provided you with the ability to choose the AWS managed IAM service-linked role `AWSServiceRoleForAmazonSSM` to use as the maintenance role for your tasks. Using this role and its associated policy, `AmazonSSMServiceRolePolicy`, for maintenance window tasks is no longer recommended. If you're using this role for maintenance window tasks now, we encourage you to stop using it. Instead, create your own IAM role that enables communication between Systems Manager and other AWS services when your maintenance window tasks run.  
For more information, see [Setting up Maintenance Windows](setting-up-maintenance-windows.md).

The managed policy that is used to provide permissions for the `AWSServiceRoleForAmazonSSM` role is `AmazonSSMServiceRolePolicy`. For details about the permissions it grants, see [AWS managed policy: AmazonSSMServiceRolePolicy](security-iam-awsmanpol.md#security-iam-awsmanpol-AmazonSSMServiceRolePolicy).

## Creating the `AWSServiceRoleForAmazonSSM` service-linked role for Systems Manager
<a name="create-service-linked-role-service-action-1"></a>

You can use the IAM console to create a service-linked role with the **EC2** use case. In the AWS Command Line Interface (AWS CLI) or the IAM API, create a service-linked role with the `ssm.amazonaws.com` service name. For more information, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*.

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. 

## Editing the `AWSServiceRoleForAmazonSSM` service-linked role for Systems Manager
<a name="edit-service-linked-role-service-action-1"></a>

Systems Manager doesn't allow you to edit the `AWSServiceRoleForAmazonSSM` service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting the `AWSServiceRoleForAmazonSSM` service-linked role for Systems Manager
<a name="delete-service-linked-role-service-action-1"></a>

If you no longer need to use any feature or service that requires a service-linked role, then we recommend that you delete that role. That way you don’t have an unused entity that isn't actively monitored or maintained. You can use the IAM console, the AWS CLI, or the IAM API to manually delete the service-linked role. To do this, you must first manually clean up the resources for your service-linked role, and then you can manually delete it.

Because the `AWSServiceRoleForAmazonSSM` service-linked role can be used by multiple tools, ensure that none are using the role before attempting to delete it.
+ **Inventory:** If you delete the service-linked role used by the Inventory tool, then the Inventory data for tags and resource groups will no longer be synchronized. You must clean up the resources for your service-linked role before you can manually delete it.
+ **Explorer:** If you delete the service-linked role used by the Explorer tool, then the cross-account and cross-Region OpsData and OpsItems are no longer viewable. 

**Note**  
If the Systems Manager service is using the role when you try to delete tags or resource groups, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete Systems Manager resources used by the `AWSServiceRoleForAmazonSSM` role**

1. To delete tags, see [Add and delete tags on an individual resource](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags).

1. To delete resource groups, see [Delete groups from AWS Resource Groups](https://docs.aws.amazon.com/ARG/latest/userguide/deleting-resource-groups.html).

**To manually delete the `AWSServiceRoleForAmazonSSM` service-linked role using IAM**

Use the IAM console, the AWS CLI, or the IAM API to delete the `AWSServiceRoleForAmazonSSM` service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for the Systems Manager `AWSServiceRoleForAmazonSSM` service-linked role
<a name="slr-regions-service-action-1"></a>

Systems Manager supports using the `AWSServiceRoleForAmazonSSM` service-linked role in all of the AWS Regions where the service is available. For more information, see [AWS Systems Manager endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/ssm.html).

# Using roles to collect AWS account information for OpsCenter and Explorer
<a name="using-service-linked-roles-service-action-2"></a>

Systems Manager uses the service-linked role named **`AWSServiceRoleForAmazonSSM_AccountDiscovery`**. AWS Systems Manager uses this IAM service role to call other AWS services to discover AWS account information.

## Service-linked role permissions for Systems Manager account discovery
<a name="service-linked-role-permissions-service-action-2"></a>

The `AWSServiceRoleForAmazonSSM_AccountDiscovery` service-linked role trusts the following services to assume the role:
+ `accountdiscovery.ssm.amazonaws.com`

The role permissions policy allows Systems Manager to complete the following actions on the specified resources:
+ `organizations:DescribeAccount`
+ `organizations:DescribeOrganizationalUnit`
+ `organizations:DescribeOrganization`
+ `organizations:ListAccounts`
+ `organizations:ListAWSServiceAccessForOrganization`
+ `organizations:ListChildren`
+ `organizations:ListParents`
+ `organizations:ListDelegatedServicesForAccount` 
+ `organizations:ListDelegatedAdministrators`
+ `organizations:ListRoots`

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating the `AWSServiceRoleForAmazonSSM_AccountDiscovery` service-linked role for Systems Manager
<a name="create-service-linked-role-service-action-2"></a>

You must create a service-linked role if you want to use Explorer and OpsCenter, tools in Systems Manager, across multiple AWS accounts. For OpsCenter, you must manually create the service-linked role. For more information, see [(Optional) Manually set up OpsCenter to centrally manage OpsItems across accounts](OpsCenter-getting-started-multiple-accounts.md).

For Explorer, if you create a resource data sync by using Systems Manager in the AWS Management Console, you can create the service-linked role by choosing the **Create role** button. If you want to create a resource data sync programmatically, then you must create the role before you create the resource data sync. You can create the role by using the [CreateServiceLinkedRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceLinkedRole.html) API operation.

## Editing the `AWSServiceRoleForAmazonSSM_AccountDiscovery` service-linked role for Systems Manager
<a name="edit-service-linked-role-service-action-2"></a>

Systems Manager doesn't allow you to edit the `AWSServiceRoleForAmazonSSM_AccountDiscovery` service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting the `AWSServiceRoleForAmazonSSM_AccountDiscovery` service-linked role for Systems Manager
<a name="delete-service-linked-role-service-action-2"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that isn't actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it.

### Cleaning up the `AWSServiceRoleForAmazonSSM_AccountDiscovery` service-linked role
<a name="service-linked-role-review-before-delete-service-action-2"></a>

Before you can use IAM to delete the `AWSServiceRoleForAmazonSSM_AccountDiscovery` service-linked role, you must first delete all Explorer resource data syncs. 

**Note**  
If the Systems Manager service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

### Manually delete the `AWSServiceRoleForAmazonSSM_AccountDiscovery` service-linked role
<a name="slr-manual-delete-service-action-2"></a>

Use the IAM console, the AWS CLI, or the AWS API to delete the `AWSServiceRoleForAmazonSSM_AccountDiscovery` service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for the Systems Manager `AWSServiceRoleForAmazonSSM_AccountDiscovery` service-linked role
<a name="slr-regions-service-action-2"></a>

Systems Manager supports using service-linked roles in all of the Regions where the service is available. For more information, see [AWS Systems Manager endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/ssm.html).

## Updates to the `AWSServiceRoleForAmazonSSM_AccountDiscovery` service-linked role
<a name="service-action-2-updates"></a>

View details about updates to the `AWSServiceRoleForAmazonSSM_AccountDiscovery` service-linked role since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Systems Manager [Document history](systems-manager-release-history.md) page.


| Change | Description | Date | 
| --- | --- | --- | 
|  New permissions added  |  This service-linked role now includes `organizations:DescribeOrganizationalUnit` and `organizations:ListRoots` permissions. These permissions enable an AWS Organizations management account or a Systems Manager delegated administrator account to work with OpsItems across accounts. For more information, see [(Optional) Manually set up OpsCenter to centrally manage OpsItems across accounts](OpsCenter-getting-started-multiple-accounts.md).  | October 17, 2022 | 

# Using roles to create OpsData and OpsItems for Explorer
<a name="using-service-linked-roles-service-action-3"></a>

Systems Manager uses the service-linked role named **`AWSServiceRoleForSystemsManagerOpsDataSync`**. AWS Systems Manager uses this IAM service role for Explorer to create OpsData and OpsItems.

## Service-linked role permissions for Systems Manager OpsData sync
<a name="slr-permissions-service-action-3"></a>

The `AWSServiceRoleForSystemsManagerOpsDataSync` service-linked role trusts the following services to assume the role:
+ `opsdatasync.ssm.amazonaws.com`

The role permissions policy allows Systems Manager to complete the following actions on the specified resources:
+ Systems Manager Explorer requires that a service-linked role grant permission to update a security finding when an OpsItem is updated, create and update an OpsItem, and turn off the Security Hub CSPM data source when an SSM managed rule is deleted by customers.

The managed policy that is used to provide permissions for the `AWSServiceRoleForSystemsManagerOpsDataSync` role is `AWSSystemsManagerOpsDataSyncServiceRolePolicy`. For details about the permissions it grants, see [AWS managed policy: AWSSystemsManagerOpsDataSyncServiceRolePolicy](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSSystemsManagerOpsDataSyncServiceRolePolicy). 

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating the `AWSServiceRoleForSystemsManagerOpsDataSync` service-linked role for Systems Manager
<a name="create-slr-service-action-3"></a>

You don't need to manually create a service-linked role. When you enable Explorer in the AWS Management Console, Systems Manager creates the service-linked role for you. 

**Important**  
This service-linked role can be displayed in your account if you completed an action in another service that uses the features supported by this role. Also, if you were using the Systems Manager service before January 1, 2017, when it began supporting service-linked roles, then Systems Manager created the `AWSServiceRoleForSystemsManagerOpsDataSync` role in your account. To learn more, see [A new role appeared in my IAM account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you enable Explorer in the AWS Management Console, Systems Manager creates the service-linked role for you again. 

You can also use the IAM console to create a service-linked role with the **AWS service role that allows Explorer to create OpsData and OpsItems** use case. In the AWS CLI or the AWS API, create a service-linked role with the `opsdatasync.ssm.amazonaws.com` service name. For more information, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again.

## Editing the `AWSServiceRoleForSystemsManagerOpsDataSync` service-linked role for Systems Manager
<a name="edit-slr-service-action-3"></a>

Systems Manager doesn't allow you to edit the `AWSServiceRoleForSystemsManagerOpsDataSync` service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting the `AWSServiceRoleForSystemsManagerOpsDataSync` service-linked role for Systems Manager
<a name="delete-slr-service-action-3"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that isn't actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

**Note**  
If the Systems Manager service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

The procedure for deleting Systems Manager resources used by the `AWSServiceRoleForSystemsManagerOpsDataSync` role depends on whether you've configured Explorer or OpsCenter to integrate with Security Hub CSPM.

**To delete Systems Manager resources used by the `AWSServiceRoleForSystemsManagerOpsDataSync` role**
+ To stop Explorer from creating new OpsItems for Security Hub CSPM findings, see [How to stop receiving findings](explorer-securityhub-integration.md#explorer-securityhub-integration-disable-receive).
+ To stop OpsCenter from creating new OpsItems for Security Hub CSPM findings, see 

**To manually delete the `AWSServiceRoleForSystemsManagerOpsDataSync` service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the `AWSServiceRoleForSystemsManagerOpsDataSync` service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for the Systems Manager `AWSServiceRoleForSystemsManagerOpsDataSync` service-linked role
<a name="slr-regions-service-action-3"></a>

Systems Manager supports using service-linked roles in all of the Regions where the service is available. For more information, see [AWS Systems Manager endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/ssm.html).

Systems Manager doesn't support using service-linked roles in every Region where the service is available. You can use the `AWSServiceRoleForSystemsManagerOpsDataSync` role in the following Regions.



| AWS Region name | Region identity | Support in Systems Manager | 
| --- | --- | --- | 
| US East (N. Virginia) | us-east-1 | Yes | 
| US East (Ohio) | us-east-2 | Yes | 
| US West (N. California) | us-west-1 | Yes | 
| US West (Oregon) | us-west-2 | Yes | 
| Asia Pacific (Mumbai) | ap-south-1 | Yes | 
| Asia Pacific (Osaka) | ap-northeast-3 | Yes | 
| Asia Pacific (Seoul) | ap-northeast-2 | Yes | 
| Asia Pacific (Singapore) | ap-southeast-1 | Yes | 
| Asia Pacific (Sydney) | ap-southeast-2 | Yes | 
| Asia Pacific (Tokyo) | ap-northeast-1 | Yes | 
| Canada (Central) | ca-central-1 | Yes | 
| Europe (Frankfurt) | eu-central-1 | Yes | 
| Europe (Ireland) | eu-west-1 | Yes | 
| Europe (London) | eu-west-2 | Yes | 
| Europe (Paris) | eu-west-3 | Yes | 
| Europe (Stockholm) | eu-north-1 | Yes | 
| South America (São Paulo) | sa-east-1 | Yes | 
| AWS GovCloud (US) | us-gov-west-1 | No | 

# Using roles to create operational insight OpsItems in Systems Manager OpsCenter
<a name="using-service-linked-roles-service-action-4"></a>

Systems Manager uses the service-linked role named **`AWSServiceRoleForAmazonSSM_OpsInsights`**. AWS Systems Manager uses this IAM service role to create and update operational insight OpsItems in Systems Manager OpsCenter.

## `AWSServiceRoleForAmazonSSM_OpsInsights` service-linked role permissions for Systems Manager operational insight OpsItems
<a name="service-linked-role-permissions-service-action-4"></a>

The `AWSServiceRoleForAmazonSSM_OpsInsights` service-linked role trusts the following services to assume the role:
+ `opsinsights.ssm.amazonaws.com`

The role permissions policy allows Systems Manager to complete the following actions on the specified resources:

------
#### [ JSON ]


```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowCreateOpsItem",
			"Effect": "Allow",
			"Action": [
				"ssm:CreateOpsItem",
				"ssm:AddTagsToResource"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowAccessOpsItem",
			"Effect": "Allow",
			"Action": [
				"ssm:UpdateOpsItem",
				"ssm:GetOpsItem"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/SsmOperationalInsight": "true"
				}
			}
		}
	]
}
```

------
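The policy above is a compact illustration of tag-scoped least privilege: the role may create any OpsItem, but may read or update only OpsItems tagged `SsmOperationalInsight=true`. The following Python is an added example, not AWS code, that evaluates that policy with a minimal model of IAM's Allow/Action/Resource/StringEquals logic; the same evaluator also checks a constructed identity policy of the kind the troubleshooting topic "I am not authorized to perform iam:PassRole" calls for, one that lets a user pass a single role and only to Systems Manager. The account ID, role name and OpsItem ARN are placeholders; `iam:PassedToService` is a real IAM condition key.

```python
"""Tiny IAM policy evaluator, added here as an illustration; it is not AWS code.

It models only what the policies on this page use: Allow statements, Action
and Resource matching with IAM's "*" wildcard, and a StringEquals condition
on request-context keys. Real IAM evaluation has many more rules (explicit
Deny, resource-based and session policies, policy variables, and so on).
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM matches action names case-insensitively.
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs are case-sensitive; a bare "*" matches every resource.
    return fnmatchcase(resource, pattern)


def _condition_holds(condition, context):
    # Only StringEquals is modelled. Every key in the condition must be present
    # in the request context with exactly the expected value; a missing key
    # (for example, an untagged resource) makes the condition fail.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement covers the request, else False (implicit deny)."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


# The AWSServiceRoleForAmazonSSM_OpsInsights permissions policy, as shown on this page.
OPS_INSIGHTS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCreateOpsItem", "Effect": "Allow",
         "Action": ["ssm:CreateOpsItem", "ssm:AddTagsToResource"], "Resource": "*"},
        {"Sid": "AllowAccessOpsItem", "Effect": "Allow",
         "Action": ["ssm:UpdateOpsItem", "ssm:GetOpsItem"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/SsmOperationalInsight": "true"}}},
    ],
}

# Constructed identity policy for the iam:PassRole troubleshooting scenario: the user
# may pass one specific role, and only to Systems Manager. Account ID and role name
# are placeholders; iam:PassedToService is a real IAM condition key.
PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PassExampleRoleToSystemsManagerOnly",
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "arn:aws:iam::123456789012:role/ExampleSsmServiceRole",
        "Condition": {"StringEquals": {"iam:PassedToService": "ssm.amazonaws.com"}},
    }],
}

OPSITEM_ARN = "arn:aws:ssm:us-east-1:123456789012:opsitem/oi-0123456789ab"  # constructed
ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleSsmServiceRole"          # constructed


def ops_insights_decisions():
    """Create is unconditional; Update/Get work only on OpsItems tagged SsmOperationalInsight=true."""
    tagged = {"aws:ResourceTag/SsmOperationalInsight": "true"}
    return {
        "create_any": is_allowed(OPS_INSIGHTS_POLICY, "ssm:CreateOpsItem", OPSITEM_ARN),
        "update_tagged": is_allowed(OPS_INSIGHTS_POLICY, "ssm:UpdateOpsItem", OPSITEM_ARN, tagged),
        "update_untagged": is_allowed(OPS_INSIGHTS_POLICY, "ssm:UpdateOpsItem", OPSITEM_ARN),
        "get_document": is_allowed(OPS_INSIGHTS_POLICY, "ssm:GetDocument", "MyExampleDocument"),
    }


def passrole_decisions():
    """Passing the role to Systems Manager is allowed; passing it elsewhere, or passing another role, is not."""
    to_ssm = {"iam:PassedToService": "ssm.amazonaws.com"}
    return {
        "to_ssm": is_allowed(PASSROLE_POLICY, "iam:PassRole", ROLE_ARN, to_ssm),
        "to_ec2": is_allowed(PASSROLE_POLICY, "iam:PassRole", ROLE_ARN, {"iam:PassedToService": "ec2.amazonaws.com"}),
        "other_role": is_allowed(PASSROLE_POLICY, "iam:PassRole", "arn:aws:iam::123456789012:role/OtherRole", to_ssm),
    }
```

`ops_insights_decisions()` returns `create_any` and `update_tagged` as allowed and the other two as denied; `passrole_decisions()` allows only `to_ssm`.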

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating the `AWSServiceRoleForAmazonSSM_OpsInsights` service-linked role for Systems Manager
<a name="create-service-linked-role-service-action-4"></a>

You must create a service-linked role. If you enable operational insights by using Systems Manager in the AWS Management Console, you can create the service-linked role by choosing the **Enable** button.

## Editing the `AWSServiceRoleForAmazonSSM_OpsInsights` service-linked role for Systems Manager
<a name="edit-service-linked-role-service-action-4"></a>

Systems Manager does not allow you to edit the `AWSServiceRoleForAmazonSSM_OpsInsights` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting the `AWSServiceRoleForAmazonSSM_OpsInsights` service-linked role for Systems Manager
<a name="delete-service-linked-role-service-action-4"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it.

### Cleaning up the `AWSServiceRoleForAmazonSSM_OpsInsights` service-linked role
<a name="service-linked-role-review-before-delete-service-action-4"></a>

Before you can use IAM to delete the `AWSServiceRoleForAmazonSSM_OpsInsights` service-linked role, you must first deactivate operational insights in Systems Manager OpsCenter. For more information, see [Analyzing operational insights to reduce OpsItems](OpsCenter-working-operational-insights.md).

### Manually delete the `AWSServiceRoleForAmazonSSM_OpsInsights` service-linked role
<a name="slr-manual-delete-service-action-4"></a>

Use the IAM console, the AWS CLI, or the AWS API to delete the `AWSServiceRoleForAmazonSSM_OpsInsights` service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for the Systems Manager `AWSServiceRoleForAmazonSSM_OpsInsights` service-linked role
<a name="slr-regions-service-action-4"></a>

Systems Manager does not support using service-linked roles in every Region where the service is available. You can use the `AWSServiceRoleForAmazonSSM_OpsInsights` role in the following Regions.


| Region name | Region identity | Support in Systems Manager | 
| --- | --- | --- | 
| US East (N. Virginia) | us-east-1 | Yes | 
| US East (Ohio) | us-east-2 | Yes | 
| US West (N. California) | us-west-1 | Yes | 
| US West (Oregon) | us-west-2 | Yes | 
| Asia Pacific (Mumbai) | ap-south-1 | Yes | 
| Asia Pacific (Tokyo) | ap-northeast-1 | Yes | 
| Asia Pacific (Seoul) | ap-northeast-2 | Yes | 
| Asia Pacific (Singapore) | ap-southeast-1 | Yes | 
| Asia Pacific (Sydney) | ap-southeast-2 | Yes | 
| Asia Pacific (Hong Kong) | ap-east-1 | Yes | 
| Canada (Central) | ca-central-1 | Yes | 
| Europe (Frankfurt) | eu-central-1 | Yes | 
| Europe (Ireland) | eu-west-1 | Yes | 
| Europe (London) | eu-west-2 | Yes | 
| Europe (Paris) | eu-west-3 | Yes | 
| Europe (Stockholm) | eu-north-1 | Yes | 
| Europe (Milan) | eu-south-1 | Yes | 
| South America (São Paulo) | sa-east-1 | Yes | 
| Middle East (Bahrain) | me-south-1 | Yes | 
| Africa (Cape Town) | af-south-1 | Yes | 
| AWS GovCloud (US) | us-gov-west-1 | Yes | 
| AWS GovCloud (US) | us-gov-east-1 | Yes | 

# Using roles to maintain Quick Setup-provisioned resource health and consistency
<a name="using-service-linked-roles-service-action-5"></a>

Systems Manager uses the service-linked role named **`AWSServiceRoleForSSMQuickSetup`**. 

## `AWSServiceRoleForSSMQuickSetup` service-linked role permissions for Systems Manager
<a name="service-linked-role-permissions-service-action-5"></a>

The `AWSServiceRoleForSSMQuickSetup` service-linked role trusts the following services to assume the role:
+ `ssm-quicksetup.amazonaws.com`

AWS Systems Manager uses this IAM service role to check configuration health, ensure consistent use of parameters and provisioned resources, and remediate resources when drift is detected.

The role permissions policy allows Systems Manager to complete the following actions on the specified resources:
+ `ssm` (Systems Manager) – Reads information about the state that configured resources are intended to be in, including in delegated administrator accounts. 
+ `iam` (AWS Identity and Access Management) – This is required for resource data syncs to be accessible across entire organizations in AWS Organizations.
+ `organizations` (AWS Organizations) – Reads information about the member accounts that belong to an organization as configured in Organizations. 
+ `cloudformation` (CloudFormation) – Reads information about CloudFormation stacks used to manage the state of resources and CloudFormation stackset operations.

The managed policy that is used to provide permissions for the `AWSServiceRoleForSSMQuickSetup` role is `SSMQuickSetupRolePolicy`. For details about the permissions it grants, see [AWS managed policy: SSMQuickSetupRolePolicy](security-iam-awsmanpol.md#security-iam-awsmanpol-SSMQuickSetupRolePolicy).

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating the `AWSServiceRoleForSSMQuickSetup` service-linked role for Systems Manager
<a name="create-service-linked-role-service-action-5"></a>

You don't need to manually create the AWSServiceRoleForSSMQuickSetup service-linked role. When you create a Quick Setup configuration in the AWS Management Console, Systems Manager creates the service-linked role for you. 

## Editing the `AWSServiceRoleForSSMQuickSetup` service-linked role for Systems Manager
<a name="edit-service-linked-role-service-action-5"></a>

Systems Manager does not allow you to edit the `AWSServiceRoleForSSMQuickSetup` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting the `AWSServiceRoleForSSMQuickSetup` service-linked role for Systems Manager
<a name="delete-service-linked-role-service-action-5"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it.

### Cleaning up the `AWSServiceRoleForSSMQuickSetup` service-linked role
<a name="service-linked-role-review-before-delete-service-action-5"></a>

Before you can use IAM to delete the `AWSServiceRoleForSSMQuickSetup` service-linked role, you must first delete the Quick Setup configurations that are using the role. For more information, see [Editing and deleting your configuration](quick-setup-using.md#quick-setup-edit-delete).

### Manually delete the `AWSServiceRoleForSSMQuickSetup` service-linked role
<a name="slr-manual-delete-service-action-5"></a>

Use the IAM console, the AWS CLI, or the AWS API to delete the `AWSServiceRoleForSSMQuickSetup` service-linked role. For more information, see the following topics:
+ [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*
+ [https://docs.aws.amazon.com/cli/latest/reference/ssm-quicksetup/delete-configuration-manager.html](https://docs.aws.amazon.com/cli/latest/reference/ssm-quicksetup/delete-configuration-manager.html) in the Quick Setup section of the *AWS CLI Reference*
+ [https://docs.aws.amazon.com/quick-setup/latest/APIReference/API_DeleteConfigurationManager.html](https://docs.aws.amazon.com/quick-setup/latest/APIReference/API_DeleteConfigurationManager.html) in the *Quick Setup API Reference*

## Supported Regions for the Systems Manager `AWSServiceRoleForSSMQuickSetup` service-linked role
<a name="slr-regions-service-action-5"></a>

Systems Manager does not support using service-linked roles in every Region where the service is available. You can use the AWSServiceRoleForSSMQuickSetup role in the following Regions.
+ US East (Ohio)
+ US East (N. Virginia)
+ US West (N. California)
+ US West (Oregon)
+ Asia Pacific (Mumbai)
+ Asia Pacific (Seoul)
+ Asia Pacific (Singapore)
+ Asia Pacific (Sydney)
+ Asia Pacific (Tokyo)
+ Canada (Central)
+ Europe (Frankfurt)
+ Europe (Stockholm)
+ Europe (Ireland)
+ Europe (London)
+ Europe (Paris)
+ South America (São Paulo)

# Using roles to export Explorer OpsData
<a name="using-service-linked-roles-service-action-6"></a>

AWS Systems Manager Explorer uses the **AmazonSSMExplorerExportRole** service role to export operations data (OpsData) using the `AWS-ExportOpsDataToS3` automation runbook.

## Service-linked role permissions for Explorer
<a name="service-linked-role-permissions-service-action-6"></a>

The `AmazonSSMExplorerExportRole` service-linked role trusts only `ssm.amazonaws.com` to assume this role. 

You can use the `AmazonSSMExplorerExportRole` service-linked role to export operations data (OpsData) using the `AWS-ExportOpsDataToS3` automation runbook. You can export 5,000 OpsData items from Explorer as a comma separated value (.csv) file to an Amazon Simple Storage Service (Amazon S3) bucket.

The role permissions policy allows Systems Manager to complete the following actions on the specified resources:
+ `s3:PutObject`
+ `s3:GetBucketAcl`
+ `s3:GetBucketLocation`
+ `sns:Publish`
+ `logs:DescribeLogGroups`
+ `logs:DescribeLogStreams`
+ `logs:CreateLogGroup`
+ `logs:PutLogEvents` 
+ `logs:CreateLogStream`
+ `ssm:GetOpsSummary`

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating the `AmazonSSMExplorerExportRole` service-linked role for Systems Manager
<a name="create-service-linked-role-service-action-6"></a>

Systems Manager creates the `AmazonSSMExplorerExportRole` service-linked role when you export OpsData using Explorer in the Systems Manager console. For more information, see [Exporting OpsData from Systems Manager Explorer](Explorer-exporting-OpsData.md).

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. 

## Editing the `AmazonSSMExplorerExportRole` service-linked role for Systems Manager
<a name="edit-service-linked-role-service-action-6"></a>

Systems Manager doesn't allow you to edit the `AmazonSSMExplorerExportRole` service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting the `AmazonSSMExplorerExportRole` service-linked role for Systems Manager
<a name="delete-service-linked-role-service-action-6"></a>

If you no longer need to use any feature or service that requires a service-linked role, then we recommend that you delete that role. That way you don’t have an unused entity that isn't actively monitored or maintained. You can use the IAM console, the AWS CLI, or the IAM API to manually delete the service-linked role. To do this, you must first manually clean up the resources for your service-linked role, and then you can manually delete it.

**Note**  
If the Systems Manager service is using the role when you try to delete tags or resource groups, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete Systems Manager resources used by the `AmazonSSMExplorerExportRole`**

1. To delete tags, see [Add and delete tags on an individual resource](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags).

1. To delete resource groups, see [Delete groups from AWS Resource Groups](https://docs.aws.amazon.com/ARG/latest/userguide/deleting-resource-groups.html).

**To manually delete the `AmazonSSMExplorerExportRole` service-linked role using IAM**

Use the IAM console, the AWS CLI, or the IAM API to delete the `AmazonSSMExplorerExportRole` service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for the Systems Manager `AmazonSSMExplorerExportRole` service-linked role
<a name="slr-regions-service-action-6"></a>

Systems Manager supports using the `AmazonSSMExplorerExportRole` service-linked role in all of the AWS Regions where the service is available. For more information, see [AWS Systems Manager endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/ssm.html).

# Using roles to enable just-in-time node access
<a name="using-service-linked-roles-service-action-8"></a>

Systems Manager uses the service-linked role named **`AWSServiceRoleForSystemsManagerJustInTimeAccess`**. AWS Systems Manager uses this IAM service role to enable just-in-time node access.

## Service-linked role permissions for Systems Manager just-in-time node access
<a name="slr-permissions-service-action-8"></a>

The `AWSServiceRoleForSystemsManagerJustInTimeAccess` service-linked role trusts the following services to assume the role:
+ `ssm.amazonaws.com`

The role permissions policy allows Systems Manager to complete the following actions on the specified resources:
+ `ssm:CreateOpsItem`
+ `ssm:GetOpsItem`
+ `ssm:UpdateOpsItem`
+ `ssm:DescribeOpsItems`
+ `ssm:DescribeSessions`
+ `ssm:ListTagsForResource`
+ `ssm-guiconnect:ListConnections`
+ `identitystore:ListGroupMembershipsForMember` 
+ `identitystore:DescribeUser`
+ `identitystore:GetGroupId`
+ `identitystore:GetUserId`
+ `sso-directory:DescribeUsers`
+ `sso-directory:IsMemberInGroup`
+ `sso:ListInstances`
+ `sso:DescribeRegisteredRegions`
+ `sso:ListDirectoryAssociations`
+ `ec2:DescribeTags`

The managed policy that is used to provide permissions for the `AWSServiceRoleForSystemsManagerJustInTimeAccess` role is `AWSSystemsManagerEnableJustInTimeAccessPolicy`. For details about the permissions it grants, see [AWS managed policy: AWSSystemsManagerJustInTimeAccessServicePolicy](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSSystemsManagerJustInTimeAccessServicePolicy). 

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating the `AWSServiceRoleForSystemsManagerJustInTimeAccess` service-linked role for Systems Manager
<a name="create-slr-service-action-8"></a>

You don't need to manually create a service-linked role. When you enable just-in-time node access in the AWS Management Console, Systems Manager creates the service-linked role for you. 

**Important**  
This service-linked role can be displayed in your account if you completed an action in another service that uses the features supported by this role. Also, if you were using the Systems Manager service before November 19, 2024, when it began supporting service-linked roles, then Systems Manager created the `AWSServiceRoleForSystemsManagerJustInTimeAccess` role in your account. To learn more, see [A new role appeared in my IAM account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you enable just-in-time node access in the AWS Management Console, Systems Manager creates the service-linked role for you again. 

You can also use the IAM console to create a service-linked role with the **AWS service role that allows Systems Manager to enable just-in-time node access.** use case. In the AWS CLI or the AWS API, create a service-linked role with the `ssm.amazonaws.com` service name. For more information, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again.

## Editing the `AWSServiceRoleForSystemsManagerJustInTimeAccess` service-linked role for Systems Manager
<a name="edit-slr-service-action-8"></a>

Systems Manager doesn't allow you to edit the `AWSServiceRoleForSystemsManagerJustInTimeAccess` service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting the `AWSServiceRoleForSystemsManagerJustInTimeAccess` service-linked role for Systems Manager
<a name="delete-slr-service-action-8"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that isn't actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

**Note**  
If the Systems Manager service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To manually delete the `AWSServiceRoleForSystemsManagerJustInTimeAccess` service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the `AWSServiceRoleForSystemsManagerJustInTimeAccess` service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for the Systems Manager `AWSServiceRoleForSystemsManagerJustInTimeAccess` service-linked role
<a name="slr-regions-service-action-8"></a>


| AWS Region name | Region identity | Support in Systems Manager | 
| --- | --- | --- | 
| US East (N. Virginia) | us-east-1 | Yes | 
| US East (Ohio) | us-east-2 | Yes | 
| US West (N. California) | us-west-1 | Yes | 
| US West (Oregon) | us-west-2 | Yes | 
| Asia Pacific (Mumbai) | ap-south-1 | Yes | 
| Asia Pacific (Osaka) | ap-northeast-3 | Yes | 
| Asia Pacific (Seoul) | ap-northeast-2 | Yes | 
| Asia Pacific (Singapore) | ap-southeast-1 | Yes | 
| Asia Pacific (Sydney) | ap-southeast-2 | Yes | 
| Asia Pacific (Tokyo) | ap-northeast-1 | Yes | 
| Canada (Central) | ca-central-1 | Yes | 
| Europe (Frankfurt) | eu-central-1 | Yes | 
| Europe (Ireland) | eu-west-1 | Yes | 
| Europe (London) | eu-west-2 | Yes | 
| Europe (Paris) | eu-west-3 | Yes | 
| Europe (Stockholm) | eu-north-1 | Yes | 
| South America (São Paulo) | sa-east-1 | Yes | 
| AWS GovCloud (US)  | us-gov-west-1 | No | 

# Using roles to send just-in-time node access request notifications
<a name="using-service-linked-roles-service-action-9"></a>

Systems Manager uses the service-linked role named **`AWSServiceRoleForSystemsManagerNotifications`**. AWS Systems Manager uses this IAM service role to send notifications to access request approvers.

## Service-linked role permissions for Systems Manager just-in-time node access notifications
<a name="slr-permissions-service-action-9"></a>

The `AWSServiceRoleForSystemsManagerNotifications` service-linked role trusts the following services to assume the role:
+ `ssm.amazonaws.com`

The role permissions policy allows Systems Manager to complete the following actions on the specified resources:
+ `identitystore:ListGroupMembershipsForMember`
+ `identitystore:ListGroupMemberships`
+ `identitystore:DescribeUser`
+ `sso:ListInstances`
+ `sso:DescribeRegisteredRegions`
+ `sso:ListDirectoryAssociations`
+ `sso-directory:DescribeUser`
+ `sso-directory:ListMembersInGroup`
+ `iam:GetRole`

The managed policy that is used to provide permissions for the `AWSServiceRoleForSystemsManagerNotifications` role is `AWSSystemsManagerNotificationsServicePolicy`. For details about the permissions it grants, see [AWS managed policy: AWSSystemsManagerNotificationsServicePolicy](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSSystemsManagerNotificationsServicePolicy). 

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating the `AWSServiceRoleForSystemsManagerNotifications` service-linked role for Systems Manager
<a name="create-slr-service-action-9"></a>

You don't need to manually create a service-linked role. When you enable just-in-time node access in the AWS Management Console, Systems Manager creates the service-linked role for you. 

**Important**  
This service-linked role can be displayed in your account if you completed an action in another service that uses the features supported by this role. Also, if you were using the Systems Manager service before November 19, 2024, when it began supporting service-linked roles, then Systems Manager created the `AWSServiceRoleForSystemsManagerNotifications` role in your account. To learn more, see [A new role appeared in my IAM account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you enable just-in-time node access in the AWS Management Console, Systems Manager creates the service-linked role for you again. 

You can also use the IAM console to create a service-linked role with the **AWS service role that allows Systems Manager to send notifications to access request approvers.** use case. In the AWS CLI or the AWS API, create a service-linked role with the `ssm.amazonaws.com` service name. For more information, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again.

## Editing the `AWSServiceRoleForSystemsManagerNotifications` service-linked role for Systems Manager
<a name="edit-slr-service-action-9"></a>

Systems Manager doesn't allow you to edit the `AWSServiceRoleForSystemsManagerNotifications` service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting the `AWSServiceRoleForSystemsManagerNotifications` service-linked role for Systems Manager
<a name="delete-slr-service-action-9"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that isn't actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

**Note**  
If the Systems Manager service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To manually delete the `AWSServiceRoleForSystemsManagerNotifications` service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the `AWSServiceRoleForSystemsManagerNotifications` service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for the Systems Manager `AWSServiceRoleForSystemsManagerNotifications` service-linked role
<a name="slr-regions-service-action-9"></a>


| AWS Region name | Region identity | Support in Systems Manager | 
| --- | --- | --- | 
| US East (N. Virginia) | us-east-1 | Yes | 
| US East (Ohio) | us-east-2 | Yes | 
| US West (N. California) | us-west-1 | Yes | 
| US West (Oregon) | us-west-2 | Yes | 
| Asia Pacific (Mumbai) | ap-south-1 | Yes | 
| Asia Pacific (Osaka) | ap-northeast-3 | Yes | 
| Asia Pacific (Seoul) | ap-northeast-2 | Yes | 
| Asia Pacific (Singapore) | ap-southeast-1 | Yes | 
| Asia Pacific (Sydney) | ap-southeast-2 | Yes | 
| Asia Pacific (Tokyo) | ap-northeast-1 | Yes | 
| Canada (Central) | ca-central-1 | Yes | 
| Europe (Frankfurt) | eu-central-1 | Yes | 
| Europe (Ireland) | eu-west-1 | Yes | 
| Europe (London) | eu-west-2 | Yes | 
| Europe (Paris) | eu-west-3 | Yes | 
| Europe (Stockholm) | eu-north-1 | Yes | 
| South America (São Paulo) | sa-east-1 | Yes | 
| AWS GovCloud (US)  | us-gov-west-1 | No | 

# Logging and monitoring in AWS Systems Manager
<a name="logging-and-monitoring"></a>

Monitoring is an important part of maintaining the reliability, availability, and performance of AWS Systems Manager and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution so that you can more easily debug a multi-point failure if one occurs. AWS provides several tools for monitoring your Systems Manager and other resources and responding to potential incidents.

**AWS CloudTrail logs**  
CloudTrail provides a record of actions taken by a user, role, or an AWS service in Systems Manager. Using the information collected by CloudTrail, you can determine the request that was made to Systems Manager, the IP address from which the request was made, who made the request, when it was made, and additional details. For more information, see [Logging AWS Systems Manager API calls with AWS CloudTrail](monitoring-cloudtrail-logs.md).
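Answering the questions above (which Systems Manager API was called, by whom, from where, and when) comes down to reading a few fields of each CloudTrail record. This added example (not code from the AWS documentation) does that over three constructed records and, because the preceding sections recommend deleting unused service-linked roles, separately lists who created or deleted one; the account ID, IP addresses, user names and resource IDs are placeholders.

```python
"""Triage constructed CloudTrail records for Systems Manager activity.

Added example, not AWS code. The records are constructed to follow CloudTrail's
JSON shape (eventTime, eventSource, eventName, userIdentity, sourceIPAddress,
requestParameters); all identifiers in them are placeholders.
"""
import json
from collections import defaultdict

SAMPLE_TRAIL = json.dumps({"Records": [
    {   # Systems Manager acting through its service-linked role
        "eventTime": "2025-01-10T08:00:01Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "GetOpsItem",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/AWSServiceRoleForAmazonSSM_OpsInsights/OpsInsights",
            "invokedBy": "opsinsights.ssm.amazonaws.com"},
        "sourceIPAddress": "opsinsights.ssm.amazonaws.com",
        "requestParameters": {"opsItemId": "oi-0123456789ab"}},
    {   # a person deleting the service-linked role through IAM
        "eventTime": "2025-01-10T09:15:42Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "DeleteServiceLinkedRole",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"roleName": "AWSServiceRoleForAmazonSSM_OpsInsights"}},
    {   # a person starting a Session Manager session on a node
        "eventTime": "2025-01-10T09:20:05Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"target": "i-0123456789abcdef0"}},
]})

# IAM API names CloudTrail records for service-linked role lifecycle changes.
SLR_EVENTS = {"CreateServiceLinkedRole", "DeleteServiceLinkedRole"}


def load_records(text):
    """Parse a CloudTrail log file body into its list of records."""
    return json.loads(text)["Records"]


def actor(record):
    """Who made the call: the invoking AWS service if one did, else the principal ARN."""
    identity = record.get("userIdentity", {})
    return identity.get("invokedBy") or identity.get("arn", "unknown")


def ssm_calls_by_actor(records):
    """Map each actor to the Systems Manager APIs it called, with time and source IP."""
    calls = defaultdict(list)
    for r in records:
        if r.get("eventSource") != "ssm.amazonaws.com":
            continue
        calls[actor(r)].append((r["eventTime"], r["eventName"], r["sourceIPAddress"]))
    return dict(calls)


def service_linked_role_changes(records):
    """Service-linked role creations/deletions made by principals other than an AWS service.

    Creations with `invokedBy` set are the automatic ones the page describes
    (a service creating its own role) and are skipped.
    """
    changes = []
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com" or r.get("eventName") not in SLR_EVENTS:
            continue
        if r.get("userIdentity", {}).get("invokedBy"):
            continue
        changes.append({
            "time": r["eventTime"],
            "event": r["eventName"],
            "actor": actor(r),
            "source_ip": r["sourceIPAddress"],
            "role": r.get("requestParameters", {}).get("roleName", "?"),
        })
    return changes


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for who, calls in ssm_calls_by_actor(recs).items():
        print(who, calls)
    for change in service_linked_role_changes(recs):
        print(change)
```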

**Amazon CloudWatch alarms**  
Using Amazon CloudWatch alarms, you watch a single metric over a time period that you specify for your Amazon Elastic Compute Cloud (Amazon EC2) instances and other resources. If the metric exceeds a given threshold, a notification is sent to an Amazon Simple Notification Service (Amazon SNS) topic or AWS Auto Scaling policy. CloudWatch alarms don't invoke actions simply because they're in a particular state. Rather, the state must have changed and been maintained for a specified number of periods. For more information, see [Using Amazon CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html) in the *Amazon CloudWatch User Guide*.

**Amazon CloudWatch dashboards**  
CloudWatch dashboards are customizable home pages in the CloudWatch console that you can use to monitor your resources in a single view, even those resources that are spread across different AWS Regions. You can use CloudWatch dashboards to create customized views of the metrics and alarms for your AWS resources. For more information, see [Using Amazon CloudWatch dashboards hosted by Systems Manager](systems-manager-cloudwatch-dashboards.md).

**Amazon EventBridge**  
Using Amazon EventBridge, you can configure rules to alert you to changes in Systems Manager resources, and to direct EventBridge to take actions based on the content of those events. EventBridge provides support for a number of events that are emitted by various Systems Manager tools. For more information, see [Monitoring Systems Manager events with Amazon EventBridge](monitoring-eventbridge-events.md).

**Amazon CloudWatch Logs and SSM Agent logs**  
SSM Agent writes information about executions, scheduled actions, errors, and health statuses to log files on each node. You can view log files by manually connecting to a node. We recommend automatically sending agent log data to a log group in CloudWatch Logs for analysis. For more information, see [Sending node logs to unified CloudWatch Logs (CloudWatch agent)](monitoring-cloudwatch-agent.md) and [Viewing SSM Agent logs](ssm-agent-logs.md).

**AWS Systems Manager Compliance**  
You can use Compliance, a tool in AWS Systems Manager, to scan your fleet of managed nodes for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and AWS Regions, and then drill down into specific resources that aren’t compliant. By default, Compliance displays current compliance data about patching in Patch Manager, a tool in AWS Systems Manager, and associations in State Manager, a tool in AWS Systems Manager. For more information, see [AWS Systems Manager Compliance](systems-manager-compliance.md).

**AWS Systems Manager Explorer**  
Explorer, a tool in AWS Systems Manager, is a customizable operations dashboard that reports information about your AWS resources. Explorer displays an aggregated view of operations data (OpsData) for your AWS accounts and across AWS Regions. In Explorer, OpsData includes metadata about your EC2 instances, patch compliance details, and operational work items (OpsItems). Explorer provides context about how OpsItems are distributed across your business units or applications, how they trend over time, and how they vary by category. You can group and filter information in Explorer to focus on items that are relevant to you and that require action. For more information, see [AWS Systems Manager Explorer](Explorer.md).

**AWS Systems Manager OpsCenter**  
OpsCenter, a tool in AWS Systems Manager, provides a central location where operations engineers and IT professionals can view, investigate, and resolve operational work items (OpsItems) related to AWS resources. OpsCenter aggregates and standardizes OpsItems across services while providing contextual investigation data about each OpsItem, related OpsItems, and related resources. OpsCenter also provides runbooks in Automation, a tool in AWS Systems Manager, that you can use to quickly resolve issues. OpsCenter is integrated with Amazon EventBridge. This means you can create EventBridge rules that automatically create OpsItems for any AWS service that publishes events to EventBridge. For more information, see [AWS Systems Manager OpsCenter](OpsCenter.md).

**Amazon Simple Notification Service**  
You can configure Amazon Simple Notification Service (Amazon SNS) to send notifications about the status of commands that you send using Run Command or Maintenance Windows, tools in AWS Systems Manager. Amazon SNS coordinates and manages sending and delivering notifications to clients or endpoints that are subscribed to Amazon SNS topics. You can receive a notification whenever a command changes to a new state or to a specific state, such as `Failed` or `Timed Out`. In cases where you send a command to multiple nodes, you can receive a notification for each copy of the command sent to a specific node. For more information, see [Monitoring Systems Manager status changes using Amazon SNS notifications](monitoring-sns-notifications.md).

**AWS Trusted Advisor and AWS Health Dashboard**  
Trusted Advisor draws upon best practices learned from serving hundreds of thousands of AWS customers. Trusted Advisor inspects your AWS environment and then makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps. All AWS customers have access to five Trusted Advisor checks. Customers with either an AWS Support Business or Enterprise plan can view all Trusted Advisor checks. For more information, see [AWS Trusted Advisor](https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor.html) in the *AWS Support User Guide* and the *[AWS Health User Guide](https://docs.aws.amazon.com/health/latest/ug/)*.

**More info**  
+ [Logging and monitoring in AWS Systems Manager](monitoring.md)

# Compliance validation for AWS Systems Manager
<a name="compliance-validation"></a>

This topic addresses AWS Systems Manager compliance with third-party assurance programs. For information about viewing compliance data for your managed nodes, see [AWS Systems Manager Compliance](systems-manager-compliance.md).

Third-party auditors assess the security and compliance of Systems Manager as part of multiple AWS compliance programs. These include SOC, PCI, FedRAMP, HIPAA, and others.

For a list of AWS services in scope of specific compliance programs, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/). For general information, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/).

You can download third-party audit reports using AWS Artifact. For more information, see [Downloading reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html).

Your compliance responsibility when using Systems Manager is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. AWS provides the following resources to help with compliance:
+ [Security and Compliance Quick Start Guides](https://aws.amazon.com/quickstart/?awsf.quickstart-homepage-filter=categories%23security-identity-compliance) – These deployment guides discuss architectural considerations and provide steps for deploying security- and compliance-focused baseline environments on AWS.
+ [Architecting for HIPAA Security and Compliance Whitepaper](https://docs.aws.amazon.com/whitepapers/latest/architecting-hipaa-security-and-compliance-on-aws/introduction.html) – This whitepaper describes how companies can use AWS to create HIPAA-compliant applications.
+ [AWS Compliance Resources](https://aws.amazon.com/compliance/resources/) – This collection of workbooks and guides might apply to your industry and location.
+ [Evaluating Resources with Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) in the *AWS Config Developer Guide* – The AWS Config service assesses how well your resource configurations comply with internal practices, industry guidelines, and regulations.
+ [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) – This AWS service provides a comprehensive view of your security state within AWS that helps you check your compliance with security industry standards and best practices.

# Resilience in AWS Systems Manager
<a name="disaster-recovery-resiliency"></a>

The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures. 

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

# Infrastructure security in AWS Systems Manager
<a name="infrastructure-security"></a>

As a managed service, AWS Systems Manager is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in *Security Pillar AWS Well‐Architected Framework*.

You use AWS published API calls to access Systems Manager through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

# Configuration and vulnerability analysis in AWS Systems Manager
<a name="vulnerability-analysis-and-management"></a>

AWS handles basic security tasks such as firewall configuration and disaster recovery. These procedures have been reviewed and certified by the appropriate third parties. For more details, see the following resources: 
+ [Compliance validation for AWS Systems Manager](compliance-validation.md)
+ [Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/)
+ [Best Practices for Security, Identity, & Compliance](https://aws.amazon.com/architecture/security-identity-compliance/)

# Security best practices for Systems Manager
<a name="security-best-practices"></a>

AWS Systems Manager provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions. 

**Topics**
+ [Systems Manager preventative security best practices](#security-best-practices-prevent)
+ [SSM Agent installation best practices](#security-best-practices-ssm-agent)
+ [Systems Manager monitoring and auditing best practices](#security-best-practices-detect)

## Systems Manager preventative security best practices
<a name="security-best-practices-prevent"></a>

The following best practices for Systems Manager can help prevent security incidents.

**Implement least privilege access**  
When granting permissions, you decide who is getting what permissions to which Systems Manager resources. You allow specific actions that you want to allow on those resources. Therefore you should grant only the permissions that are required to perform a task. Implementing least privilege access is fundamental in reducing security risk and the impact that could result from errors or malicious intent.   
The following tools are available to implement least privilege access:  
+ [IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_controlling.html) and [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+ [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)

**Use recommended settings for SSM Agent when configured to use a proxy**  
If you configure SSM Agent to use a proxy, use the `no_proxy` variable with the IP address of the Systems Manager instance metadata service to ensure that calls to Systems Manager don't take on the identity of the proxy service.  
For more information, see [Configuring SSM Agent to use a proxy on Linux nodes](configure-proxy-ssm-agent.md) and [Configure SSM Agent to use a proxy for Windows Server instances](configure-proxy-ssm-agent-windows.md).

**Use SecureString parameters to encrypt and protect secret data**  
In Parameter Store, a tool in AWS Systems Manager, a `SecureString` parameter is any sensitive data that needs to be stored and referenced in a secure manner. If you have data that you don't want users to alter or reference in plaintext, such as passwords or license keys, create those parameters using the `SecureString` data type. Parameter Store uses an AWS KMS key in AWS Key Management Service (AWS KMS) to encrypt the parameter value. AWS KMS uses either a customer managed key or an AWS managed key when encrypting the parameter value. For maximum security, we recommend using your own KMS key. If you use the AWS managed key, any user with permission to run the [GetParameter](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html) and [GetParameters](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameters.html) actions in your account can view or retrieve the content of all `SecureString` parameters. If you're using customer managed keys to encrypt your `SecureString` values, you can use IAM policies and key policies to manage permissions for encrypting and decrypting parameters.  
It's more difficult to establish access control policies for these operations when using an AWS managed key. For example, if you use an AWS managed key to encrypt `SecureString` parameters and don't want users to work with `SecureString` parameters, the user's IAM policies must explicitly deny access to the default key.  
For more information, see [Restricting access to Parameter Store parameters using IAM policies](sysman-paramstore-access.md) and [How AWS Systems Manager Parameter Store Uses AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html) in the *AWS Key Management Service Developer Guide*.

**Define allowedValues and allowedPattern for document parameters**  
You can validate user input for parameters in Systems Manager documents (SSM documents) by defining `allowedValues` and `allowedPattern`. For `allowedValues`, you define an array of values allowed for the parameter. If a user inputs a value that isn't allowed, the execution fails to start. For `allowedPattern`, you define a regular expression that validates whether the user input matches the defined pattern for the parameter. If the user input doesn't match the allowed pattern, the execution fails to start.  
For more information about `allowedValues` and `allowedPattern`, see [Data elements and parameters](documents-syntax-data-elements-parameters.md).
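The following is an added example (not code from the Systems Manager documentation) showing how the two checks described above behave before an execution starts: `allowedValues` membership and `allowedPattern` matching, with `default` applied for omitted parameters. The SSM document, its parameter names, and all inputs are constructed for illustration. The validator requires the whole value to match the pattern (`re.fullmatch`); write your own `allowedPattern` values with explicit `^` and `$` anchors so an unanchored pattern cannot be satisfied by a partial match.

```python
import re

# Constructed Command document with constrained parameters (example only).
EXAMPLE_DOCUMENT = {
    "schemaVersion": "2.2",
    "description": "Restart a named service (constructed example document)",
    "parameters": {
        "serviceName": {
            "type": "String",
            "description": "Service to restart; only listed values are accepted",
            "allowedValues": ["nginx", "sshd", "amazon-ssm-agent"],
        },
        "timeoutSeconds": {
            "type": "String",
            "description": "Timeout in seconds; one to four digits only",
            "default": "60",
            "allowedPattern": "^[0-9]{1,4}$",
        },
    },
    "mainSteps": [
        {
            "action": "aws:runShellScript",
            "name": "restartService",
            "inputs": {
                "runCommand": ["systemctl restart {{ serviceName }}"],
                "timeoutSeconds": "{{ timeoutSeconds }}",
            },
        }
    ],
}


def validate_parameters(document, user_inputs):
    """Return a list of validation errors; an empty list means the inputs are acceptable.

    Mirrors the pre-execution checks the text describes: a value must be one of
    allowedValues when that list is present, and must match allowedPattern when
    a pattern is present. Omitted parameters take their default; a required
    parameter with no default is an error, as is an unknown parameter name.
    Simplified: only String-typed parameters are handled.
    """
    errors = []
    params = document.get("parameters", {})
    for name, spec in params.items():
        if name in user_inputs:
            value = user_inputs[name]
        elif "default" in spec:
            value = spec["default"]
        else:
            errors.append(f"{name}: required parameter not supplied")
            continue
        allowed = spec.get("allowedValues")
        if allowed is not None and value not in allowed:
            errors.append(f"{name}: {value!r} is not one of {allowed}")
        pattern = spec.get("allowedPattern")
        if pattern is not None and re.fullmatch(pattern, value) is None:
            errors.append(f"{name}: {value!r} does not match pattern {pattern!r}")
    for name in user_inputs:
        if name not in params:
            errors.append(f"{name}: not a parameter of this document")
    return errors


if __name__ == "__main__":
    for inputs in ({"serviceName": "nginx"},
                   {"serviceName": "apache2"},
                   {"serviceName": "sshd", "timeoutSeconds": "30s"},
                   {}):
        print(inputs, "->", validate_parameters(EXAMPLE_DOCUMENT, inputs) or "OK")
```

Because the failing cases never reach `mainSteps`, a value such as `apache2` (not in `allowedValues`) or `30s` (not matching the digit-only pattern) is rejected before any command is rendered on a node.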

**Block public sharing for documents**  
Unless your use case requires public sharing to be allowed, we recommend turning on the block public sharing setting for your SSM documents in the **Preferences** section of the Systems Manager Documents console.

**Use an Amazon Virtual Private Cloud (Amazon VPC) and VPC endpoints**  
You can use Amazon VPC to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.  
By implementing a VPC endpoint, you can privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service doesn't leave the Amazon network.  
For more information about Amazon VPC security, see [Improve the security of EC2 instances by using VPC endpoints for Systems Manager](setup-create-vpc.md) and [Internetwork traffic privacy in Amazon VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html) in the *Amazon VPC User Guide*.

**Restrict Session Manager users to sessions using interactive commands and specific SSM session documents**  
Session Manager, a tool in AWS Systems Manager, provides [several methods for starting sessions](session-manager-working-with-sessions-start.md) to your managed nodes. For the most secure connections, you can require users to connect using the *interactive commands* method to limit user interaction to a specific command or command sequence. This helps you manage the interactive actions a user can take. For more information, see [Starting a session (interactive and noninteractive commands)](session-manager-working-with-sessions-start.md#sessions-start-interactive-commands).  
For added security, you can limit Session Manager access to specific Amazon EC2 instances and specific Session Manager session documents. You grant or revoke Session Manager access in this way by using AWS Identity and Access Management (IAM) policies. For more information, see [Step 3: Control session access to managed nodes](session-manager-getting-started-restrict-access.md). 
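As an added example serving both the least-privilege guidance above and this Session Manager restriction, the following Python block (not a policy or code from the documentation) builds an IAM policy that allows `ssm:StartSession` only on two named instances and only with one session document, and lets users resume or end only their own sessions. It then runs a deliberately simplified allow-only evaluator over it so you can see which requests pass. The account ID, Region, and instance IDs are constructed placeholders; `SSM-SessionManagerRunShell` is the default Session Manager document name. The evaluator ignores `Deny` statements and `Condition` blocks, which IAM itself does evaluate, so use it to reason about resource scoping, not as a substitute for the IAM policy simulator.

```python
import re

# Constructed placeholders (not real resources).
ACCOUNT = "123456789012"
REGION = "us-east-1"
ALLOWED_INSTANCES = ["i-0123456789abcdef0", "i-0fedcba9876543210"]
SESSION_DOCUMENT = "SSM-SessionManagerRunShell"  # default Session Manager document

# Least-privilege policy for a Session Manager user (constructed example).
SESSION_MANAGER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StartSessionOnApprovedInstancesOnly",
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            # StartSession is authorized against BOTH the instance and the document,
            # so both resource types must be listed here.
            "Resource": [f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{i}" for i in ALLOWED_INSTANCES]
                        + [f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/{SESSION_DOCUMENT}"],
            # Ensures the document is checked even when the caller omits it.
            "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}},
        },
        {
            "Sid": "ManageOwnSessionsOnly",
            "Effect": "Allow",
            "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
            # Session IDs are prefixed with the caller's user name.
            "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
        },
    ],
}


def _wildcard_match(pattern, value):
    """IAM-style glob: '*' matches any run of characters, '?' a single character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def allowed(policy, action, resources, username="alice"):
    """Simplified evaluation: every requested resource must be covered by an Allow
    statement whose Action matches. Deny statements and Conditions are NOT
    evaluated in this example. Action names are compared case-insensitively and
    ${aws:username} is substituted before resource matching."""
    for res in resources:
        covered = False
        for stmt in policy["Statement"]:
            if stmt["Effect"] != "Allow":
                continue
            if not any(_wildcard_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
                continue
            patterns = [p.replace("${aws:username}", username) for p in _as_list(stmt["Resource"])]
            if any(_wildcard_match(p, res) for p in patterns):
                covered = True
                break
        if not covered:
            return False
    return True


if __name__ == "__main__":
    inst = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{ALLOWED_INSTANCES[0]}"
    doc = f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/{SESSION_DOCUMENT}"
    print("approved instance + default doc:", allowed(SESSION_MANAGER_POLICY, "ssm:StartSession", [inst, doc]))
    print("own session terminate:", allowed(SESSION_MANAGER_POLICY, "ssm:TerminateSession",
                                            [f"arn:aws:ssm:{REGION}:{ACCOUNT}:session/alice-0a1b2c"]))
```

The check that matters most is the two-resource `StartSession` request: a request on an unlisted instance, or with a different session document, fails because one of its resources is not covered, which is exactly how the instance and document restrictions in the linked topic take effect.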

**Provide temporary node permissions for Automation workflows**  
During a workflow in Automation, a tool in AWS Systems Manager, your nodes might need permissions for that execution only and not for other Systems Manager operations. For example, an Automation workflow might require a node to call a particular API operation or access an AWS resource specifically during the workflow. If these calls or resources are ones that you want to limit access to, you can provide temporary, supplemental permissions for your nodes within the Automation runbook itself instead of adding the permissions to your IAM instance profile. At the end of the Automation workflow, the temporary permissions are removed. For more information, see [Providing temporary instance permissions with AWS Systems Manager Automations](https://aws.amazon.com/blogs/mt/providing-temporary-instance-permissions-with-aws-systems-manager-automations/) on the *AWS Management and Governance Blog*.

**Keep AWS and Systems Manager tools up to date**  
AWS regularly releases updated versions of tools and plugins that you can use in your AWS and Systems Manager operations. Keeping these resources up to date ensures that users and nodes in your account have access to the latest functionality and security features in these tools.  
+ SSM Agent – AWS Systems Manager Agent (SSM Agent) is Amazon software that can be installed and configured on an Amazon Elastic Compute Cloud (Amazon EC2) instance, an on-premises server, or a virtual machine (VM). SSM Agent makes it possible for Systems Manager to update, manage, and configure these resources. We recommend checking for new versions, or automating updates to the agent, at least every two weeks. For information, see [Automating updates to SSM Agent](ssm-agent-automatic-updates.md). We also recommend verifying the signature of SSM Agent as part of your update process. For information, see [Verifying the signature of SSM Agent](verify-agent-signature.md).
+ AWS CLI – The AWS Command Line Interface (AWS CLI) is an open source tool that allows you to interact with AWS services using commands in your command-line shell. To update the AWS CLI, you run the same command used to install the AWS CLI. We recommend creating a scheduled task on your local machine to run the command appropriate to your operating system at least once every two weeks. For information about installation commands, see [Installing the AWS CLI version 2](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*. 
+ AWS Tools for Windows PowerShell – The Tools for Windows PowerShell are a set of PowerShell modules that are built on the functionality exposed by the AWS SDK for .NET. The AWS Tools for Windows PowerShell allow you to script operations on your AWS resources from the PowerShell command line. Periodically, as updated versions of the Tools for Windows PowerShell are released, you should update the version that you're running locally. For information, see [Updating the AWS Tools for Windows PowerShell on Windows](https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up-windows.html#pstools-updating) or [Updating the AWS Tools for Windows PowerShell on Linux or macOS](https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up-linux-mac.html#pstools-updating-linux) in the *AWS Tools for PowerShell User Guide*.
+ Session Manager plugin – If users in your organization with permissions to use Session Manager want to connect to a node using the AWS CLI, they must first install the Session Manager plugin on their local machines. To update the plugin, you run the same command used to install the plugin. We recommend creating a scheduled task on your local machine to run the command appropriate to your operating system at least once every two weeks. For information, see [Install the Session Manager plugin for the AWS CLI](session-manager-working-with-install-plugin.md).
+ CloudWatch agent – You can configure and use the CloudWatch agent to collect metrics and logs from your EC2 instances, on-premises instances, and virtual machines (VMs). These logs can be sent to Amazon CloudWatch Logs for monitoring and analysis. We recommend checking for new versions, or automating updates to the agent, at least every two weeks. For the simplest updates, use AWS Systems Manager Quick Setup. For information, see [AWS Systems Manager Quick Setup](systems-manager-quick-setup.md). 

## SSM Agent installation best practices
<a name="security-best-practices-ssm-agent"></a>

When installing SSM Agent, use the appropriate installation method for your machine type. In particular, use the `ssm-setup-cli` tool for all non-EC2 installations in a [hybrid and multicloud](operating-systems-and-machine-types.md#supported-machine-types) environment. This tool provides additional security protections for non-EC2 machines.

To install the agent on on-premises servers and virtual machines, use the `ssm-setup-cli` tool as described in the following topics:
+ [Install SSM Agent on hybrid Linux nodes](hybrid-multicloud-ssm-agent-install-linux.md)
+ [Install SSM Agent on hybrid Windows Server nodes](hybrid-multicloud-ssm-agent-install-windows.md)

To install the agent on EC2 instances, use the appropriate installation procedure for your operating system type:
+ [Manually installing and uninstalling SSM Agent on EC2 instances for Linux](manually-install-ssm-agent-linux.md)
+ [Manually installing and uninstalling SSM Agent on EC2 instances for macOS](manually-install-ssm-agent-macos.md)
+ [Manually installing and uninstalling SSM Agent on EC2 instances for Windows Server](manually-install-ssm-agent-windows.md)

## Systems Manager monitoring and auditing best practices
<a name="security-best-practices-detect"></a>

The following best practices for Systems Manager can help detect potential security weaknesses and incidents.

**Identify and audit all your Systems Manager resources**  
Identification of your IT assets is a crucial aspect of governance and security. You need to identify all of your Systems Manager resources to assess their security posture and take action on potential areas of weakness.  
Use Tag Editor to identify security-sensitive or audit-sensitive resources, then use those tags when you need to search for these resources. For more information, see [Find resources to tag](https://docs.aws.amazon.com/ARG/latest/userguide/find-resources-to-tag.html) in the *AWS Resource Groups User Guide*.   
Create resource groups for your Systems Manager resources. For more information, see [What are resource groups?](https://docs.aws.amazon.com/ARG/latest/userguide/resource-groups.html) 

**Implement monitoring using Amazon CloudWatch monitoring tools**  
Monitoring is an important part of maintaining the reliability, security, availability, and performance of Systems Manager and your AWS solutions. Amazon CloudWatch provides several tools and services to help you monitor Systems Manager and your other AWS services. For more information, see [Sending node logs to unified CloudWatch Logs (CloudWatch agent)](monitoring-cloudwatch-agent.md) and [Monitoring Systems Manager events with Amazon EventBridge](monitoring-eventbridge-events.md).

**Use CloudTrail**  
AWS CloudTrail provides a record of actions taken by a user, role, or an AWS service in Systems Manager. Using the information collected by CloudTrail, you can determine the request that was made to Systems Manager, the IP address from which the request was made, who made the request, when it was made, and additional details. For more information, see [Logging AWS Systems Manager API calls with AWS CloudTrail](monitoring-cloudtrail-logs.md).
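The following added example (not code from the documentation) reads CloudTrail records in the delivered `{"Records": [...]}` shape and pulls out the fields the text lists for each Systems Manager request: what was called, who called it, from which IP address, and when. It also answers two questions from the `SecureString` guidance earlier on this page: which identities retrieved parameters with decryption, and which Systems Manager requests were denied. The four records, their ARNs, IP addresses and times are constructed for this example; the field names (`eventSource`, `eventName`, `sourceIPAddress`, `userIdentity.arn`, `requestParameters`, `errorCode`) are the standard CloudTrail ones.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail delivery (one log file's worth of records). Not real events.
SAMPLE_TRAIL = json.dumps({"Records": [
    {
        "eventTime": "2024-05-01T12:00:05Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"target": "i-0123456789abcdef0"},
    },
    {
        "eventTime": "2024-05-01T12:03:41Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "GetParameter",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0fedcba9876543210"},
        "requestParameters": {"name": "/prod/db/password", "withDecryption": True},
    },
    {
        "eventTime": "2024-05-01T12:04:00Z",
        "eventSource": "ec2.amazonaws.com",      # not Systems Manager; filtered out below
        "eventName": "DescribeInstances",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": None,
    },
    {
        "eventTime": "2024-05-01T12:09:12Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "SendCommand",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0123456789abcdef0"]},
        "errorCode": "AccessDenied",             # request was refused by IAM
    },
]})


def ssm_events(trail_json):
    """Return the Systems Manager events from a CloudTrail log, reduced to the
    who / from where / when / what fields, in delivery order."""
    records = json.loads(trail_json)["Records"]
    events = []
    for r in records:
        if r.get("eventSource") != "ssm.amazonaws.com":
            continue
        events.append({
            "when": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "who": r["userIdentity"]["arn"],
            "from_ip": r["sourceIPAddress"],
            "action": r["eventName"],
            "params": r.get("requestParameters") or {},
            "denied": "errorCode" in r,
        })
    return events


def decrypted_parameter_reads(events):
    """Events in which a parameter value may have been returned in plaintext:
    GetParameter/GetParameters called with withDecryption set."""
    return [e for e in events
            if e["action"] in ("GetParameter", "GetParameters") and e["params"].get("withDecryption")]


def denied_requests(events):
    """Systems Manager requests that CloudTrail recorded with an errorCode."""
    return [e for e in events if e["denied"]]


if __name__ == "__main__":
    evs = ssm_events(SAMPLE_TRAIL)
    for e in evs:
        flag = " (DENIED)" if e["denied"] else ""
        print(f'{e["when"].isoformat()} {e["who"]} from {e["from_ip"]}: {e["action"]}{flag}')
    print("decrypted reads:", [(e["who"], e["params"]["name"]) for e in decrypted_parameter_reads(evs)])
```

Running this over a real trail is the same loop with the file contents in place of `SAMPLE_TRAIL`; the denied `SendCommand` and the decrypted read of `/prod/db/password` are the two records a reviewer would look at first.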

**Turn on AWS Config**  
AWS Config allows you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config monitors resource configurations, allowing you to evaluate the recorded configurations against the required secure configurations. Using AWS Config, you can review changes in configurations and relationships between AWS resources, investigate detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This can help you simplify compliance auditing, security analysis, change management, and operational troubleshooting. For more information, see [Setting Up AWS Config with the Console](https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html) in the *AWS Config Developer Guide*. When specifying the resource types to record, ensure that you include Systems Manager resources. 

**Monitor AWS security advisories**  
You should regularly check security advisories posted in Trusted Advisor for your AWS account. You can do this programmatically using [describe-trusted-advisor-checks](https://docs.aws.amazon.com/cli/latest/reference/support/describe-trusted-advisor-checks.html).  
Further, actively monitor the primary email address registered to each of your AWS accounts. AWS will contact you, using this email address, about emerging security issues that might affect you.  
AWS operational issues with broad impact are posted on the [AWS Service Health Dashboard](https://status.aws.amazon.com/). Operational issues are also posted to individual accounts through the Personal Health Dashboard. For more information, see the [AWS Health Documentation](https://docs.aws.amazon.com/health/).

**More info**  
+ [Best Practices for Security, Identity, & Compliance](https://aws.amazon.com/architecture/security-identity-compliance/)
+ [Getting Started: Follow Security Best Practices as You Configure Your AWS Resources](https://aws.amazon.com/blogs/security/getting-started-follow-security-best-practices-as-you-configure-your-aws-resources/) (AWS Security Blog)
+ [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
+ [Security best practices in AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html)
+ [Security Best Practices for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)
+ [Security best practices for AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html)