AWS managed policies for AWS Systems Manager
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see AWS managed policies in the IAM User Guide.
AWS managed policy: AmazonSSMServiceRolePolicy
This policy provides access to a number of AWS resources that are managed by AWS Systems Manager or used in Systems Manager operations.
You can't attach AmazonSSMServiceRolePolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows AWS Systems Manager to perform actions on your behalf. For more information, see Using roles to collect inventory and view OpsData.
Permissions details
This policy includes the following permissions.
- ssm – Allows principals to start and step executions for both Run Command and Automation; to retrieve information about Run Command and Automation operations; to retrieve information about Parameter Store parameters and Change Calendar calendars; to update and retrieve information about Systems Manager service settings for OpsCenter resources; and to read information about tags that have been applied to resources.
- cloudformation – Allows principals to retrieve information about stackset operations and stackset instances, and to delete stacksets on the resource arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*. Allows principals to delete stack instances that are associated with the following resources: arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*, arn:aws:cloudformation:*:*:stackset-target/AWS-QuickSetup-SSM*:*, and arn:aws:cloudformation:*:*:type/resource/*.
- cloudwatch – Allows principals to retrieve information about Amazon CloudWatch alarms.
- compute-optimizer – Allows principals to retrieve the enrollment (opt-in) status of an account with the AWS Compute Optimizer service, and to retrieve recommendations for Amazon EC2 instances that meet a specific set of stated requirements.
- config – Allows principals to retrieve information about remediation configurations and configuration recorders in AWS Config, and to determine whether specified AWS Config rules and AWS resources are compliant.
- events – Allows principals to retrieve information about EventBridge rules; to create EventBridge rules and targets exclusively for the Systems Manager service (ssm.amazonaws.com); and to delete rules and targets for the resource arn:aws:events:*:*:rule/SSMExplorerManagedRule.
- ec2 – Allows principals to retrieve information about Amazon EC2 instances.
- iam – Allows principals to pass roles to the Systems Manager service (ssm.amazonaws.com).
- lambda – Allows principals to invoke Lambda functions that are configured specifically for use by Systems Manager.
- resource-explorer-2 – Allows principals to retrieve data about EC2 instances to determine whether or not each instance is currently managed by Systems Manager. The action resource-explorer-2:CreateManagedView is allowed for the arn:aws:resource-explorer-2:*:*:managed-view/AWSManagedViewForSSM* resource.
- resource-groups – Allows principals to list resource groups in AWS Resource Groups and to retrieve the resources that belong to a resource group.
- securityhub – Allows principals to retrieve information about AWS Security Hub hub resources in the current account.
- states – Allows principals to start and retrieve information for AWS Step Functions that are configured specifically for use by Systems Manager.
- support – Allows principals to retrieve information about checks and cases in AWS Trusted Advisor.
- tag – Allows principals to retrieve information about all the tagged or previously tagged resources that are located in a specified AWS Region for an account.
To view more details about the policy, including the latest version of the JSON policy document, see AmazonSSMServiceRolePolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AmazonSSMReadOnlyAccess
You can attach the AmazonSSMReadOnlyAccess policy to your IAM identities. This policy grants read-only access to AWS Systems Manager API operations, including Describe*, Get*, and List* operations.
To view more details about the policy, including the latest version of the JSON policy document, see AmazonSSMReadOnlyAccess in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSSystemsManagerOpsDataSyncServiceRolePolicy
You can't attach AWSSystemsManagerOpsDataSyncServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see Using roles to create OpsData and OpsItems for Explorer.
AWSSystemsManagerOpsDataSyncServiceRolePolicy allows the AWSServiceRoleForSystemsManagerOpsDataSync service-linked role to create and update OpsItems and OpsData from AWS Security Hub findings.
The policy allows Systems Manager to complete the following actions on all related resources ("Resource": "*"), except where indicated:
- ssm:GetOpsItem [1]
- ssm:UpdateOpsItem [1]
- ssm:CreateOpsItem
- ssm:AddTagsToResource [2]
- ssm:UpdateServiceSetting [3]
- ssm:GetServiceSetting [3]
- securityhub:GetFindings
- securityhub:BatchUpdateFindings [4]
[1] The ssm:GetOpsItem and ssm:UpdateOpsItem actions are allowed only on OpsItems that satisfy the following condition, that is, OpsItems tagged ExplorerSecurityHubOpsItem=true.

    "Condition": {
        "StringEquals": {
            "aws:ResourceTag/ExplorerSecurityHubOpsItem": "true"
        }
    }

[2] The ssm:AddTagsToResource action is allowed for the following resource only.

    arn:aws:ssm:*:*:opsitem/*

[3] The ssm:UpdateServiceSetting and ssm:GetServiceSetting actions are allowed for the following resources only.

    arn:aws:ssm:*:*:servicesetting/ssm/opsitem/*
    arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*

[4] The securityhub:BatchUpdateFindings action is explicitly denied when any of the following conditions is met. A "Null": false condition matches when the named ASFF field is present in the request, so the role cannot set a finding's workflow status to SUPPRESSED or modify the listed fields.

    {
        "Effect": "Deny",
        "Action": "securityhub:BatchUpdateFindings",
        "Resource": "*",
        "Condition": { "StringEquals": { "securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED" } }
    },
    {
        "Effect": "Deny",
        "Action": "securityhub:BatchUpdateFindings",
        "Resource": "*",
        "Condition": { "Null": { "securityhub:ASFFSyntaxPath/Confidence": false } }
    },
    {
        "Effect": "Deny",
        "Action": "securityhub:BatchUpdateFindings",
        "Resource": "*",
        "Condition": { "Null": { "securityhub:ASFFSyntaxPath/Criticality": false } }
    },
    {
        "Effect": "Deny",
        "Action": "securityhub:BatchUpdateFindings",
        "Resource": "*",
        "Condition": { "Null": { "securityhub:ASFFSyntaxPath/Note.Text": false } }
    },
    {
        "Effect": "Deny",
        "Action": "securityhub:BatchUpdateFindings",
        "Resource": "*",
        "Condition": { "Null": { "securityhub:ASFFSyntaxPath/Note.UpdatedBy": false } }
    },
    {
        "Effect": "Deny",
        "Action": "securityhub:BatchUpdateFindings",
        "Resource": "*",
        "Condition": { "Null": { "securityhub:ASFFSyntaxPath/RelatedFindings": false } }
    },
    {
        "Effect": "Deny",
        "Action": "securityhub:BatchUpdateFindings",
        "Resource": "*",
        "Condition": { "Null": { "securityhub:ASFFSyntaxPath/Types": false } }
    },
    {
        "Effect": "Deny",
        "Action": "securityhub:BatchUpdateFindings",
        "Resource": "*",
        "Condition": { "Null": { "securityhub:ASFFSyntaxPath/UserDefinedFields.key": false } }
    },
    {
        "Effect": "Deny",
        "Action": "securityhub:BatchUpdateFindings",
        "Resource": "*",
        "Condition": { "Null": { "securityhub:ASFFSyntaxPath/UserDefinedFields.value": false } }
    },
    {
        "Effect": "Deny",
        "Action": "securityhub:BatchUpdateFindings",
        "Resource": "*",
        "Condition": { "Null": { "securityhub:ASFFSyntaxPath/VerificationState": false } }
    }
To view more details about the policy, including the latest version of the JSON policy document, see AWSSystemsManagerOpsDataSyncServiceRolePolicy in the AWS Managed Policy Reference Guide.
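The footnotes above are easiest to reason about by running requests through the conditions. The following is an added example, not AWS code: a miniature of IAM's evaluation rules (an explicit Deny beats the Allow) covering only the two operators this policy uses, StringEquals and Null, with the condition data transcribed from footnotes [1] and [4]; the request bodies are constructed.

```python
"""Condition checks for AWSSystemsManagerOpsDataSyncServiceRolePolicy.

Added example, not AWS code. Models only StringEquals and Null, the two
condition operators used by footnotes [1] and [4] on this page.
"""
from __future__ import annotations

# Footnote [1]: GetOpsItem/UpdateOpsItem are allowed only on OpsItems with this tag.
OPSITEM_TAG_CONDITION = {
    "StringEquals": {"aws:ResourceTag/ExplorerSecurityHubOpsItem": "true"}
}

# Footnote [4]: ASFF fields whose presence in a BatchUpdateFindings request
# triggers an explicit Deny ("Null": false matches when the key exists).
ASFF_PATHS_DENIED_IF_PRESENT = [
    "Confidence", "Criticality", "Note.Text", "Note.UpdatedBy",
    "RelatedFindings", "Types", "UserDefinedFields.key",
    "UserDefinedFields.value", "VerificationState",
]


def build_deny_statements() -> list[dict]:
    """Reconstruct the ten Deny statements listed in footnote [4]."""
    statements = [{
        "Effect": "Deny",
        "Action": "securityhub:BatchUpdateFindings",
        "Resource": "*",
        "Condition": {"StringEquals": {
            "securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"}},
    }]
    for path in ASFF_PATHS_DENIED_IF_PRESENT:
        statements.append({
            "Effect": "Deny",
            "Action": "securityhub:BatchUpdateFindings",
            "Resource": "*",
            "Condition": {"Null": {f"securityhub:ASFFSyntaxPath/{path}": False}},
        })
    return statements


def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block; keys absent from `context` count as null."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # "Null": true matches when the key is absent, false when present.
                if present == bool(expected):
                    return False
            elif operator == "StringEquals":
                if not present or str(context[key]) != str(expected):
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def asff_context(update: dict) -> dict:
    """Flatten a BatchUpdateFindings body into securityhub:ASFFSyntaxPath keys."""
    ctx: dict = {}
    for field, value in update.items():
        if field == "UserDefinedFields":
            # The policy addresses the map through separate .key and .value paths.
            ctx["securityhub:ASFFSyntaxPath/UserDefinedFields.key"] = list(value)
            ctx["securityhub:ASFFSyntaxPath/UserDefinedFields.value"] = list(value.values())
        elif isinstance(value, dict):
            for sub, sub_value in value.items():
                ctx[f"securityhub:ASFFSyntaxPath/{field}.{sub}"] = sub_value
        else:
            ctx[f"securityhub:ASFFSyntaxPath/{field}"] = value
    return ctx


def is_batch_update_denied(update: dict) -> str | None:
    """Return 'Operator:key' of the first matching Deny, or None when no Deny
    matches (the policy's Allow on BatchUpdateFindings then applies)."""
    ctx = asff_context(update)
    for stmt in build_deny_statements():
        if condition_matches(stmt["Condition"], ctx):
            operator, pairs = next(iter(stmt["Condition"].items()))
            return f"{operator}:{next(iter(pairs))}"
    return None


def opsitem_action_allowed(action: str, resource_tags: dict) -> bool:
    """Footnote [1]: Get/UpdateOpsItem need the tag; CreateOpsItem is unconditional."""
    if action in ("ssm:GetOpsItem", "ssm:UpdateOpsItem"):
        ctx = {f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()}
        return condition_matches(OPSITEM_TAG_CONDITION, ctx)
    return action == "ssm:CreateOpsItem"
```

Resolving a finding (Workflow.Status RESOLVED) passes, while suppressing it or adding a Note is caught by an explicit Deny, which is the containment the policy is built for.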
AWS managed policy: AmazonSSMManagedEC2InstanceDefaultPolicy
You should only attach AmazonSSMManagedEC2InstanceDefaultPolicy to IAM roles for Amazon EC2 instances that you want to have permission to use Systems Manager functionality. You shouldn't attach this policy to other IAM entities, such as IAM users and IAM groups, or to IAM roles that serve other purposes. For more information, see Managing EC2 instances automatically with Default Host Management Configuration.
This policy grants permissions that allow SSM Agent on your Amazon EC2 instance to communicate with the Systems Manager service in the cloud in order to perform a variety of tasks. It also grants permissions for the two services that provide authorization tokens to ensure that operations are performed on the correct instance.
Permissions details
This policy includes the following permissions.
- ssm – Allows principals to retrieve Documents, execute commands using Run Command, establish sessions using Session Manager, collect an inventory of the instance, and scan for patches and patch compliance using Patch Manager.
- ssmmessages – Allows principals to access, for each instance, a personalized authorization token that was created by the Amazon Message Gateway Service. Systems Manager validates the personalized authorization token against the Amazon Resource Name (ARN) of the instance that was provided in the API operation. This access is necessary to ensure that SSM Agent performs the API operations on the correct instance.
- ec2messages – Allows principals to access, for each instance, a personalized authorization token that was created by the Amazon Message Delivery Service. Systems Manager validates the personalized authorization token against the Amazon Resource Name (ARN) of the instance that was provided in the API operation. This access is necessary to ensure that SSM Agent performs the API operations on the correct instance.
For related information about the ssmmessages and ec2messages endpoints, including the differences between the two, see Agent-related API operations (ssmmessages and ec2messages endpoints).
To view more details about the policy, including the latest version of the JSON policy document, see AmazonSSMManagedEC2InstanceDefaultPolicy in the AWS Managed Policy Reference Guide.
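A periodic check that the policy is attached only where the guidance above allows is a useful control. The following is an added example, not AWS code: it reads the shape returned by aws iam list-entities-for-policy and the AssumeRolePolicyDocument returned by aws iam get-role, and flags user or group attachments and roles that ec2.amazonaws.com cannot assume; the entity list and trust policies are constructed samples, not data from a real account.

```python
"""Audit attachments of AmazonSSMManagedEC2InstanceDefaultPolicy (added example).

Not AWS code. Input shapes mirror `aws iam list-entities-for-policy` and the
Role.AssumeRolePolicyDocument from `aws iam get-role`; all data is constructed.
"""
from __future__ import annotations

POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedEC2InstanceDefaultPolicy"

# Constructed sample of `aws iam list-entities-for-policy --policy-arn POLICY_ARN`.
SAMPLE_ENTITIES = {
    "PolicyGroups": [{"GroupName": "ServerAdmins"}],
    "PolicyUsers": [{"UserName": "ops-admin"}],
    "PolicyRoles": [
        {"RoleName": "EC2SSMInstanceRole"},
        {"RoleName": "LambdaDeployRole"},
    ],
}

# Constructed trust policies keyed by role name (Role.AssumeRolePolicyDocument).
SAMPLE_TRUST_POLICIES = {
    "EC2SSMInstanceRole": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    },
    "LambdaDeployRole": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": ["lambda.amazonaws.com"]},
                       "Action": ["sts:AssumeRole"]}],
    },
}


def _as_list(value) -> list:
    """IAM documents allow a single string where a list is also legal."""
    return value if isinstance(value, list) else [value]


def trusts_ec2(trust_policy: dict) -> bool:
    """True if some Allow statement lets ec2.amazonaws.com call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # "*" or a bare ARN string is not the EC2 service principal
        services = _as_list(principal.get("Service", []))
        actions = _as_list(stmt.get("Action", []))
        if "ec2.amazonaws.com" in services and "sts:AssumeRole" in actions:
            return True
    return False


def audit_attachments(entities: dict, trust_policies: dict) -> list[str]:
    """Return one finding per attachment that violates the guidance on this page."""
    findings = []
    for user in entities.get("PolicyUsers", []):
        findings.append(f"user {user['UserName']}: instance policy attached to an IAM user")
    for group in entities.get("PolicyGroups", []):
        findings.append(f"group {group['GroupName']}: instance policy attached to an IAM group")
    for role in entities.get("PolicyRoles", []):
        name = role["RoleName"]
        trust = trust_policies.get(name)
        if trust is None:
            findings.append(f"role {name}: trust policy not available, review manually")
        elif not trusts_ec2(trust):
            findings.append(f"role {name}: not assumable by ec2.amazonaws.com")
    return findings


def run_sample() -> list[str]:
    """Run the audit over the constructed sample data."""
    return audit_attachments(SAMPLE_ENTITIES, SAMPLE_TRUST_POLICIES)
```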
AWS managed policy: SSMQuickSetupRolePolicy
You can't attach SSMQuickSetupRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see Using roles to maintain Quick Setup-provisioned resource health and consistency.
This policy grants read-only permissions that allow Systems Manager to check configuration health, ensure consistent use of parameters and provisioned resources, and remediate resources when drift is detected. It also grants administrative permissions for creating a service-linked role.
Permissions details
This policy includes the following permissions.
- ssm – Allows principals to read information about Resource Data Syncs and SSM Documents in Systems Manager, including in delegated administrator accounts. This is required so Quick Setup can determine the state that configured resources are intended to be in.
- organizations – Allows principals to read information about the member accounts that belong to an organization as configured in AWS Organizations. This is required so Quick Setup can identify all accounts in an organization where resource health checks are to be performed.
- cloudformation – Allows principals to read information from AWS CloudFormation. This is required so Quick Setup can gather data about the AWS CloudFormation stacks used to manage the state of resources and CloudFormation stackset operations.
To view more details about the policy, including the latest version of the JSON policy document, see SSMQuickSetupRolePolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupDeploymentRolePolicy
The managed policy AWSQuickSetupDeploymentRolePolicy supports multiple Quick Setup configuration types. These configuration types create IAM roles and automations that configure frequently used Amazon Web Services services and features with recommended best practices.
You can attach AWSQuickSetupDeploymentRolePolicy to your IAM entities.
This policy grants administrative permissions needed to create resources associated with the following Quick Setup configurations:
Permissions details
This policy includes the following permissions.
- iam – Allows principals to manage and delete IAM roles required for Automation configuration tasks; and to manage Automation role policies.
- cloudformation – Allows principals to create and manage stack sets.
- config – Allows principals to create, manage, and delete conformance packs.
- events – Allows principals to create, update, and delete event rules for scheduled actions.
- resource-groups – Allows principals to retrieve resource queries that are associated with resource groups targeted by Quick Setup configurations.
- ssm – Allows principals to create Automation runbooks and associations that apply Quick Setup configurations.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupDeploymentRolePolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupPatchPolicyDeploymentRolePolicy
The managed policy AWSQuickSetupPatchPolicyDeploymentRolePolicy supports the "Configure patching for instances in an organization using Quick Setup" Quick Setup type. This configuration type helps automate patching of applications and nodes in a single account or across your organization.
You can attach AWSQuickSetupPatchPolicyDeploymentRolePolicy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf.
This policy grants administrative permissions that allow Quick Setup to create resources associated with a patch policy configuration.
Permissions details
This policy includes the following permissions.
- iam – Allows principals to manage and delete IAM roles required for Automation configuration tasks; and to manage Automation role policies.
- cloudformation – Allows principals to read AWS CloudFormation stack information; and to control AWS CloudFormation stacks that were created by Quick Setup using AWS CloudFormation stack sets.
- ssm – Allows principals to create, update, read, and delete Automation runbooks required for configuration tasks; and to create, update, and delete State Manager associations.
- resource-groups – Allows principals to retrieve resource queries that are associated with resource groups targeted by Quick Setup configurations.
- s3 – Allows principals to list Amazon S3 buckets; and to manage the buckets for storing patch policy access logs.
- lambda – Allows principals to manage AWS Lambda remediation functions that maintain configurations in the correct state.
- logs – Allows principals to describe and manage log groups for Lambda configuration resources.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupPatchPolicyDeploymentRolePolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupPatchPolicyBaselineAccess
The managed policy AWSQuickSetupPatchPolicyBaselineAccess supports the "Configure patching for instances in an organization using Quick Setup" Quick Setup type. This configuration type helps automate patching of applications and nodes in a single account or across your organization.
You can attach AWSQuickSetupPatchPolicyBaselineAccess to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf.
This policy provides read-only permissions to access patch baselines that have been configured by an administrator in the current AWS account or organization using Quick Setup. The patch baselines are stored in an Amazon S3 bucket and can be used for patching instances in a single account or across an entire organization.
Permissions details
This policy includes the following permission.
- s3 – Allows principals to read patch baseline overrides stored in Amazon S3 buckets.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupPatchPolicyBaselineAccess in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSSystemsManagerEnableExplorerExecutionPolicy
The managed policy AWSSystemsManagerEnableExplorerExecutionPolicy supports enabling Explorer, a tool in AWS Systems Manager.
You can attach AWSSystemsManagerEnableExplorerExecutionPolicy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf.
This policy grants administrative permissions for enabling Explorer. This includes permissions to update related Systems Manager service settings, and to create a service-linked role for Systems Manager.
Permissions details
This policy includes the following permissions.
- config – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.
- iam – Allows principals to help enable Explorer.
- ssm – Allows principals to start an Automation workflow that enables Explorer.
To view more details about the policy, including the latest version of the JSON policy document, see AWSSystemsManagerEnableExplorerExecutionPolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSSystemsManagerEnableConfigRecordingExecutionPolicy
The managed policy AWSSystemsManagerEnableConfigRecordingExecutionPolicy supports the "Create an AWS Config configuration recorder using Quick Setup" Quick Setup configuration type. This configuration type enables Quick Setup to track and record changes to the AWS resource types you choose for AWS Config. It also enables Quick Setup to configure delivery and notification options for the recorded data.
You can attach AWSSystemsManagerEnableConfigRecordingExecutionPolicy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf.
This policy grants administrative permissions that allow Quick Setup to enable and configure AWS Config configuration recording.
Permissions details
This policy includes the following permissions.
- s3 – Allows principals to create and configure Amazon S3 buckets for delivery of configuration recordings.
- sns – Allows principals to list and create Amazon SNS topics.
- config – Allows principals to configure and start the configuration recorder; and to help enable Explorer.
- iam – Allows principals to create, get, and pass a service-linked role for AWS Config; to create a service-linked role for Systems Manager; and to help enable Explorer.
- ssm – Allows principals to start an Automation workflow that enables Explorer.
- compute-optimizer – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
- support – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
To view more details about the policy, including the latest version of the JSON policy document, see AWSSystemsManagerEnableConfigRecordingExecutionPolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupDevOpsGuruPermissionsBoundary
Note
This policy is a permissions boundary. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use and attach Quick Setup permissions boundary policies on your own. Quick Setup permissions boundary policies should only be attached to Quick Setup managed roles. For more information about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.
The managed policy AWSQuickSetupDevOpsGuruPermissionsBoundary supports the "Set up DevOps Guru using Quick Setup" type. The configuration type enables the machine learning-powered Amazon DevOps Guru. The DevOps Guru service can help improve an application's operational performance and availability.
When you create an AWSQuickSetupDevOpsGuruPermissionsBoundary configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.
This policy grants administrative permissions that allow Quick Setup to enable and configure Amazon DevOps Guru.
Permissions details
This policy includes the following permissions.
- iam – Allows principals to create service-linked roles for DevOps Guru and Systems Manager; and to list roles that help enable Explorer.
- cloudformation – Allows principals to list and describe AWS CloudFormation stacks.
- sns – Allows principals to list and create Amazon SNS topics.
- devops-guru – Allows principals to configure DevOps Guru; and to add a notification channel.
- config – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.
- ssm – Allows principals to start an Automation workflow that enables Explorer; and to read and update Explorer service settings.
- compute-optimizer – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
- support – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupDevOpsGuruPermissionsBoundary in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupDistributorPermissionsBoundary
Note
This policy is a permissions boundary. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use and attach Quick Setup permissions boundary policies on your own. Quick Setup permissions boundary policies should only be attached to Quick Setup managed roles. For more information about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.
The managed policy AWSQuickSetupDistributorPermissionsBoundary supports the "Deploy Distributor packages using Quick Setup" Quick Setup configuration type. The configuration type helps enable the distribution of software packages, such as agents, to your Amazon Elastic Compute Cloud (Amazon EC2) instances, using Distributor, a tool in AWS Systems Manager.
When you create an AWSQuickSetupDistributorPermissionsBoundary configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.
This policy grants administrative permissions that allow Quick Setup to enable the distribution of software packages, such as agents, to your Amazon EC2 instances using Distributor.
Permissions details
This policy includes the following permissions.
- iam – Allows principals to get and pass the Distributor automation role; to create, read, update, and delete the default instance role; to pass the default instance role to Amazon EC2 and Systems Manager; to attach instance management policies to instance roles; to create a service-linked role for Systems Manager; to add the default instance role to instance profiles; to read information about IAM roles and instance profiles; and to create the default instance profile.
- ec2 – Allows principals to associate the default instance profile with EC2 instances; and to help enable Explorer.
- ssm – Allows principals to start automation workflows that configure instances and install packages; to help start the automation workflow that enables Explorer; and to read and update Explorer service settings.
- config – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.
- compute-optimizer – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
- support – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupDistributorPermissionsBoundary in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupSSMHostMgmtPermissionsBoundary
Note
This policy is a permissions boundary. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use and attach Quick Setup permissions boundary policies on your own. Quick Setup permissions boundary policies should only be attached to Quick Setup managed roles. For more information about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.
The managed policy AWSQuickSetupSSMHostMgmtPermissionsBoundary supports the "Set up Amazon EC2 host management using Quick Setup" Quick Setup configuration type. This configuration type configures IAM roles and enables commonly used Systems Manager tools to securely manage your Amazon EC2 instances.
When you create an AWSQuickSetupSSMHostMgmtPermissionsBoundary configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.
This policy grants administrative permissions that allow Quick Setup to enable and configure Systems Manager tools needed for securely managing EC2 instances.
Permissions details
This policy includes the following permissions.
- iam – Allows principals to get and pass the service role to Automation. Allows principals to create, read, update, and delete the default instance role; to pass the default instance role to Amazon EC2 and Systems Manager; to attach instance management policies to instance roles; to create a service-linked role for Systems Manager; to add the default instance role to instance profiles; to read information about IAM roles and instance profiles; and to create the default instance profile.
- ec2 – Allows principals to associate and disassociate the default instance profile with EC2 instances.
- ssm – Allows principals to start Automation workflows that enable Explorer; to read and update Explorer service settings; to configure instances; and to enable Systems Manager tools on instances.
- compute-optimizer – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
- support – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupSSMHostMgmtPermissionsBoundary in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupPatchPolicyPermissionsBoundary
Note
This policy is a permissions boundary. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use and attach Quick Setup permissions boundary policies on your own. Quick Setup permissions boundary policies should only be attached to Quick Setup managed roles. For more information about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.
The managed policy AWSQuickSetupPatchPolicyPermissionsBoundary supports the "Configure patching for instances in an organization using Quick Setup" Quick Setup type. This configuration type helps automate patching of applications and nodes in a single account or across your organization.
When you create an AWSQuickSetupPatchPolicyPermissionsBoundary configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.
This policy grants administrative permissions that allow Quick Setup to enable and configure patch policies in Patch Manager, a tool in AWS Systems Manager.
Permissions details
This policy includes the following permissions.
- iam – Allows principals to get the Patch Manager Automation role; to pass Automation roles to Patch Manager patching operations; to create the default instance role, AmazonSSMRoleForInstancesQuickSetup; to pass the default instance role to Amazon EC2 and Systems Manager; to attach selected AWS managed policies to the instance role; to create a service-linked role for Systems Manager; to add the default instance role to instance profiles; to read information about instance profiles and roles; to create a default instance profile; and to tag roles that have permissions to read patch baseline overrides.
- ssm – Allows principals to update the instance role that is managed by Systems Manager; to manage associations created by Patch Manager patch policies created in Quick Setup; to tag instances targeted by a patch policy configuration; to read information about instances and patching status; to start Automation workflows that configure, enable, and remediate instance patching; to start Automation workflows that enable Explorer; to help enable Explorer; and to read and update Explorer service settings.
- ec2 – Allows principals to associate and disassociate the default instance profile with EC2 instances; to tag instances targeted by a patch policy configuration; and to help enable Explorer.
- s3 – Allows principals to create and configure S3 buckets to store patch baseline overrides.
- lambda – Allows principals to invoke AWS Lambda functions that configure patching and to perform clean-up operations after a Quick Setup patch policy configuration is deleted.
- logs – Allows principals to configure logging for Patch Manager Quick Setup AWS Lambda functions.
- config – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.
- compute-optimizer – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
- support – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupPatchPolicyPermissionsBoundary in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupSchedulerPermissionsBoundary
Note
This policy is a permissions boundary. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use and attach Quick Setup permissions boundary policies on your own. Quick Setup permissions boundary policies should only be attached to Quick Setup managed roles. For more information about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.
The managed policy AWSQuickSetupSchedulerPermissionsBoundary supports the Stop and start EC2 instances automatically on a schedule using Quick Setup configuration type. This configuration type lets you stop and start your EC2 instances and other resources at the times you specify.
When you create an AWSQuickSetupSchedulerPermissionsBoundary configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.
This policy grants administrative permissions that allow Quick Setup to enable and configure scheduled operations on EC2 instances and other resources.
Permissions details
This policy includes the following permissions.
- iam – Allows principals to retrieve and pass roles for instance management automation actions; to manage, pass, and attach default instance roles for EC2 instance management; to create default instance profiles; to add default instance roles to instance profiles; to create a service-linked role for Systems Manager; to read information about IAM roles and instance profiles; to associate a default instance profile with EC2 instances; and to start Automation workflows to configure instances and enable Systems Manager tools on them.
- ssm – Allows principals to start Automation workflows that enable Explorer; and to read and update Explorer service settings.
- ec2 – Allows principals to locate targeted instances and to start and stop them on a schedule.
- config – Allows principals to help enable Explorer by providing read-only access to configuration recorder details.
- compute-optimizer – Allows principals to help enable Explorer by providing read-only access to determine whether a resource is enrolled with AWS Compute Optimizer.
- support – Allows principals to help enable Explorer by providing read-only access to AWS Trusted Advisor checks for an account.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupSchedulerPermissionsBoundary in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupCFGCPacksPermissionsBoundary
Note
This policy is a permissions boundary. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM entity. You should not use and attach Quick Setup permissions boundary policies on your own. Quick Setup permissions boundary policies should only be attached to Quick Setup managed roles. For more information about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.
The managed policy AWSQuickSetupCFGCPacksPermissionsBoundary supports the Deploy AWS Config conformance pack using Quick Setup configuration type. This configuration type deploys AWS Config conformance packs. Conformance packs are collections of AWS Config rules and remediation actions that can be deployed as a single entity.
When you create an AWSQuickSetupCFGCPacksPermissionsBoundary configuration using Quick Setup, the system applies this permissions boundary to the IAM roles that are created when the configuration is deployed. The permissions boundary limits the scope of the roles that Quick Setup creates.
This policy grants administrative permissions that allow Quick Setup to deploy AWS Config conformance packs.
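The permissions boundary notes above (for AWSQuickSetupCFGCPacksPermissionsBoundary and, identically, for AWSQuickSetupSchedulerPermissionsBoundary) describe a boundary as a cap, not a grant: a role needs both an identity policy and the boundary to allow an action. The following is an added Python illustration, not AWS code and not the real policy documents; it uses a constructed stand-in for the scheduler boundary and a constructed, over-broad identity policy, evaluates only the Action element (Resource and Condition are ignored), and shows which calls survive the intersection and which the boundary keeps out of reach.

```python
"""Toy model of how an IAM permissions boundary caps an identity-based policy.

Added illustration: the two policies below are constructed for this example
(using real IAM action names) and are not the managed policies described on
the page. Only the Action element is evaluated; Resource, Condition, SCPs,
session policies and resource-based policies are not modelled.
"""
import fnmatch
from typing import Any, Dict, List, Optional, Union

Policy = Dict[str, Any]

# Constructed stand-in for a Quick Setup boundary such as the scheduler
# boundary: locate/start/stop instances, start Automation workflows, and
# read or update Explorer service settings. Nothing else is reachable.
SCHEDULER_BOUNDARY: Policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances", "ec2:StartInstances", "ec2:StopInstances",
                "ssm:StartAutomationExecution", "ssm:GetServiceSetting",
                "ssm:UpdateServiceSetting",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed, deliberately over-broad identity policy attached to the same
# role. The explicit Deny on ec2:StartInstances is a guardrail added here to
# show that an explicit deny in either policy wins.
IDENTITY_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:StartInstances", "Resource": "*"},
    ],
}


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """IAM lets Action be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_decision(policy: Policy, action: str) -> Optional[str]:
    """Return 'Deny' if any matching statement denies, 'Allow' if one allows,
    or None when no statement in this policy mentions the action."""
    decision: Optional[str] = None
    for stmt in policy["Statement"]:
        if any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny always wins
            decision = "Allow"
    return decision


def effective_decision(identity: Policy, boundary: Policy, action: str) -> str:
    """Combine the identity policy with the boundary the way IAM does for a
    principal that carries both: an explicit Deny in either wins, an Allow is
    required from both, and anything else is an implicit deny."""
    i, b = policy_decision(identity, action), policy_decision(boundary, action)
    if "Deny" in (i, b):
        return "Deny"
    if i == "Allow" and b == "Allow":
        return "Allow"
    return "ImplicitDeny"


def actions_capped_by_boundary(identity: Policy, boundary: Policy,
                               candidates: List[str]) -> List[str]:
    """Audit helper: candidate actions the identity policy would grant on its
    own but that the boundary keeps out of reach. Useful for checking that an
    over-broad role policy is really being contained by the boundary."""
    return [
        a for a in candidates
        if policy_decision(identity, a) == "Allow"
        and effective_decision(identity, boundary, a) != "Allow"
    ]


if __name__ == "__main__":
    for act in ("ec2:StopInstances", "ec2:TerminateInstances",
                "ssm:UpdateServiceSetting", "ec2:StartInstances", "s3:GetObject"):
        print(f"{act:28s} -> {effective_decision(IDENTITY_POLICY, SCHEDULER_BOUNDARY, act)}")
    print("capped:", actions_capped_by_boundary(
        IDENTITY_POLICY, SCHEDULER_BOUNDARY,
        ["ec2:TerminateInstances", "ec2:StopInstances", "s3:GetObject"]))
```

Note that ssm:UpdateServiceSetting is implicitly denied even though the boundary lists it: the boundary alone grants nothing, which is why attaching a Quick Setup boundary to a role of your own does not give that role the permissions the boundary names.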
Permissions details
This policy includes the following permissions.
- iam – Allows principals to create, get, and pass a service-linked role for AWS Config.
- sns – Allows principals to list platform applications in Amazon SNS.
- config – Allows principals to deploy AWS Config conformance packs; to get the status of conformance packs; and to get information about configuration recorders.
- ssm – Allows principals to get information about SSM documents and Automation workflows; to get information about resource tags; and to get information about and update service settings.
- compute-optimizer – Allows principals to get the opt-in status of an account.
- support – Allows principals to get information about AWS Trusted Advisor checks.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupCFGCPacksPermissionsBoundary in the AWS Managed Policy Reference Guide.
AWS managed policy: AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy
The policy AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy provides permissions for diagnosing issues with nodes that interact with Systems Manager services by starting Automation workflows in accounts and Regions where nodes are managed.
You can attach AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform diagnosis actions on your behalf.
Permissions details
This policy includes the following permissions.
- ssm – Allows principals to run Automation runbooks that diagnose node issues and access the execution status for a workflow.
- kms – Allows principals to use customer-specified AWS Key Management Service keys that are used to encrypt objects in an S3 bucket to decrypt and access the content of objects in the bucket.
- sts – Allows principals to assume diagnosis execution roles to run Automation runbooks in the same account.
- iam – Allows principals to pass the diagnosis administration role (for example, self) to Systems Manager to run Automation runbooks.
- s3 – Allows principals to access and write objects to an S3 bucket.
To view more details about the policy, including the latest version of the JSON policy document, see AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy
The managed policy AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy provides administrative permission for running Automation runbooks in a targeted AWS account and Region to diagnose issues with managed nodes that interact with Systems Manager services.
You can attach AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf.
Permissions details
This policy includes the following permissions.
- ssm – Allows principals to run diagnosis-specific Automation runbooks and access the automation workflow status and execution metadata.
- ec2 – Allows principals to describe Amazon EC2 and Amazon VPC resources and their configurations, to diagnose issues with Systems Manager services.
- kms – Allows principals to use customer-specified AWS Key Management Service keys that are used to encrypt objects in an S3 bucket to decrypt and access the content of objects in the bucket.
- iam – Allows principals to pass the diagnosis execution role (for example, self) to Systems Manager to run Automation documents.
To view more details about the policy, including the latest version of the JSON policy document, see AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWS-SSM-RemediationAutomation-AdministrationRolePolicy
The managed policy AWS-SSM-RemediationAutomation-AdministrationRolePolicy provides permission for remediating issues in managed nodes that interact with Systems Manager services by starting Automation workflows in accounts and Regions where nodes are managed.
You can attach this policy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform remediation actions on your behalf.
Permissions details
This policy includes the following permissions.
- ssm – Allows principals to run specific Automation runbooks and access the automation workflow status and execution status.
- kms – Allows principals to use customer-specified AWS Key Management Service keys that are used to encrypt objects in an S3 bucket to decrypt and access the content of objects in the bucket.
- sts – Allows principals to assume remediation execution roles to run SSM Automation documents in the same account.
- iam – Allows principals to pass the remediation administrator role (for example, self) to Systems Manager to run Automation documents.
- s3 – Allows principals to access and write objects to an S3 bucket.
To view more details about the policy, including the latest version of the JSON policy document, see AWS-SSM-RemediationAutomation-AdministrationRolePolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWS-SSM-RemediationAutomation-ExecutionRolePolicy
The managed policy AWS-SSM-RemediationAutomation-ExecutionRolePolicy provides permission for running Automation runbooks in a specific target account and Region to remediate issues with managed nodes that interact with Systems Manager services.
You can attach the policy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform remediation actions on your behalf.
Permissions details
This policy includes the following permissions.
- ssm – Allows principals to run specific Automation runbooks and access execution metadata and status.
- ec2 – Allows principals to create, access, and modify Amazon EC2 resources and Amazon VPC resources and their configurations in order to remediate issues with Systems Manager services and associated resources, such as security groups; and to attach tags to resources.
- kms – Allows principals to use customer-specified AWS Key Management Service keys that are used to encrypt objects in an S3 bucket to decrypt and access the content of objects in the bucket.
- iam – Allows principals to pass the remediation execution role (for example, self) to the SSM service to run Automation documents.
To view more details about the policy, including the latest version of the JSON policy document, see AWS-SSM-RemediationAutomation-ExecutionRolePolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupSSMManageResourcesExecutionPolicy
This policy grants permissions that allow Quick Setup to run the AWSQuickSetupType-SSM-SetupResources Automation runbook. This runbook creates IAM roles for Quick Setup associations, which in turn are created by an AWSQuickSetupType-SSM deployment. It also grants permissions to clean up an associated Amazon S3 bucket during a Quick Setup delete operation.
You can attach the policy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf.
Permissions details
This policy includes the following permissions.
- iam – Allows principals to list and manage IAM roles for use with Quick Setup and Systems Manager Explorer operations; and to view, attach, and detach IAM policies for use with Quick Setup and Systems Manager Explorer. These permissions are required so Quick Setup can create the roles needed for some of its configuration operations.
- s3 – Allows principals to retrieve information about objects in, and to delete objects from, Amazon S3 buckets in the principal account that are used specifically in Quick Setup configuration operations. This is required so that S3 objects that are no longer needed after configuration can be removed.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupSSMManageResourcesExecutionPolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupSSMLifecycleManagementExecutionPolicy
The AWSQuickSetupSSMLifecycleManagementExecutionPolicy policy grants administrative permissions that allow Quick Setup to run an AWS CloudFormation custom resource on lifecycle events during Quick Setup deployment in Systems Manager.
You can attach this policy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf.
Permissions details
This policy includes the following permissions.
- ssm – Allows principals to get information about automation executions and start automation executions for setting up certain Quick Setup operations.
- iam – Allows principals to pass roles from IAM for setting up certain Quick Setup resources.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupSSMLifecycleManagementExecutionPolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupSSMDeploymentRolePolicy
The managed policy AWSQuickSetupSSMDeploymentRolePolicy grants administrative permissions that allow Quick Setup to create resources that are used during the Systems Manager onboarding process.
Though you can manually attach this policy to your IAM entities, this is not recommended. Quick Setup creates entities that attach this policy to a service role that allows Systems Manager to perform actions on your behalf.
This policy is not related to the SSMQuickSetupRolePolicy policy, which is used to provide permissions for the AWSServiceRoleForSSMQuickSetup service-linked role.
Permissions details
This policy includes the following permissions.
- ssm – Allows principals to manage associations for certain resources that are created using AWS CloudFormation templates and a specific set of SSM documents; to manage roles and role policies used for diagnosing and remediating managed nodes through AWS CloudFormation templates; and to attach and delete policies for Quick Setup lifecycle events.
- iam – Allows principals to pass role permissions for the Systems Manager service and Lambda service; and to pass role permissions for diagnosis operations.
- lambda – Allows principals to manage functions for the Quick Setup lifecycle in the principal account using AWS CloudFormation templates.
- cloudformation – Allows principals to read information from AWS CloudFormation. This is required so Quick Setup can gather data about the AWS CloudFormation stacks used to manage the state of resources and CloudFormation stack set operations.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupSSMDeploymentRolePolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupSSMDeploymentS3BucketRolePolicy
The AWSQuickSetupSSMDeploymentS3BucketRolePolicy policy grants permissions for listing all S3 buckets in an account; and for managing and retrieving information about specific buckets in the principal account that are managed through AWS CloudFormation templates.
You can attach AWSQuickSetupSSMDeploymentS3BucketRolePolicy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf.
Permissions details
This policy includes the following permissions.
- s3 – Allows principals to list all S3 buckets in an account; and to manage and retrieve information about specific buckets in the principal account that are managed through AWS CloudFormation templates.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupSSMDeploymentS3BucketRolePolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupEnableDHMCExecutionPolicy
This policy grants administrative permissions that allow principals to run the AWSQuickSetupType-EnableDHMC Automation runbook, which enables Default Host Management Configuration. The Default Host Management Configuration setting allows Systems Manager to automatically manage Amazon EC2 instances as managed instances. A managed instance is an EC2 instance that is configured for use with Systems Manager. This policy also grants permissions for creating IAM roles that are specified in Systems Manager service settings as the default roles for SSM Agent.
You can attach AWSQuickSetupEnableDHMCExecutionPolicy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf.
Permissions details
This policy includes the following permissions.
- ssm – Allows principals to update and get information about Systems Manager service settings.
- iam – Allows principals to create and retrieve information about IAM roles for Quick Setup operations.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupEnableDHMCExecutionPolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupEnableAREXExecutionPolicy
This policy grants administrative permissions that allow Systems Manager to run the AWSQuickSetupType-EnableAREX Automation runbook, which enables AWS Resource Explorer for use with Systems Manager. Resource Explorer makes it possible to view resources in your account with a search experience similar to an Internet search engine. The policy also grants permissions for managing Resource Explorer indexes and views.
You can attach AWSQuickSetupEnableAREXExecutionPolicy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf.
Permissions details
This policy includes the following permissions.
- iam – Allows principals to create a service-linked role in the AWS Identity and Access Management (IAM) service.
- resource-explorer-2 – Allows principals to retrieve information about Resource Explorer views and indexes; to create Resource Explorer views and indexes; and to change the index type for indexes displayed in Quick Setup.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupEnableAREXExecutionPolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupManagedInstanceProfileExecutionPolicy
This policy grants administrative permissions that allow Systems Manager to create a default IAM instance profile for the Quick Setup tool, and to attach it to Amazon EC2 instances that don't already have an instance profile attached. The policy also grants Systems Manager the ability to attach permissions to existing instance profiles. This is done to ensure that the permissions required for Systems Manager to communicate with SSM Agent on EC2 instances are in place.
You can attach AWSQuickSetupManagedInstanceProfileExecutionPolicy to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf.
Permissions details
This policy includes the following permissions.
- ssm – Allows principals to start automation workflows associated with Quick Setup processes.
- ec2 – Allows principals to attach IAM instance profiles to EC2 instances that are managed by Quick Setup.
- iam – Allows principals to create, update, and retrieve information about roles from IAM that are used in Quick Setup processes; to create IAM instance profiles; and to attach the AmazonSSMManagedInstanceCore managed policy to IAM instance profiles.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupManagedInstanceProfileExecutionPolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupFullAccess
This policy grants administrative permissions that allow full access to AWS Systems Manager Quick Setup API actions and data in the AWS Management Console and AWS SDKs, as well as limited access to other AWS service resources that are required for Quick Setup operations.
You can attach the AWSQuickSetupFullAccess policy to your IAM identities.
Permissions details
This policy includes the following permissions.
- ssm – Allows principals to enable Explorer; to perform resource data sync operations in State Manager; and to perform operations using SSM Command documents and Automation runbooks. Explorer, State Manager, Documents, and Automation are all tools in Systems Manager.
- cloudformation – Allows principals to perform the AWS CloudFormation operations that are necessary for provisioning resources across AWS Regions and AWS accounts.
- ec2 – Allows principals to select the necessary parameters for a given configuration, and to provide validation in the AWS Management Console.
- iam – Allows principals to create the required service roles and service-linked roles for Quick Setup operations.
- organizations – Allows principals to read the status of accounts in an AWS Organizations organization; to retrieve an organization's structure; to enable trusted access; and to register a delegated administrator account from the management account.
- resource-groups – Allows principals to select the necessary parameters for a given configuration, and to provide validation in the AWS Management Console.
- s3 – Allows principals to select the necessary parameters for a given configuration, and to provide validation in the AWS Management Console.
- ssm-quicksetup – Allows principals to perform read-only actions in Quick Setup.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupFullAccess in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSQuickSetupReadOnlyAccess
This policy grants read-only permissions that allow principals to view AWS Systems Manager Quick Setup data and reports, including information from other AWS service resources that are required for Quick Setup operations.
You can attach the AWSQuickSetupReadOnlyAccess policy to your IAM identities.
Permissions details
This policy includes the following permissions.
- ssm – Allows principals to read SSM Command documents and Automation runbooks; and to retrieve the status of State Manager association executions.
- cloudformation – Allows principals to initiate operations that are required for retrieving the status of AWS CloudFormation deployments.
- organizations – Allows principals to read the status of accounts in an AWS Organizations organization.
- ssm-quicksetup – Allows principals to perform read-only actions in Quick Setup.
To view more details about the policy, including the latest version of the JSON policy document, see AWSQuickSetupReadOnlyAccess in the AWS Managed Policy Reference Guide.
AWS managed policy: AWS-SSM-Automation-DiagnosisBucketPolicy
The managed policy AWS-SSM-Automation-DiagnosisBucketPolicy provides permissions for diagnosing issues with nodes that interact with AWS Systems Manager services, by allowing access to S3 buckets that are used for diagnosis and remediation of issues.
You can attach the AWS-SSM-Automation-DiagnosisBucketPolicy policy to your IAM identities. Systems Manager also attaches this policy to an IAM role that allows Systems Manager to perform diagnosis actions on your behalf.
Permissions details
This policy includes the following permissions.
- s3 – Allows principals to access and write objects to an Amazon S3 bucket.
To view more details about the policy, including the latest version of the JSON policy document, see AWS-SSM-Automation-DiagnosisBucketPolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy
The managed policy AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy provides permissions for an operational account to diagnose issues with nodes by providing organization-specific permissions.
You can attach AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy to your IAM identities. Systems Manager also attaches this policy to an IAM role that allows Systems Manager to perform diagnosis actions on your behalf.
Permissions details
This policy includes the following permissions.
- organizations – Allows principals to list a root of the organization, and to get member accounts to determine target accounts.
- sts – Allows principals to assume remediation execution roles to run SSM Automation documents across accounts and Regions, within the same organization.
To view more details about the policy, including the latest version of the JSON policy document, see AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy
The managed policy AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy provides permissions for an operational account to diagnose issues with nodes by providing organization-specific permissions.
You can attach the AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy policy to your IAM identities. Systems Manager also attaches this policy to an IAM role that allows Systems Manager to perform diagnosis actions on your behalf.
Permissions details
This policy includes the following permissions.
- organizations – Allows principals to list a root of the organization, and to get member accounts to determine target accounts.
- sts – Allows principals to assume diagnosis execution roles to run SSM Automation documents across accounts and Regions, within the same organization.
To view more details about the policy, including the latest version of the JSON policy document, see AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy in the AWS Managed Policy Reference Guide.
Systems Manager updates to AWS managed policies
In the following table, view details about updates to AWS managed policies for Systems Manager since this service began tracking these changes on March 12, 2021. For information about other managed policies for the Systems Manager service, see Additional managed policies for Systems Manager later in this topic. For automatic alerts about changes to this page, subscribe to the RSS feed on the Systems Manager Document history page.
Change | Description | Date |
---|---|---|
AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy – New policy | Systems Manager added a new policy that provides permissions for an operational account to diagnose issues with nodes by providing organization-specific permissions. | November 21, 2024 |
AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy – New policy | Systems Manager added a new policy that provides permissions for an operational account to diagnose issues with nodes by providing organization-specific permissions. | November 21, 2024 |
AWS-SSM-Automation-DiagnosisBucketPolicy – New policy | Systems Manager added a new policy to support starting Automation workflows that diagnose issues with managed nodes in targeted accounts and Regions. | November 21, 2024 |
AmazonSSMServiceRolePolicy – Update to an existing policy | Systems Manager added new permissions to allow AWS Resource Explorer to gather details about Amazon EC2 instances and display the results in widgets in the new Systems Manager Dashboard. | November 21, 2024 |
SSMQuickSetupRolePolicy – Update to an existing policy | Systems Manager has updated the managed policy SSMQuickSetupRolePolicy. This update allows the associated service-linked role AWSServiceRoleForSSMQuickSetup to manage resource data syncs. | November 21, 2024 |
AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy – New policy | Systems Manager added a new policy to support starting Automation workflows that diagnose issues with managed nodes in targeted accounts and Regions. | November 21, 2024 |
AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy – New policy | Systems Manager added a new policy to support starting Automation workflows that diagnose issues with managed nodes in a targeted account and Region. | November 21, 2024 |
AWS-SSM-RemediationAutomation-AdministrationRolePolicy – New policy | Systems Manager added a new policy to support starting Automation workflows that remediate issues in managed nodes in targeted accounts and Regions. | November 21, 2024 |
AWS-SSM-RemediationAutomation-ExecutionRolePolicy – New policy | Systems Manager added a new policy to support starting Automation workflows that remediate issues in managed nodes in a targeted account and Region. | November 21, 2024 |
AWSQuickSetupSSMManageResourcesExecutionPolicy – New policy | Systems Manager added a new policy to support running an operation in Quick Setup that creates IAM roles for Quick Setup associations, which in turn are created by an AWSQuickSetupType-SSM deployment. | November 21, 2024 |
AWSQuickSetupSSMLifecycleManagementExecutionPolicy – New policy | Systems Manager added a new policy to support Quick Setup running an AWS CloudFormation custom resource on lifecycle events during a Quick Setup deployment. | November 21, 2024 |
AWSQuickSetupSSMDeploymentRolePolicy – New policy | Systems Manager added a new policy to support granting administrative permissions that allow Quick Setup to create resources that are used during the Systems Manager onboarding process. | November 21, 2024 |
AWSQuickSetupSSMDeploymentS3BucketRolePolicy – New policy | Systems Manager added a new policy to support managing and retrieving information about specific buckets in the principal account that are managed through AWS CloudFormation templates. | November 21, 2024 |
AWSQuickSetupEnableDHMCExecutionPolicy – New policy | Systems Manager is introducing a new policy to allow Quick Setup to create an IAM role that itself uses the existing AmazonSSMManagedEC2InstanceDefaultPolicy. This policy contains all the permissions required for SSM Agent to communicate with the Systems Manager service. The new policy also allows modifications to the Systems Manager service settings. | November 21, 2024 |
AWSQuickSetupEnableAREXExecutionPolicy – New policy | Systems Manager added a new policy to allow Quick Setup to create a service-linked role for AWS Resource Explorer, for accessing Resource Explorer views and aggregator indexes. | November 21, 2024 |
AWSQuickSetupManagedInstanceProfileExecutionPolicy – New policy | Systems Manager added a new policy to allow Quick Setup to create a default Quick Setup instance profile and to attach it to any Amazon EC2 instances that lack an associated instance profile. This new policy also allows Quick Setup to attach permissions to existing profiles to ensure that all required Systems Manager permissions have been granted. | November 21, 2024 |
AWSQuickSetupFullAccess – New policy | Systems Manager added a new policy to allow entities full access to AWS Systems Manager Quick Setup API actions and data in the AWS Management Console and AWS SDKs, as well as limited access to other AWS service resources that are required for Quick Setup operations. | November 21, 2024 |
AWSQuickSetupReadOnlyAccess – New policy | Systems Manager added a new policy to grant read-only permissions that allow principals to view AWS Systems Manager Quick Setup data and reports, including information from other AWS service resources that are required for Quick Setup operations. | November 21, 2024 |
SSMQuickSetupRolePolicy – Update to an existing policy | Systems Manager added new permissions to allow Quick Setup to check the health of additional AWS CloudFormation stack sets that it has created. | August 13, 2024 |
AmazonSSMManagedEC2InstanceDefaultPolicy – Update to an existing policy | Systems Manager has added statement IDs (Sids) to the JSON policy for AmazonSSMManagedEC2InstanceDefaultPolicy. These Sids provide inline descriptions of the purpose of each policy statement. | July 18, 2024 |
SSMQuickSetupRolePolicy – New policy | Systems Manager added a new policy to allow Quick Setup to check the health of deployed resources and remediate instances that have drifted from the original configuration. | July 3, 2024 |
AWSQuickSetupDeploymentRolePolicy – New policy | Systems Manager added a new policy to support multiple Quick Setup configuration types that create IAM roles and automations, which in turn configure frequently used Amazon Web Services services and features with recommended best practices. | July 3, 2024 |
AWSQuickSetupPatchPolicyDeploymentRolePolicy – New policy | Systems Manager added a new policy to allow Quick Setup to create resources associated with Patch Manager patch policy Quick Setup configurations. | July 3, 2024 |
AWSQuickSetupPatchPolicyBaselineAccess – New policy | Systems Manager added a new policy to allow Quick Setup to access patch baselines in Patch Manager with read-only permissions. | July 3, 2024 |
AWSSystemsManagerEnableExplorerExecutionPolicy – New policy | Systems Manager added a new policy to allow Quick Setup to grant administrative permissions for enabling Explorer. | July 3, 2024 |
AWSSystemsManagerEnableConfigRecordingExecutionPolicy – New policy | Systems Manager added a new policy to allow Quick Setup to enable and configure AWS Config configuration recording. | July 3, 2024 |
AWSQuickSetupDevOpsGuruPermissionsBoundary – New policy | Systems Manager added a new policy to allow Quick Setup to enable and configure Amazon DevOps Guru. | July 3, 2024 |
AWSQuickSetupDistributorPermissionsBoundary – New policy | Systems Manager added a new policy to allow Quick Setup to enable and configure Distributor, a tool in AWS Systems Manager. | July 3, 2024 |
AWSQuickSetupSSMHostMgmtPermissionsBoundary – New policy | Systems Manager added a new policy to allow Quick Setup to enable and configure Systems Manager tools for securely managing Amazon EC2 instances. | July 3, 2024 |
AWSQuickSetupPatchPolicyPermissionsBoundary – New policy | Systems Manager added a new policy to allow Quick Setup to enable and configure patch policies in Patch Manager, a tool in AWS Systems Manager. | July 3, 2024 |
AWSQuickSetupSchedulerPermissionsBoundary – New policy | Systems Manager added a new policy to allow Quick Setup to enable and configure scheduled operations on Amazon EC2 instances and other resources. | July 3, 2024 |
AWSQuickSetupCFGCPacksPermissionsBoundary – New policy | Systems Manager added a new policy to allow Quick Setup to deploy AWS Config conformance packs. |
July 3, 2024 |
AWSSystemsManagerOpsDataSyncServiceRolePolicy – Update to an existing policy |
OpsCenter updated the policy to improve the security of the service code within the service-linked role for Explorer to manage OpsData-related operations. | July 3, 2023 |
AmazonSSMManagedEC2InstanceDefaultPolicy – New policy |
Systems Manager added a new policy to allow Systems Manager functionality on Amazon EC2 instances without the use of an IAM instance profile. |
August 18, 2022 |
AmazonSSMServiceRolePolicy – Update to an existing policy |
Systems Manager added new permissions to allow Explorer to create a managed rule when you turn on Security Hub from Explorer or OpsCenter. New permissions were added to check that config and the compute-optimizer meet the necessary requirements before allowing OpsData. |
April 27, 2021 |
AWSSystemsManagerOpsDataSyncServiceRolePolicy – New policy |
Systems Manager added a new policy to create and update OpsItems and OpsData from Security Hub findings in Explorer and OpsCenter. |
April 27, 2021 |
|
Systems Manager added new permissions to allow viewing aggregate OpsData and OpsItems details from multiple accounts and AWS Regions in Explorer. |
March 24, 2021 |
Systems Manager started tracking changes |
Systems Manager started tracking changes for its AWS managed policies. |
March 12, 2021 |
Additional managed policies for Systems Manager
In addition to the managed policies described earlier in this topic, the following policies are also supported by Systems Manager.
- AmazonSSMAutomationApproverAccess – AWS managed policy that allows access to view automation executions and send approval decisions to automation that is waiting for approval.
- AmazonSSMAutomationRole – AWS managed policy that provides permissions for the Systems Manager Automation service to run activities defined within Automation runbooks. Assign this policy to administrators and trusted power users.
- AmazonSSMDirectoryServiceAccess – AWS managed policy that allows SSM Agent to access AWS Directory Service on behalf of the user for requests to join the domain by the managed node.
- AmazonSSMFullAccess – AWS managed policy that grants full access to the Systems Manager API and documents.
- AmazonSSMMaintenanceWindowRole – AWS managed policy that provides maintenance windows with permissions to the Systems Manager API.
- AmazonSSMManagedInstanceCore – AWS managed policy that allows a node to use Systems Manager service core functionality.
- AmazonSSMPatchAssociation – AWS managed policy that provides access to child instances for patch association operations.
- AmazonSSMReadOnlyAccess – AWS managed policy that grants access to Systems Manager read-only API operations, such as Get* and List*.
- AWSSSMOpsInsightsServiceRolePolicy – AWS managed policy that provides permissions for creating and updating operational insight OpsItems in Systems Manager. Used to provide permissions through the service-linked role AWSServiceRoleForAmazonSSM_OpsInsights.
- AWSSystemsManagerAccountDiscoveryServicePolicy – AWS managed policy that grants Systems Manager permission to discover AWS account information.
- AWSSystemsManagerChangeManagementServicePolicy – AWS managed policy that provides access to AWS resources managed or used by the Systems Manager change management framework and used by the service-linked role AWSServiceRoleForSystemsManagerChangeManagement.
- AmazonEC2RoleforSSM – This policy is no longer supported and should not be used. In its place, use the AmazonSSMManagedInstanceCore policy to allow Systems Manager service core functionality on EC2 instances. For information, see Configure instance permissions required for Systems Manager.