What resources do SSM managed instances actually need permissions for?

The AmazonSSMManagedInstanceCore managed policy includes `Resource: *` in all of its permission clauses, including for ssm:GetParameter[s]. I do not wish to give all of my instances permissions to read all of our parameters, and there are likely other resources I do not want them all having access to (PutInventory seems like another one I might prefer to tighten). What resources, parameters in particular, does SSM actually need access to for managing instances?

1 answer

The AmazonSSMManagedInstanceCore IAM policy enables an instance to use Systems Manager core service functionality. It provides the minimum permissions which allow an instance to:

  • Register as a managed instance
  • Send heartbeat information
  • Send and receive messages for Run Command and Session Manager
  • Retrieve State Manager association details
  • Read parameters in Parameter Store

For more details about this policy, please refer to the following blog post[1].

However, it is not required to have the ability to read parameters. The AmazonSSMManagedInstanceCore policy is a baseline policy that includes the most common actions used. You can create your own IAM policy that provides access to the Systems Manager features you wish to use in your environment. Please refer to the following documentation[2] for a list of SSM actions that are available within Systems Manager.

Additionally, the Systems Manager documentation will often include the IAM policies/permissions required for each service within Systems Manager. For an example of this, see the following SSM documentation for Session Manager[3], which goes over the minimal permissions you can provide to an EC2 instance to allow access for Session Manager actions on your EC2 instance. So you can create an IAM policy within your account to provide your EC2 instance with permissions for the SSM services you wish to use rather than only use the AmazonSSMManagedInstanceCore IAM policy.


[1] Applying managed instance policy best practices - https://aws.amazon.com/blogs/mt/applying-managed-instance-policy-best-practices/

[2] Actions, resources, and condition keys for AWS Systems Manager - Actions defined by AWS Systems Manager - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-actions-as-permissions

[3] Create a custom IAM role for Session Manager - https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html

AWS
Support Engineer
Answered 2 years ago
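One way to apply the answer above in practice, as an added example that is not part of the original post or of any AWS-provided code: take a baseline instance-profile policy, move the Parameter Store read actions into their own statement scoped to a parameter path ARN, and audit which actions are still granted on `Resource: *`. The baseline policy, the account ID and the parameter path are constructed sample values, not a copy of the AWS managed policy.

```python
import copy
import json

# Constructed sample in the shape of an instance-profile policy (NOT a copy of
# AmazonSSMManagedInstanceCore): every statement grants Resource "*".
BASELINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ssm:UpdateInstanceInformation", "ssm:ListAssociations",
                    "ssm:GetParameter", "ssm:GetParameters", "ssm:PutInventory"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
                    "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel"]},
    ],
}

# Placeholder account/region/path; replace with your own parameter ARN(s).
PARAM_ARNS = ["arn:aws:ssm:us-east-1:123456789012:parameter/myapp/*"]
PARAM_READ_ACTIONS = ["ssm:GetParameter", "ssm:GetParameters"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scope_actions(policy, actions, resources):
    """Return a copy of `policy` where `actions` are only allowed on `resources`.
    Other actions in the same statement keep their original Resource; a
    Condition on the original statement is carried over to the split-off one."""
    wanted = {a.lower() for a in actions}
    out = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            out.append(copy.deepcopy(stmt))
            continue
        keep = [a for a in _as_list(stmt["Action"]) if a.lower() not in wanted]
        move = [a for a in _as_list(stmt["Action"]) if a.lower() in wanted]
        if keep:
            kept = copy.deepcopy(stmt)
            kept["Action"] = keep
            out.append(kept)
        if move:
            moved = {"Effect": "Allow", "Action": move, "Resource": list(resources)}
            if "Condition" in stmt:
                moved["Condition"] = copy.deepcopy(stmt["Condition"])
            out.append(moved)
    return {"Version": policy["Version"], "Statement": out}


def wildcard_actions(policy):
    """Audit helper: Allow actions still granted on Resource "*". Some actions
    (e.g. ssmmessages:*) support no resource-level permissions and stay here."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            found.update(_as_list(stmt.get("Action", [])))
    return sorted(found)


if __name__ == "__main__":
    tightened = scope_actions(BASELINE_POLICY, PARAM_READ_ACTIONS, PARAM_ARNS)
    print(json.dumps(tightened, indent=2))
    print("still on Resource *:", wildcard_actions(tightened))
```

Run the audit against each instance profile before and after tightening; anything left in the wildcard list (here PutInventory) is the next candidate to review against the action reference[2].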
