What resources do SSM managed instances actually need permissions for?


The AmazonSSMManagedInstanceCore managed policy includes **Resource: *** in all of its permission clauses, including for ssm:GetParameter[s]. I do not wish to give all of my instances permissions to read all of our parameters, and there are likely other resources I do not want them all having access to (PutInventory seems like another one I might prefer to tighten). What resources, parameters in particular, does SSM actually need access to for managing instances?

1 Answer

AmazonSSMManagedInstanceCore IAM Policy enables an instance to use Systems Manager core service functionality. It provides minimum permissions which allow an instance to:

  • Register as a managed instance
  • Send heartbeat information
  • Send and receive messages for Run Command and Session Manager
  • Retrieve State Manager association details
  • Read parameters in Parameter Store

For more details about this policy, please refer to the following Blog Post[1]

However, it is not required to have the ability to read parameters, the AmazonSSMManagedInstanceCore policy is a baseline policy that includes the most common actions used. You can create your own IAM Policy that provides access to the System Manager features you wish to use in your environment. Please refer to following documentation[2] for a list of SSM Actions that are available within Systems Manager.

Additionally, the Systems Manager documentation will often include IAM Polices/Permissions required for each service within Systems Manager. For an example of this, see the following SSM Documentation for Session Manager[3] which goes over the minimal permissions you can provide to an EC2 instance to allow access for Session Manager Actions on your EC2 instance. So you can create an IAM Policy within your account to provide your EC2 Instance with permissions for the SSM services you wish to use rather then only use the AmazonSSMManagedInstanceCore IAM Policy.

[1] Applying managed instance policy best practices - https://aws.amazon.com/blogs/mt/applying-managed-instance-policy-best-practices/

[2] Actions, resources, and condition keys for AWS Systems Manager - Actions defined by AWS Systems Manager - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-actions-as-permissions

[3] Create a custom IAM role for Session Manager - https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions