Overview
Configuration to create an IAM role for EC2 instances to access to AWS Systems Manager (SSM) services, with the least permissions required.
Set the permissions by selecting the permissions from the configuration menu:
- Core Permissions: Attaches AmazonSSMManagedInstanceCore managed policy which is required to enable an instance to use Systems Manager service core functionality.
- Access to Directory Services: Attaches AmazonSSMDirectoryServiceAccess managed policy, required only if you plan to join EC2 instance for Windows Server to a Microsoft AD directory
- Access for CloudWatch Agent: Attaches CloudWatchAgentServerPolicy managed policy, required only if you plan to install and run the CloudWatch agent on your instances
- Logging to S3 Permissions: Attaches an inline policy to allow writing objects to an S3 bucket. It is recommended to specify the exact bucket name to restrict the access.
- Access with VPC Endpoints: Attaches an inline policy to allow access to S3 buckets that are required when using VPC endpoints to access the SSM API. It is recommended to specify the specific region.
Configuration Templates
Items
2
Size
0.7 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
IamRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
Policies: []
RoleName: Ec2RoleForSSM
Ec2InstanceProfile:
Type: 'AWS::IAM::InstanceProfile'
Properties:
InstanceProfileName: Ec2RoleForSSM
Roles:
- Ref: IamRole
Parameters: {}
Metadata: {}
Conditions: {}
Actions
Customize Cf Template
Sources and Documentation
Configuration Source: AWS Documentation
Additional Documentation:
- CloudFormation Reference Guide: Create an IAM Role and create an Instance Profile
- AWS CLI Command Reference Guide: Create an IAM Role and create an Instance Profile