IAM Security Controls

EC2 IAM Role for AWS Systems Manager

Configuration that creates an IAM role (and matching instance profile) for EC2 instances to access AWS Systems Manager (SSM), granting only the permissions required.

Set the permissions by selecting the options you need from the configuration menu:

  • Core Permissions: Attaches the AmazonSSMManagedInstanceCore managed policy, which is required for an instance to use the core Systems Manager functionality.
  • Access to Directory Services: Attaches the AmazonSSMDirectoryServiceAccess managed policy; required only if you plan to join EC2 instances running Windows Server to a Microsoft AD directory.
  • Access for CloudWatch Agent: Attaches the CloudWatchAgentServerPolicy managed policy; required only if you plan to install and run the CloudWatch agent on your instances.
  • Logging to S3 Permissions: Attaches an inline policy that allows writing objects to an S3 bucket. Specify the exact bucket name so that write access is restricted to that bucket.
  • Access with VPC Endpoints: Attaches an inline policy that allows read access to the S3 buckets SSM Agent needs when the SSM API is reached through VPC endpoints. Specify the region so that access is limited to that region's buckets.
Items: 2
Size: 0.7 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  # Role that EC2 instances assume; only the EC2 service principal may assume it.
  IamRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "Ec2RoleForSSM"
      Description: "EC2 IAM role for SSM access"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      # Core Permissions option: the managed policy needed for SSM core functionality.
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
      # Inline policies (S3 logging, VPC endpoint access) are added here when selected.
      Policies: []
  # Instance profile that lets the role be attached to EC2 instances.
  Ec2InstanceProfile:
    Type: "AWS::IAM::InstanceProfile"
    Properties:
      InstanceProfileName: "Ec2RoleForSSM"
      Roles:
        - Ref: "IamRole"
Parameters: {}
Metadata: {}
Conditions: {}
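As an added example (not the catalog's own generator or template), the Python below assembles the same two resources as the template above and attaches the optional S3 logging and VPC endpoint inline policies from the configuration menu, scoped to a caller-supplied bucket name and region, then runs a mechanical wildcard check over the inline policies. The SSM Agent bucket names follow the patterns AWS documents for VPC endpoint use; the log bucket name, region and inline policy names are assumed values.

```python
SSM_AGENT_BUCKETS = (  # regional buckets SSM Agent reads from, per AWS documentation
    "aws-ssm-{r}", "amazon-ssm-{r}", "amazon-ssm-packages-{r}",
    "aws-windows-downloads-{r}", "patch-baseline-snapshot-{r}", "{r}-birdwatcher-prod")

def s3_logging_policy(bucket):
    """Inline policy for writing SSM logs to exactly one bucket; GetEncryptionConfiguration
    is needed by Session Manager when the log bucket uses server-side encryption."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{bucket}/*"},
        {"Effect": "Allow", "Action": "s3:GetEncryptionConfiguration",
         "Resource": f"arn:aws:s3:::{bucket}"}]}

def vpc_endpoint_s3_policy(region):
    """Read-only access to the regional SSM Agent buckets reached through an S3 VPC endpoint."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": [f"arn:aws:s3:::{b.format(r=region)}/*" for b in SSM_AGENT_BUCKETS]}]}

def build_template(log_bucket=None, region=None):
    """Same resources as the page's template; inline policies appended only when requested."""
    policies = []  # policy names below are assumed, not from the catalog
    if log_bucket:
        policies.append({"PolicyName": "SsmS3Logging", "PolicyDocument": s3_logging_policy(log_bucket)})
    if region:
        policies.append({"PolicyName": "SsmVpcEndpointS3", "PolicyDocument": vpc_endpoint_s3_policy(region)})
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
        "IamRole": {"Type": "AWS::IAM::Role", "Properties": {
            "RoleName": "Ec2RoleForSSM",
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]},
                 "Action": ["sts:AssumeRole"]}]},
            "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"],
            "Policies": policies}},
        "Ec2InstanceProfile": {"Type": "AWS::IAM::InstanceProfile", "Properties": {
            "InstanceProfileName": "Ec2RoleForSSM", "Roles": [{"Ref": "IamRole"}]}}}}

def wildcard_findings(template):
    """Flag inline statements whose Action or Resource is a bare wildcard: the
    'specify the exact bucket name' recommendation as a mechanical check."""
    findings = []
    for pol in template["Resources"]["IamRole"]["Properties"]["Policies"]:
        for stmt in pol["PolicyDocument"]["Statement"]:
            for key in ("Action", "Resource"):
                vals = stmt[key] if isinstance(stmt[key], list) else [stmt[key]]
                if any(v in ("*", "s3:*", "arn:aws:s3:::*", "arn:aws:s3:::*/*") for v in vals):
                    findings.append(f"{pol['PolicyName']}: {key} is a wildcard")
    return findings
```

Calling build_template("my-ssm-logs-bucket", "eu-west-1") yields a template that passes wildcard_findings with no findings, while build_template(log_bucket="*") is flagged twice.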
