New! Security Assessments
No Items in Stack
Browse
Browse

Security Control

Config Rules
Network Firewall
Auto Remediation
Conformance Packs
Amazon GuardDuty
Amazon Inspector
Security Hub
Amazon Macie
Billing and Cost
S3 Bucket Policies
CloudWatch Alarms & Rules
Logging & Monitoring
AWS WAF
Service Control Policies
Backups & DR
AWS Systems Manager
Security Groups & NACLs
KMS
IAM Policies

Configuration Packages

Custom VPC Template
Enable Logging Services
Threat Detection
Monitoring & Compliance
Auto Remediation Rules
EC2 Patch Management
Common SCPs Package
PCI DSS Compliance
CIS AWS Benchmark

Service

VPC
S3
EC2
IAM
CloudFormation
Lambda
EMR
DynamoDB
RDS

Security Strategy Guides

AWS Account Setup Guide
EC2 Security Strategy
S3 Security Strategy
Logging & Monitoring Strategy

Solutions, Guides & Tools

Security Solutions
Security Tools
Close
IAM Security Controls

EC2 IAM Role for AWS Systems Manager



OverviewConfigure & DeploySources & Documentation

Overview

Configuration to create an IAM role for EC2 instances to access to AWS Systems Manager (SSM) services, with the least permissions required.

Set the permissions by selecting the permissions from the configuration menu: 

  • Core Permissions: Attaches AmazonSSMManagedInstanceCore managed policy which is required to enable an instance to use Systems Manager service core functionality.
  • Access to Directory Services: Attaches AmazonSSMDirectoryServiceAccess managed policy, required only if you plan to join EC2 instance for Windows Server to a Microsoft AD directory
  • Access for CloudWatch Agent: Attaches CloudWatchAgentServerPolicy managed policy, required only if you plan to install and run the CloudWatch agent on your instances
  • Logging to S3 Permissions: Attaches an inline policy to allow writing objects to an S3 bucket. It is recommended to specify the exact bucket name to restrict the access.
  • Access with VPC Endpoints: Attaches an inline policy to allow access to S3 buckets that are required when using VPC endpoints to access the SSM API. It is recommended to specify the specific region.

Configuration Templates

Items
2
Size
0.7 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  IamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
      Policies: []
      RoleName: Ec2RoleForSSM
      Description: EC2 IAM role for SSM access
  Ec2InstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      InstanceProfileName: Ec2RoleForSSM
      Roles:
        - Ref: IamRole
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

IAM Policies

* Required field

Sources and Documentation

Configuration Source: AWS Documentation

Additional Documentation:

A Secure Cloud

AboutPrivacy PolicyTerms of Service
© 2020 asecurecloud Inc. All Rights Reserved.