Overview

Configuration to create an IAM role for EC2 instances to access to AWS Systems Manager (SSM) services, with the least permissions required.

Set the permissions by selecting the permissions from the configuration menu: 

  • Core Permissions: Attaches AmazonSSMManagedInstanceCore managed policy which is required to enable an instance to use Systems Manager service core functionality.
  • Access to Directory Services: Attaches AmazonSSMDirectoryServiceAccess managed policy, required only if you plan to join EC2 instance for Windows Server to a Microsoft AD directory
  • Access for CloudWatch Agent: Attaches CloudWatchAgentServerPolicy managed policy, required only if you plan to install and run the CloudWatch agent on your instances
  • Logging to S3 Permissions: Attaches an inline policy to allow writing objects to an S3 bucket. It is recommended to specify the exact bucket name to restrict the access.
  • Access with VPC Endpoints: Attaches an inline policy to allow access to S3 buckets that are required when using VPC endpoints to access the SSM API. It is recommended to specify the specific region.

Configuration Templates

Items
2
Size
0.7 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  IamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
      Policies: []
      RoleName: Ec2RoleForSSM
      Description: EC2 IAM role for SSM access
  Ec2InstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      InstanceProfileName: Ec2RoleForSSM
      Roles:
        - Ref: IamRole
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Cf Template

IAM Policies

* Required field

Sources and Documentation

Configuration Source: AWS Documentation

Additional Documentation: