An IAM policy that provides end users the ability start a session to instances based on the tags assigned and the ability to terminate only their own sessions.

 
Tags
Console Access
API and CLI Access
Session Manager
Tags
Missing Parameters
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:::instance/*"
            ],
            "Effect": "Allow",
            "Condition": [
                {
                    "StringLike": {
                        "ssm:resourceTag/Key": [
                            "Value"
                        ]
                    }
                }
            ]
        },
        {
            "Action": [
                "ssm:DescribeSessions",
                "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceProperties",
                "ec2:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:GetDocument"
            ],
            "Resource": [
                "arn:aws:ssm:::document/SSM-SessionManagerRunShell"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:TerminateSession"
            ],
            "Resource": "arn:aws:ssm:::session/${aws:username}-*",
            "Effect": "Allow"
        }
    ]
}
Customize Policy
* Required field