AWS Managed Policies Explorer

Home About

AWS Managed Policies. A maze of twisty passages all alike. Explore them here. If it looks like a button, it's clickable. Always up to date.

Service: AWS Systems Manager

Short Name:

ssm

ARN Format:arn:aws:ssm:${Region}:${Account}:${RelativeId}

ARN Regex:^arn:aws:(ssm|ec2):.+

ReadOnlyAccess

…

AWSCloud9SSMInstanceProfile

Action	Reference	Description
ssm:DescribeMaintenanceWindowExecutions	Docs	Grants permission to view the executions of a specified maintenance window
ssm:DescribeMaintenanceWindowExecutionTaskInvocations	Docs	Grants permission to view details of a specified task execution for a maintenance window
ssm:DescribeMaintenanceWindowExecutionTasks	Docs	Grants permission to view details about the tasks that ran during a specified maintenance window execution
ssm:DescribeMaintenanceWindows	Docs	Grants permission to view information about all or specified maintenance windows
ssm:DescribeMaintenanceWindowSchedule	Docs	Grants permission to view details about upcoming executions of a specified maintenance window
ssm:DescribeMaintenanceWindowsForTarget	Docs	Grants permission to view information about the maintenance window targets and tasks associated with a specified instance
ssm:DescribeMaintenanceWindowTargets	Docs	Grants permission to view a list of the targets associated with a specified maintenance window
ssm:DescribeMaintenanceWindowTasks	Docs	Grants permission to view a list of the tasks associated with a specified maintenance window
ssm:DescribeParameters	Docs	Grants permission to view details about a specified SSM parameter
ssm:DescribePatchBaselines	Docs	Grants permission to view information about patch baselines that meet the specified criteria
ssm:DescribePatchGroups	Docs	Grants permission to view information about the patch baseline for a specified patch group
ssm:DescribePatchGroupState	Docs	Grants permission to view aggregated status details for patches for a specified patch group
ssm:DescribePatchProperties	Docs	Grants permission to view details of available patches for a specified operating system and patch property
ssm:DescribeSessions	Docs	Grants permission to view a list of recent Session Manager sessions that meet the specified search criteria
ssm:GetResourcePolicies	Docs	Grants permission to retrieve lists of Systems Manager resource policies
ssm:ListAssociations	Docs	Grants permission to list the associations for a specified SSM document or managed instance
ssm:ListAssociationVersions	Docs	Grants permission to list versions of the specified association
ssm:ListCommandInvocations	Docs	Grants permission to list information about command invocations sent to a specified instance
ssm:ListCommands	Docs	Grants permission to list the commands sent to a specified instance
ssm:ListComplianceItems	Docs	Grants permission to list compliance status for specified resource types on a specified resource
ssm:ListComplianceSummaries	Docs	Grants permission to list a summary count of compliant and noncompliant resources for a specified compliance type
ssm:ListDocumentMetadataHistory	Docs	Grants permission to view metadata history about a specified SSM document
ssm:ListDocuments	Docs	Grants permission to view information about a specified SSM document
ssm:ListDocumentVersions	Docs	Grants permission to list all versions of a specified document
ssm:ListInstanceAssociations	Docs	Grants permission to SSM Agent to check for new State Manager associations (internal Systems Manager call)
ssm:ListInventoryEntries	Docs	Grants permission to view a list of specified inventory types for a specified instance
ssm:ListOpsItemEvents	Docs	Grants permission to view details about OpsItemEvents
ssm:ListOpsItemRelatedItems	Docs	Grants permission to view details about OpsItem RelatedItems
ssm:ListOpsMetadata	Docs	Grants permission to view a list of OpsMetadata objects
ssm:ListResourceComplianceSummaries	Docs	Grants permission to list resource-level summary count
ssm:ListResourceDataSync	Docs	Grants permission to list information about resource data sync configurations in an account
ssm:ListTagsForResource	Docs	Grants permission to view a list of resource tags for a specified resource
ssm:DeleteResourcePolicy	Docs	Grants permission to delete a Systems Manager resource policy
ssm:ModifyDocumentPermission	Docs	Grants permission to share a custom SSM document publicly or privately with specified AWS accounts
ssm:PutResourcePolicy	Docs	Grants permission to create or update a Systems Manager resource policy
ssm:DescribeActivations	Docs	Grants permission to view details about a specified managed instance activation, such as when it was created and the number of instances registered using the activation
ssm:DescribeAssociation	Docs	Grants permission to view details about the specified association for a specified instance or target
ssm:DescribeAssociationExecutions	Docs	Grants permission to view all executions for a specified association
ssm:DescribeAssociationExecutionTargets	Docs	Grants permission to view information about a specified association execution
ssm:DescribeAutomationExecutions	Docs	Grants permission to view details about all active and terminated Automation executions
ssm:DescribeAutomationStepExecutions	Docs	Grants permission to view information about all active and terminated step executions in an Automation workflow
ssm:DescribeAvailablePatches	Docs	Grants permission to view all patches eligible to include in a patch baseline
ssm:DescribeDocument	Docs	Grants permission to view details about a specified SSM document
ssm:DescribeDocumentParameters	Docs	Grants permission to display information about SSM document parameters in the Systems Manager console (internal Systems Manager action)
ssm:DescribeDocumentPermission	Docs	Grants permission to view the permissions for a specified SSM document
ssm:DescribeEffectiveInstanceAssociations	Docs	Grants permission to view all current associations for a specified instance
ssm:DescribeEffectivePatchesForPatchBaseline	Docs	Grants permission to view details about the patches currently associated with the specified patch baseline (Windows only)
ssm:DescribeInstanceAssociationsStatus	Docs	Grants permission to view the status of the associations for a specified instance
ssm:DescribeInstanceInformation	Docs	Grants permission to view details about a specified instance
ssm:DescribeInstancePatches	Docs	Grants permission to view general details about the patches on a specified instance
ssm:DescribeInstancePatchStates	Docs	Grants permission to view status details about patches on a specified instance
ssm:DescribeInstancePatchStatesForPatchGroup	Docs	Grants permission to describe the high-level patch state for the instances in the specified patch group
ssm:DescribeInstanceProperties	Docs	Grants permission to user's Amazon EC2 console to render managed instances' nodes
ssm:DescribeInventoryDeletions	Docs	Grants permission to view details about a specified inventory deletion
ssm:DescribeOpsItems	Docs	Grants permission to view details about specified OpsItems
ssm:GetAutomationExecution	Docs	Grants permission to view details of a specified Automation execution
ssm:GetCalendar	Docs	Grants permission to view details of a specific calendar
ssm:GetCalendarState	Docs	Grants permission to view the calendar state for a change calendar or a list of change calendars
ssm:GetCommandInvocation	Docs	Grants permission to view details about the command execution of a specified invocation or plugin
ssm:GetConnectionStatus	Docs	Grants permission to view the Session Manager connection status for a specified managed instance
ssm:GetDefaultPatchBaseline	Docs	Grants permission to view the current default patch baseline for a specified operating system type
ssm:GetDeployablePatchSnapshotForInstance	Docs	Grants permission to retrieve the current patch baseline snapshot for a specified instance
ssm:GetDocument	Docs	Grants permission to view the contents of a specified SSM document
ssm:GetInventory	Docs	Grants permission to view instance inventory details per the specified criteria
ssm:GetInventorySchema	Docs	Grants permission to view a list of inventory types or attribute names for a specified inventory item type
ssm:GetMaintenanceWindow	Docs	Grants permission to view details about a specified maintenance window
ssm:GetMaintenanceWindowExecution	Docs	Grants permission to view details about a specified maintenance window execution
ssm:GetMaintenanceWindowExecutionTask	Docs	Grants permission to view details about a specified maintenance window execution task
ssm:GetMaintenanceWindowExecutionTaskInvocation	Docs	Grants permission to view details about a specific maintenance window task running on a specific target
ssm:GetMaintenanceWindowTask	Docs	Grants permission to view details about tasks registered with a specified maintenance window
ssm:GetManifest	Docs	Grants permission to Systems Manager and SSM Agent to determine package installation requirements for an instance (internal Systems Manager call)
ssm:GetOpsItem	Docs	Grants permission to view information about a specified OpsItem
ssm:GetOpsMetadata	Docs	Grants permission to retrieve an OpsMetadata object
ssm:GetOpsSummary	Docs	Grants permission to view summary information about OpsItems based on specified filters and aggregators
ssm:GetParameter	Docs	Grants permission to view information about a specified parameter
ssm:GetParameterHistory	Docs	Grants permission to view details and changes for a specified parameter
ssm:GetParameters	Docs	Grants permission to view information about multiple specified parameters
ssm:GetParametersByPath	Docs	Grants permission to view information about parameters in a specified hierarchy
ssm:GetPatchBaseline	Docs	Grants permission to view information about a specified patch baseline
ssm:GetPatchBaselineForPatchGroup	Docs	Grants permission to view the ID of the current patch baseline for a specified patch group
ssm:GetServiceSetting	Docs	Grants permission to view the account-level setting for an AWS service
ssm:PutConfigurePackageResult	Docs	Grants permission to SSM Agent to generate a report of the results of specific agent requests (internal Systems Manager call)
ssm:AddTagsToResource	Docs	Grants permission to add or overwrite one or more tags for a specified AWS resource
ssm:RemoveTagsFromResource	Docs	Grants permission to remove a specified tag key from a specified resource
ssm:AssociateOpsItemRelatedItem	Docs	Grants permission to associate RelatedItem to an OpsItem
ssm:CancelCommand	Docs	Grants permission to cancel a specified Run Command command
ssm:CancelMaintenanceWindowExecution	Docs	Grants permission to cancel an in-progress maintenance window execution
ssm:CreateActivation	Docs	Grants permission to create an activation that is used to register on-premises servers and virtual machines (VMs) with Systems Manager
ssm:CreateAssociation	Docs	Grants permission to associate a specified Systems Manager document with specified instances or other targets
ssm:CreateAssociationBatch	Docs	Grants permission to combine entries for multiple CreateAssociation operations in a single command
ssm:CreateDocument	Docs	Grants permission to create a Systems Manager SSM document
ssm:CreateMaintenanceWindow	Docs	Grants permission to create a maintenance window
ssm:CreateOpsItem	Docs	Grants permission to create an OpsItem in OpsCenter
ssm:CreateOpsMetadata	Docs	Grants permission to create an OpsMetadata object for an AWS resource
ssm:CreatePatchBaseline	Docs	Grants permission to create a patch baseline
ssm:CreateResourceDataSync	Docs	Grants permission to create a resource data sync configuration, which regularly collects inventory data from managed instances and updates the data in an Amazon S3 bucket
ssm:DeleteActivation	Docs	Grants permission to delete a specified activation for managed instances
ssm:DeleteAssociation	Docs	Grants permission to disassociate a specified SSM document from a specified instance
ssm:DeleteDocument	Docs	Grants permission to delete a specified SSM document and its instance associations
ssm:DeleteInventory	Docs	Grants permission to delete a specified custom inventory type, or the data associated with a custom inventory type
ssm:DeleteMaintenanceWindow	Docs	Grants permission to delete a specified maintenance window
ssm:DeleteOpsItem	Docs	Grants permission to delete an OpsItem
ssm:DeleteOpsMetadata	Docs	Grants permission to delete an OpsMetadata object
ssm:DeleteParameter	Docs	Grants permission to delete a specified SSM parameter
ssm:DeleteParameters	Docs	Grants permission to delete multiple specified SSM parameters
ssm:DeletePatchBaseline	Docs	Grants permission to delete a specified patch baseline
ssm:DeleteResourceDataSync	Docs	Grants permission to delete a specified resource data sync
ssm:DeregisterManagedInstance	Docs	Grants permission to deregister a specified on-premises server or virtual machine (VM) from Systems Manager
ssm:DeregisterPatchBaselineForPatchGroup	Docs	Grants permission to deregister a specified patch baseline from being the default patch baseline for a specified patch group
ssm:DeregisterTargetFromMaintenanceWindow	Docs	Grants permission to deregister a specified target from a maintenance window
ssm:DeregisterTaskFromMaintenanceWindow	Docs	Grants permission to deregister a specified task from a maintenance window
ssm:DisassociateOpsItemRelatedItem	Docs	Grants permission to disassociate RelatedItem from an OpsItem
ssm:LabelParameterVersion	Docs	Grants permission to apply an identifying label to a specified version of a parameter
ssm:PutCalendar	Docs	Grants permission to create/edit a specific calendar
ssm:PutComplianceItems	Docs	Grants permission to register a compliance type and other compliance details on a specified resource
ssm:PutInventory	Docs	Grants permission to add or update inventory items on multiple specified managed instances
ssm:PutParameter	Docs	Grants permission to create an SSM parameter
ssm:RegisterDefaultPatchBaseline	Docs	Grants permission to specify the default patch baseline for an operating system type
ssm:RegisterManagedInstance	Docs	Grants permission to register a Systems Manager Agent
ssm:RegisterPatchBaselineForPatchGroup	Docs	Grants permission to specify the default patch baseline for a specified patch group
ssm:RegisterTargetWithMaintenanceWindow	Docs	Grants permission to register a target with a specified maintenance window
ssm:RegisterTaskWithMaintenanceWindow	Docs	Grants permission to register a task with a specified maintenance window
ssm:ResetServiceSetting	Docs	Grants permission to reset the service setting for an AWS account to the default value
ssm:ResumeSession	Docs	Grants permission to reconnect a Session Manager session to a managed instance
ssm:SendAutomationSignal	Docs	Grants permission to send a signal to change the current behavior or status of a specified Automation execution
ssm:SendCommand	Docs	Grants permission to run commands on one or more specified managed instances
ssm:StartAssociationsOnce	Docs	Grants permission to run a specified association manually
ssm:StartAutomationExecution	Docs	Grants permission to initiate the execution of an Automation document
ssm:StartChangeRequestExecution	Docs	Grants permission to initiate the execution of an Automation Change Template document
ssm:StartSession	Docs	Grants permission to initiate a connection to a specified target for a Session Manager session
ssm:StopAutomationExecution	Docs	Grants permission to stop a specified Automation execution that is already in progress
ssm:TerminateSession	Docs	Grants permission to permanently end a Session Manager connection to an instance
ssm:UnlabelParameterVersion	Docs	Grants permission to remove an identifying label from a specified version of a parameter
ssm:UpdateAssociation	Docs	Grants permission to update an association and immediately run the association on the specified targets
ssm:UpdateAssociationStatus	Docs	Grants permission to update the status of the SSM document associated with a specified instance
ssm:UpdateDocument	Docs	Grants permission to update one or more values for an SSM document
ssm:UpdateDocumentDefaultVersion	Docs	Grants permission to change the default version of an SSM document
ssm:UpdateDocumentMetadata	Docs	Grants permission to update the metadata of an SSM document
ssm:UpdateInstanceAssociationStatus	Docs	Grants permission to SSM Agent to update the status of the association that it is currently running (internal Systems Manager call)
ssm:UpdateInstanceInformation	Docs	Grants permission to SSM Agent to send a heartbeat signal to the Systems Manager service in the cloud
ssm:UpdateMaintenanceWindow	Docs	Grants permission to update a specified maintenance window
ssm:UpdateMaintenanceWindowTarget	Docs	Grants permission to update a specified maintenance window target
ssm:UpdateMaintenanceWindowTask	Docs	Grants permission to update a specified maintenance window task
ssm:UpdateManagedInstanceRole	Docs	Grants permission to assign or change the IAM role assigned to a specified managed instance
ssm:UpdateOpsItem	Docs	Grants permission to edit or change an OpsItem
ssm:UpdateOpsMetadata	Docs	Grants permission to update an OpsMetadata object
ssm:UpdatePatchBaseline	Docs	Grants permission to update a specified patch baseline
ssm:UpdateResourceDataSync	Docs	Grants permission to update a resource data sync
ssm:UpdateServiceSetting	Docs	Grants permission to update the service setting for an AWS account

aws:RequestTag/${TagKey}aws:ResourceTag/${TagKey}aws:TagKeysec2:SourceInstanceARNssm:AutoApprovessm:DocumentCategoriesssm:Overwritessm:Recursivessm:SessionDocumentAccessCheckssm:SourceInstanceARNssm:SyncTypessm:resourceTag/${TagKey}ssm:resourceTag/aws:ssmmessages:session-idssm:resourceTag/aws:ssmmessages:target-idssm:resourceTag/tag-key