AWS EC2 SSM Basic Permissions

2023-03-05

Problem

You have EC2 instances and you want to connect to them via AWS Systems Manager instead of SSH/RDP, and all you need is a command-line interface. If you search AWS IAM's managed policies for "SSM", you will find lots of policies. Which one should you pick for this use case?

Solution

The basic permissions needed for an EC2 instance to communicate with AWS Systems Manager can be found in the "AmazonSSMManagedInstanceCore" Amazon managed policy. If you create an IAM Role and attach this managed policy, you will find that you can execute Run Command documents on the server. But you will find you cannot directly connect to the EC2 Instance using Systems Manager in the EC2 Console. This is because this managed policy is missing one permission you need: "ec2:DescribeInstances". I typically attach the "AmazonSSMManagedInstanceCore" managed policy to the role I plan on using and then add an inline policy with the following policy document.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "ReadEC2Instances",
			"Effect": "Allow",
			"Action": "ec2:DescribeInstances",
			"Resource": "*"
		}
	]
}

At this point you should be able to connect to the EC2 Instance.
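The role setup above, scripted with the AWS CLI, as an added example that is not part of the original post. It assumes a configured AWS CLI with IAM/SSM rights; the role name and the instance ID passed to the check are constructed placeholders.

```sh
#!/bin/sh
# Added example: build the instance role the post describes and verify the agent.
set -eu
ROLE_NAME="${ROLE_NAME:-ssm-basic-instance-role}"   # constructed placeholder
MANAGED_POLICY_ARN="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Trust policy so the EC2 service can assume the role.
trust_policy() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}
EOF
}

# The inline policy from the post: the one permission the managed policy lacks.
inline_policy() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Sid":"ReadEC2Instances",
 "Effect":"Allow","Action":"ec2:DescribeInstances","Resource":"*"}]}
EOF
}

create_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn "$MANAGED_POLICY_ARN"
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name ReadEC2Instances --policy-document "$(inline_policy)"
  # An instance profile wraps the role so it can be attached to an instance.
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
    --role-name "$ROLE_NAME"
}

# Prints the agent's PingStatus (Online, ConnectionLost or Inactive) for one
# instance ID; anything other than Online points at the agent, not IAM.
check_agent() {
  aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$1" \
    --query 'InstanceInformationList[0].PingStatus' --output text
}

# Only call AWS when explicitly asked, so the file is safe to source.
if [ "${1:-}" = "apply" ]; then
  create_role
elif [ "${1:-}" = "check" ]; then
  check_agent "$2"
fi
```

Run `sh setup.sh apply` once, attach the instance profile to the instance, then `sh setup.sh check i-0123456789abcdef0` (constructed ID) to confirm the agent reports Online.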

NOTE: If you cannot connect to an EC2 Instance that has both the correct IAM permissions and the SSM Agent installed, make sure the SSM Agent is running. Sometimes it can randomly stop running. Lastly, if the server was turned on when it did not have the correct permissions, the agent will not check to see whether it gained access for a while. I recommend, if possible, restarting the server, or connecting through some other method and starting/restarting the SSM Agent service.