Permissions for @turbot/aws-ssm
Taking a look at permissions and associated grant levels for each permission for SSM:
| Permission | Grant Level | Help |
|---|---|---|
| ec2messages:AcknowledgeMessage | Admin | |
| ec2messages:DeleteMessage | Admin | |
| ec2messages:FailMessage | Admin | |
| ec2messages:GetEndpoint | Admin | |
| ec2messages:GetMessages | Admin | |
| ec2messages:SendReply | Admin | |
| iam:ListRoles | Metadata | |
| iam:PassRole | Admin | Allows to use existing role in SSM. |
| ssm-guiconnect:CancelConnection | Operator | |
| ssm-guiconnect:GetConnection | Metadata | |
| ssm-guiconnect:StartConnection | Operator | |
| ssm:AddTagsToResource | Operator | Considered to be low risk operation. Tags are metadata that you assign to your managed instances. Tags enable you to categorize your managed instances in different ways. E.g. by purpose/ owner/ or environment. |
| ssm:AssociateOpsItemRelatedItem | Admin | |
| ssm:CancelCommand | Operator | Attempts to cancel the command specified by the Command ID |
| ssm:CancelMaintenanceWindowExecution | Operator | |
| ssm:CreateActivation | Admin | Operator can manage to registers on-premises server or virtual machine with Amazon EC2 so that you can manage these resources using Run Command |
| ssm:CreateAssociation | Operator | Operator can associates the specified Systems Manager document with the specified instances or targets. |
| ssm:CreateAssociationBatch | Operator | |
| ssm:CreateDocument | Admin | |
| ssm:CreateMaintenanceWindow | Admin | |
| ssm:CreateOpsItem | Admin | |
| ssm:CreateOpsMetadata | Admin | |
| ssm:CreatePatchBaseline | Admin | Admin can creates a patch baseline. This is a admin definition for the patch base line. Verify that the AWS-DefaultPatchBaseline meets the need. Or create a patch baseline that defines a standard set of patches for the instances. |
| ssm:CreateResourceDataSync | Admin | Admin can create a resource data sync configuration to a single bucket in Amazon S3. |
| ssm:DeleteActivation | Admin | |
| ssm:DeleteAssociation | Operator | |
| ssm:DeleteDocument | Admin | Before deleting the document. It is recommend that you use DeleteAssociation to disassociate all instances that are associated with the document. |
| ssm:DeleteInventory | Admin | |
| ssm:DeleteMaintenanceWindow | Admin | |
| ssm:DeleteOpsMetadata | Admin | |
| ssm:DeleteParameter | Operator | Delete a parameter from the system. |
| ssm:DeleteParameters | Operator | Delete a list of parameters. |
| ssm:DeletePatchBaseline | Admin | |
| ssm:DeleteResourceDataSync | Admin | |
| ssm:DeregisterManagedInstance | Operator | Removes the server or virtual machine from the list of registered servers. You can reregister the instance again at any time. If you don’t plan to use Run Command on the server. We suggest uninstalling the SSM Agent first. |
| ssm:DeregisterPatchBaselineForPatchGroup | Admin | |
| ssm:DeregisterTargetFromMaintenanceWindow | Operator | |
| ssm:DeregisterTaskFromMaintenanceWindow | Operator | |
| ssm:DescribeActivations | Metadata | Describes the associations for the specified Systems Manager document or instance |
| ssm:DescribeAssociation | ReadOnly | |
| ssm:DescribeAssociationExecutionTargets | ReadOnly | |
| ssm:DescribeAssociationExecutions | ReadOnly | |
| ssm:DescribeAutomationExecutions | Metadata | Provides details about all active and terminated Automation executions. |
| ssm:DescribeAutomationStepExecutions | Metadata | Provides details about all active and terminated step executions in an Automation workflow. |
| ssm:DescribeAvailablePatches | Metadata | |
| ssm:DescribeDocument | Metadata | Describes the specified SSM document. |
| ssm:DescribeDocumentParameters | Metadata | Displays the Documents node in the left navigation for EC2 and SSM. https://docs.aws.amazon.com/IAM/latest/UserGuide/list\_amazonsimplesystemsmanager.html |
| ssm:DescribeDocumentPermission | Metadata | Only account ID is displayed |
| ssm:DescribeEffectiveInstanceAssociations | Metadata | All associations for the instance(s). |
| ssm:DescribeEffectivePatchesForPatchBaseline | Metadata | The EffectivePatch structure defines metadata about a patch along with the approval state of the patch in a particular patch baseline |
| ssm:DescribeInstanceAssociationsStatus | Metadata | Only status information about the instance association |
| ssm:DescribeInstanceInformation | Metadata | As it provides detailed information like the operating system platform the SSM Agent version (Linux) status etc. |
| ssm:DescribeInstancePatchStates | Metadata | Very high-level information of the patch state. |
| ssm:DescribeInstancePatchStatesForPatchGroup | Metadata | Defines the high-level patch compliance state for a managed instance. providing information about the number of installed. missing. not applicable. and failed patches along with metadata about the operation when this information was gathered for the instance |
| ssm:DescribeInstancePatches | Metadata | Retrieves the high-level patch state of one or more instances |
| ssm:DescribeInstanceProperties | Metadata | Displays the Managed Instances node in the left navigation for EC2 and SSM. https://docs.aws.amazon.com/IAM/latest/UserGuide/list\_amazonsimplesystemsmanager.html |
| ssm:DescribeInventoryDeletions | Metadata | |
| ssm:DescribeMaintenanceWindowExecutionTaskInvocations | Metadata | Retrieves the individual task executions (one per target) for a particular task executed as part of a Maintenance Window execution. |
| ssm:DescribeMaintenanceWindowExecutionTasks | Metadata | |
| ssm:DescribeMaintenanceWindowExecutions | Metadata | |
| ssm:DescribeMaintenanceWindowSchedule | Metadata | |
| ssm:DescribeMaintenanceWindowTargets | Metadata | |
| ssm:DescribeMaintenanceWindowTasks | Metadata | |
| ssm:DescribeMaintenanceWindows | Metadata | |
| ssm:DescribeMaintenanceWindowsForTarget | Metadata | |
| ssm:DescribeOpsItems | Metadata | |
| ssm:DescribeParameters | Metadata | |
| ssm:DescribePatchBaselines | Metadata | |
| ssm:DescribePatchGroupState | Metadata | |
| ssm:DescribePatchGroups | Metadata | |
| ssm:DescribePatchProperties | Metadata | |
| ssm:DescribeSessions | Metadata | |
| ssm:DisassociateOpsItemRelatedItem | Admin | |
| ssm:GetAutomationExecution | Metadata | |
| ssm:GetCalendarState | Metadata | |
| ssm:GetCommandInvocation | Metadata | Returns detailed information about command execution |
| ssm:GetConnectionStatus | Metadata | |
| ssm:GetDefaultPatchBaseline | Metadata | |
| ssm:GetDeployablePatchSnapshotForInstance | ReadOnly | Contains A pre-signed Amazon S3 URL that can be used to download the patch snapshot.http://docs.aws.amazon.com/systems-manager/latest/APIReference/API\_GetDeployablePatchSnapshotForInstance.html#EC2-GetDeployablePatchSnapshotForInstance-response-SnapshotDownloadUrl |
| ssm:GetDocument | Metadata | |
| ssm:GetInventory | Metadata | |
| ssm:GetInventorySchema | Metadata | |
| ssm:GetMaintenanceWindow | Metadata | |
| ssm:GetMaintenanceWindowExecution | Metadata | |
| ssm:GetMaintenanceWindowExecutionTask | Metadata | |
| ssm:GetMaintenanceWindowExecutionTaskInvocation | Metadata | |
| ssm:GetMaintenanceWindowTask | Metadata | |
| ssm:GetManifest | Metadata | Fetches the installation description for a package. https://docs.aws.amazon.com/IAM/latest/UserGuide/list\_amazonsimplesystemsmanager.html |
| ssm:GetOpsItem | Metadata | |
| ssm:GetOpsMetadata | Metadata | |
| ssm:GetOpsSummary | Metadata | |
| ssm:GetParameter | Metadata | Get information about a parameter by using the parameter name. |
| ssm:GetParameterHistory | Metadata | |
| ssm:GetParameters | Metadata | Get details of a parameter. |
| ssm:GetParametersByPath | Metadata | Retrieve parameters in a specific hierarchy. |
| ssm:GetPatchBaseline | Metadata | |
| ssm:GetPatchBaselineForPatchGroup | Metadata | |
| ssm:GetServiceSetting | Metadata | |
| ssm:LabelParameterVersion | Operator | |
| ssm:ListAssociationVersions | Metadata | Retrieves all versions of an association for a specific association ID. |
| ssm:ListAssociations | Metadata | Lists the associations for the specified Systems Manager document or instance |
| ssm:ListCommandInvocations | Metadata | |
| ssm:ListCommands | Metadata | No direct access to the S3 data |
| ssm:ListComplianceItems | Metadata | |
| ssm:ListComplianceSummaries | Metadata | |
| ssm:ListDocumentMetadataHistory | Metadata | |
| ssm:ListDocumentVersions | Metadata | |
| ssm:ListDocuments | Metadata | |
| ssm:ListInstanceAssociations | Metadata | This is shown only part of the AWS managed service part. not part of the API list |
| ssm:ListInventoryEntries | Metadata | |
| ssm:ListOpsItemEvents | Metadata | |
| ssm:ListOpsItemRelatedItems | Metadata | |
| ssm:ListOpsMetadata | Metadata | |
| ssm:ListResourceComplianceSummaries | Metadata | |
| ssm:ListResourceDataSync | Metadata | |
| ssm:ListTagsForResource | Metadata | |
| ssm:ModifyDocumentPermission | Admin | |
| ssm:PutComplianceItems | Admin | |
| ssm:PutConfigurePackageResult | Metadata | Reports installation result for a package. https://docs.aws.amazon.com/IAM/latest/UserGuide/list\_amazonsimplesystemsmanager.html |
| ssm:PutInventory | Operator | |
| ssm:PutParameter | Admin | |
| ssm:RegisterDefaultPatchBaseline | Admin | As creation is associated to Admin above |
| ssm:RegisterManagedInstance | Admin | |
| ssm:RegisterPatchBaselineForPatchGroup | Admin | |
| ssm:RegisterTargetWithMaintenanceWindow | Operator | Uses the Maintenance created by Admin |
| ssm:RegisterTaskWithMaintenanceWindow | Operator | Uses the Maintenance created by Admin |
| ssm:RemoveTagsFromResource | Operator | |
| ssm:ResetServiceSetting | Admin | |
| ssm:ResumeSession | Admin | |
| ssm:SendAutomationSignal | Operator | |
| ssm:SendCommand | Operator | |
| ssm:StartAssociationsOnce | Operator | |
| ssm:StartAutomationExecution | Operator | |
| ssm:StartChangeRequestExecution | Admin | |
| ssm:StartSession | Admin | |
| ssm:StopAutomationExecution | Operator | |
| ssm:TerminateSession | Admin | |
| ssm:UnlabelParameterVersion | Admin | |
| ssm:UpdateAssociation | Operator | As create/delete is part of the Operation function |
| ssm:UpdateAssociationStatus | Operator | |
| ssm:UpdateDocument | Admin | |
| ssm:UpdateDocumentDefaultVersion | Admin | |
| ssm:UpdateDocumentMetadata | Admin | |
| ssm:UpdateInstanceAssociationStatus | Operator | |
| ssm:UpdateInstanceInformation | Operator | |
| ssm:UpdateMaintenanceWindow | Admin | |
| ssm:UpdateMaintenanceWindowTarget | Operator | Operator can change the target of an existing Maintenance Window. |
| ssm:UpdateMaintenanceWindowTask | Operator | Operator can modify a task assigned to a Maintenance Window. |
| ssm:UpdateManagedInstanceRole | Admin | Assigns or changes an Amazon Identity and Access Management (IAM) role to the managed instance. |
| ssm:UpdateOpsItem | Admin | |
| ssm:UpdateOpsMetadata | Admin | |
| ssm:UpdatePatchBaseline | Admin | |
| ssm:UpdateResourceDataSync | Admin | |
| ssm:UpdateServiceSetting | Admin | |
| ssmmessages:CreateControlChannel | Admin | |
| ssmmessages:CreateDataChannel | Admin | |
| ssmmessages:OpenControlChannel | Admin | |
| ssmmessages:OpenDataChannel | Admin |