aws-solutions/media-services-application-mapper

Update IAM role usage directions in Managed Instances guide

JimTharioAmazon opened this issue · 2 comments

It looks like we need an updated set of policy permissions for managed instances.

We need to create a role for managed instances (MSAM-Managed-Instances) that includes:

  1. AmazonSSMManagedInstanceCore (for basic control functionality), and
  2. Inline policy similar to AWSLambdaBasicExecutionRole with logging permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

The SSM team has updated their documentation about assigning roles to managed instances, and calls out different levels of role, including one for CloudWatch logging. We link to this from our MANAGED_INSTANCES.md guide.

https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html
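The following is an added example, not code from the issue or from the MSAM project. It assembles the role pieces the issue describes (the AmazonSSMManagedInstanceCore managed policy plus an inline CloudWatch Logs policy) into the documents you would hand to `aws iam create-role` / `put-role-policy`, and runs a least-privilege check that flags the inline policy's `"Resource": "*"` and shows a version scoped to a single log group. The trust principal `ec2.amazonaws.com` assumes the managed instances are EC2 instances with an instance profile; the region, account id and log group name are placeholders.

```python
"""Assemble and sanity-check an IAM role for SSM managed instances.

Added example; not part of the MSAM project. Assumptions: managed instances
are EC2 instances using an instance profile (trust principal
ec2.amazonaws.com); region, account id and log group name are placeholders.
"""
import json
from typing import Dict, List

ROLE_NAME = "MSAM-Managed-Instances"

# AWS-managed policy named in the issue.
SSM_CORE_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Inline policy exactly as proposed in the issue ("Resource": "*").
PROPOSED_LOGGING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
            ],
            "Resource": "*",
        }
    ],
}

# Actions that create or write data; granting them on "*" deserves review.
LOG_WRITE_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"}


def trust_policy(service: str = "ec2.amazonaws.com") -> Dict:
    """Trust policy letting the given service principal assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": service},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def scoped_logging_policy(region: str, account_id: str, log_group: str) -> Dict:
    """Same three log actions, limited to one log group and its streams.

    The group ARN covers CreateLogGroup; the ':*' form covers the log
    streams inside it for CreateLogStream/PutLogEvents.
    """
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": sorted(LOG_WRITE_ACTIONS),
                "Resource": [group_arn, f"{group_arn}:*"],
            }
        ],
    }


def overly_broad_statements(policy: Dict) -> List[int]:
    """Indices of Allow statements granting a write action on Resource '*'."""
    flagged = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        writes = any(a in LOG_WRITE_ACTIONS or a.endswith("*") for a in actions)
        if "*" in resources and writes:
            flagged.append(index)
    return flagged


def role_definition(region: str, account_id: str, log_group: str) -> Dict:
    """Everything needed for create-role / attach-role-policy / put-role-policy."""
    return {
        "RoleName": ROLE_NAME,
        "AssumeRolePolicyDocument": json.dumps(trust_policy()),
        "ManagedPolicyArns": [SSM_CORE_POLICY_ARN],
        "InlinePolicies": {
            "CloudWatchLogging": json.dumps(
                scoped_logging_policy(region, account_id, log_group)
            )
        },
    }


if __name__ == "__main__":
    # Placeholder account/region/log group; replace before use.
    definition = role_definition("us-east-1", "123456789012", "MSAM-Managed-Instances")
    print("proposed policy broad statements:", overly_broad_statements(PROPOSED_LOGGING_POLICY))
    print(json.dumps(definition, indent=2))
```

The `AssumeRolePolicyDocument` string goes to `aws iam create-role --assume-role-policy-document`, the managed ARN to `aws iam attach-role-policy`, and each inline policy string to `aws iam put-role-policy`; the instance profile that wraps the role is created separately, as the linked SSM guide describes.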