Bare minimum SSM Sessions Manager permissions

SSM Session Manager Link to heading

Assuming you’re using a supported AMI, SSM Session Manager (amazon-ssm-agent) will be pre-installed and will automatically try to connect outbound to ssm.[region].amazonaws.com.

The following configuration is the minimum you require to be able to connect to an instance using Session Manager.

Security Group rules Link to heading

Port TCP/443 needs to be allowed outbound.

The instance IAM role Link to heading

Attach the AmazonSSMManagedInstanceCore managed policy.

The user/role IAM policy Link to heading

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S",
            "Effect": "Allow",
            "Action": [
                "ssm:GetConnectionStatus",
                "ssm:StartSession"
            ],
            "Resource": "arn:aws:ec2:::instance/*",
        }
    ]
}