"machine identity" for AWS SSM hybrid (on-prem) endpoints



Is there a canonical way to give the AWS SSM agent running on a hybrid-activated (on-prem) system an AWS IAM identity? The example use case would be that I would like the SSM agent on the machine to be able to download software and configuration from secured S3 buckets that require authentication.

2 Answers


You should first check the AWS-Managed AmazonSSM* policies in AWS IAM and choose the most appropriate one for your use case.

Then create your own policy(ies) for what's missing: typically s3 access in your use case to allow software download.

Then, add these policies (AWS-Managed and yours) to the execution role of your EC2 instances: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

It is not EC2 best practice to load identity credentials in an instance: execution role is.

If you work at scale, you will need Infra-as-Code with CloudFormation or CDK to manage this efficiently.

Update: if it's on-prem and not AWS Outposts (I thought it was...), then the preferred option should IAM Roles Anywhere, which are still better than permanent credentials on a machine. Roles remain temporary credentials. See https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html and https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/



profile pictureAWS
answered 8 months ago

Hi, this tutorial describes the steps to create an IAM role for on-premises server, register the on-premises server to the Systems Manager, and install SSM Agent on on-premises server.

On the step you create the IAM role, you can attach an additional policy to access the S3 bucket. Alternatively, you can grant access to the bucket to the IAM role by modifying bucket policy.

profile picture
answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions