Data perimeters in AWS Systems Manager
A data perimeter is a set of preventive guardrails in your AWS environment that help ensure your data can only be accessed by trusted identities from expected networks and resources. When you implement data perimeter controls, you might need to include exceptions for AWS service-owned resources that Systems Manager accesses on your behalf.
For more information about data perimeters, see Data perimeters on AWS.
AWS service-owned resources accessed by Systems Manager
Systems Manager accesses the AWS service-owned resources listed below to provide functionality.
SSM document categories S3 bucket
Systems Manager accesses an AWS managed S3 bucket to retrieve document category information for AWS Systems Manager Documents. This bucket contains metadata about document categories that help organize and classify SSM Documents in the console.
- Resource ARN pattern: arn:aws:s3:::ssm-document-categories-region, where region is the Region code.
  Regional examples:
  - arn:aws:s3:::ssm-document-categories-us-east-1
  - arn:aws:s3:::ssm-document-categories-us-west-2
  - arn:aws:s3:::ssm-document-categories-eu-west-1
  - arn:aws:s3:::ssm-document-categories-ap-northeast-1
- When accessed: This resource is accessed when you view SSM Documents in the Systems Manager console or when you use APIs that retrieve document metadata and categories.
- Data stored: The bucket contains JSON files with document category definitions and metadata. This data is read-only and does not contain customer-specific information.
- Identity used: Systems Manager accesses this resource using AWS service credentials on behalf of your requests.
- Required permissions: s3:GetObject on the bucket contents.
Data perimeter policy considerations
When implementing data perimeter controls using Service Control Policies (SCPs) or VPC endpoint policies with conditions like aws:ResourceOrgID, you need to create exceptions for the AWS service-owned resources that Systems Manager requires.
For example, if you're using an SCP with aws:ResourceOrgID to restrict access to resources outside your organization, you would need to add an exception for the SSM document categories bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RestrictToOrgResources",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:ResourceOrgID": "o-example1234567"
                },
                "ForAllValues:StringNotLike": {
                    "aws:ResourceArn": [
                        "arn:aws:s3:::ssm-document-categories*"
                    ]
                }
            }
        }
    ]
}
This policy denies access to resources outside your organization, but includes an exception for any S3 bucket whose name matches the ssm-document-categories* pattern, allowing Systems Manager to continue functioning properly. The exception is what keeps the Deny from matching: the AWS-owned bucket is not in your organization, so aws:ResourceOrgID is absent from the request context or differs from your organization ID and StringNotEquals evaluates to true; the Deny then applies only if ForAllValues:StringNotLike is also true, which it is not for an ARN that matches one of the excepted patterns. Because the exception is a wildcard on the bucket name, every bucket whose name starts with ssm-document-categories is exempted from the Deny, not only the AWS-owned ones; if you want the carve-out no broader than necessary, list the exact regional buckets you use instead (for example arn:aws:s3:::ssm-document-categories-us-east-1 and arn:aws:s3:::ssm-document-categories-us-east-1/*).
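To see why the exception is needed and what it exempts, the following Python is an added example, not code from the AWS documentation or from Systems Manager. It builds the SCP above, optionally narrowing the exception to exact regional bucket ARNs, and evaluates it against constructed request contexts using a minimal model of only the two condition operators the policy uses. The object keys, the partner bucket name and the o-otherorg000001 organization ID are invented for illustration, and the evaluator is a teaching model of the documented operator semantics, not the IAM policy engine.

```python
import fnmatch
import json

ORG_ID = "o-example1234567"  # organization ID from the page's example SCP
BUCKET_PREFIX = "arn:aws:s3:::ssm-document-categories-"


def build_scp(org_id, regions=None):
    """Return the page's resource-perimeter SCP as a dict.

    regions=None reproduces the page's broad 'ssm-document-categories*'
    exception. Passing a list of Region codes narrows the exception to the
    exact regional buckets Systems Manager uses (bucket ARN plus objects).
    An empty list produces a perimeter with no exception at all."""
    if regions is None:
        exceptions = ["arn:aws:s3:::ssm-document-categories*"]
    else:
        exceptions = [f"{BUCKET_PREFIX}{r}{suffix}"
                      for r in regions for suffix in ("", "/*")]
    condition = {"StringNotEquals": {"aws:ResourceOrgID": org_id}}
    if exceptions:  # an empty ARN list is not valid policy, so omit the key
        condition["ForAllValues:StringNotLike"] = {"aws:ResourceArn": exceptions}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RestrictToOrgResources",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": condition,
        }],
    }


def _string_not_equals(ctx, key, expected):
    # IAM semantics: a negated operator on a key that is absent from the
    # request context evaluates to true, so the Deny matches.
    return ctx.get(key) != expected


def _for_all_values_string_not_like(ctx, key, patterns):
    # IAM semantics: ForAllValues is true when the key is absent; otherwise
    # every context value must fail to match every pattern ('*' and '?').
    values = ctx.get(key)
    if values is None:
        return True
    if isinstance(values, str):
        values = [values]
    return all(not any(fnmatch.fnmatchcase(v, p) for p in patterns)
               for v in values)


_OPERATORS = {
    "StringNotEquals": _string_not_equals,
    "ForAllValues:StringNotLike": _for_all_values_string_not_like,
}


def scp_denies(scp, ctx):
    """True if any Deny statement's condition block fully matches ctx.

    Only the two operators the page's policy uses are modelled. Action and
    Resource are '*' in that policy, so they always match."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if all(_OPERATORS[op](ctx, key, val)
               for op, block in stmt.get("Condition", {}).items()
               for key, val in block.items()):
            return True
    return False


# Constructed request contexts; only the keys this policy reads are included.
IN_ORG_OBJECT = {"aws:ResourceOrgID": ORG_ID,
                 "aws:ResourceArn": "arn:aws:s3:::my-org-bucket/report.csv"}
OTHER_ORG_OBJECT = {"aws:ResourceOrgID": "o-otherorg000001",  # invented
                    "aws:ResourceArn": "arn:aws:s3:::partner-bucket/report.csv"}
# AWS service-owned bucket: no aws:ResourceOrgID, because that key is only
# populated when the resource owner belongs to an organization. The object
# key 'categories.json' is an assumption for illustration.
SSM_CATEGORIES_OBJECT = {"aws:ResourceArn": f"{BUCKET_PREFIX}us-east-1/categories.json"}
# Hypothetical bucket whose name merely starts with the same prefix.
LOOKALIKE_OBJECT = {"aws:ResourceArn": "arn:aws:s3:::ssm-document-categories-not-aws/x"}

SAMPLES = [("in-org object", IN_ORG_OBJECT),
           ("other-org object", OTHER_ORG_OBJECT),
           ("SSM categories object", SSM_CATEGORIES_OBJECT),
           ("lookalike bucket object", LOOKALIKE_OBJECT)]


if __name__ == "__main__":
    for label, scp in [("page wildcard", build_scp(ORG_ID)),
                       ("exact regions", build_scp(ORG_ID, ["us-east-1", "eu-west-1"])),
                       ("no exception", build_scp(ORG_ID, []))]:
        print(f"== {label} ==")
        for name, ctx in SAMPLES:
            print(f"  {name}: {'DENY' if scp_denies(scp, ctx) else 'allowed to proceed'}")
    print(json.dumps(build_scp(ORG_ID, ["us-east-1"]), indent=2))
```

Running it shows the three outcomes that matter: with no exception the SSM categories bucket is denied because the missing aws:ResourceOrgID makes StringNotEquals true; with the page's wildcard both the AWS-owned bucket and the lookalike bucket pass; with exact regional ARNs only the AWS-owned bucket passes. "Allowed to proceed" here means only that this Deny statement does not match, since an SCP never grants access by itself.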
Similarly, if you're using VPC endpoint policies to restrict S3 access, you would need to ensure that the SSM document categories buckets remain reachable through your VPC endpoints; an endpoint policy that allows only resources matching your aws:ResourceOrgID needs the same exception for these buckets, because they are not owned by your organization.