Messtone AWS IAM administration policy for the Messtone Fleet Manager is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeInstances",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "General",
      "Effect": "Allow",
      "Action": [
        "ssm:AddTagsToResource",
        "ssm:DescribeInstanceAssociationsStatus",
        "ssm:DescribeInstancePatches",
        "ssm:DescribeInstancePatchStates",
        "ssm:DescribeInstanceProperties",
        "ssm:GetCommandInvocation",
        "ssm:GetServiceSetting",
        "ssm:GetInventorySchema",
        "ssm:ListComplianceItems",
        "ssm:ListInventoryEntries",
        "ssm:ListTagsForResource",
        "ssm:ListCommandInvocations",
        "ssm:ListAssociations",
        "ssm:RemoveTagsFromResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SendCommand",
      "Effect": "Allow",
      "Action": [
        "ssm:GetDocument",
        "ssm:SendCommand",
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws:ec2:*:account-id:instance/*",
        "arn:aws:ssm:*:account-id:managed-instance/*",
        "arn:aws:ssm:*:account-id:document/SSM-SessionManagerRunShell",
        "arn:aws:ssm:*:*:document/AWS-PasswordReset",
        "arn:aws:ssm:*:*:document/AWSFleetManager-AddUsersToGroups",
        "arn:aws:ssm:*:*:document/AWSFleetManager-CopyFileSystemItem",
        "arn:aws:ssm:*:*:document/AWSFleetManager-CreateDirectory",
        "arn:aws:ssm:*:*:document/AWSFleetManager-CreateGroup",
        "arn:aws:ssm:*:*:document/AWSFleetManager-CreateUser",
        "arn:aws:ssm:*:*:document/AWSFleetManager-CreateUserInteractive",
        "arn:aws:ssm:*:*:document/AWSFleetManager-CreateWindowsRegistryKey",
        "arn:aws:ssm:*:*:document/AWSFleetManager-DeleteFileSystemItem",
        "arn:aws:ssm:*:*:document/AWSFleetManager-DeleteGroup",
        "arn:aws:ssm:*:*:document/AWSFleetManager-DeleteUser",
        "arn:aws:ssm:*:*:document/AWSFleetManager-DeleteWindowsRegistryKey",
        "arn:aws:ssm:*:*:document/AWSFleetManager-DeleteWindowsRegistryValue",
        "arn:aws:ssm:*:*:document/AWSFleetManager-GetFileContent",
        "arn:aws:ssm:*:*:document/AWSFleetManager-GetFileSystemContent",
        "arn:aws:ssm:*:*:document/AWSFleetManager-GetGroups",
        "arn:aws:ssm:*:*:document/AWSFleetManager-GetPerformanceCounters",
        "arn:aws:ssm:*:*:document/AWSFleetManager-GetProcessDetails",
        "arn:aws:ssm:*:*:document/AWSFleetManager-GetUsers",
        "arn:aws:ssm:*:*:document/AWSFleetManager-GetWindowsEvents",
        "arn:aws:ssm:*:*:document/AWSFleetManager-GetWindowsRegistryContent",
        "arn:aws:ssm:*:*:document/AWSFleetManager-MoveFileSystemItem",
        "arn:aws:ssm:*:*:document/AWSFleetManager-RemoveUsersFromGroups",
        "arn:aws:ssm:*:*:document/AWSFleetManager-RenameFileSystemItem",
        "arn:aws:ssm:*:*:document/AWSFleetManager-SetWindowsRegistryValue",
        "arn:aws:ssm:*:*:document/AWSFleetManager-StartProcess",
        "arn:aws:ssm:*:*:document/AWSFleetManager-TerminateProcess"
      ],
      "Condition": {
        "BoolIfExists": {
          "ssm:SessionDocumentAccessCheck": "true"
        }
      }
    },
    {
      "Sid": "TerminateSession",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/aws:ssmmessages:session-id": [
            "${aws:userid}"
          ]
        }
      }
    },
    {
      "Sid": "KMS",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "arn:aws:kms:region:account-id:key/key-nameMesstone"
      ]
    }
  ]
}

The `account-id`, `region` and key-name parts of the ARNs above are placeholders; substitute the target account's own values before the policy is attached.
