Posted On: Dec 11, 2020

Amazon Systems Manager now supports Amazon Virtual Private Cloud (Amazon VPC) endpoint policies, which let you control which Systems Manager API operations can be called through an endpoint. When you create an Amazon VPC endpoint for Systems Manager, you can attach an Amazon Identity and Access Management (IAM) resource policy that restricts which principals may call which Systems Manager API operations when the request reaches the service through that endpoint. For example, you can allow certain users only to list Systems Manager Run Command invocations, but not to send any commands, and you can restrict which users can start a Systems Manager Session Manager session. An endpoint policy does not grant permissions on its own: a request made through the endpoint must be allowed both by the caller's IAM identity policy and by the endpoint policy.
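The following endpoint policy is an added illustration, not part of the original announcement. It implements the two cases described above on the ssm endpoint: an auditor role may only read Run Command history, an operator role may send commands and start sessions, and managed instances keep the calls SSM Agent needs so they do not drop out of the managed-instance inventory. The account ID 111122223333 and the three role names are placeholders; the `aws-cn` partition is used because the China regions require it. Anything not explicitly allowed here is denied at the endpoint once this policy replaces the default full-access endpoint policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSsmAgentCallsFromManagedInstances",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws-cn:iam::111122223333:role/ExampleManagedInstanceRole" },
      "Action": [
        "ssm:UpdateInstanceInformation",
        "ssm:ListAssociations",
        "ssm:ListInstanceAssociations",
        "ssm:DescribeAssociation",
        "ssm:GetDocument",
        "ssm:DescribeDocument",
        "ssm:UpdateAssociationStatus",
        "ssm:UpdateInstanceAssociationStatus",
        "ssm:PutInventory",
        "ssm:PutComplianceItems",
        "ssm:GetManifest",
        "ssm:GetDeployablePatchSnapshotForInstance",
        "ssm:GetParameter",
        "ssm:GetParameters"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AuditorsMayOnlyReadRunCommandHistory",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws-cn:iam::111122223333:role/ExampleAuditorRole" },
      "Action": [
        "ssm:ListCommands",
        "ssm:ListCommandInvocations",
        "ssm:GetCommandInvocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OperatorsMayRunCommandsAndOpenSessions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws-cn:iam::111122223333:role/ExampleOperatorRole" },
      "Action": [
        "ssm:SendCommand",
        "ssm:StartSession",
        "ssm:ResumeSession",
        "ssm:TerminateSession",
        "ssm:DescribeSessions",
        "ssm:ListCommands",
        "ssm:ListCommandInvocations",
        "ssm:GetCommandInvocation"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach it to the existing ssm endpoint with `aws ec2 modify-vpc-endpoint --vpc-endpoint-id <endpoint-id> --policy-document file://ssm-endpoint-policy.json`, then verify from inside the VPC: with the auditor role assumed, `aws ssm list-command-invocations` should succeed and `aws ssm send-command` should fail with an access-denied error even if the role's identity policy would otherwise permit it. Two caveats: the agent statement should mirror the actions your instance profile actually grants (the list above follows the AmazonSSMManagedInstanceCore managed policy), and this policy covers only the ssm endpoint; Session Manager and Run Command traffic also traverses the ssmmessages and ec2messages endpoints, which carry their own, separate endpoint policies.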

To create an Amazon VPC endpoint for Systems Manager, see the documentation here.

Amazon Systems Manager is available in the Amazon Web Services China (Beijing) region, operated by Sinnet, and in the Amazon Web Services China (Ningxia) region, operated by NWCD. For information about Amazon Systems Manager, see the product detail page.