diff --git a/infra/terraform/modules/iam/attach.tf b/infra/terraform/modules/iam/attach.tf
index bbecf7f..569cc70 100644
--- a/infra/terraform/modules/iam/attach.tf
+++ b/infra/terraform/modules/iam/attach.tf
@@ -17,3 +17,8 @@ resource "aws_iam_user_policy_attachment" "user_attach_ecr_push" {
 user = "terraform-github-actions"
 policy_arn = aws_iam_policy.ecr_push.arn
 }
+
+resource "aws_iam_user_policy_attachment" "user_attach_ssm_exec_policy" {
+ user = "terraform-github-actions"
+ policy_arn = aws_iam_policy.ssm_exec_policy.arn
+}
diff --git a/infra/terraform/modules/iam/policies.tf b/infra/terraform/modules/iam/policies.tf
index 4c09e99..055babb 100644
--- a/infra/terraform/modules/iam/policies.tf
+++ b/infra/terraform/modules/iam/policies.tf
@@ -25,3 +25,10 @@ resource "aws_iam_policy" "ecr_push" {
 description = "ECR push permissions"
 policy = file("${path.module}/../../policies/ecr-push.json")
 }
+
+resource "aws_iam_policy" "ssm_exec_policy" {
+ name = "ssm-send-command-policy"
+ path = "/"
+ description = "SSM send permissions"
+ policy = file("${path.module}/../../policies/ssm-exec-policy.json")
+}
\ No newline at end of file
diff --git a/infra/terraform/policies/ssm-exec-policy.json b/infra/terraform/policies/ssm-exec-policy.json
new file mode 100644
index 0000000..1e9d540
--- /dev/null
+++ b/infra/terraform/policies/ssm-exec-policy.json
@@ -0,0 +1,27 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowSSMSendCommand",
+ "Effect": "Allow",
+ "Action": [
+ "ssm:SendCommand"
+ ],
+ "Resource": [
+ "arn:aws:ec2:ap-northeast-2:010438505844:instance/*",
+ "arn:aws:ssm:ap-northeast-2::document/AWS-RunShellScript"
+ ]
+ },
+ {
+ "Sid": "AllowSSMDescribe",
+ "Effect": "Allow",
+ "Action": [
+ "ssm:ListCommands",
+ "ssm:ListCommandInvocations",
+ "ssm:GetCommandInvocation",
+ "ssm:ListDocuments"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
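Review bot: The new `user_attach_ssm_exec_policy` attachment grants remote command execution rights to the IAM user `terraform-github-actions`, and an IAM user can only authenticate with long-lived access keys; if those keys live in GitHub Actions secrets (implied by the name, not visible here), a leaked secret now yields shell access on the instances the policy covers. An `aws_iam_role` trusted by GitHub's OIDC provider via `sts:AssumeRoleWithWebIdentity` gives the workflow short-lived credentials instead and makes the principal auditable per repository and branch. The user name is also a hard-coded literal repeated in both attachments in this hunk; pulling it into one place, e.g. `user = var.ci_user_name`, keeps the two from drifting apart.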
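Review bot: `policy = file("${path.module}/../../policies/ssm-exec-policy.json")` loads a document that hard-codes the region and account ID, so this module cannot be applied in another account or region without editing the JSON by hand; `policy = templatefile("${path.module}/../../policies/ssm-exec-policy.json", { account_id = data.aws_caller_identity.current.account_id, region = data.aws_region.current.name })` with placeholders in the JSON would keep the policy portable. The naming is also inconsistent across the hunk: the resource is `ssm_exec_policy`, the IAM name is `ssm-send-command-policy`, the file is `ssm-exec-policy.json`, and the description says "SSM send permissions"; pick one term, and make the description state the scope (`description = "Allow SendCommand with AWS-RunShellScript on tagged instances"`) so the policy's intent is visible in the console. The file also loses its trailing newline (`\ No newline at end of file`).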
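Review bot: The `AllowSSMSendCommand` statement's resource `arn:aws:ec2:ap-northeast-2:010438505844:instance/*` lets the holder run `AWS-RunShellScript` on every SSM-managed instance in the account and region, and the SSM agent typically executes such commands as root, so this is effectively administrative access to the whole fleet rather than to the deployment targets the CI job needs. Restrict the statement to the intended instances, either by listing their instance IDs or, more maintainably, by adding a `Condition` on an instance tag with the `ssm:resourceTag/<tag-key>` key as shown below (tag key and value are placeholders to be replaced with the project's own). The `AllowSSMDescribe` statement on `"Resource": "*"` is acceptable as written, since the list/get actions there are read-only, but it is worth a one-line comment in the Terraform resource noting that the wildcard is deliberate. The JSON file itself should also end with a newline.
```json
"Resource": [
  "arn:aws:ec2:ap-northeast-2:010438505844:instance/*",
  "arn:aws:ssm:ap-northeast-2::document/AWS-RunShellScript"
],
"Condition": {
  "StringEquals": {
    "ssm:resourceTag/<TAG-KEY-PLACEHOLDER>": "<TAG-VALUE-PLACEHOLDER>"
  }
}
```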