I have users who connect to my AWS EC2 instances via SSM. The instances do not have a public IP, nor is there a jump host, and hence there is no way to connect directly.
Each EC2 instance has a Name tag, and I wish for the IAM policy to be restricted by the tag name. Restricting by instance ID will not be feasible for multiple reasons.
The `Name` tag on the EC2 server is `client-name`. The EC2 policy here works fine to limit access to the instances; I can see that via the console. However, the SSM policy doesn't seem to work. I have made hundreds of changes to try and make it work, and I keep getting the error below. Would appreciate any help.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Name": "client-name"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ssm:*",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ssm:*:*:document/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Name": "client-name"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteTags",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}
My user named `testuser_delme2` uses the following command to connect, and the error is as follows:
aws ssm start-session --target i-003000333337777c7 --document-name AWS-StartPortForwardingSession --parameters portNumber="3389",localPortNumber="3389"
Error:
An error occurred (AccessDeniedException) when calling the StartSession operation: User: arn:aws:iam::222666555000:user/testuser_delme2 is not authorized to perform: ssm:StartSession on resource: arn:aws:ssm:ap-southeast-1::document/AWS-StartPortForwardingSession because no identity-based policy allows the ssm:StartSession action
Well, I figured out the issue, and I am posting it here in case it helps others. For some strange reason, ssm start-session does not work the same way as other SSM commands.
This is the correct way:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:*", "ssm:StartSession"],
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:ResourceTag/Name": "client-name"}}
    },
    {
      "Effect": "Deny",
      "Action": ["ec2:DeleteTags", "ec2:CreateTags"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets", "kms:*"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ssm:*",
      "Resource": "arn:aws:ssm:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:SendCommand"],
      "Resource": ["arn:aws:ec2:*:*:instance/*"],
      "Condition": {"StringEquals": {"aws:ResourceTag/Name": "client-name"}}
    }
  ]
}
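The denial in the question comes from the document ARN in the error message: IAM evaluates `ssm:StartSession` against both the target instance and the session document, and the AWS-owned document carries no `Name` tag, so a tag-conditioned Allow can never cover it. The following is an added example of mine, not code from the post: a deliberately simplified model of that evaluation (not AWS's engine) run over the relevant statements of both policies above, plus a tighter variant that I assume from the same rule, where the unconditioned Allow names only the one document rather than every SSM resource.

```python
import fnmatch

# Added example, not from the post: a minimal model of how IAM evaluates the
# StartSession call. Resources are constructed; SSM checks the call against BOTH
# the target instance ARN and the document ARN, and only the instance is tagged.
INSTANCE = {"arn": "arn:aws:ec2:ap-southeast-1:222666555000:instance/i-003000333337777c7",
            "tags": {"Name": "client-name"}}
DOCUMENT = {"arn": "arn:aws:ssm:ap-southeast-1::document/AWS-StartPortForwardingSession",
            "tags": {}}  # AWS-owned document: no tags, so a tag condition can never hold
TAG_COND = {"StringEquals": {"aws:ResourceTag/Name": "client-name"}}

# Only the statements that can match ssm:StartSession, taken from the post.
ORIGINAL = {"Statement": [
    {"Effect": "Allow", "Action": "ssm:*", "Condition": TAG_COND,
     "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ssm:*:*:document/*"]}]}
ANSWER = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "ssm:StartSession"], "Resource": "*",
     "Condition": TAG_COND},
    {"Effect": "Allow", "Action": "ssm:*", "Resource": "arn:aws:ssm:*:*:*"}]}
# Tighter variant (my assumption, not on the page): the unconditioned Allow
# covers only the one document instead of every SSM resource.
TIGHTER = {"Statement": [
    {"Effect": "Allow", "Action": "ssm:StartSession", "Condition": TAG_COND,
     "Resource": "arn:aws:ec2:*:*:instance/*"},
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession"}]}

def _matches(value, patterns):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(cond, tags):
    # Models only the aws:ResourceTag/<key> StringEquals form used on this page.
    return all(tags.get(key.split("/", 1)[1]) == want
               for key, want in cond.get("StringEquals", {}).items())

def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action on one resource."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if (_matches(action, st["Action"]) and _matches(resource["arn"], st["Resource"])
                and _condition_holds(st.get("Condition", {}), resource["tags"])):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit deny overrides any allow
            decision = "Allow"
    return decision

def start_session_allowed(policy):
    """The call succeeds only if every resource it touches gets its own Allow."""
    return all(evaluate(policy, "ssm:StartSession", r) == "Allow"
               for r in (INSTANCE, DOCUMENT))
```

Running `start_session_allowed` on each policy reproduces the post's outcome: the original policy is denied on the document, while the answer's policy and the tighter variant both pass.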