Tags: amazon-web-services, amazon-iam, aws-ssm

no identity-based policy allows the ssm:StartSession action


I followed the guide to create a Custom Policy to allow only AWS-StartPortForwardingSessionToRemoteHost action to a bastion host.

This is the policy I created, and I am getting AccessDeniedException:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ssm:us-east-1:**************:document/AWS-StartPortForwardingSessionToRemoteHost",
                "arn:aws:ec2:us-east-1:**************:instance/*"
            ],
            "Effect": "Allow",
            "Sid": "EnableSSMSession"
        },
        {
            "Action": "ec2:DescribeInstances",
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "DescribeEC2"
        }
    ]
}

However, if I set Resource to * for the ssm:StartSession action, I am able to start a session with StartPortForwardingSessionToRemoteHost. Can you please guide me about what I am missing? I literally followed the simple examples from the guide. Thanks


Solution

  • We shouldn't use account IDs for AWS public documents that begin with AWS-. Here is the working version of the policy statement:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "ssm:StartSession",
                "Resource": [
                    "arn:aws:ssm:us-east-1::document/AWS-StartPortForwardingSessionToRemoteHost",
                    "arn:aws:ec2:us-east-1:**************:instance/*"
                ],
                "Effect": "Allow",
                "Sid": "EnableSSMSession"
            },
            {
                "Action": "ec2:DescribeInstances",
                "Resource": "*",
                "Effect": "Allow",
                "Sid": "DescribeEC2"
            }
        ]
    }
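As an added example (not code from the question or the answer above), the following Python check flags the exact mistake discussed here: an ssm:StartSession statement whose Resource names an AWS-owned SSM document (name beginning with AWS-) with an account ID in the ARN, which can never match because AWS-owned documents carry an empty account field. It also rewrites the flagged ARNs into the form the answer uses. The sample policy is constructed from the failing one in the question with the redacted account ID replaced by the placeholder 111111111111; the function names are assumptions of this example, not an AWS API.

```python
from __future__ import annotations

import copy
import json
import re

# Constructed sample input: the failing policy from the question, with the
# redacted account ID replaced by the placeholder 111111111111.
FAILING_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableSSMSession",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ssm:us-east-1:111111111111:document/AWS-StartPortForwardingSessionToRemoteHost",
        "arn:aws:ec2:us-east-1:111111111111:instance/*"
      ]
    },
    {
      "Sid": "DescribeEC2",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}
""")

# arn:partition:service:region:account:resource (the resource part may contain colons)
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]*):(?P<service>[^:]*):(?P<region>[^:]*)"
    r":(?P<account>[^:]*):(?P<resource>.+)$"
)

# Only exact action names and these wildcards are recognised; patterns such as
# "ssm:Start*" are deliberately not expanded in this example.
SESSION_ACTIONS = {"ssm:startsession", "ssm:*", "*"}


def _as_list(value) -> list:
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def ssm_document_findings(policy: dict) -> list[tuple[str, str]]:
    """Return (Sid, ARN) pairs for ssm:StartSession statements that scope an
    AWS-owned document (name starts with "AWS-") to a specific account ID."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & SESSION_ACTIONS:
            continue
        for arn in _as_list(stmt.get("Resource")):
            m = ARN_RE.match(arn)
            if not m or m.group("service") != "ssm":
                continue
            resource = m.group("resource")
            if not resource.startswith("document/"):
                continue
            doc_name = resource[len("document/"):]
            if doc_name.startswith("AWS-") and m.group("account"):
                findings.append((stmt.get("Sid", "<no Sid>"), arn))
    return findings


def fix_aws_document_arns(policy: dict) -> dict:
    """Return a copy of the policy with the account field blanked in every
    flagged ARN; the input policy itself is left unchanged."""
    fixed = copy.deepcopy(policy)
    bad = {arn for _, arn in ssm_document_findings(fixed)}
    for stmt in _as_list(fixed.get("Statement")):
        original = stmt.get("Resource")
        resources = _as_list(original)
        if not resources:
            continue
        rewritten = []
        for arn in resources:
            if arn in bad:
                m = ARN_RE.match(arn)
                arn = "arn:{}:{}:{}::{}".format(
                    m.group("partition"), m.group("service"),
                    m.group("region"), m.group("resource"))
            rewritten.append(arn)
        # Preserve the original shape: a string stays a string, a list stays a list.
        stmt["Resource"] = rewritten if isinstance(original, list) else rewritten[0]
    return fixed


if __name__ == "__main__":
    for sid, arn in ssm_document_findings(FAILING_POLICY):
        print(f"{sid}: {arn} (account field must be empty for AWS-owned documents)")
    print(json.dumps(fix_aws_document_arns(FAILING_POLICY), indent=2))
```

Running the script on the constructed policy reports the EnableSSMSession statement and prints a corrected policy whose document ARN reads arn:aws:ssm:us-east-1::document/AWS-StartPortForwardingSessionToRemoteHost, while the instance ARN keeps its account ID, since EC2 instances are account-owned resources.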