AWS IAM SSM - Restrict Documents that Instances can run

Is there a way to restrict the IAM policy for an EC2 instance s.t. it can only run a short list of Documents - I tried restricting access to ssm:GetDocument like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetDocument"
            ],
            "Resource": [
                "arn:aws:ssm:ap-southeast-2:*:document/MyCommand"
            ]
        }
    ]
}

But I can still run any command on the instance, including the AWS-RunPowerShellScript document.

This link shows how users can be restricted with respect to ssm:sendCommand: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/delegate-commands.html

Brett Hankinson asked Jun 22 '16 13:06



1 Answer

I have not found a way to restrict SendCommand based on document. If a user does not have access, you get an error like this:

User: arn:aws:iam::123456789012:user/username is not authorized to perform: ssm:SendCommand on resource: arn:aws:ec2:us-east-1:123456789012:instance/i-01234567890abcdef

This indicates that the Resource in SendCommand can be limited based on instance IDs. It would be nice if one of the Conditions was a Document ARN, but so far I haven't found any way to do it (it's not a condition in the policy generator wizard).

Update: I posted this question on the AWS forums, hopefully I'll get a response: https://forums.aws.amazon.com/thread.jspa?threadID=249039

Update 2: I got a response and the solution is that to accomplish this you must use Resource to specify both what instances you allow commands to be run on, and what document the user is allowed to run. For example, this is what I ended up with:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand"
            ],
            "Resource": [
                "arn:aws:ec2:*:123456789012:instance/*",
                "arn:aws:ssm:*:123456789012:document/RestartServices"
            ]
        }
    ]
}
stefansundin answered Sep 27 '22 20:09
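To see why listing both the instance ARN and the document ARN under Resource is what restricts which documents can be sent, here is a small toy evaluator (added illustration, not AWS's real policy engine and not code from the question or answer). It models the one rule the accepted answer depends on: a SendCommand request names every target instance plus the document, and the action must be allowed on each of those resources. The instance ID, region and ARNs below are constructed sample values; only the account ID and document name come from the answer.

```python
"""Toy IAM evaluator for ssm:SendCommand (constructed example).
Models Allow statements with '*'/'?' wildcards only; explicit Deny,
Condition keys and NotResource are deliberately not modelled."""
import fnmatch
import json

# The policy from the accepted answer, verbatim.
RESTART_ONLY_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:SendCommand"],
        "Resource": [
            "arn:aws:ec2:*:123456789012:instance/*",
            "arn:aws:ssm:*:123456789012:document/RestartServices"
        ]
    }]
}""")


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]


def action_allowed_on(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches this action on this resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # fnmatchcase gives IAM-style '*' / '?' matching; the ARNs here
        # contain no '[' so fnmatch's character classes never apply.
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


def send_command_allowed(policy: dict, instance_arns: list, document_arn: str) -> bool:
    """SendCommand touches every instance AND the document; all must be allowed."""
    return all(action_allowed_on(policy, "ssm:SendCommand", arn)
               for arn in [*instance_arns, document_arn])


# Constructed sample ARNs (region and instance ID are made up).
INSTANCE = "arn:aws:ec2:ap-southeast-2:123456789012:instance/i-0abc0123456789def"
OWN_DOC = "arn:aws:ssm:ap-southeast-2:123456789012:document/RestartServices"
# AWS-owned documents carry an empty account field in their ARN, so the
# account-scoped document pattern above can never match them.
AWS_DOC = "arn:aws:ssm:ap-southeast-2::document/AWS-RunPowerShellScript"
```

For the real thing, the IAM policy simulator (`simulate_custom_policy` in boto3, with `ActionNames` and `ResourceArns`) answers the same question against AWS's actual evaluation logic, including Deny and Condition handling this toy omits.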