AWS IAM SSM - Restrict Documents that Instances can run

Question

Is there a way to restrict the IAM policy for an EC2 instance s.t. it can only run a short list of Documents - I tried restricting access to ssm:GetDocument like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "ssm:GetDocument"
        ],
        "Resource": [
            "arn:aws:ssm:ap-southeast-2:*:document/MyCommand"
        ]
    }
 ]}

But I can run any command on the instance still including the AWS-RunPowershellScript document.

This link shows how users can be restricted with respect to ssm:sendCommand: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/delegate-commands.html

Answer 1

I have not found a way to restrict SendCommand based on document. If a user does not have access, you get an error like this:

User: arn:aws:iam::123456789012:user/username is not authorized to perform: ssm:SendCommand on resource: arn:aws:ec2:us-east-1:123456789012:instance/i-01234567890abcdef

This indicates that the Resource in SendCommand can be limited based on instance ids. It would be nice if one of the Conditions was a Document ARN, but so far I haven't found any way to do it (it's not a condition in the policy generator wizard).

Update: I posted this question on the AWS forums, hopefully I'll get a response: https://forums.aws.amazon.com/thread.jspa?threadID=249039

Update 2: I got a response and the solution is that to accomplish this you must use Resource to specify both what instances you allow commands to be run on, and what document the user is allowed to run. For example, this is what I ended up with:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand"
            ],
            "Resource": [
                "arn:aws:ec2:*:123456789012:instance/*",
                "arn:aws:ssm:*:123456789012:document/RestartServices"
            ]
        }
    ]
}