sakshi

Reputation: 105

aws SSM-SessionManagerRunShell permission setup error

I have defined the policy for a role in AWS as:

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ssm:TerminateSession",
            "ssm:StartSession",
            "ssm:ResumeSession"
          ],
          "Resource": [
            "arn:aws:ssm:*:*:session/S(aws:userid)-",
            "arn:aws:ssm:*:*:session/$(aws:username)-*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ssm:StartSession",
            "ssm:TerminateSession",
            "ssm:DescribeSessions",
            "ssm:GetConnectionStatus"
          ],
          "Resource": ["arn:aws:ec2:*:*:instance/*"]
        },
        {
          "Action": [
            "ssm:StartSession",
            "ssm:TerminateSession",
            "ssm:SendCommand"
          ],
          "Effect": "Allow",
          "Resource: [
            "arn:aws:ssm:*:*:document/AWS-RunShellScript",
            "arn:aws:ssm:*:*:document/AWS-StartSSHSession",
            "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost",
            "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"
          ]
        }
      ]
    }

However, I still received a notification from aws:

"In June 2024, we communicated to you about a change to AWS Systems Manager Session Manager where users with an AWS Identity and Access Management (IAM) policy scoped down to allow specific session documents must explicitly grant access to the SSM-SessionManagerRunShell document to start interactive shell sessions."

I already updated my policy back in June; as you can see, I added this permission. But I still got this email at the beginning of October. What did I do wrong here in setting up the policy?

Upvotes: 0

Views: 107

Answers (1)

Fedi Bounouh

Reputation: 1356

If you have included the documents, then everything is fine in that regard, but there is already an issue with your policy, which can be the reason for the policy being invalid and for you receiving that email. As you can see below, you have an additional white space between the colon and the Action name:

    "Action": [
        "ssm: TerminateSession",
        "ssm: StartSession",
        "ssm: ResumeSession"
    ],

This resource is also written in a wrong way:

    "Resource: ["arn:aws:ec2:*:*:instance/*"]

It needs to be: "Resource": "arn:aws:ec2:*:*:instance/*" (you can put it within [], but the "" were wrongly placed).

Full correct permission:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ssm:TerminateSession",
            "ssm:StartSession",
            "ssm:ResumeSession"
          ],
          "Resource": [
            "arn:aws:ssm:*:*:session/${aws:userid}-*",
            "arn:aws:ssm:*:*:session/${aws:username}-*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ssm:StartSession",
            "ssm:TerminateSession",
            "ssm:DescribeSessions",
            "ssm:GetConnectionStatus"
          ],
          "Resource": "arn:aws:ec2:*:*:instance/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ssm:StartSession",
            "ssm:TerminateSession",
            "ssm:SendCommand"
          ],
          "Resource": [
            "arn:aws:ssm:*:*:document/AWS-RunShellScript",
            "arn:aws:ssm:*:*:document/AWS-StartSSHSession",
            "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost",
            "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"
          ]
        }
      ]
    }

Upvotes: 0
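As an added example (not code from the question or the answer), a small Python linter that catches the defects this thread turns on: JSON that fails to parse because of a missing quote, whitespace inside an action name, S(aws:userid)-style policy variables that IAM would treat as literal text instead of ${aws:userid}, and a document-scoped Allow statement that omits SSM-SessionManagerRunShell. The two sample policies are constructed for the demo; the regexes and the check logic are assumptions of this example, not an AWS validator.

```python
import json
import re

# Valid action: "*" or "service:Action" with no whitespace (catches "ssm: StartSession").
ACTION_RE = re.compile(r"^(\*|[a-z0-9-]+:[A-Za-z0-9*]+)$")
# Mistyped policy variables such as S(aws:userid) or $(aws:username); IAM needs ${aws:...}.
BAD_VAR_RE = re.compile(r"[S$]\((aws:[A-Za-z]+)\)")
SHELL_DOC = "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(text):
    """Return human-readable findings for an IAM policy document (empty list = clean)."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as err:
        # A missing quote such as  "Resource: [  never gets past the parser.
        return [f"invalid JSON at line {err.lineno} col {err.colno}: {err.msg}"]
    findings, scopes_documents, allows_shell_doc = [], False, False
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        for action in _as_list(stmt.get("Action", [])):
            if not ACTION_RE.match(action):
                findings.append(f"statement {i}: malformed action {action!r}")
        for arn in _as_list(stmt.get("Resource", [])):
            bad = BAD_VAR_RE.search(arn)
            if bad:
                findings.append(f"statement {i}: {arn!r} should use ${{{bad.group(1)}}}")
            if stmt.get("Effect") == "Allow" and ":document/" in arn:
                scopes_documents = True
                allows_shell_doc = allows_shell_doc or arn == SHELL_DOC
    if scopes_documents and not allows_shell_doc:
        findings.append("session documents are scoped but SSM-SessionManagerRunShell is missing")
    return findings


# Constructed sample 1: the missing quote before the colon that the answer points at.
BROKEN_JSON = '{"Statement": [{"Effect": "Allow", "Action": "ssm:StartSession", "Resource: ["arn:aws:ec2:*:*:instance/*"]}]}'
# Constructed sample 2: parses, but carries the other three defects.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm: TerminateSession", "ssm:StartSession"],
     "Resource": ["arn:aws:ssm:*:*:session/S(aws:userid)-*"]},
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": ["arn:aws:ssm:*:*:document/AWS-StartSSHSession"]}]})

if __name__ == "__main__":
    for sample in (BROKEN_JSON, SCOPED_POLICY):
        print("\n".join(lint_policy(sample)) or "clean")
```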
