no identity-based policy allows the ssm:StartSession action

0

Hi there, I followed the guide to create a Custom Policy to allow only AWS-StartPortForwardingSessionToRemoteHost action to a bastion host.

This is the policy I created, and I am getting AccessDeniedException:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ssm:us-east-1:**************:document/AWS-StartPortForwardingSessionToRemoteHost",
                "arn:aws:ec2:us-east-1:**************:instance/*"
            ],
            "Effect": "Allow",
            "Sid": "EnableSSMSession"
        },
        {
            "Action": "ec2:DescribeInstances",
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "DescribeEC2"
        }
    ]
}

However, if I set Resource to * for ssm:StartSession action I am able to start a session with StartPortForwardingSessionToRemoteHost. Can you please guide me about what I am missing? I literally followed the simple examples from the guide. Thanks

1 Answer
1
Accepted Answer

Hello.

As stated in the document below, in the case of an AWS managed document, the AWS account part in the ARN must not be specified.
Therefore, I set it to "*".
https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_id-based-policy-examples.html

All examples use the US West (Oregon) Region (us-west-2) and contain fictitious account IDs. The account ID shouldn't be specified in the Amazon Resource Name (ARN) for AWS public documents (documents that begin with AWS-*).

Please change the policy as below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ssm:us-east-1:*:document/AWS-StartPortForwardingSessionToRemoteHost",
                "arn:aws:ec2:us-east-1:**************:instance/*"
            ],
            "Effect": "Allow",
            "Sid": "EnableSSMSession"
        },
        {
            "Action": "ec2:DescribeInstances",
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "DescribeEC2"
        }
    ]
}
EXPERT
answered 4 months ago
EXPERT
reviewed 4 months ago
  • You, my friend, saved my day. Thank you, I literally spent hours on this.
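The rule in the accepted answer (the account field of an AWS-* document ARN must be "*", not an account ID) is easy to get wrong and easy to check mechanically. The following script is an added example, not code from the question, the answer, or AWS: it parses a policy document, flags Allow statements for ssm:StartSession whose AWS-* document ARN carries an account ID, also flags the "Resource": "*" workaround from the question as over-broad, and rewrites the document ARNs the way the answer suggests. The account ID 123456789012 is a constructed placeholder for the masked one on the page, and the lint is a heuristic over the JSON, not an IAM policy evaluation.

```python
import copy
import json
import re

# Constructed sample input: the questioner's policy with a fictitious account ID
# (123456789012) standing in for the masked one in the post.
QUESTION_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ssm:us-east-1:123456789012:document/AWS-StartPortForwardingSessionToRemoteHost",
                "arn:aws:ec2:us-east-1:123456789012:instance/*"
            ],
            "Effect": "Allow",
            "Sid": "EnableSSMSession"
        },
        {
            "Action": "ec2:DescribeInstances",
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "DescribeEC2"
        }
    ]
}
""")

ARN_FIELDS = ("partition", "service", "region", "account", "resource")


def parse_arn(arn):
    """Split an ARN into its five colon-separated fields; the resource part keeps any later colons."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    return dict(zip(ARN_FIELDS, parts[1:]))


def action_matches(pattern, action):
    """IAM-style action matching: case-insensitive, with '*' and '?' wildcards."""
    regex = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action.lower()) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_public_ssm_document(arn):
    """True for AWS-owned SSM documents (document/AWS-...), which are not account-scoped."""
    fields = parse_arn(arn)
    return bool(fields) and fields["service"] == "ssm" and fields["resource"].startswith("document/AWS-")


def lint_start_session(policy):
    """Return (sid, resource, problem) tuples for Allow statements that cover ssm:StartSession."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(action_matches(a, "ssm:StartSession") for a in _as_list(stmt.get("Action", []))):
            continue
        for arn in _as_list(stmt.get("Resource", [])):
            if arn == "*":
                # The workaround from the question: works, but allows any document on any instance.
                findings.append((stmt.get("Sid"), arn, "wildcard-resource: any document on any instance"))
            elif is_public_ssm_document(arn) and parse_arn(arn)["account"] not in ("", "*"):
                # The actual cause of the AccessDeniedException on the page.
                findings.append((stmt.get("Sid"), arn,
                                 "account-id-in-public-document-arn: use '*' for the account field"))
    return findings


def fix_public_document_arns(policy):
    """Return a copy of the policy with the account field of every AWS-* document ARN set to '*'."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed.get("Statement", []):
        if "Resource" not in stmt:
            continue
        rewritten = []
        for arn in _as_list(stmt["Resource"]):
            if is_public_ssm_document(arn):
                fields = parse_arn(arn)
                fields["account"] = "*"
                arn = "arn:" + ":".join(fields[f] for f in ARN_FIELDS)
            rewritten.append(arn)
        stmt["Resource"] = rewritten if isinstance(stmt["Resource"], list) else rewritten[0]
    return fixed


if __name__ == "__main__":
    for finding in lint_start_session(QUESTION_POLICY):
        print("finding:", finding)
    print(json.dumps(fix_public_document_arns(QUESTION_POLICY), indent=4))
```

Run it against any policy JSON you export from IAM; the instance ARN keeps its account ID (instances are account-scoped), only the AWS-* document ARN is rewritten, which is exactly the difference between the two policies on this page.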
