AWS session manager, force requirement of SSH key

0

Hi,

I was able to configure AWS Session Manager to use SSH keys over a Session Manager tunnel as described here -> https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html.

But now I need to force users to provide SSH keys, because even though I can use SSH keys to authenticate to the EC2 instance, I am still able to do it without providing SSH keys, just by using the aws ssm start-session command.

I suppose I can add some kind of policy for that, something like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::accountid:user/test-user"
            },
            "Action": [
                "ssm:TerminateSession",
                "ssm:ResumeSession"
            ],
            "Condition": {
                "StringEquals": {
                    "ssm:StartSession/RequireSSH": "True"
                }
            }
        }
    ]
}

(parameters made up by me)

But I'm not sure what should go in place of "ssm:StartSession/RequireSSH": "True".

Any help will be appreciated

Joann

2 Answers
1

The condition you want is ssm:SessionDocumentAccessCheck. See: Controlling user permissions for SSH connections through Session Manager. Something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ec2:region:account-id:instance/*",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
            ]
        },
        {
            "Effect": "Deny",
            "Action": "ssm:StartSession",
            "NotResource": "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
        }
    ]
}
AWS EXPERT
kentrad
answered 2 years ago
0
Accepted Answer

It appeared that the solution that @Kentrad provided didn't fully work for me as I wanted, but what did work for me is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ec2:eu-north-1:<accountid>:instance/*",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true"
                }
            }
        }
    ]
}

I found this solution mainly here: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-sessiondocumentaccesscheck.html

answered 2 years ago
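To see why the accepted policy lets an SSH session through but blocks a plain aws ssm start-session, here is an added example (not from the original thread and not AWS's own evaluator): a simplified model in which, once ssm:SessionDocumentAccessCheck is in force, the StartSession request must be allowed on both the instance ARN and the session document ARN. The account id is a constructed placeholder; the region and the policy are taken from the accepted answer.

```python
"""Simplified model of how the accepted policy gates ssm:StartSession.
Added example, not AWS code: with the SessionDocumentAccessCheck condition
in force, the caller must be allowed on the instance AND on the session
document. An SSH session uses AWS-StartSSHSession; a plain
`aws ssm start-session` uses the account's SSM-SessionManagerRunShell."""
import fnmatch

# Constructed placeholder account id; region as in the accepted answer.
ACCOUNT, REGION = "111122223333", "eu-north-1"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ssm:StartSession",
        "Resource": [f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
                     "arn:aws:ssm:*:*:document/AWS-StartSSHSession"],
        "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def resource_allowed(policy, action, arn):
    """True if an Allow statement matches action+ARN and no Deny does.
    IAM resource patterns use * and ? wildcards, which fnmatch models."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny always wins
        allowed = True
    return allowed

def start_session_allowed(policy, instance_id, document_name):
    """Both the instance and the session document must be allowed."""
    instance_arn = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{instance_id}"
    # AWS-owned documents have an empty account field in their ARN.
    owner = "" if document_name.startswith("AWS-") else ACCOUNT
    document_arn = f"arn:aws:ssm:{REGION}:{owner}:document/{document_name}"
    return all(resource_allowed(policy, "ssm:StartSession", arn)
               for arn in (instance_arn, document_arn))

if __name__ == "__main__":
    print(start_session_allowed(POLICY, "i-0123456789abcdef0", "AWS-StartSSHSession"))
    print(start_session_allowed(POLICY, "i-0123456789abcdef0", "SSM-SessionManagerRunShell"))
```

The model only covers Resource matching and the Allow/Deny rule; the condition key itself is what makes Session Manager include the document in the authorization decision.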
