Full access policy, except ssm

0

Hello, I want to create a policy which will give full permissions to every resource except ssm, because for ssm I want to add a condition. I can think of 2 variants of how to do it:

  1. Create a policy which will look like
            "iam:Add*",
            "iam:Create*",
            "iam:Deactivate*",
            "iam:Delete*",
            "iam:Detach*",
            "iam:Enable*",
            "iam:PassRole",
            "iam:Put*",
            "iam:Remove*",
            "iam:Resync*",
            "iam:Set*",
            "iam:Simulate*",
            "iam:Update*",
            "iam:Put*"
             ...

but for every resource there is. Then I need help with finding all of those resource names.

  2. While giving full permissions using
{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

Deny access to ssm ONLY if the SSH document is not used, so I suppose it should look something like

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Deny",
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "BoolIfExists": {
                    "arn:aws:ssm:*:*:document/AWS-StartSSHSession": "false"
                }
            }
        }
    ]
}

But this doesn't seem to be working. Any help is appreciated.

1 Answer
1
Accepted Answer

Unfortunately, Systems Manager does not seem to allow a Document to be specified for the Condition Key.

https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-policy-keys

How about the following IAM policy?
SessionDocumentAccessCheck can be used to enforce the use of AWS-StartSSHSession.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction": [
                "ssm:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true"
                }
            }
        }
    ]
}
hayao-k
answered 2 years ago
  • Works as I wanted, thank you very much.
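
To see what the accepted answer's policy actually grants, here is an added example that is not part of the question, the answer, or any AWS tooling: a small Python evaluator that models the subset of IAM semantics the policy relies on (Allow with NotAction, wildcard matching of Action and Resource, per-resource evaluation of a request that names several resources, and the BoolIfExists operator). It is a simplified model, not the IAM engine. The region, account ID and instance ID are constructed, and the document names are the ones the answer uses plus the default Session Manager document. The example goes a little beyond the thread by also evaluating a StartSession request with a different session document and an iam:PutUserPolicy request, which this policy still allows because NotAction only carves out ssm.

```python
import fnmatch

# Policy from the accepted answer, embedded so the example runs offline.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "NotAction": ["ssm:*"], "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession",
            ],
            "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}},
        },
    ],
}

# Constructed request resources (region, account and instance ID are made up).
INSTANCE = "arn:aws:ec2:eu-west-1:111122223333:instance/i-0abc12345def67890"
SSH_DOC = "arn:aws:ssm:eu-west-1::document/AWS-StartSSHSession"          # AWS-owned document
SHELL_DOC = "arn:aws:ssm:eu-west-1:111122223333:document/SSM-SessionManagerRunShell"
PARAMETER = "arn:aws:ssm:eu-west-1:111122223333:parameter/db-password"
DOC_CHECK = {"ssm:SessionDocumentAccessCheck": "true"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _element_matches(stmt, positive, negative, value, case_sensitive):
    """Match Action/NotAction or Resource/NotResource against one value.

    IAM action names are case-insensitive; ARNs are case-sensitive.
    A Not* element matches when none of its patterns match the value.
    """
    if positive in stmt:
        patterns, negate = _as_list(stmt[positive]), False
    else:
        patterns, negate = _as_list(stmt[negative]), True
    if not case_sensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    hit = any(fnmatch.fnmatchcase(value, p) for p in patterns)
    return not hit if negate else hit


def _condition_matches(stmt, context):
    """Evaluate Bool / BoolIfExists conditions against the request context."""
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "BoolIfExists" and actual is None:
                continue  # ...IfExists: an absent key satisfies the condition
            if operator in ("Bool", "BoolIfExists"):
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled here")
    return True


def evaluate(policy, action, resources, context=None):
    """Return 'ALLOW' or 'DENY' for one request.

    Every resource named in the request must be allowed by some statement,
    and an explicit Deny on any of them wins; otherwise the result is an
    implicit deny. This mirrors how IAM treats a StartSession call, which
    names both the instance and the session document.
    """
    context = context or {}
    for resource in resources:
        allowed = False
        for stmt in policy["Statement"]:
            if not (_element_matches(stmt, "Action", "NotAction", action, False)
                    and _element_matches(stmt, "Resource", "NotResource", resource, True)
                    and _condition_matches(stmt, context)):
                continue
            if stmt["Effect"] == "Deny":
                return "DENY"
            allowed = True
        if not allowed:
            return "DENY"
    return "ALLOW"


if __name__ == "__main__":
    cases = [
        ("StartSession with AWS-StartSSHSession", "ssm:StartSession", [INSTANCE, SSH_DOC], DOC_CHECK),
        ("StartSession with default shell document", "ssm:StartSession", [INSTANCE, SHELL_DOC], DOC_CHECK),
        ("StartSession, document check disabled", "ssm:StartSession", [INSTANCE, SSH_DOC],
         {"ssm:SessionDocumentAccessCheck": "false"}),
        ("Read an SSM parameter", "ssm:GetParameter", [PARAMETER], {}),
        ("Describe EC2 instances", "ec2:DescribeInstances", ["*"], {}),
        ("Attach an inline IAM policy", "iam:PutUserPolicy", ["arn:aws:iam::111122223333:user/alice"], {}),
    ]
    for label, action, resources, ctx in cases:
        print(f"{label:45s} {evaluate(POLICY, action, resources, ctx)}")
```

The last case is the practical caveat: because the first statement is an Allow on every non-ssm action, an identity holding this policy can still grant itself ssm permissions through iam:*, so the ssm restriction only holds if IAM write access is also constrained (for example with a permissions boundary or an explicit Deny). For an authoritative answer on the real policy, run the same requests through the IAM policy simulator (aws iam simulate-custom-policy) rather than trusting this model.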
