2 answers
1
The condition you want is ssm:SessionDocumentAccessCheck. See: Controlling user permissions for SSH connections through Session Manager. Something like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ec2:region:account-id:instance/*",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
            ]
        },
        {
            "Effect": "Deny",
            "Action": "ssm:StartSession",
            "NotResource": "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
        }
    ]
}
0
It appeared that the solution that @Kentrad provided didn't work fully for me as I wanted, but what did work for me is:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ec2:eu-north-1:<accountid>:instance/*",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true"
                }
            }
        }
    ]
}
I found this solution mainly here: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-sessiondocumentaccesscheck.html
answered 2 years ago
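A simplified IAM evaluator, added here as an illustration (it is not part of either answer and not AWS code), that runs a StartSession request carrying both an instance ARN and a document ARN through the two policies posted above. It assumes the standard IAM rules that every resource named in the request is evaluated separately, that an explicit Deny on any of them rejects the whole request, and that NotResource matches every ARN not listed; the account id, instance id and the "Example-OtherDocument" name are constructed placeholders.

```python
import fnmatch

# Constructed request: StartSession carries both an instance ARN and a document ARN.
# Account id, instance id and the "other" document name are placeholders, not thread values.
INSTANCE = "arn:aws:ec2:eu-north-1:111122223333:instance/i-0abc123"
SSH_DOC = "arn:aws:ssm:eu-north-1:111122223333:document/AWS-StartSSHSession"
OTHER_DOC = "arn:aws:ssm:eu-north-1:111122223333:document/Example-OtherDocument"
ALLOWED = ["arn:aws:ec2:eu-north-1:111122223333:instance/*",
           "arn:aws:ssm:*:*:document/AWS-StartSSHSession"]

# The two policies from the answers above, transcribed as Python dicts.
FIRST_ANSWER = {"Statement": [
    {"Effect": "Allow", "Action": "ssm:StartSession", "Resource": ALLOWED},
    {"Effect": "Deny", "Action": "ssm:StartSession",
     "NotResource": "arn:aws:ssm:*:*:document/AWS-StartSSHSession"}]}
SECOND_ANSWER = {"Statement": [
    {"Effect": "Allow", "Action": "ssm:StartSession", "Resource": ALLOWED,
     "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}}]}

def _matches(patterns, value):
    # IAM-style wildcard match ('*' and '?'); a bare string is a one-element list
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(cond, context):
    # Only BoolIfExists is modelled: passes when the key is absent or equals the expected value
    for key, expected in cond.get("BoolIfExists", {}).items():
        if key in context and context[key].lower() != expected.lower():
            return False
    return True

def _applies(stmt, action, arn, context):
    if not _matches(stmt["Action"], action):
        return False
    if "Resource" in stmt:
        hit = _matches(stmt["Resource"], arn)
    else:  # NotResource matches every ARN *not* listed, so it also matches the instance ARN
        hit = not _matches(stmt["NotResource"], arn)
    return hit and _condition_holds(stmt.get("Condition", {}), context)

def evaluate(policy, resources, context, action="ssm:StartSession"):
    """Every resource in the request needs an Allow and no Deny. Returns (decision, reason)."""
    for arn in resources:
        effects = {s["Effect"] for s in policy["Statement"] if _applies(s, action, arn, context)}
        if "Deny" in effects:
            return "Deny", "explicit deny matched " + arn
        if "Allow" not in effects:
            return "Deny", "no statement allows " + arn
    return "Allow", "every resource in the request is allowed"
```

Under these rules the first policy rejects the request because the instance ARN is caught by the NotResource Deny, while the second allows it and still rejects a request that names any other document.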
Thank you very much Kentrad!