IAM Resource ARN for SSM


I created an IAM policy to allow starting an SSM session to an EC2 instance. Initially, I specified arn:aws:ssm::<my-account-id> /AWS-StartPortForwardingSession, but it didn't work. I suspect this is because AWS-StartPortForwardingSession is an AWS-managed document. So, I modified it to arn:aws:ssm:::/AWS-StartPortForwardingSession.

I'm curious about the difference between arn:aws:ssm::* /AWS-StartPortForwardingSession and arn:aws:ssm:::document/AWS-StartPortForwardingSession.

Why is the account ID sometimes omitted and other times replaced with an asterisk (*)?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws:ec2:::instance/",
        "arn:aws:ssm:::document/SSM-SessionManagerRunShell",
        "arn:aws:ssm:*::document/AWS-StartPortForwardingSession"
      ],
      "Condition": {
        "BoolIfExists": {
          "ssm:SessionDocumentAccessCheck": "true"
        }
      }
    }
  ]
}

1 Answer
Accepted Answer

Hello.

For SSM documents managed by AWS, do not include the account ID.
In other words, "AWS-StartPortForwardingSession" is a document managed by AWS, so there is no need to enter the account ID.
I think the reason for the asterisk is to allow you to use SSM documents from all regions.
https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies

Documents and automation definition resources that are owned by Amazon, as well as public parameters that are provided by both Amazon and third-party sources, do not include account IDs in their ARN formats. For example:

  • The SSM document AWS-RunPatchBaseline:
    • arn:aws:ssm:us-east-2::document/AWS-RunPatchBaseline
  • The automation runbook AWS-ConfigureMaintenanceWindows:
    • arn:aws:ssm:us-east-2::automation-definition/AWS-ConfigureMaintenanceWindows
  • The public parameter /aws/service/bottlerocket/aws-ecs-1-nvidia/x86_64/1.13.4/image_version:
    • arn:aws:ssm:us-east-2::parameter/aws/service/bottlerocket/aws-ecs-1-nvidia/x86_64/1.13.4/image_version
EXPERT
answered 8 months ago
AWS EXPERT
reviewed 8 months ago
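To make the rule in the accepted answer concrete, here is an added example (written for this page, not code from the thread or from AWS) that parses ARNs into their colon-separated fields, does a simplified IAM-style Resource match where wildcards are applied field by field (an assumption; real IAM evaluation is more involved), and lints a policy for an SSM document ARN that carries an account ID on an AWS-managed document. The sample policy and the account number 111122223333 are constructed for the example.

```python
"""Added example (not from the re:Post thread): parse SSM document ARNs and lint an
IAM policy for the mistake discussed above, i.e. putting an account ID into the ARN
of an AWS-managed document. ARN field layout follows the AWS format
arn:partition:service:region:account-id:resource; the sample policy and account
number 111122223333 are constructed for this example."""
from __future__ import annotations

import fnmatch
import json
from dataclasses import astuple, dataclass


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its five fields after the leading 'arn'.

    The resource field may itself contain colons, so split at most five times.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


def arn_matches(pattern: str, arn: str) -> bool:
    """Simplified IAM Resource matching (assumption: '*' and '?' wildcards applied
    field by field, never spanning a colon). An empty field in the pattern matches
    only an empty field in the ARN, which is why the account-less ARN of an
    AWS-managed document is the one that works."""
    pat, val = parse_arn(pattern), parse_arn(arn)
    return all(fnmatch.fnmatchcase(v, p) for p, v in zip(astuple(pat), astuple(val)))


def lint_ssm_document_arn(arn: str) -> list[str]:
    """Findings for one SSM document ARN (empty list means no issue found)."""
    a = parse_arn(arn)
    if a.service != "ssm" or not a.resource.startswith("document/"):
        return []
    name = a.resource[len("document/"):]
    findings: list[str] = []
    if name.startswith("AWS-"):
        # AWS-managed documents carry no owner account:
        # arn:aws:ssm:REGION::document/AWS-...  ('*' is tolerated, it matches empty)
        if a.account not in ("", "*"):
            findings.append(
                f"{arn}: AWS-managed document, account-id field must be empty "
                f"(use arn:aws:ssm:{a.region}::document/{name})"
            )
    elif a.account == "":
        # Customer-owned documents are scoped to the owning account.
        findings.append(f"{arn}: customer-owned document, account-id field is empty")
    return findings


def lint_policy(policy_json: str) -> list[str]:
    """Run the SSM document ARN check over every Resource in an IAM policy document."""
    policy = json.loads(policy_json)
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    findings: list[str] = []
    for stmt in statements:
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if res != "*":
                findings.extend(lint_ssm_document_arn(res))
    return findings


# Constructed sample: the shape of the asker's first attempt (account ID present on
# an AWS-managed document) next to the corrected ARN from the accepted policy.
EXAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:StartSession"],
        "Resource": [
            "arn:aws:ec2:*:111122223333:instance/*",
            "arn:aws:ssm:*:111122223333:document/AWS-StartPortForwardingSession",
            "arn:aws:ssm:*::document/AWS-StartPortForwardingSession",
        ],
    }],
})


if __name__ == "__main__":
    for line in lint_policy(EXAMPLE_POLICY):
        print(line)
    managed = "arn:aws:ssm:us-east-2::document/AWS-StartPortForwardingSession"
    print(arn_matches("arn:aws:ssm:*::document/AWS-StartPortForwardingSession", managed))
```

Running the module flags only the ARN with the account ID, and the match check shows that the region wildcard covers a concrete region while the empty account field does not cover an account-scoped ARN.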
