By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post

Error User cannot Terminate their own SSM Session when trying to use SCP.

0

We use AWS SSO to provide permissions for Session Manager access to systems. When trying to use Session Manager in conjunction with SCP one of our users is getting the following error:

$ scp -r -i ~/.ssh/example-key-singapore system1/startsystem.sh legerity@i-06a0c25qb665a08eb.ap-southeast-1:

An error occurred (AccessDeniedException) when calling the TerminateSession operation: User: arn:aws:sts::001292317441:a
ssumed-role/AWSReservedSSO_Example_739d002d2774bna6/john.doe@companyname.com is not authorized t
o perform: ssm:TerminateSession on resource: arn:aws:ssm:ap-southeast-1:001292317441:session/john.doe@companyname.com-08fce585f53bab614 because no identity-based policy allows the ssm:TerminateSession action
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
lost connection

The session that it says can't be terminated is actually one that is already terminated so I can't figure out how it is erroring or why. I cannot replicate this error when giving myself the same permissions. This same user can access the same system via SSM (SSH equivalent) fine. The permissions assigned to this user are:
{
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": [
"arn:aws:ec2::001292317441:instance/**",
"arn:aws:ec2::053586226857:instance/*",
"arn:aws:ssm:::document/AWS-StartSSHSession"
]
},
{
"Effect": "Allow",
"Action": [
"ssm:TerminateSession",
"ssm:ResumeSession"
],
"Resource": [
"arn:aws:ssm:*:*:session/${aws:username}-"
]
}

This same command using the same permissions works fine for me. The command should work according the config in .ssh which is:
host i-. mi-.
ProxyCommand bash -c "aws ssm start-session --target $(echo %h|cut -d'.' -f1) --region $(echo %h|/usr/bin/cut -d'.' -f2) --document-name AWS-StartSSHSession --parameters 'portNumber=%p'" --profile $(echo %h|cut -d '.' -f3)

Does anyone have any idea what might be happening?

Edited by: jonzen on Oct 29, 2021 3:38 AM

Edited by: jonzen on Oct 29, 2021 3:39 AM

Topics
Management & Governance
Tags
AWS Systems Manager
Language
English
jonzen
asked a year ago2257 views
3 Answers
0

I have seen aws start-session (which is what scp is using under the hood) throw an AccessDeniedException with the reason "no identity-based policy allows the ssm:TerminateSession action" when the Session Manager Plugin has not been installed in the AWS CLI. I'm not sure that's your problem because you said the other user can already login with SSM, but I thought this might help others searching for this error message.

Here's how to install it: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html

Edit: Noted that this probably doesn't solve the OP's problem.

GrahamFromArchium
answered a year ago
0

Hi jonzen@,

With SSO, the credentials are federated as introduced here https://aws.amazon.com/identity/federation/. {aws:username} method does not work for federated identities; instead, {aws:userid} should be used. Please see the details here, under Example 3: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-examples.html

Please let you customer try again after updating the policies.

Cheers,
Yuting

AWS
AWS-User-8408345
answered a year ago
0

For me, it wasn't a security issue. I didn't have the session-manager plugin yet. Once I followed the steps outlined here, the authentication error went away. Leaving the IAM policy with {aws:username} worked for me.

clouddrew
answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content