no identity-based policy allows the ssm:StartSession action

0

Hi there, I followed the guide to create a Custom Policy to allow only AWS-StartPortForwardingSessionToRemoteHost action to a bastion host.

This is the Policy I created and getting AccessDeniedExcepton

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ssm:us-east-1:**************:document/AWS-StartPortForwardingSessionToRemoteHost",
                "arn:aws:ec2:us-east-1:**************:instance/*"
            ],
            "Effect": "Allow",
            "Sid": "EnableSSMSession"
        },
        {
            "Action": "ec2:DescribeInstances",
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "DescribeEC2"
        }
    ]
}

However, if I set Resource to * for ssm:StartSession action I am able to start a session with StartPortForwardingSessionToRemoteHost. Can you please guide me about what I am missing? I literally followed the simple examples from the guide. Thanks

1 Answer
1
Accepted Answer

Hello.

As stated in the document below, in the case of an AWS managed document, the AWS account part in the ARN must not be specified.
Therefore, I set it to "*".
https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_id-based-policy-examples.html

All examples use the US West (Oregon) Region (us-west-2) and contain fictitious account IDs. The account ID shouldn't be specified in the Amazon Resource Name (ARN) for AWS public documents (documents that begin with AWS-*).

Please change the policy as below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ssm:us-east-1:*:document/AWS-StartPortForwardingSessionToRemoteHost",
                "arn:aws:ec2:us-east-1:**************:instance/*"
            ],
            "Effect": "Allow",
            "Sid": "EnableSSMSession"
        },
        {
            "Action": "ec2:DescribeInstances",
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "DescribeEC2"
        }
    ]
}
profile picture
EXPERT
answered 2 months ago
profile picture
EXPERT
reviewed 2 months ago
  • you my friend saved my day. Thank you, I literally spent hours on this.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions