AWS session manager, force requirement of SSH key


Hi,

I was able to configure AWS session manager to use SSH keys over session manager tunnel as it is described here -> https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html.

But now I need to force the user to provide SSH keys, because even though I can use SSH keys to authenticate to the EC2 instance, I'm still able to do it without providing SSH keys, just by using the aws ssm start-session command.

I suppose I can add some kind of policy for that, something like:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::accountid:user/test-user"
            },
            "Action": [
                "ssm:TerminateSession",
                "ssm:ResumeSession"
            ],
            "Condition": {
                "StringEquals": {
                    "ssm:StartSession/RequireSSH": "True"
                }
            }
        }
    ]
}

(The condition key and value are made up by me.)

But I'm not sure what should be in the place of "ssm:StartSession/RequireSSH": "True".

Any help will be appreciated

Joann

2 Answers

The condition you want is ssm:SessionDocumentAccessCheck. See: Controlling user permissions for SSH connections through Session Manager. Something like this:

{
    "Version": "2012-10-17",
    "Statement": [
      {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ec2:region:account-id:instance/*",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
            ]
        },
        {
            "Effect": "Deny",
            "Action": "ssm:StartSession",
            "NotResource": "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
        }
    ]
}
kentrad (AWS, EXPERT)
answered 2 years ago
Accepted Answer

It appeared that the solution @Kentrad provided didn't fully work for me as I wanted, but what did work for me is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ec2:eu-north-1:<accountid>:instance/*",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true"
                }
            }
        }
    ]
}

I found this solution mainly here: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-sessiondocumentaccesscheck.html

answered 2 years ago
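To make the difference between the two answers' approach and the original "instance-only" policy concrete, here is a small added illustration (not code from the thread, and not the AWS authorization engine). It is a toy evaluator for just the IAM policy subset used above (Allow/Deny, Action, Resource/NotResource with wildcards, and the BoolIfExists operator). The key modelling assumption, which follows the linked documentation, is that ssm:StartSession is always authorized against the instance ARN, and is additionally authorized against the session document ARN only when the session document access check is enabled. A plain `aws ssm start-session` uses the default SSM-SessionManagerRunShell document, while `--document-name AWS-StartSSHSession` is what the SSH tunnel uses. All account ids, region and instance ids below are constructed placeholders.

```python
"""Toy evaluator for the IAM policy subset used in this thread.

Constructed illustration only: Allow/Deny, Action, Resource/NotResource with
wildcards, and the BoolIfExists condition operator. Not AWS's engine.
"""
from fnmatch import fnmatchcase

# Constructed placeholder identifiers (not from the thread).
ACCOUNT = "111122223333"
REGION = "eu-north-1"
INSTANCE_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0abc123def456789a"
# AWS-owned documents carry an empty account field in their ARN.
SSH_DOC_ARN = f"arn:aws:ssm:{REGION}::document/AWS-StartSSHSession"
# Default document used by a plain `aws ssm start-session` (account-owned).
SHELL_DOC_ARN = f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/SSM-SessionManagerRunShell"

# The situation the question describes: instance access only, no document check.
BEFORE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:StartSession",
         "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*"},
    ],
}

# The accepted answer's policy, with the <accountid> placeholder filled in.
ACCEPTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [
                f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession",
            ],
            "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, arn):
    # IAM resource patterns use '*' as a wildcard; fnmatchcase is enough for ARNs.
    return any(fnmatchcase(arn, p) for p in _as_list(patterns))


def _condition_ok(cond, context):
    """Only BoolIfExists is supported: a missing key counts as a match."""
    for key, expected in cond.get("BoolIfExists", {}).items():
        if key in context and context[key].lower() != expected.lower():
            return False
    return True


def _statement_applies(stmt, action, arn, context):
    if action not in _as_list(stmt.get("Action", [])):
        return False
    if "Resource" in stmt and not _matches(stmt["Resource"], arn):
        return False
    if "NotResource" in stmt and _matches(stmt["NotResource"], arn):
        return False
    return _condition_ok(stmt.get("Condition", {}), context)


def resource_allowed(policy, action, arn, context):
    """IAM default-deny: an explicit Deny wins, otherwise one matching Allow suffices."""
    effects = [s["Effect"] for s in policy["Statement"]
               if _statement_applies(s, action, arn, context)]
    return "Deny" not in effects and "Allow" in effects


def start_session_allowed(policy, document_arn, document_check):
    """Authorize ssm:StartSession against the instance and, only when the
    session document access check is on, also against the document ARN."""
    context = {"ssm:SessionDocumentAccessCheck": "true"} if document_check else {}
    resources = [INSTANCE_ARN] + ([document_arn] if document_check else [])
    return all(resource_allowed(policy, "ssm:StartSession", r, context)
               for r in resources)


if __name__ == "__main__":
    for name, policy, check in (("before", BEFORE_POLICY, False),
                                ("accepted answer", ACCEPTED_POLICY, True)):
        for doc_name, doc in (("plain shell session", SHELL_DOC_ARN),
                              ("SSH session", SSH_DOC_ARN)):
            verdict = "ALLOW" if start_session_allowed(policy, doc, check) else "DENY"
            print(f"{name:16} {doc_name:20} {verdict}")
```

In this model the "before" policy allows both session kinds because only the instance ARN is ever authorized, which is exactly the behaviour the question complains about. With the accepted answer's policy the default shell document is an extra resource that nothing allows, so a plain session is denied while the AWS-StartSSHSession document (and therefore the SSH tunnel) is still permitted.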
