Mange users permission at Instance, using SSM

Hi,

I am new to use SSM alternative of SSH connection.

So, I am trying to create a permissions for users to be used when using SSM.

For example: I don't need all users to act as an (ec2-user), I need user to check the specific file only, or had a user without ability to reboot the services at instances.

Topics

Compute Security, Identity, & Compliance Management & Governance

Tags

Linux Provisioning AWS Identity and Access Management Amazon EC2 AWS Systems Manager IAM Policies

Language

English

rePost-User-2140084

asked a year ago407 views

1 Answer

Newest
Most votes
Most comments

If I understand your question correctly you need some local users on your ec2-instance and you need some solution that e.g. IAM users or federated users which can access the instance with their own local user.

Here is the documentation how to enable this with linux instances: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-run-as.html

There is also a blog post which describe some solution to provide access for AD users: https://aws.amazon.com/blogs/mt/configuring-aws-systems-manager-session-manager-support-federated-users-using-session-tags/

sazecis

answered a year ago

rePost-User-2140084
a year ago
Thank you for sharing the details. But, I am trying to:

Enable SSO with my Azure AD (already I did this).

Grant users access to act at my EC2 using their Azure AD credentials.

I need to assign permissions/roles to them and let them use only SSM, the alternative of using an SSH connection. I need this with different permissions, I don't need all to use the ec2-user account.
sazecis
a year ago
First of all ec2-user is not used at all by the SSM. By default it has it's own user, i.e. ssm-user. The blog describes the following solution: Corporate user browses to the ADFS portal sign-in page and provides Active Directory authentication credentials. The IdP authenticates the user and returns a SAML assertion that includes the PrincipalTag:SSMSessionRunAs=username. Client posts the assertion to the AWS SAML endpoint. The endpoint validates the assertion with an AWS STS endpoint and requests temporary security credentials on behalf of the user. Temporary credentials are returned using AWS STS AssumeRoleWithSAML. The session will be tagged with PrincipalTag:SSMSessionRunAs The endpoint sends the sign-in URL back to the client as a redirect. The client browser is redirected to AWS Management Console. The client accesses the AWS Systems Manager console and starts the Session Manager session for a Linux instance. Session Manager starts the session using the user name specified for the SSMSessionRunAs tag for the federated session. Session starts in the given AD user context and a browser-based shell opens in a new tab.

Relevant content

ssh proxy to connect to EC2 instance using SSM
Joann Babak
asked 3 days ago
How can Hybrid SSM Activation be used to provide IAM credentials to all users
jacobmgn_aws
asked 3 months ago
Error User cannot Terminate their own SSM Session when trying to use SCP.
jonzen
asked 2 years ago
Create User to Use S3 API with Restricted Permissions
Accepted Answer
PokyWizard
asked 2 years ago
How do I use SSM Agent logs to troubleshoot issues with SSM Agent in my managed instance?
AWS OFFICIALUpdated a year ago
Why am I getting a "Server refused our key" error when I try to connect to my EC2 instance using SSH?
AWS OFFICIALUpdated a year ago
Why am I receiving errors when I use the browser-based SSH console to access my Lightsail instance?
AWS OFFICIALUpdated 2 months ago
How do I add new user accounts with SSH access to my EC2 instance using cloud-init and user data?
AWS OFFICIALUpdated 2 years ago
Configuring AWS Systems Manager for use with VMware Cloud on AWS
EXPERT
Jonas Werner
published 9 months ago
Why am I seeing charges for 'Public IPv4 addresses' when I am under the AWS free tier?
EXPERT
dnyanesh-db
published 2 months ago