Based in the control access using SSM Police, Why this police don't work?

Hello community,

We are encountering an issue with a policy that has been working across all accounts within our AWS organization thus far. However, we are experiencing difficulties with new accounts, despite these new accounts having identical System Manager configurations. Below is the base policy that we have been using:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowStartConnections", "Effect": "Allow", "Action": "ssm:StartSession", "Resource": "arn:aws:ec2::[Account ID]:instance/", "Condition": { "StringEquals": { "aws:ResourceTag/[Tag Key]": "[Value]" }, "Bool": { "aws:MultiFactorAuthPresent": "true" } } }, { "Sid": "AllowResumeConnectionTerminateConnection", "Effect": "Allow", "Action": [ "ssm:ResumeSession", "ssm:TerminateSession" ], "Resource": "arn:aws:ssm:::session/${aws:userid}-", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } }, { "Sid": "AllowSeveralActionsOfSSM", "Effect": "Allow", "Action": [ "ssmmessages:CreateDataChannel", "ssmmessages:OpenDataChannel", "ssmmessages:OpenControlChannel", "ssmmessages:CreateControlChannel" ], "Resource": "", "Condition": { "Null": { "aws:ResourceTag/[Tag Key]": "[Value]" }, "Bool": { "aws:MultiFactorAuthPresent": "true" } } } ] }

Now, we modify the policy to this version, but this new version requires constant updates.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowStartConnections", "Effect": "Allow", "Action": "ssm:StartSession", "Resource": [ "arn:aws:ec2:[AWS region]:[Account ID]:instance/[Id Instance]", "arn:aws:ssm:[AWS region]:[Account ID]:document/SSM-SessionManagerRunShell" ], "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } }, { "Sid": "AllowResumeConnectionTerminateConnection", "Effect": "Allow", "Action": [ "ssm:ResumeSession", "ssm:TerminateSession" ], "Resource": "arn:aws:ssm:::session/${aws:userid}-", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } }, { "Sid": "AllowSeveralActionsOfSSM", "Effect": "Allow", "Action": [ "ssmmessages:CreateDataChannel", "ssmmessages:OpenDataChannel", "ssmmessages:OpenControlChannel", "ssmmessages:CreateControlChannel" ], "Resource": "", "Condition": { "Null": { "aws:ResourceTag/soporte": "true" }, "Bool": { "aws:MultiFactorAuthPresent": "true" } } } ] }

We have attempted to modify this policy to align with Example 3: "Restrict access based on tags" from the Additional sample IAM policies for Session Manager article, as follows:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowStartConnections", "Effect": "Allow", "Action": "ssm:StartSession", "Resource": "", "Condition": { "StringEquals": { "ssm:resourceTag/[Tag Key]": "[Value]" }, "Bool": { "aws:MultiFactorAuthPresent": "true" } } }, { "Sid": "AllowResumeConnectionTerminateConnection", "Effect": "Allow", "Action": [ "ssm:ResumeSession", "ssm:TerminateSession" ], "Resource": "arn:aws:ssm:::session/${aws:userid}-", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } }, { "Sid": "AllowSeveralActionsOfSSM", "Effect": "Allow", "Action": [ "ssmmessages:CreateDataChannel", "ssmmessages:OpenDataChannel", "ssmmessages:OpenControlChannel", "ssmmessages:CreateControlChannel" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/[Tag Key]": "[Value]" }, "Bool": { "aws:MultiFactorAuthPresent": "true" } } } ] }

But we still get the message "The user [User Account] can't start a session at the resource arn:aws:ssm:[AWS region]:[Account ID]:document/SSM-SessionManagerRunShell because none one police allow to performance the action"

We are seeking suggestions as we aim to avoid modifying the policy unnecessarily, preferring instead to potentially resolve the issue by simply adding a tag to the instance.

Thank you for your assistance.