
Just In Time Node Access - Not Prompting for Approval

0

We are trying to implement Just-in-Time (JIT) EC2 node access controls in AWS using Systems Manager as per the article here https://aws.amazon.com/blogs/mt/introducing-just-in-time-node-access-using-aws-systems-manager and deny-access policies via Cedar to restrict access to EC2 instances based on environment tags. e.g:

  forbid (
      principal,
      action == AWS::SSM::Action::"getTokenForInstanceAccess",
      resource
  )
  when { resource.hasTag("Environment") && resource.getTag("Environment") == "Production" };

We've followed AWS's guidance by setting up a delegated administrator account, created permission sets with limited access and applied Cedar deny policies targeting GetTokenForInstanceAccess (as per the above policy).

However, access to EC2 instances via Fleet Manager RDP or Session Manager is still granted without triggering any approval flow, even when deny policies are configured without conditions. We attempted to restrict RDP by removing ssm:StartSession and ssm-guiconnect:StartConnection from the permission set, but this simply blocks access entirely instead of prompting for JIT approval. We also verified that service endpoints are correctly configured and not the cause. It seems that the JIT approval flow is not applying correctly and we’d like clarification on:

  1. Whether JIT access is actually supported for Fleet Manager RDP and...
  2. What we can do to resolve this, beyond what we have already tried.

Any help that can be provided on this would be appreciated. Regards, Elliot

2 Answers
0

Just-in-time node access in AWS Systems Manager is designed to help remove long-standing permissions to nodes while maintaining operational efficiency. Based on your description, there are a few key points to address:

  1. Yes, just-in-time node access does support Fleet Manager RDP sessions. In fact, Systems Manager provides session recording for RDP sessions to Windows Server nodes to help meet compliance requirements and perform root cause analysis.

  2. For your issue with the approval flow not triggering, there are several potential causes:

First, ensure that approval policies are properly set up. For just-in-time node access to work, an approval policy must apply to the node. If there are no approval policies that apply to a node, users cannot request access to it.

Second, check the evaluation order of your policies. Deny-access policies take precedence over auto-approval policies. The evaluation order is: deny-access, auto-approval, and then manual approval policies.

Third, verify that you've set up the unified Systems Manager console, which is required for just-in-time node access.

Fourth, ensure your IAM policies are correctly configured. For moving from Session Manager to just-in-time node access, IAM policies need modification, including adding required permissions and removing the "StartSession" API operation for Session Manager.

If you've removed ssm:StartSession and ssm-guiconnect:StartConnection permissions and it's blocking access entirely instead of prompting for approval, you may need to ensure that users have the necessary permissions to request access through the just-in-time node access feature, while not having direct access to start sessions.

Also, check if you have any auto-approval policies that might be overriding your deny-access policies for the specific nodes or users in question. Remember that deny-access policies apply to all accounts in an AWS Organizations organization, while auto-approval and manual approval policies apply only to the AWS accounts and AWS Regions where they're created.
Sources
Just-in-time node access using Systems Manager - AWS Systems Manager
Create approval policies for your nodes - AWS Systems Manager
Just-in-time node access frequently asked questions - AWS Systems Manager
AWS Systems Manager launches just-in-time node access - AWS
Create a deny-access policy for just-in-time node access - AWS Systems Manager

answered a year ago
0

Hi Elliot,

You're absolutely right to expect an approval prompt if you've set up Just-in-Time (JIT) access correctly. Based on what you’ve described, here are a few things that might be causing the issue:

Approval Policy Placement – JIT access requires at least one approval policy to apply to the node. If there’s no approval policy matching the instance (even if deny policies are in place), users might either get straight access or get blocked — not prompted.

Policy Evaluation Order – Cedar policies follow a strict order:

  1. Deny policies (like the one you’ve written)
  2. Auto-approval
  3. Then manual approval

If a deny policy matches first (especially one without conditions), no prompt will show — access is outright blocked.

Fleet Manager Nuance – While Session Manager fully supports JIT, RDP via Fleet Manager has its own flow. If users are trying to RDP and your policies remove both ssm:StartSession and ssm-guiconnect:StartConnection, access will fail entirely — JIT can't override that unless users retain at least enough permission to request the session.

IAM Permission Mismatch – Double-check that the user has permissions to request access under JIT — not just session permissions. There’s a distinct difference in required IAM actions for initiating JIT requests vs. direct connect permissions.

You’re close! Try temporarily removing the unconditional deny and see if JIT prompts start working. Then layer it back with tags for precision.

Hope this helps — feel free to report back with your findings!

answered a year ago
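Both answers turn on the same point: the deny-access tier is evaluated before auto-approval and manual approval, so an unconditional deny blocks outright and a node with no approval policy cannot be requested at all. The following is an added example, not AWS's implementation or any code from the thread: a small model of that evaluation order run over constructed nodes and constructed policy sets (the question's Production deny, a hypothetical Development auto-approval, and a catch-all manual policy) so the outcomes can be compared side by side.

```python
# Added example (not AWS code): a model of the just-in-time node access
# evaluation order both answers describe, deny-access -> auto-approval ->
# manual approval, run over constructed nodes to compare the outcomes.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Tags = Dict[str, str]
Condition = Callable[[Tags], bool]   # stands in for a Cedar `when { ... }`

def tag_equals(key: str, value: str) -> Condition:
    """Mirror of `resource.hasTag(key) && resource.getTag(key) == value`."""
    return lambda tags: key in tags and tags[key] == value

ALWAYS: Condition = lambda tags: True   # a policy with no `when` clause

@dataclass
class Policies:
    deny: List[Condition] = field(default_factory=list)
    auto_approve: List[Condition] = field(default_factory=list)
    manual: List[Condition] = field(default_factory=list)

def evaluate(policies: Policies, tags: Tags) -> str:
    """Outcome for one node: the first tier with a matching policy wins."""
    if any(c(tags) for c in policies.deny):
        return "denied"            # blocked outright, no prompt
    if any(c(tags) for c in policies.auto_approve):
        return "auto-approved"     # session starts with no reviewer
    if any(c(tags) for c in policies.manual):
        return "pending-approval"  # the approval prompt the question expects
    return "no-policy"             # no approval policy applies: cannot request

def outcomes(policies: Policies, nodes: Dict[str, Tags]) -> Dict[str, str]:
    return {name: evaluate(policies, tags) for name, tags in nodes.items()}

# Constructed policy sets. TAG_SCOPED is the intended end state: the question's
# Production deny, auto-approval for Development, manual approval otherwise.
TAG_SCOPED = Policies(deny=[tag_equals("Environment", "Production")],
                      auto_approve=[tag_equals("Environment", "Development")],
                      manual=[ALWAYS])
UNCONDITIONAL_DENY = Policies(deny=[ALWAYS], manual=[ALWAYS])  # deny without a condition
DENY_ONLY = Policies(deny=[tag_equals("Environment", "Production")])  # no approval tier

# Constructed sample nodes (tags only, no real instance ids).
NODES: Dict[str, Tags] = {"prod-web": {"Environment": "Production"},
                          "dev-web": {"Environment": "Development"},
                          "staging-db": {"Environment": "Staging"},
                          "untagged": {}}
```

Running `outcomes()` against the three policy sets shows why the symptom in the question differs: the tag-scoped set denies only `prod-web` and prompts for the rest, the unconditional deny denies every node, and the deny-only set leaves non-production nodes with no policy to request against.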
