
Full access policy, except ssm


Hello, I want to create a policy which will give full permissions to every resource except SSM, because for SSM I want to add a condition. I can think of 2 variants of how to do it -

  1. Create a policy which will look like
            "iam:Add*",
            "iam:Create*",
            "iam:Deactivate*",
            "iam:Delete*",
            "iam:Detach*",
            "iam:Enable*",
            "iam:PassRole",
            "iam:Put*",
            "iam:Remove*",
            "iam:Resync*",
            "iam:Set*",
            "iam:Simulate*",
            "iam:Update*",
            "iam:Put*"
             ...

but for every resource there is. Then I need help with finding all of those resource names.

  2. While giving full permissions using
{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

deny access to SSM ONLY if the SSH document is not used, so I suppose it should look something like

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Deny",
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "BoolIfExists": {
                    "arn:aws:ssm:*:*:document/AWS-StartSSHSession": "false"
                }
            }
        }
    ]
}

But this doesn't seem to be working. Any help is appreciated.

1 Answer
Accepted Answer

Unfortunately, Systems Manager does not seem to allow a Document to be specified for the Condition Key.

https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html#awssystemsmanager-policy-keys

How about the following IAM policy?
SessionDocumentAccessCheck can be used to enforce the use of AWS-StartSSHSession.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction": [
                "ssm:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true"
                }
            }
        }
    ]    
}
answered 5 days ago
  • Works as I wanted, thank you very much.
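To see why the NotAction statement plus the conditional StartSession statement gives "everything except SSM, and SSM only through the SSH document", the following is an added example (not part of the question, the answer, or any AWS code) that models IAM's evaluation order offline: an explicit Deny wins, then an explicit Allow, otherwise implicit Deny. It only implements Action/NotAction with wildcards, Resource lists, and the Bool/BoolIfExists operators, and it requires every resource in a request to be allowed, which is how a multi-resource call like ssm:StartSession is checked. The account id, region, instance id, parameter name and the second document name are constructed placeholders.

```python
"""
Simplified, offline model of IAM policy evaluation (explicit Deny wins,
then explicit Allow, otherwise implicit Deny), used to reason about the
NotAction + conditional Allow policy from the accepted answer.

Teaching model only, not the real IAM engine: it handles Action /
NotAction, '*' / '?' wildcards, Resource lists and the Bool /
BoolIfExists condition operators.  Policy and requests are built inline.
"""
from fnmatch import fnmatchcase
import json

# The policy from the accepted answer, copied verbatim.
POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction": ["ssm:*"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
            ],
            "Condition": {
                "BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}
            }
        }
    ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _action_matches(stmt, action):
    if "Action" in stmt:
        return _match_any(stmt["Action"], action)
    # NotAction: the statement applies to every action NOT listed.
    return not _match_any(stmt["NotAction"], action)


def _condition_matches(stmt, context):
    # Only Bool / BoolIfExists are modelled; anything else fails loudly.
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue  # ...IfExists: an absent key satisfies the test
                return False
            if str(context[key]).lower() != expected.lower():
                return False
    return True


def evaluate(policy, action, resources, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    Every resource the request touches must be allowed by some statement.
    """
    context = context or {}
    allowed = {r: False for r in resources}
    for stmt in policy["Statement"]:
        if not _action_matches(stmt, action) or not _condition_matches(stmt, context):
            continue
        for res in resources:
            if _match_any(stmt["Resource"], res):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                allowed[res] = True
    return "Allow" if all(allowed.values()) else "ImplicitDeny"


# Constructed sample requests (ids, region and the shell document are placeholders).
INSTANCE = "arn:aws:ec2:eu-west-1:111122223333:instance/i-0123456789abcdef0"
SSH_DOC = "arn:aws:ssm:eu-west-1::document/AWS-StartSSHSession"
SHELL_DOC = "arn:aws:ssm:eu-west-1::document/Example-RunShell"
CHECK = {"ssm:SessionDocumentAccessCheck": "true"}


def ssh_session():          # StartSession with the SSH document
    return evaluate(POLICY, "ssm:StartSession", [INSTANCE, SSH_DOC], CHECK)


def shell_session():        # StartSession with any other document
    return evaluate(POLICY, "ssm:StartSession", [INSTANCE, SHELL_DOC], CHECK)


def other_ssm_call():       # any SSM action other than StartSession
    return evaluate(POLICY, "ssm:GetParameter",
                    ["arn:aws:ssm:eu-west-1:111122223333:parameter/example"])


def non_ssm_call():         # everything outside SSM is covered by NotAction
    return evaluate(POLICY, "ec2:DescribeInstances", ["*"])


if __name__ == "__main__":
    for name, fn in [("ssh session", ssh_session), ("other document", shell_session),
                     ("ssm:GetParameter", other_ssm_call), ("ec2:DescribeInstances", non_ssm_call)]:
        print(f"{name:22} -> {fn()}")
```

Running it shows the SSH-document session allowed, the session with a different document and the unrelated SSM call implicitly denied, and the EC2 call allowed. Because the operator is BoolIfExists, a StartSession request whose context lacks the SessionDocumentAccessCheck key still passes the condition; the document ARN in the Resource list is what restricts the session to AWS-StartSSHSession.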
