AWS session manager, force requirement of SSH key

0

Hi,

I was able to configure AWS Session Manager to use SSH keys over a Session Manager tunnel as described here -> https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html.

But now I need to force users to provide SSH keys, because even though I can use SSH keys to authenticate to the EC2 instance, I am still able to do it without providing SSH keys, just by using the aws ssm start-session command.

I suppose I can add some kind of policy for that, something like:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::accountid:user/test-user"
            },
            "Action": [
                "ssm:TerminateSession",
                "ssm:ResumeSession"
            ],
            "Condition": {
                "StringEquals": {
                    "ssm:StartSession/RequireSSH": "True"
                }
            }
        }
    ]
}

(parameters made up by me)

But I'm not sure what should be in the place of "ssm:StartSession/RequireSSH": "True".

Any help will be appreciated.

Joann

2 answers
1

The condition you want is ssm:SessionDocumentAccessCheck. See: Controlling user permissions for SSH connections through Session Manager. Something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ec2:region:account-id:instance/*",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
            ]
        },
        {
            "Effect": "Deny",
            "Action": "ssm:StartSession",
            "NotResource": "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
        }
    ]
}
AWS Expert
kentrad
answered 2 years ago
0
Accepted answer

It appeared that the solution @Kentrad provided didn't fully work for me as I wanted, but what did work for me is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ec2:eu-north-1:<accountid>:instance/*",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true"
                }
            }
        }
    ]
}

I found this solution mainly here: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-sessiondocumentaccesscheck.html

answered 2 years ago
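Added example, not code from this thread or from AWS: a simplified model of IAM policy evaluation (an explicit Deny on any requested resource wins, every requested resource needs a matching Allow, and a ...IfExists condition passes when the key is absent) run over the two policies posted above. The account id, instance id and request context are constructed; a real StartSession call is evaluated against both the instance ARN and the session document ARN, which is what the model reproduces.

```python
import fnmatch

# Constructed sample ARNs (account id and instance id are made up for this example).
INSTANCE = "arn:aws:ec2:eu-north-1:111122223333:instance/i-0123456789abcdef0"
SSH_DOC = "arn:aws:ssm:eu-north-1::document/AWS-StartSSHSession"          # requested via --document-name
SHELL_DOC = "arn:aws:ssm:eu-north-1::document/SSM-SessionManagerRunShell"  # default when no document is given

# Accepted answer's policy, with the constructed account id filled in for <accountid>.
POLICY_ACCEPTED = {"Statement": [{"Effect": "Allow", "Action": "ssm:StartSession",
    "Resource": ["arn:aws:ec2:eu-north-1:111122223333:instance/*", "arn:aws:ssm:*:*:document/AWS-StartSSHSession"],
    "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}}]}
# First answer's policy: the same Allow plus a Deny on everything that is not the SSH document.
POLICY_FIRST = {"Statement": [{"Effect": "Allow", "Action": "ssm:StartSession",
    "Resource": ["arn:aws:ec2:eu-north-1:111122223333:instance/*", "arn:aws:ssm:*:*:document/AWS-StartSSHSession"]},
    {"Effect": "Deny", "Action": "ssm:StartSession", "NotResource": "arn:aws:ssm:*:*:document/AWS-StartSSHSession"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def statement_matches(stmt, action, resource, context):
    """Simplified IAM matching: Action, then Resource/NotResource, then Bool-style Condition keys."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if "Resource" in stmt:
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return False
    elif any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["NotResource"])):
        return False  # NotResource matches every resource *except* the listed ones
    for op, pairs in stmt.get("Condition", {}).items():
        for key, want in pairs.items():
            if key not in context:
                if op.endswith("IfExists"):
                    continue  # ...IfExists: a missing key does not fail the condition
                return False
            if str(context[key]).lower() != str(want).lower():  # Bool / BoolIfExists comparison
                return False
    return True

def evaluate(policy, action, resources, context=None):
    """Explicit Deny on any requested resource wins; otherwise every resource needs an Allow."""
    context = context or {}
    denied = unallowed = False
    for resource in resources:
        effects = {s["Effect"] for s in policy["Statement"] if statement_matches(s, action, resource, context)}
        denied |= "Deny" in effects
        unallowed |= "Allow" not in effects
    return "ExplicitDeny" if denied else ("ImplicitDeny" if unallowed else "Allow")

if __name__ == "__main__":
    ctx = {"ssm:SessionDocumentAccessCheck": "true"}
    for name, policy in (("accepted", POLICY_ACCEPTED), ("first answer", POLICY_FIRST)):
        for doc in (SSH_DOC, SHELL_DOC):
            print(f"{name:13}{doc.rsplit('/', 1)[1]:29}{evaluate(policy, 'ssm:StartSession', [INSTANCE, doc], ctx)}")
```

Under this model the accepted policy allows a session only when the AWS-StartSSHSession document is requested and implicitly denies the default shell document, while the first answer's Deny with NotResource also matches the instance ARN itself.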
