Why does restricting `ssm:sendCommand` to a specific document via an IAM policy show access denied?

I'm trying to have an IAM user who can only use SSM Run Command with a specific Document.

If I have the following policy attached to the user, that user can indeed only successfully execute AWS-RunShellScript (which is an AWS managed) document on EC2 instances.

{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["ssm:DescribeDocument","ssm:DescribeDocumentParameters","ssm:DescribeDocumentPermission","ssm:GetCommandInvocation","ssm:GetDocument","ssm:ListCommandInvocations","ssm:ListCommands","ssm:ListDocumentMetadataHistory","ssm:ListDocuments","ssm:ListDocumentVersions"],"Resource": "*"},{"Effect": "Allow","Action": "ssm:SendCommand","Resource": "arn:aws:ssm:us-west-2:999999999999:document/AWS-RunShellScript"}]}

However, if I replace the resource item in the policy with a custom document ARN that I created (e.g. arn:aws:ssm:us-west-2:999999999999:document/CustomDocument), I get "Access Denied"

enter image description here

2

Best Answer

It's not really clear in the documentation but to limit ssm:SendCommand, you must use the Resource field to specify both what document(s) the IAM user is allowed to run and what instance(s) you allow commands to be run on.

The user would see all instances when trying to run a command but will only be able to execute commands for the EC2 instance IDs specified in the IAM policy.

You can specify the policy to allow any instance like below if needs be or specify a limited list of instance IDs in line with the standard security advice of granting least privilege in IAM policies.

As to why the AWS managed document works, it's probably some internal magic 🤷‍♂️

This should work:

{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"ssm:SendCommand","Resource":["arn:aws:ec2:us-west-2:999999999999:instance/*","arn:aws:ssm:us-west-2:999999999999:document/AWS-RunShellScript"]}]}

Slightly similar unexpected behaviour (not really clear in the documentation either): if you define 2 blocks for the same action, they are considered by AWS as just one, eg:

{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"ssm:SendCommand","Resource":["arn:aws:ec2:us-west-2:999999999999:instance/i-1","arn:aws:ssm:us-west-2:999999999999:document/AWS-RunShellScript"]},{"Effect":"Allow","Action":"ssm:SendCommand","Resource":["arn:aws:ec2:us-west-2:999999999999:instance/i-2","arn:aws:ssm:us-west-2:999999999999:document/AWS-SecondDoc"]}]}

will allow you to connect to i-1 with both "AWS-RunShellScript" and "AWS-SecondDoc" (and same for i-2).

Random Posts

VIM Select Entire LineAlternate for Normalizer Transformation?How to get the entire web page source using Selenium WebDriver in python [duplicate]Why am I suddenly getting a "Blocked loading mixed active content" issue in Firefox?Wagtail internationalization - add pages with other languagestruggling with python code in pearson revel chapter 2Package.resolved file is corrupted or malformedKotlin Convert Double? to DoubleJava - Rotating arrayGet first row value of a given columnTransformers always only use a single Linear layer for classification head?Creating and appending text to txt file in VB.NETHow to read JsonResult object in c#How can I set the default playback speed in mpv?How to perform common post-initialization tasks in inherited classes?warning: Public keyring not found; have you run 'pacman-key --init'?Is null check needed before calling instanceof?Left align and right align within div in BootstrapNMAP running on Zenmap 7.93 NSOCK ERROR ssl_init_helper OpenSSL legacy provider failed to loadFile type associated icons package for flutter?