
I need to restrict some users' AWS SSM access to SSH only. These users should only be able to start an SSH session via SSM like this:

ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p"

It should not be possible to start an SSM session directly (ssm-user):

aws ssm start-session --target i-*

Is this possible?

Michael

1 Answer


Looks like I've found a solution here: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html

In general I created a user group and added this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
        }
    ]
}

Now a user in this group can start an SSH session but not an SSM session directly.

Michael
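As an added example (not part of Michael's answer), here is a small offline approximation of IAM's Allow/Deny evaluation, used to check which session documents the policy above lets a user pass to ssm:StartSession. It embeds the answer's policy verbatim; the region and account number are constructed placeholders, and the evaluator deliberately ignores Condition, NotAction and NotResource, which this policy does not use.

```python
import fnmatch
import json

# The policy from the answer above, embedded verbatim.
SSH_ONLY_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
        }
    ]
}
""")


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource_arn):
    """Simplified IAM evaluation: an explicit Deny wins, then any matching
    Allow grants access, otherwise the request is implicitly denied.
    Assumption: no Condition, NotAction or NotResource elements."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", []), resource_arn):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def session_document_allowed(policy, document_name,
                             region="eu-west-1", account="123456789012"):
    """Can ssm:StartSession be called with this session document?
    Region and account are constructed placeholders."""
    arn = f"arn:aws:ssm:{region}:{account}:document/{document_name}"
    return is_allowed(policy, "ssm:StartSession", arn)
```

For the real thing, `aws iam simulate-custom-policy` evaluates a policy document against an action and resource ARNs with AWS's own engine.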