
My goal is an AWS inline policy that limits Automation document execution per IAM identity, but from what I understand of the current limitations, I can see that I can only use the `*` wildcard and can't specify a specific document.

Is there any way to limit a specific IAM identity to only having access to specific Automation documents?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "test",
            "Effect": "Allow",
            "Action": [
                "ssm:StartAutomationExecution"
            ],
            "Resource": "*"
        }
    ]
}
John Rotenstein

2 Answers


You can limit IAM permissions by specifying the ARN of the document in the resource field. The ARN for AWS Systems Manager is constructed as follows:

arn:aws:ssm:region:account-id:document/document-name

You can specify the full ARN of the document or place an asterisk in the ARN to limit the permission to a subset of the documents, like in the documentation:

arn:aws:ssm:us-west-2:111222333444:document:West*
Henrik Pingel
  • Unfortunately, my testing seems to indicate that it is not possible to provide an ARN of an Automation Document when specifying the `ssm:StartAutomationExecution` action. It seems to only work with `Resource: *`. Did you manage to get a policy working with a specific ARN? – John Rotenstein May 27 '19 at 23:35
  • Can you please provide the error message you are getting? As stated, I took the example from the official documentation. Can you check if `arn:aws:ssm:us-west-2:111222333444:document/West*` (note the `/` instead of `:`) works? I'm not 100% sure if that could be it, but it is worth a try. – Henrik Pingel May 28 '19 at 17:15
  • I could not get it to work. IAM says "This policy does not grant any permissions". The error message says `not authorized to perform: ssm:StartAutomationExecution on resource: arn:aws:ssm:ap-southeast-2:123456789012:automation-definition/foo:$DEFAULT`. If you get it working, please let us know the policy that you used. – John Rotenstein May 28 '19 at 22:31
  • The documentation is very unclear and the above suggestions are not working, but they may work for other documents, I am not sure. – Daniel Johns Jun 30 '19 at 11:40

@JohnRotenstein, @HenrikPingel, I have found a way to achieve what I wanted with:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:*"
            ],
            "Resource": [
                "arn:aws:ssm:eu-west-2:{accountnumberplaceholder}:automation-definition/{documentnameplaceholder}:$DEFAULT",
                "arn:aws:ssm:eu-west-2:{accountnumberplaceholder}:automation-definition/{documentnameplaceholder}:$DEFAULT",
                "arn:aws:ssm:eu-west-2:{accountnumberplaceholder}:automation-definition/{documentnameplaceholder}:$DEFAULT",
                "arn:aws:ssm:eu-west-2:{accountnumberplaceholder}:*",
                "arn:aws:ec2:eu-west-2:{accountnumberplaceholder}:instance/*",
                "arn:aws:ssm:eu-west-2::document/AWS-RunPowerShellScript"
            ]
        }
    ]
}
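As an added example (editor's code, not posted by anyone in this thread), here is an offline check of why a `document/...` ARN in the resource field, as in the first answer, never grants `ssm:StartAutomationExecution`, while an `automation-definition/...` ARN does. It re-implements IAM's `*`/`?` wildcard matching and explicit-deny-wins evaluation for `Action` and `Resource` only (no `Condition`, `NotAction`, `NotResource` or policy variables) and feeds it the action and resource ARN from the "not authorized" error quoted in the comments. The region `ap-southeast-2`, account `123456789012` and document name `foo` are taken from that message; the document `bar` is made up. The third policy isolates the `ssm:*` on `arn:aws:ssm:<region>:<account>:*` pair from the second answer: that pair alone already allows every SSM action on every SSM resource in that account and region, so the per-document `automation-definition` entries listed beside it do not narrow anything.

```python
import re

# Constructed request, shaped like the "not authorized" error quoted in the
# comments above: region, account ID and document name come from that message.
ACCOUNT = "123456789012"
REGION = "ap-southeast-2"
START = "ssm:StartAutomationExecution"
FOO_DEFAULT = f"arn:aws:ssm:{REGION}:{ACCOUNT}:automation-definition/foo:$DEFAULT"
BAR_DEFAULT = f"arn:aws:ssm:{REGION}:{ACCOUNT}:automation-definition/bar:$DEFAULT"  # made up
DOC_FOO = f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/foo"

# 1. The first answer's approach: a document/ ARN. Right idea (scope by ARN),
#    but StartAutomationExecution is evaluated against an automation-definition
#    resource, so this pattern never matches the request.
DOCUMENT_ARN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [START],
        "Resource": [DOC_FOO],
    }],
}

# 2. Least-privilege version: one action, one Automation document, any version.
#    "$DEFAULT" in the request ARN is the default document version; a trailing
#    "*" here also covers a request that pins a specific version of "foo".
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "StartOnlyFoo",
        "Effect": "Allow",
        "Action": [START],
        "Resource": [f"arn:aws:ssm:{REGION}:{ACCOUNT}:automation-definition/foo:*"],
    }],
}

# 3. The breadth of "ssm:*" on "arn:aws:ssm:<region>:<account>:*" from the
#    second answer, on its own.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:*"],
        "Resource": [f"arn:aws:ssm:{REGION}:{ACCOUNT}:*"],
    }],
}


def _matches(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request.

    Simplified IAM logic: a statement applies when an Action pattern
    (case-insensitive) and a Resource pattern (case-sensitive) both match;
    any matching Deny wins over every Allow; no match is an implicit deny.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_matches(p, action, True) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(p, resource) for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for name, policy in [("document ARN", DOCUMENT_ARN_POLICY),
                         ("scoped", SCOPED_POLICY),
                         ("broad", BROAD_POLICY)]:
        print(f"{name:12} start foo: {evaluate(policy, START, FOO_DEFAULT):12} "
              f"start bar: {evaluate(policy, START, BAR_DEFAULT):12} "
              f"delete doc: {evaluate(policy, 'ssm:DeleteDocument', DOC_FOO)}")
```

Running it reproduces the thread: the `document/` pattern leaves `StartAutomationExecution` on `automation-definition/foo:$DEFAULT` implicitly denied, the scoped policy allows that one document and nothing else (not `bar`, not `ssm:DeleteDocument`), and the broad grant allows both `bar` and `DeleteDocument`. The same evaluator is handy for checking any candidate SSM policy against the exact resource ARN an AccessDenied message reports before pushing it to IAM.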