
I am trying to set up and assign a policy so that a user can trigger AWS Systems Manager (SSM) Run Commands only on the EC2 instances that are authorized or assigned to them.

To do this, I am following the instructions from https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sysman-configuring-access-iam-create.html and, as per them, I created the custom policy below, provisioning access to only 1 EC2 instance:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:ListDocuments",
                "ssm:DescribeDocument*",
                "ssm:GetDocument",
                "ssm:DescribeInstance*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ssm:SendCommand",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
                "arn:aws:s3:::test-ssm-logs/TESTSERV",
                "arn:aws:ssm:us-east-1:123456789012:document/AWS-RunPowerShellScript"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Name": "TESTSERV"
                }
            }
        },
        {
            "Action": [
                "ssm:CancelCommand",
                "ssm:ListCommands",
                "ssm:ListCommandInvocations"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ec2:DescribeInstanceStatus",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

After I assigned the above policy to a test user, logged in as that user and navigated to "Run Command", under Target Instances I see other EC2 instances as well, and I am even able to execute commands on them. Shouldn't the user only see the 1 instance that is specified in the above policy?

I do not understand what I am doing wrong here and how to fix it. I appreciate your help.

Thanks!


I have the IAM policy below assigned to all my EC2 instances:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeAssociation",
                "ssm:GetDeployablePatchSnapshotForInstance",
                "ssm:GetDocument",
                "ssm:GetParameters",
                "ssm:ListAssociations",
                "ssm:ListInstanceAssociations",
                "ssm:PutInventory",
                "ssm:UpdateAssociationStatus",
                "ssm:UpdateInstanceAssociationStatus",
                "ssm:UpdateInstanceInformation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2messages:AcknowledgeMessage",
                "ec2messages:DeleteMessage",
                "ec2messages:FailMessage",
                "ec2messages:GetEndpoint",
                "ec2messages:GetMessages",
                "ec2messages:SendReply"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ds:CreateComputer",
                "ds:DescribeDirectories"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::amazon-ssm-packages-*"
        }
    ]
}

Also, I have the IAM policy below assigned to the test user so that they can Start/Stop/Restart EC2 instances:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Name": "TESTSERV"
                }
            }
        }
    ]
}
famaus
  • Do you have any other policies configured? Since you are not explicitly denying access to other instances in the policy you pasted, it might be possible that the permissions are being "inherited" from other policies. – Viccari Mar 20 '17 at 14:48
  • This is the fun part of IAM policy: it wouldn't tell you the `Condition` contains something it cannot control. – mootmoot Mar 20 '17 at 18:06
  • I have updated my question to include other policy details that are assigned to the instance & user – famaus Mar 20 '17 at 18:17
  • As for the EC2 "policy", do you mean `IAM instance Roles/Profile` assign to the EC2? – mootmoot Mar 20 '17 at 18:36
  • @mootmoot - yes, IAM instance Roles/Profile assigned to EC2. This will be Task 1 & 3 from https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sysman-configuring-access-iam-create.html – famaus Mar 20 '17 at 18:48
  • IAM instance roles are all about what an EC2 instance can or cannot do with other AWS resources. Basically you can remove this part from your question. As for the policy, I suggest you try to edit them out using the Policy Simulator. – mootmoot Mar 20 '17 at 18:58
  • The bad news is, AWS only supports a limited number of conditions; you cannot freely make them work, even those options available in the AWS console policy generator interface: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html – mootmoot Mar 20 '17 at 19:12
  • @mootmoot if I remove the IAM instance roles then I don't see any instances under Run Command, so it would seem this policy assignment is needed. Also, I did check the Policy Simulator but I do not see any Actions related to SSM (like Send Command, List Command, etc.) – famaus Mar 20 '17 at 22:37
  • In case anyone is wondering like I was, SSM commands are under Systems Manager in IAM. – Utkarsh Dalal Dec 08 '22 at 08:08

1 Answer

I was able to make this work by adjusting the policy as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:ListDocuments",
                "ssm:DescribeDocument*",
                "ssm:GetDocument",
                "ssm:DescribeInstance*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ssm:SendCommand",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
                "arn:aws:s3:::nsight-ssm-logs/TESTSERV",
                "arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"
            ]
        },
        {
            "Action": [
                "ssm:CancelCommand",
                "ssm:ListCommands",
                "ssm:ListCommandInvocations"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ec2:DescribeInstanceStatus",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

My requirement was to only allow execution of PowerShell scripts, hence the line:

"arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"

You can replace AWS-RunPowerShellScript with * to allow all commands.

Also, the EC2 Role assignment was necessary, since without it I couldn't see any instances under Run Command.

Please also know that the user will see all instances under Run Command but will only be able to execute commands on the EC2 instances for which the policies are assigned to the user account. I do not think there is any option to suppress this.

Thanks for your contribution and helpful tips.

famaus
  • Please accept your own answer so others can benefit from it. – Viccari Mar 21 '17 at 00:00
  • Well, this is the annoying part of IAM policy. Even though there is an ARN like `arn:aws:iam:::user/${aws:username}`, I am not sure whether you can use it as a condition to restrict showing instances belonging to the user. – mootmoot Mar 21 '17 at 08:52
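The accepted answer scopes ssm:SendCommand by listing both the instance ARN and the document ARN as resources, and Viccari's comment warns that another attached policy can silently widen that reach. The added example below (not from the question, the answer, or AWS) is a simplified offline evaluator of that logic: it models Allow/Deny with IAM-style `*` wildcards on Action and Resource, ignores Condition blocks entirely, and uses a constructed second instance ARN and a constructed broad policy to show how the set of targetable instances changes.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover this request."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))

def is_allowed(policies, action, resource):
    """Explicit Deny wins, any matching Allow grants, otherwise implicit deny.
    Condition blocks are NOT evaluated in this simplified model."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_matches(stmt, action, resource):
                if stmt.get("Effect") == "Deny":
                    return False
                allowed = True
    return allowed

def send_command_allowed(policies, instance_arn, document_arn):
    """SendCommand is authorized per resource: the instance AND the document must be allowed."""
    return all(is_allowed(policies, "ssm:SendCommand", arn)
               for arn in (instance_arn, document_arn))

def targetable_instances(policies, instance_arns, document_arn):
    """Of the instances the console lists, those the user could actually run the document on."""
    return [arn for arn in instance_arns if send_command_allowed(policies, arn, document_arn)]

# The accepted answer's policy, trimmed to the statements relevant to SendCommand.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ssm:ListDocuments", "ssm:DescribeDocument*", "ssm:GetDocument", "ssm:DescribeInstance*"]},
    {"Effect": "Allow", "Action": "ssm:SendCommand", "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
        "arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"]}]}
POWERSHELL_DOC = "arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"
# Constructed inventory: the instance from the question plus a second, made-up instance ID.
INVENTORY = ["arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
             "arn:aws:ec2:us-east-1:123456789012:instance/i-0fedcba0987654321"]

if __name__ == "__main__":
    print(targetable_instances([SCOPED_POLICY], INVENTORY, POWERSHELL_DOC))  # only the first ARN
    # Constructed broad policy attached alongside the scoped one: this is the "inherited"
    # permission case from the comments, and it makes the second instance targetable too.
    broad = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "ssm:*", "Resource": "*"}]}
    print(targetable_instances([SCOPED_POLICY, broad], INVENTORY, POWERSHELL_DOC))  # both ARNs
```

Because the model skips Condition blocks, it says nothing about the question's original `ec2:ResourceTag/Name` condition; it only reproduces the resource-ARN scoping that the answer relies on.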