
I am using the default policy AmazonSSMMaintenanceWindowRole. In that policy I have modified the permissions for ssm:SendCommand to restrict access to specific EC2 instances, but this is not working. If I set the resource to "*" for ssm:SendCommand, it works fine. Please let me know what I am doing wrong with respect to restricting access.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "0",
            "Effect": "Allow",
            "Action": [
                "ssm:GetAutomationExecution",
                "ssm:GetParameters",
                "ssm:ListCommands",
                "ssm:StartAutomationExecution"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "1",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand"
            ],
            "Resource": [
                "arn:aws:ec2:eu-west-1:*:instance/myinstance-id",
                "arn:aws:s3:::bucketname",
                "arn:aws:ssm:us-east-1:*:document/AWS-ApplyPatchBaseline"
            ]
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:SSM*",
                "arn:aws:lambda:*:*:function:*:SSM*"
            ]
        },
        {
            "Sid": "3",
            "Effect": "Allow",
            "Action": [
                "states:DescribeExecution",
                "states:StartExecution"
            ],
            "Resource": [
                "arn:aws:states:*:*:stateMachine:SSM*",
                "arn:aws:states:*:*:execution:SSM*"
            ]
        }
    ]
}
