
I have a iam role which has access to start automation. I want to limit the documents it can access by using tags.

I have added this policy but it's not working.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ssm:StartAutomationExecution"
                ],
                "Resource": "*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Deny",
                "Action": "ssm:StartAutomationExecution",
                "Resource": [
                    "arn:aws:ssm:*:*:document/*",
                    "arn:aws:ssm:*:*:automation-definition/*:$DEFAULT"
                ],
                "Condition": {
                    "StringNotEquals": {
                        "ssm:resourceTag/Role": "${aws:PrincipalTag/Role}"
                    }
                }
            }
        ]
    }

Tilak Puli

1 Answer


This condition is not supported for the StartAutomationExecution operation.

See https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html

Benoît Sauvère
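To see what a condition key the service never supplies does to this policy, here is a small evaluator added for this answer (not AWS code and not the asker's). It models two IAM evaluation rules: an explicit Deny wins over any Allow, and a negated operator such as StringNotEquals evaluates to true when its key is absent from the request context. The ARN, tag values and the `evaluate` helper are constructed for the example.

```python
import re

# Simplified IAM-style evaluator written for this answer (not AWS code). It models
# two evaluation rules: an explicit Deny beats any Allow, and a negated operator
# such as StringNotEquals is true when its key is absent from the request context.
# ${...} policy variables are expanded from the same context.

# The two statements from the question, as a Python dict (constructed copy).
POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ssm:StartAutomationExecution"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ssm:StartAutomationExecution",
     "Resource": ["arn:aws:ssm:*:*:document/*",
                  "arn:aws:ssm:*:*:automation-definition/*:$DEFAULT"],
     "Condition": {"StringNotEquals": {
         "ssm:resourceTag/Role": "${aws:PrincipalTag/Role}"}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value):
    # IAM-style wildcard: '*' matches any run of characters
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value) is not None

def _expand(value, ctx):
    # Substitute ${key} policy variables; unknown variables are left as written
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), value)

def _condition_holds(cond, ctx):
    for op, pairs in cond.items():
        if op != "StringNotEquals":
            raise NotImplementedError(op)  # only the operator used on this page
        for key, expected in pairs.items():
            if key not in ctx:
                continue  # negated operator: a missing key counts as "not equal"
            if ctx[key] == _expand(expected, ctx):
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(_glob(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny ends evaluation
        decision = "Allow"
    return decision
```

With `ssm:resourceTag/Role` present the Deny only fires on a tag mismatch; with the key absent from the context, as when the action does not supply it, the Deny fires on every call and the role cannot start any document.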