
I am using ssm:tag of documents to restrict access to users based on user role and document tag. I have added a condition to IAM policy and it's working. But when I try to do this with cross account, it's not working.

1) My SSM documents are in Master account, shared with Child account

2) IAM Policy to restrict access based on tags is in Child account (Tag key: Role)

3) The request is made to Child account

Scenario 1: I can execute the documents successfully, when condition from the IAM Policy is removed. So the Child AWS account can fetch the SSM Documents from Master AWS account.

Scenario 2: I cannot execute the documents when filtered based on tags, i.e. condition added to the IAM policy. This shows the Child AWS account is unable to fetch tags of SSM documents from Master AWS account. Could someone please help me with this? Attaching the IAM Policy for reference.

IAM Policy Document:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "ssm:SendCommand",
                "Resource": [
                    "arn:aws:s3:::ssm-deliverables/ssm-*",
                    "arn:aws:ec2:ap-south-1:20**********:instance/*"
                ]
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "ssm:ListCommandInvocations",
                "Resource": "*"
            },
            {
                "Sid": "VisualEditor2",
                "Effect": "Allow",
                "Action": "ssm:SendCommand",
                "Resource": "arn:aws:ssm:::document/*",
                "Condition": {
                    "StringEquals": {
                        "ssm:resourceTag/Role": "${aws:PrincipalTag/Role}"
                    }
                }
            }
        ]
    }
Tilak Puli
  • 73
  • 1
  • 3

1 Answer

aws:PrincipalTag used here is one of the AWS global condition context keys. We have to use the above key to compare the tag attached to the principal making the request with the tag that you specify in the policy.

In this case, the principal is the IAM User/Role to which the above policy is attached. So the IAM User/Role itself should be tagged with the same values mentioned in the IAM Policy.

For Example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ec2:StartInstances",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ec2:resourceTag/Name": "${aws:PrincipalTag/Name}"
                    }
                }
            }
        ]
    }

Assume that the above policy is attached to an IAM user who wants to start an EC2 instance. The user will be able to start the EC2 instance if the user is tagged with the same tags as the resource tags mentioned in the IAM policy.

So, you have to tag the IAM user making the request to SSM with the key 'Role' and the value set to the same role name or ARN as the SSM document tags.

Abhinaya
  • 949
  • 1
  • 5
  • 12
  • We are tagging the user and document with Role. It's working in master account which has documents. It's not working when we use same policy condition in child account which is using shared documents of master account. In this scenario child account is able to run document without condition. With condition it's not working. I have checked multiple cases and found that it is able to get principal tag but not resource tag in child account – Tilak Puli May 06 '20 at 15:53
  • BTW Thank you for response. – Tilak Puli May 06 '20 at 15:54
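The following is an added example, not code from the question, the answer or AWS. It is a small model of how IAM evaluates the `StringEquals` condition in the question's `VisualEditor2` statement: the `${aws:PrincipalTag/Role}` variable is substituted from the request context, and a condition key that is absent from the context (here `ssm:resourceTag/Role`, which the asker reports is not resolved for documents shared from the master account) makes `StringEquals` evaluate to false, so the statement does not allow the call. The request contexts and tag values are constructed; action and resource matching are left out because they are not what changes between the asker's scenarios.

```python
"""Model of IAM StringEquals evaluation with ${aws:PrincipalTag/...} substitution.

Added example, not from the question or answer. Reproduces the asker's four
situations: matching tags in one account, mismatched tags, a shared document
whose resource tag is missing from the request context, and the statement
with its Condition removed.
"""
import re
from typing import Dict, Optional

# Condition part of the question's VisualEditor2 statement.
TAG_STATEMENT = {
    "Effect": "Allow",
    "Action": "ssm:SendCommand",
    "Resource": "arn:aws:ssm:::document/*",
    "Condition": {
        "StringEquals": {"ssm:resourceTag/Role": "${aws:PrincipalTag/Role}"}
    },
}

# Same statement with the condition dropped (the asker's "Scenario 1").
UNCONDITIONED_STATEMENT = {k: v for k, v in TAG_STATEMENT.items() if k != "Condition"}

POLICY_VAR = re.compile(r"\$\{([^}]+)\}")


def substitute(value: str, context: Dict[str, str]) -> Optional[str]:
    """Expand ${key} policy variables from the request context.

    Returns None when a referenced variable is absent; IAM treats a
    condition whose variable cannot be resolved as not matching.
    """
    missing = False

    def repl(match: "re.Match[str]") -> str:
        nonlocal missing
        resolved = context.get(match.group(1))
        if resolved is None:
            missing = True
            return ""
        return resolved

    expanded = POLICY_VAR.sub(repl, value)
    return None if missing else expanded


def string_equals(expected: str, key: str, context: Dict[str, str]) -> bool:
    """StringEquals semantics: the key must be present and equal after substitution."""
    actual = context.get(key)
    if actual is None:
        return False  # missing condition key: StringEquals (not ...IfExists) fails
    resolved = substitute(expected, context)
    return resolved is not None and resolved == actual


def statement_allows(statement: dict, context: Dict[str, str]) -> bool:
    """True when every condition in the statement matches and its Effect is Allow."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if not string_equals(expected, key, context):
                return False
    return statement["Effect"] == "Allow"


# Constructed request contexts; the tag value "DevOps" is an assumption.
SAME_ACCOUNT = {"aws:PrincipalTag/Role": "DevOps", "ssm:resourceTag/Role": "DevOps"}
TAG_MISMATCH = {"aws:PrincipalTag/Role": "DevOps", "ssm:resourceTag/Role": "Finance"}
# What the asker observed in the child account: principal tag resolves,
# resource tag of the shared document does not appear in the context.
CROSS_ACCOUNT_NO_RESOURCE_TAG = {"aws:PrincipalTag/Role": "DevOps"}


def evaluate_scenarios() -> Dict[str, bool]:
    """Evaluate the statement against each constructed request context."""
    return {
        "same_account_matching_tags": statement_allows(TAG_STATEMENT, SAME_ACCOUNT),
        "tag_mismatch": statement_allows(TAG_STATEMENT, TAG_MISMATCH),
        "cross_account_resource_tag_missing": statement_allows(
            TAG_STATEMENT, CROSS_ACCOUNT_NO_RESOURCE_TAG
        ),
        "condition_removed": statement_allows(
            UNCONDITIONED_STATEMENT, CROSS_ACCOUNT_NO_RESOURCE_TAG
        ),
    }


if __name__ == "__main__":
    for name, allowed in evaluate_scenarios().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The model reflects why loosening the operator is not a safe way around the cross-account case: a `StringEqualsIfExists` variant would treat the missing `ssm:resourceTag/Role` as a match and allow `ssm:SendCommand` on any shared document, which defeats the tag-based restriction. For checking the real policy, the IAM policy simulator (`iam:SimulateCustomPolicy`) accepts explicit context entries for `aws:PrincipalTag/Role` and `ssm:resourceTag/Role`, so the present-versus-absent resource tag cases can be compared against the actual policy document.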