2

I'm trying to have an IAM user who can only use SSM Run Command with a specific Document.

If I have the following policy attached to the user, that user can indeed only successfully execute AWS-RunShellScript (which is an AWS managed) document on EC2 instances.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeDocument",
                "ssm:DescribeDocumentParameters",
                "ssm:DescribeDocumentPermission",
                "ssm:GetCommandInvocation",
                "ssm:GetDocument",
                "ssm:ListCommandInvocations",
                "ssm:ListCommands",
                "ssm:ListDocumentMetadataHistory",
                "ssm:ListDocuments",
                "ssm:ListDocumentVersions"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": "arn:aws:ssm:us-west-2:999999999999:document/AWS-RunShellScript"
        }
    ]
}

However, if I replace the resource item in the policy with a custom document ARN that I created (e.g. arn:aws:ssm:us-west-2:999999999999:document/CustomDocument), I get "Access Denied"

enter image description here

Ermiya Eskandary
  • 15,323
  • 3
  • 31
  • 44
Azad Salahli
  • 876
  • 3
  • 14
  • 30
  • 1
    Try adding the EC2 instances running the document to the policy too e.g. `"Resource": [..., "arn:aws:ec2:*:999999999999:instance/*"]`. Does that work? – Ermiya Eskandary Dec 04 '21 at 21:16
  • 1
    @ErmiyaEskandary that was it! Apparently instance isn't optional, despite what the docs claim ‍♂️ Thanks. If you post this as an answer, I can award you the bounty – Azad Salahli Dec 08 '21 at 11:59

2 Answers2

6

It's not really clear in the documentation but to limit ssm:SendCommand, you must use the Resource field to specify both what document(s) the IAM user is allowed to run and what instance(s) you allow commands to be run on.

The user would see all instances when trying to run a command but will only be able to execute commands for the EC2 instance IDs specified in the IAM policy.

You can specify the policy to allow any instance like below if needs be or specify a limited list of instance IDs in line with the standard security advice of granting least privilege in IAM policies.

As to why the AWS managed document works, it's probably some internal magic ‍♂️

This should work:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"ssm:SendCommand",
         "Resource":[
            "arn:aws:ec2:us-west-2:999999999999:instance/*",
            "arn:aws:ssm:us-west-2:999999999999:document/AWS-RunShellScript"
         ]
      }
   ]
}
Ermiya Eskandary
  • 15,323
  • 3
  • 31
  • 44
0

Slightly similar unexpected behaviour (not really clear in the documentation either): if you define 2 blocks for the same action, they are considered by AWS as just one, eg:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"ssm:SendCommand",
         "Resource":[
            "arn:aws:ec2:us-west-2:999999999999:instance/i-1",
            "arn:aws:ssm:us-west-2:999999999999:document/AWS-RunShellScript"
         ]
      },
      {
         "Effect":"Allow",
         "Action":"ssm:SendCommand",
         "Resource":[
            "arn:aws:ec2:us-west-2:999999999999:instance/i-2",
            "arn:aws:ssm:us-west-2:999999999999:document/AWS-SecondDoc"
         ]
      }
   ]
}

will allow you to connect to i-1 with both "AWS-RunShellScript" and "AWS-SecondDoc" (and same for i-2).

Maxime
  • 111
  • 1
  • 5