Access Denied - Connect to EC2 Instance using Systems Session Manager via AWS CLI

0

Hello,

I am getting "Access denied" issue with error message "User is not authorized to perform operation on resource and no identity-based policy allows the ssm:startsession action" when i am trying to connect to EC2 instance (Windows Server) using SSM via AWS CLI installed on my machine.

My Organization has provided me an User created under IAM Identity Center. I have created the custom managed policy as shown below, attached the policy to the custom permission set and assigned this permission set to the user.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        }
    ]
}

I have created a role and tried adding the Identity Center User as well as role in the "Principal" section under the "Trust Relationships" tab of Roles feature, attached the custom managed policy to the role and assigned the role to the EC2 instance.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::MyAccountID:role/MyRoleName"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

I have executed the command "aws ssm start-session --target myinstanceid --profile myprofile" to start the session from my local machine but i am getting the access denied issue.

Can you please suggest me the cause for the issue and solution for connecting to EC2 instance via AWS CLI using SSM?

Kamal

1 réponse
1

Hello.

In order to connect to EC2 with the "start-session" command, the following policy must be set for the user.
The following document describes an IAM policy that only accesses a specific instance, but it can be used if at least policies such as "ssm:StartSession", "ssm:TerminateSession", and "ssm:ResumeSession" are set.
https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-quickstart.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:region:account-id:instance/instance-id",
                "arn:aws:ssm:region:account-id:document/SSM-SessionManagerRunShell" 
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true" 
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeSessions",
                "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceProperties",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:TerminateSession",
                "ssm:ResumeSession"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:session/${aws:userid}-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey" 
            ],
            "Resource": "key-name"
        }
    ]
}

Additionally, by setting the following AWS managed policy in the IAM role of the EC2 instance, you can use Systems Manager functions and Session Manager.
https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html

profile picture
EXPERT
répondu il y a 4 mois
  • I think it can be used if at least the following policy is attached to the user.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:StartSession",
                    "ssm:TerminateSession",
                    "ssm:ResumeSession"
                ],
                "Resource": "*"
            }
        ]
    }
    
  • In addition, those actions starting with ssmmessages are required in the Role policy associated with the EC2 instance that connects to Systems Manager so that SSM can initiate connections to the instance on the user's behalf. They are not required for Role or user policies for starting SSM sessions.

  • Thanks for your response @Riku_Kobayashi

    I have tried the way you have suggested by adding the JSON text to my existing policy, attached it to the permission set in IAM identity center and assigned the permission set to the user.

    Also, i have attached the "AmazonSSMManagedInstanceCore" policy to the "role", attached the role to EC2 instance and executed the command "aws ssm start-session --target Myinstanceid --profile Myprofile". Even then i am getting the access denied issue when trying to start session with the EC2 instance via AWS CLI.

    I am getting the error as "An error occurred (AccessDeniedException) when calling the StartSession operation: User: arn:aws:sts::MyAccountID:assumed-role/AWSReservedSSO_XXXXXXX/User is not authorized to perform: ssm:StartSession on resource: arn:aws:ec2:myregion:AccountID:instance/Myinstanceid because no identity-based policy allows the ssm:StartSession action

    Can you please suggest the possible cause of the issue and provide me a solution to fix the issue and connect to EC2 instance via AWS CLI?

    Kamal

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions