Access Denied - Connect to EC2 Instance using Systems Session Manager via AWS CLI


Hello,

I am getting an "Access denied" issue with the error message "User is not authorized to perform operation on resource and no identity-based policy allows the ssm:startsession action" when I try to connect to an EC2 instance (Windows Server) using SSM via the AWS CLI installed on my machine.

My organization has provided me a user created under IAM Identity Center. I have created the custom managed policy shown below, attached the policy to a custom permission set and assigned this permission set to the user.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        }
    ]
}

I have created a role and tried adding the Identity Center user as well as the role in the "Principal" section under the "Trust Relationships" tab of the Roles feature, attached the custom managed policy to the role and assigned the role to the EC2 instance.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::MyAccountID:role/MyRoleName"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

I have executed the command "aws ssm start-session --target myinstanceid --profile myprofile" to start the session from my local machine, but I am getting the access denied issue.

Can you please suggest the cause of the issue and a solution for connecting to the EC2 instance via the AWS CLI using SSM?

Kamal

1 answer

Hello.

In order to connect to EC2 with the "start-session" command, the following policy must be set for the user.
The following document describes an IAM policy that only allows access to a specific instance, but it can be used as long as at least the "ssm:StartSession", "ssm:TerminateSession" and "ssm:ResumeSession" actions are allowed.
https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-quickstart.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:region:account-id:instance/instance-id",
                "arn:aws:ssm:region:account-id:document/SSM-SessionManagerRunShell" 
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true" 
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeSessions",
                "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceProperties",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:TerminateSession",
                "ssm:ResumeSession"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:session/${aws:userid}-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey" 
            ],
            "Resource": "key-name"
        }
    ]
}

Additionally, by attaching the following AWS managed policy to the IAM role of the EC2 instance, you can use Systems Manager functions and Session Manager.
https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html

Expert
answered 4 months ago
  • I think it can be used if at least the following policy is attached to the user.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:StartSession",
                    "ssm:TerminateSession",
                    "ssm:ResumeSession"
                ],
                "Resource": "*"
            }
        ]
    }
    
  • In addition, the actions starting with ssmmessages are required in the role policy associated with the EC2 instance that connects to Systems Manager, so that SSM can initiate connections to the instance on the user's behalf. They are not required in role or user policies for starting SSM sessions.

  • Thanks for your response @Riku_Kobayashi

    I have tried the way you suggested by adding the JSON text to my existing policy, attached it to the permission set in IAM Identity Center and assigned the permission set to the user.

    Also, I have attached the "AmazonSSMManagedInstanceCore" policy to the "role", attached the role to the EC2 instance and executed the command "aws ssm start-session --target Myinstanceid --profile Myprofile". Even then I am getting the access denied issue when trying to start a session with the EC2 instance via the AWS CLI.

    I am getting the error "An error occurred (AccessDeniedException) when calling the StartSession operation: User: arn:aws:sts::MyAccountID:assumed-role/AWSReservedSSO_XXXXXXX/User is not authorized to perform: ssm:StartSession on resource: arn:aws:ec2:myregion:AccountID:instance/Myinstanceid because no identity-based policy allows the ssm:StartSession action"

    Can you please suggest the possible cause of the issue and provide a solution to fix it and connect to the EC2 instance via the AWS CLI?

    Kamal
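To make the difference between the two policies in this thread concrete, here is an added, offline illustration (not code from the question, the answer, or AWS): a minimal evaluator for identity-based policies that implements only the IAM rules these policies rely on (Allow/Deny effects, `*` and `?` wildcards, `${aws:userid}` substitution, the BoolIfExists operator) and runs the question's ssmmessages-only policy and the answer's scoped policy against a StartSession request. The account ID, region, instance IDs, the caller's aws:userid and the session ID are constructed placeholders; the real IAM engine also evaluates SCPs, permission boundaries and resource policies, none of which are modelled, and the document check driven by ssm:SessionDocumentAccessCheck is approximated by requiring StartSession to be allowed on the session document ARN as well as on the instance ARN.

```python
import fnmatch
import re

# Constructed placeholder values (not real IDs).
ACCOUNT = "111122223333"
REGION = "us-east-1"
INSTANCE_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0abc1234def567890"
OTHER_INSTANCE_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0fedcba9876543210"
RUNSHELL_DOC_ARN = f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/SSM-SessionManagerRunShell"

# Policy from the question: ssmmessages actions only, no ssm:StartSession.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
                   "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel"],
        "Resource": "*",
    }],
}

# Policy from the answer, placeholders filled with the constructed values above.
# The kms:GenerateDataKey statement is left out: no KMS key is involved in this run.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:StartSession"],
         "Resource": [INSTANCE_ARN, RUNSHELL_DOC_ARN],
         "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}},
        {"Effect": "Allow",
         "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                    "ssm:DescribeInstanceProperties", "ec2:DescribeInstances"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
         "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _expand(pattern, ctx):
    """Substitute ${key} policy variables with values from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), pattern)

def _matches(pattern, value, ctx, case_insensitive=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character.
    Action names compare case-insensitively, ARNs case-sensitively."""
    pattern = _expand(pattern, ctx)
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def _condition_holds(condition, ctx):
    """Only BoolIfExists is modelled, the single operator these policies use:
    an absent key satisfies it, a present key must carry the expected value."""
    for operator, pairs in condition.items():
        if operator != "BoolIfExists":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if key in ctx and str(ctx[key]).lower() != str(expected).lower():
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one identity policy.
    An explicit Deny wins over any Allow; no matching Allow at all is the implicit
    deny the CLI reports as 'no identity-based policy allows the ... action'."""
    verdict = "implicit_deny"
    for stmt in policy["Statement"]:
        if not any(_matches(a, action, ctx, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource, ctx) for r in _as_list(stmt.get("Resource", []))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"
        verdict = "allow"
    return verdict

def can_start_session(policy, instance_arn, ctx, document_arn=RUNSHELL_DOC_ARN):
    """Simplification: StartSession must be allowed on the instance and, because the
    policy asks for ssm:SessionDocumentAccessCheck, on the session document too."""
    return all(evaluate(policy, "ssm:StartSession", arn, ctx) == "allow"
               for arn in (instance_arn, document_arn))

# Identity Center users act through an assumed role, so aws:userid takes the form
# "<role-id>:<session-name>" (constructed value).
CALLER = {"aws:userid": "AROAEXAMPLEROLEID:kamal"}

if __name__ == "__main__":
    own = f"arn:aws:ssm:{REGION}:{ACCOUNT}:session/{CALLER['aws:userid']}-0a1b2c3d4e5f67890"
    print("question policy, own instance :", can_start_session(QUESTION_POLICY, INSTANCE_ARN, CALLER))
    print("answer policy, own instance   :", can_start_session(ANSWER_POLICY, INSTANCE_ARN, CALLER))
    print("answer policy, other instance :", can_start_session(ANSWER_POLICY, OTHER_INSTANCE_ARN, CALLER))
    print("terminate own session         :", evaluate(ANSWER_POLICY, "ssm:TerminateSession", own, CALLER))
```

Run as is, the question's policy produces an implicit deny for ssm:StartSession, which is exactly the condition behind "no identity-based policy allows the ssm:StartSession action", while the answer's policy allows the named instance, refuses any other instance, and lets the caller terminate or resume only sessions whose ID starts with their own aws:userid. When the policy is delivered through an IAM Identity Center permission set, also check that the edited permission set has been provisioned to the target account, since the change only reaches the account's AWSReservedSSO_ role at that point.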
