1 Answer
Hello.
In order to connect to EC2 with the "start-session" command, the following policy must be set for the user.
The following document describes an IAM policy that only grants access to a specific instance, but it can be used if at least policies such as "ssm:StartSession", "ssm:TerminateSession", and "ssm:ResumeSession" are set.
https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-quickstart.html
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:region:account-id:instance/instance-id",
                "arn:aws:ssm:region:account-id:document/SSM-SessionManagerRunShell"
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeSessions",
                "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceProperties",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:TerminateSession",
                "ssm:ResumeSession"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:session/${aws:userid}-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey"
            ],
            "Resource": "key-name"
        }
    ]
}
Additionally, by setting the following AWS managed policy in the IAM role of the EC2 instance, you can use Systems Manager functions and Session Manager.
https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html
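To see why the ARN placeholders in the policy above (region, account-id, instance-id) must be replaced with real values, and how the ${aws:userid} variable scopes TerminateSession/ResumeSession to the caller's own sessions, here is an added, simplified offline evaluator (not code from the thread or from AWS). It ignores Condition blocks, SCPs, permission boundaries and resource policies, and all ARNs and the user id are constructed sample values.

```python
import fnmatch

# Simplified IAM evaluation: explicit Deny wins, any matching Allow grants,
# otherwise the request is implicitly denied. Conditions, SCPs, permission
# boundaries and resource policies are deliberately not modelled.
def _as_list(value):
    return value if isinstance(value, list) else [value]

def _expand(pattern, context):
    # Substitute policy variables such as ${aws:userid} from the request context.
    for key, val in context.items():
        pattern = pattern.replace("${" + key + "}", val)
    return pattern

def _matches(patterns, value, context):
    # IAM wildcards are * and ?; fnmatchcase keeps ARN matching case-sensitive.
    return any(fnmatch.fnmatchcase(value, _expand(p, context)) for p in _as_list(patterns))

def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action on one resource."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action, {}) and _matches(stmt["Resource"], resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def session_policy(region, account, instance_id):
    """The StartSession and Terminate/Resume statements from the answer, ARN fields filled in."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ssm:StartSession"],
         "Resource": [f"arn:aws:ec2:{region}:{account}:instance/{instance_id}",
                      f"arn:aws:ssm:{region}:{account}:document/SSM-SessionManagerRunShell"]},
        {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
         "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]},
    ]}

# Constructed sample request values (not from the thread).
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc1234def567890"
SESSION_CTX = {"aws:userid": "AIDAEXAMPLEUSERID"}
OWN_SESSION = "arn:aws:ssm:us-east-1:111122223333:session/AIDAEXAMPLEUSERID-0a1b2c3d"
OTHER_SESSION = "arn:aws:ssm:us-east-1:111122223333:session/AIDAOTHERUSER-9f8e7d6c"

if __name__ == "__main__":
    unfilled = session_policy("region", "account-id", "instance-id")
    filled = session_policy("us-east-1", "111122223333", "i-0abc1234def567890")
    print(evaluate(unfilled, "ssm:StartSession", INSTANCE_ARN))               # ImplicitDeny
    print(evaluate(filled, "ssm:StartSession", INSTANCE_ARN))                 # Allow
    print(evaluate(filled, "ssm:TerminateSession", OWN_SESSION, SESSION_CTX))    # Allow
    print(evaluate(filled, "ssm:TerminateSession", OTHER_SESSION, SESSION_CTX))  # ImplicitDeny
```

For the real decision, including conditions and SCPs, use the IAM policy simulator or the AWS CLI's simulate-principal-policy rather than this model.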
I think it can be used if at least the following policy is attached to the user.
In addition, those actions starting with "ssmmessages" are required in the Role policy associated with the EC2 instance that connects to Systems Manager, so that SSM can initiate connections to the instance on the user's behalf. They are not required for Role or user policies for starting SSM sessions.

Thanks for your response @Riku_Kobayashi
I have tried the way you have suggested by adding the JSON text to my existing policy, attaching it to the permission set in IAM Identity Center and assigning the permission set to the user.
Also, I have attached the "AmazonSSMManagedInstanceCore" policy to the "role", attached the role to the EC2 instance and executed the command "aws ssm start-session --target Myinstanceid --profile Myprofile". Even then, I am getting the access denied issue when trying to start a session with the EC2 instance via the AWS CLI.
I am getting the error as "An error occurred (AccessDeniedException) when calling the StartSession operation: User: arn:aws:sts::MyAccountID:assumed-role/AWSReservedSSO_XXXXXXX/User is not authorized to perform: ssm:StartSession on resource: arn:aws:ec2:myregion:AccountID:instance/Myinstanceid because no identity-based policy allows the ssm:StartSession action"
Can you please suggest the possible cause of the issue and provide me a solution to fix the issue and connect to the EC2 instance via the AWS CLI?
Kamal