By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Access Denied - Connect to EC2 Instance using Systems Session Manager via AWS CLI

0

Hello,

I am getting "Access denied" issue with error message "User is not authorized to perform operation on resource and no identity-based policy allows the ssm:startsession action" when i am trying to connect to EC2 instance (Windows Server) using SSM via AWS CLI installed on my machine.

My Organization has provided me an User created under IAM Identity Center. I have created the custom managed policy as shown below, attached the policy to the custom permission set and assigned this permission set to the user.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        }
    ]
}

I have created a role and tried adding the Identity Center User as well as role in the "Principal" section under the "Trust Relationships" tab of Roles feature, attached the custom managed policy to the role and assigned the role to the EC2 instance.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::MyAccountID:role/MyRoleName"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

I have executed the command "aws ssm start-session --target myinstanceid --profile myprofile" to start the session from my local machine but i am getting the access denied issue.

Can you please suggest me the cause for the issue and solution for connecting to EC2 instance via AWS CLI using SSM?

Kamal

Topics
Management & GovernanceComputeSecurity, Identity, & Compliance
Tags
AWS Command Line InterfaceAmazon EC2AWS IAM Identity CenterSession Management
Language
English
Kamal
asked 3 months ago316 views
1 Answer
1

Hello.

In order to connect to EC2 with the "start-session" command, the following policy must be set for the user.
The following document describes an IAM policy that only accesses a specific instance, but it can be used if at least policies such as "ssm:StartSession", "ssm:TerminateSession", and "ssm:ResumeSession" are set.
https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-quickstart.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:region:account-id:instance/instance-id",
                "arn:aws:ssm:region:account-id:document/SSM-SessionManagerRunShell" 
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true" 
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeSessions",
                "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceProperties",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:TerminateSession",
                "ssm:ResumeSession"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:session/${aws:userid}-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey" 
            ],
            "Resource": "key-name"
        }
    ]
}

Additionally, by setting the following AWS managed policy in the IAM role of the EC2 instance, you can use Systems Manager functions and Session Manager.
https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html

profile picture
EXPERT
Riku_Kobayashi
answered 3 months ago
  • Riku_Kobayashi EXPERT
    3 months ago

    I think it can be used if at least the following policy is attached to the user.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession",
                "ssm:TerminateSession",
                "ssm:ResumeSession"
            ],
            "Resource": "*"
        }
    ]
}
  • MichaelFischer EXPERT
    3 months ago

    In addition, those actions starting with ssmmessages are required in the Role policy associated with the EC2 instance that connects to Systems Manager so that SSM can initiate connections to the instance on the user's behalf. They are not required for Role or user policies for starting SSM sessions.

  • Kamal
    3 months ago

    Thanks for your response @Riku_Kobayashi

    I have tried the way you have suggested by adding the JSON text to my existing policy, attached it to the permission set in IAM identity center and assigned the permission set to the user.

    Also, i have attached the "AmazonSSMManagedInstanceCore" policy to the "role", attached the role to EC2 instance and executed the command "aws ssm start-session --target Myinstanceid --profile Myprofile". Even then i am getting the access denied issue when trying to start session with the EC2 instance via AWS CLI.

    I am getting the error as "An error occurred (AccessDeniedException) when calling the StartSession operation: User: arn:aws:sts::MyAccountID:assumed-role/AWSReservedSSO_XXXXXXX/User is not authorized to perform: ssm:StartSession on resource: arn:aws:ec2:myregion:AccountID:instance/Myinstanceid because no identity-based policy allows the ssm:StartSession action

    Can you please suggest the possible cause of the issue and provide me a solution to fix the issue and connect to EC2 instance via AWS CLI?

    Kamal

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content