AWS SSM IAM Access Issue

My users connect to my AWS EC2 instances through SSM. The instances have no public IP and there is no bastion host, so there is no way to connect to them directly.

Every EC2 instance has a Name tag, and I want the IAM policy to be restricted by that tag name. For several reasons, restricting by instance ID is not feasible.

The Name tag on the EC2 servers is client-name. The EC2 policy works fine here to restrict access to the instances; I can see that through the console. However, the SSM policy does not seem to work, and I have made hundreds of changes trying to get it to work. I keep getting the error below. Any help is greatly appreciated.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Name": "client-name"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ssm:*",
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ssm:*:*:document/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Name": "client-name"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "ec2:DeleteTags",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*"
        }
    ]
}

My user, named testuser_delme2, connects with the following command and gets the error below:

aws ssm start-session --target i-003000333337777c7 --document-name AWS-StartPortForwardingSession --parameters portNumber="3389",localPortNumber="3389"

Error:

An error occurred (AccessDeniedException) when calling the StartSession operation: User: arn:aws:iam::222666555000:user/testuser_delme2 is not authorized to perform: ssm:StartSession on resource: arn:aws:ssm:ap-southeast-1::document/AWS-StartPortForwardingSession because no identity-based policy allows the ssm:StartSession action

Okay, I figured out the problem and am posting it here in case it helps someone else. For some strange reason, ssm start-session does not work the same way as the other SSM commands.

The correct approach is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:*","ssm:StartSession"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceTag/Name": "client-name"}}
        },
        {
            "Effect": "Deny",
            "Action": ["ec2:DeleteTags", "ec2:CreateTags"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets", "kms:*"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ssm:*",
            "Resource": "arn:aws:ssm:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": ["ssm:SendCommand"],
            "Resource": ["arn:aws:ec2:*:*:instance/*"],
            "Condition": {"StringEquals": {"aws:ResourceTag/Name": "client-name"}}
        }
    ]
}
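The mechanism behind both the failure in the question and the fix in the answer is worth spelling out. ssm:StartSession is authorised against two resources at once: the target instance ARN and the SSM document ARN (the error message names the second one). The aws:ResourceTag/Name condition is evaluated separately against each resource, and AWS-managed documents such as AWS-StartPortForwardingSession carry no tags, so a statement that puts the tag condition over the document ARN can never match it. The working policy gets around this by allowing ssm:* on every SSM resource (plus kms:* on everything) without any condition, which is much broader than "limit by Name tag". The following Python model, added here and not part of the original post, reproduces the denial with the question's SSM statement and then shows a narrower split: the tag condition only on the instance ARN, and the document allowed by name. It is a deliberately simplified evaluator (Effect, Action, Resource with IAM wildcards, and StringEquals on aws:ResourceTag only), not AWS's implementation; the ARNs, tags and instance IDs are constructed placeholders modelled on the question.

```python
"""Simplified model of how IAM evaluates ssm:StartSession against a tag-scoped
policy. Added illustration, not AWS's evaluator: it models only Effect/Action/
Resource with '*' and '?' wildcards and the StringEquals aws:ResourceTag/<key>
condition, which is all the policies in this thread use."""
import fnmatch

# Constructed sample ARNs modelled on the question (account and instance IDs are placeholders).
INSTANCE_ARN = "arn:aws:ec2:ap-southeast-1:222666555000:instance/i-003000333337777c7"
OTHER_INSTANCE_ARN = "arn:aws:ec2:ap-southeast-1:222666555000:instance/i-0123456789abcdef0"
DOCUMENT_ARN = "arn:aws:ssm:ap-southeast-1::document/AWS-StartPortForwardingSession"

# Constructed tags: only the customer's instances carry Name; the AWS-owned
# document has no tags at all, so aws:ResourceTag/Name can never match it.
RESOURCE_TAGS = {
    INSTANCE_ARN: {"Name": "client-name"},
    OTHER_INSTANCE_ARN: {"Name": "other-client"},
    DOCUMENT_ARN: {},
}


def _matches(pattern, value):
    """Action/Resource may be a string or a list; IAM '*' and '?' map onto fnmatch."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, tags):
    """Only StringEquals on aws:ResourceTag/<key> is modelled here."""
    for key, expected in condition.get("StringEquals", {}).items():
        if key.startswith("aws:ResourceTag/"):
            tag_key = key[len("aws:ResourceTag/"):]
            if tags.get(tag_key) != expected:
                return False
    return True


def is_allowed(policy, action, resource_arn):
    """Explicit Deny wins; otherwise any matching Allow whose condition holds."""
    tags = RESOURCE_TAGS.get(resource_arn, {})
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource_arn):
            continue
        if not _condition_holds(stmt.get("Condition", {}), tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def start_session_denied_on(policy, instance_arn, document_arn):
    """StartSession is authorised against the instance AND the document;
    return the ARNs that fail, mirroring the 'on resource:' in the error."""
    return [arn for arn in (instance_arn, document_arn)
            if not is_allowed(policy, "ssm:StartSession", arn)]


# The SSM statement from the question: one tag condition over both resource types.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:*",
         "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ssm:*:*:document/*"],
         "Condition": {"StringEquals": {"aws:ResourceTag/Name": "client-name"}}},
    ],
}

# Narrower alternative: the tag condition only where a tag exists (the instance),
# and the document allowed by name rather than ssm:* on every SSM resource.
SPLIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:StartSession",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/Name": "client-name"}}},
        {"Effect": "Allow", "Action": "ssm:StartSession",
         "Resource": "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession"},
    ],
}


if __name__ == "__main__":
    print("question policy denied on:",
          start_session_denied_on(QUESTION_POLICY, INSTANCE_ARN, DOCUMENT_ARN))
    print("split policy denied on:",
          start_session_denied_on(SPLIT_POLICY, INSTANCE_ARN, DOCUMENT_ARN))
    print("split policy, other client's instance denied on:",
          start_session_denied_on(SPLIT_POLICY, OTHER_INSTANCE_ARN, DOCUMENT_ARN))
```

With the question's statement the instance passes but the document is denied, which is the resource the real error named. With the split policy the tagged instance plus the named document is allowed, an instance tagged for a different client is denied, and no other SSM action or document is granted at all. The real evaluator has more rules (permission boundaries, SCPs, session-level conditions), so treat this as a way to reason about where a tag condition can and cannot apply, and confirm the final policy against the account with aws iam simulate-principal-policy before rolling it out.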