AWS SSM IAM 访问问题
AWS SSM IAM Access Issue
我的用户通过 SSM 连接到我的 AWS EC2 实例。这些实例没有 public-IP,也没有跳转主机,因此无法直接连接。
每个EC2实例都有一个名称标签,我希望IAM策略受标签名称限制。由于多种原因,按实例 ID 进行限制将不可行。
ec2 服务器上的 NAME 标签是 client-name。 ec2 的策略在这里可以正常工作 以限制对实例的访问。我可以通过控制台看到。但是,SSM 策略似乎不起作用,我已经进行了数百次更改以尝试使其起作用。我不断收到以下错误。非常感谢任何帮助。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Name": "client-name"
}
}
},
{
"Effect": "Allow",
"Action": "ssm:*",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ssm:*:*:document/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/Name": "client-name"
}
}
},
{
"Effect": "Deny",
"Action": [
"ec2:DeleteTags",
"ec2:CreateTags"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*"
}
]
}
我名为testuser_delme2的用户使用如下命令连接,报错如下:
aws ssm start-session --target i-003000333337777c7 --document-name AWS-StartPortForwardingSession --parameters portNumber="3389",localPortNumber="3389"
错误:
An error occurred (AccessDeniedException) when calling the StartSession operation: User: arn:aws:iam::222666555000:user/testuser_delme2 is not authorized to perform: ssm:StartSession on resource: arn:aws:ssm:ap-southeast-1::document/AWS-StartPortForwardingSession because no identity-based policy allows the ssm:StartSession action
好吧,我弄清楚了这个问题,并将其张贴在这里以防对其他人有所帮助。由于某些奇怪的原因 ssm start-session 与其他 SSM 命令的工作方式不同。
正确的做法是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["ec2:*","ssm:StartSession"],
"Resource": "*",
"Condition": {"StringEquals": {"aws:ResourceTag/Name": "client-name"}}
},
{
"Effect": "Deny",
"Action": ["ec2:DeleteTags", "ec2:CreateTags"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets", "kms:*"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ssm:*",
"Resource": "arn:aws:ssm:*:*:*"
},
{
"Effect":"Allow",
"Action":["ssm:SendCommand"],
"Resource":["arn:aws:ec2:*:*:instance/*"],
"Condition": {"StringEquals": {"aws:ResourceTag/Name": "client-name"}}
}
]
}
我的用户通过 SSM 连接到我的 AWS EC2 实例。这些实例没有 public-IP,也没有跳转主机,因此无法直接连接。
每个EC2实例都有一个名称标签,我希望IAM策略受标签名称限制。由于多种原因,按实例 ID 进行限制将不可行。
ec2 服务器上的 NAME 标签是 client-name。 ec2 的策略在这里可以正常工作 以限制对实例的访问。我可以通过控制台看到。但是,SSM 策略似乎不起作用,我已经进行了数百次更改以尝试使其起作用。我不断收到以下错误。非常感谢任何帮助。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Name": "client-name"
}
}
},
{
"Effect": "Allow",
"Action": "ssm:*",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ssm:*:*:document/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/Name": "client-name"
}
}
},
{
"Effect": "Deny",
"Action": [
"ec2:DeleteTags",
"ec2:CreateTags"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*"
}
]
}
我名为testuser_delme2的用户使用如下命令连接,报错如下:
aws ssm start-session --target i-003000333337777c7 --document-name AWS-StartPortForwardingSession --parameters portNumber="3389",localPortNumber="3389"
错误:
An error occurred (AccessDeniedException) when calling the StartSession operation: User: arn:aws:iam::222666555000:user/testuser_delme2 is not authorized to perform: ssm:StartSession on resource: arn:aws:ssm:ap-southeast-1::document/AWS-StartPortForwardingSession because no identity-based policy allows the ssm:StartSession action
好吧,我弄清楚了这个问题,并将其张贴在这里以防对其他人有所帮助。由于某些奇怪的原因 ssm start-session 与其他 SSM 命令的工作方式不同。
正确的做法是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["ec2:*","ssm:StartSession"],
"Resource": "*",
"Condition": {"StringEquals": {"aws:ResourceTag/Name": "client-name"}}
},
{
"Effect": "Deny",
"Action": ["ec2:DeleteTags", "ec2:CreateTags"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets", "kms:*"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ssm:*",
"Resource": "arn:aws:ssm:*:*:*"
},
{
"Effect":"Allow",
"Action":["ssm:SendCommand"],
"Resource":["arn:aws:ec2:*:*:instance/*"],
"Condition": {"StringEquals": {"aws:ResourceTag/Name": "client-name"}}
}
]
}