Restrict AWS SSM access to SSH only

Michael

6/12/24, 8:31 AM

I need to restrict some users AWS SSM access to SSH only. These users should only be able to start a SSH session via SSM like this:

ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p"

It should not be possible to start a SSM session directly (ssm-user):

aws ssm start-session --target i-*

Is this possible?

1 + 0

amazon-ec2

amazon-web-services

aws-cli

aws-session-manager

Score:0

Server

Michael

6/13/24, 7:34 AM

Looks like I've found a solution here: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html

In general I created a user group and added this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
        }
    ]
}

Now a user in this group can start a SSH session but not a SSM session directly.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Restrict AWS SSM access to SSH only

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.