Hey everyone! I'm trying to set up AWS Systems Manager to restrict access to non-EC2 instances, like on-premises servers or VMs that are registered via hybrid activation. I want to use specific tags attached to these managed instances and write IAM policies to allow access based on these tags. I came across a policy sample that seems promising:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SSMStartSessionOnInstances",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/department": "WebServers"
        }
      }
    }
  ]
}
```
However, I keep running into a problem when trying to access the instance using port forwarding. The error I get is:
`An error occurred (AccessDeniedException) when calling the StartSession operation: User: arn:aws:iam:::user/systems-manager is not authorized to perform: ssm:StartSession on resource: arn:aws:ssm:::managed-instance/mi- because no identity-based policy allows the ssm:StartSession action`
If I remove the condition, it works fine. Has anyone successfully implemented tag-based restrictions for Systems Manager in this context? Any insights would be appreciated!
3 Answers
It sounds like you're on the right track, but I think you might need to check the tag keys you're using. Instead of `ssm:resourceTag`, have you tried using `aws:ResourceTag`? That could be where the issue lies since both can be confusing. Some users have had success using `aws:ResourceTag` specifically for certain actions.
Hmm, that's weird. I noticed you're trying to apply your policy to all resources. Instead, consider splitting it up – one for all documents without a condition and another for EC2 instances with the tag condition. This could help streamline your access control.
That makes sense! It could be that the condition is conflicting when applied broadly. Breaking it up like you suggested could clarify permissions and help avoid the error you're seeing.
That's interesting! But keep in mind, not all SSM actions support conditions based on tags. Make sure that `ssm:StartSession` is one of those that do. You might want to double-check the AWS Authorization Reference for that.
Yes, I checked it and the `StartSession` action does allow for conditions. I think the problem might be elsewhere, maybe due to policies that could be denying access like Service Control Policies (SCPs).
I thought the same thing at first, but according to the documentation, `ssm:resourceTag` is also supposed to work for Systems Manager. It’s just tricky with how those tags and access rights are set up. Have you verified that the tags you want are actually applied to your managed instance?
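The split that the second answer proposes, worked through as an added example (this is not code from the thread or from AWS): the original single statement sits beside the split policy, and a small evaluator applies IAM's per-resource StringLike rule to both. It assumes a port-forwarding StartSession call is authorised against both the AWS-StartPortForwardingSession document and the managed instance, that the document carries no `department` tag, and uses constructed ARNs and account id.

```python
import fnmatch

# Two resources a port-forwarding StartSession call is authorised against:
# the session document (carries no tags) and the hybrid managed instance
# (tagged department=WebServers). ARNs and account id are constructed samples.
DOCUMENT_ARN = "arn:aws:ssm:us-east-1::document/AWS-StartPortForwardingSession"
INSTANCE_ARN = "arn:aws:ssm:us-east-1:111122223333:managed-instance/mi-0123456789abcdef0"
REQUEST = {DOCUMENT_ARN: {}, INSTANCE_ARN: {"department": "WebServers"}}

TAG_CONDITION = {"StringLike": {"ssm:resourceTag/department": "WebServers"}}

# The thread's single statement: tag condition applied to every resource.
ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:StartSession", "Resource": "*",
     "Condition": TAG_CONDITION}]}

# The split suggested in the thread: documents unconditionally, instances by tag.
SPLIT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession"},
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": "arn:aws:ssm:*:*:managed-instance/*", "Condition": TAG_CONDITION}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_allows(stmt, action, arn, tags):
    """Does one Allow statement grant `action` on `arn`? As in IAM, the action
    and resource must match (* and ? wildcards) and every condition must hold;
    a plain StringLike on a tag the resource does not carry evaluates false.
    Only StringLike is modelled here, which is all this policy uses."""
    if stmt["Effect"] != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(arn, r) for r in _as_list(stmt["Resource"])):
        return False
    for key, want in stmt.get("Condition", {}).get("StringLike", {}).items():
        tag = key.split("/", 1)[1]  # "ssm:resourceTag/department" -> "department"
        if tag not in tags or not fnmatch.fnmatchcase(tags[tag], want):
            return False
    return True

def denied_resources(policy, request=REQUEST, action="ssm:StartSession"):
    """Resources in the request that no statement allows; any entry here means
    the whole StartSession call is rejected with AccessDeniedException."""
    return [arn for arn, tags in request.items()
            if not any(statement_allows(s, action, arn, tags) for s in policy["Statement"])]
```

Before changing policy, confirm the tag really is on the hybrid instance with `aws ssm list-tags-for-resource --resource-type ManagedInstance --resource-id <mi-id>`; a missing or misspelled tag fails the condition exactly as the untagged document does.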