Restricted SSH for instances using session manager & IAM

Restricting instance SSH sessions through IAM & SSM Documents

Today I Explained

AWS Systems Manager Session Manager allows connecting to EC2 instances running in the AWS cloud. Provided the instances have been configured with Systems Manager, it provides a lightweight way of enabling keyless SSH-style shell access to servers.

Session documents can further improve security posture: a session document can restrict which OS user a session runs as on the instance, so the permissions a session gets match its intended purpose. To connect as that user, the caller only needs to name the document when starting a session:

aws ssm start-session \
    --document-name SSHAsReadOnly \
    --target i-52...
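The SSHAsReadOnly document itself is not shown on this page. As an added example (not the original post's document), this is what a Session document that forces sessions onto a non-privileged OS user looks like, using the Session Manager document schema's runAsEnabled and runAsDefaultUser inputs. The OS user name readonly is an assumption; it must already exist on every instance the document is used against, otherwise the session fails to start.

```json
{
  "schemaVersion": "1.0",
  "description": "Added example: SSHAsReadOnly - start sessions as the 'readonly' OS user (assumed user name)",
  "sessionType": "Standard_Stream",
  "inputs": {
    "runAsEnabled": true,
    "runAsDefaultUser": "readonly",
    "idleSessionTimeout": "20",
    "shellProfile": {
      "linux": "umask 077; cd ~"
    }
  }
}
```

Register it with `aws ssm create-document --name SSHAsReadOnly --document-type Session --content file://SSHAsReadOnly.json`. Two things worth checking when relying on this: with runAsEnabled, Session Manager prefers the OS user named in the IAM principal's SSMSessionRunAs tag over runAsDefaultUser, so whoever can tag IAM users or roles can change the effective user; and the document only governs the OS user, not who may start a session, which is where the IAM policies below come in.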

This approach relies on users choosing the appropriate document when they connect, so on its own it does not enforce least privilege: by default, anyone who can start a session connects as ssm-user, which is granted administrative permissions over the instance.

This can be addressed through IAM policies, since Session Manager integrates tightly with IAM. For example, an IAM policy can limit which instances a principal may start sessions on by tag:

{
    "Effect": "Allow",
    "Action": ["ssm:StartSession"],
    "Resource": ["arn:aws:ec2:ca-central-1:012345678901:instance/*"],
    "Condition": {
        "StringLike": {
            "ssm:resourceTag/MySample": [
                "Restricted"
            ]
        }
    }
}

Alternatively, the ability to use the default Session Manager document, SSM-SessionManagerRunShell, can be revoked. This is done with the ssm:SessionDocumentAccessCheck condition key: when it is set to true, a principal must be explicitly allowed ssm:StartSession on the session document's ARN, instead of the default document being implicitly allowed. The condition is attached to the statement that allows ssm:StartSession:

{
    "Condition": {
        "BoolIfExists": {
            "ssm:SessionDocumentAccessCheck": "true"
        }
    }
}
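Putting the two controls together, here is a complete IAM policy as an added example (not from the original post) that only lets a principal start sessions on instances tagged MySample=Restricted, and only with the SSHAsReadOnly document. The account id, region, and the SSHAsReadOnly document name are carried over from the snippets above; the policy statement layout follows the documented pattern of one statement for the instance resource and one for the document resource.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnlyOnRestrictedInstances",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:ca-central-1:012345678901:instance/*",
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/MySample": "Restricted"
        }
      }
    },
    {
      "Sid": "OnlyTheReadOnlySessionDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:ca-central-1:012345678901:document/SSHAsReadOnly",
      "Condition": {
        "BoolIfExists": {
          "ssm:SessionDocumentAccessCheck": "true"
        }
      }
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession",
        "ssm:ResumeSession"
      ],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    }
  ]
}
```

With this attached, `aws ssm start-session --target i-...` without `--document-name` is denied, because the default SSM-SessionManagerRunShell document is no longer implicitly allowed and the policy grants no access to its ARN; only `--document-name SSHAsReadOnly` on a tagged instance succeeds, and the session then runs as the OS user that document specifies. An untagged instance is denied by the first statement regardless of document. The third statement is scoped to the caller's own sessions (session ids are prefixed with the IAM user name), so a user cannot terminate or resume someone else's session.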