I have an AWS Role with ReadOnlyAccess (AWS Managed Policy).
I need to make this role capable of executing some actions, for example start/stop an Amazon EC2 instance and connect via SSM in the eu-west-1 and eu-central-1 regions, but even with full permissions for EC2 and SSM it does not allow the listed actions to be performed:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "ssm:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": [
            "eu-west-1",
            "eu-central-1"
          ]
        }
      }
    }
  ]
}
When starting instances, the instance tries to start (I can see it in the CloudTrail logs), but then it stops within 2 seconds.
For the SSM connect I received the error:
An error occurred while calling the StartConnection API operation. AccessDeniedException: User: arn:aws:sts::acc_id:assumed-role/sre/user is not authorized to perform: ssm-guiconnect:StartConnection on resource: arn:aws:ec2:eu-central-1:acc_id:instance/*
However, if I add full permissions to this role it works, and users with this role can perform the needed actions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": [
            "eu-west-1",
            "eu-central-1",
            "us-east-1"
          ]
        }
      }
    }
  ]
}
Is there a bug in AWS, or could there be a pitfall on my infrastructure side?
AWS policies do not recognize regions in "Condition".

EC2 instances: I found that encryption is used for EC2 on this account, so full rights for KMS (kms:*) solved the problem with the instance start.

SSM (Fleet Manager): I used policysim.aws.amazon.com/home/index.jsp#role/sre to debug the policy and found out that for the SSM connection the "ssm-guiconnect:StartConnection" and "ssm:StartSession" permissions are needed.
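As an added example (not part of the question or the answer above), the following offline checker models the slice of IAM evaluation that matters in this thread, Allow statements with action wildcards and a StringEquals condition on aws:RequestedRegion, and lists which of the required actions a policy leaves uncovered; the constructed FIXED_POLICY replaces the wildcards with the specific actions the thread arrived at, and its KMS action list is an assumption (the narrower set the EBS encryption documentation names for working with encrypted volumes, used in place of kms:*).

```python
import fnmatch

# Constructed policies. QUESTION_POLICY is the thread's first policy made valid;
# FIXED_POLICY grants only the actions the thread identified. The KMS actions are
# an assumption (EBS-encryption subset) standing in for the kms:* the answer used.
REGION_COND = {"StringEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "ssm:*"], "Resource": "*", "Condition": REGION_COND}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Condition": REGION_COND, "Action": [
        "ec2:StartInstances", "ec2:StopInstances",
        "ssm:StartSession", "ssm-guiconnect:StartConnection",
        "kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
        "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncrypt*"]}]}

# Actions the session needs per the thread (ReadOnlyAccess already covers Describe*).
REQUIRED = ["ec2:StartInstances", "ec2:StopInstances", "ssm:StartSession",
            "ssm-guiconnect:StartConnection", "kms:CreateGrant", "kms:Decrypt",
            "kms:DescribeKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom"]


def statement_allows(stmt, action, region):
    """Allow-statement check: action wildcard match (case-insensitive, as in IAM)
    plus a StringEquals condition on aws:RequestedRegion. Deliberately ignores
    Deny, Resource and other condition keys, so True is necessary, not sufficient;
    the IAM policy simulator gives the authoritative answer."""
    if stmt.get("Effect") != "Allow":
        return False
    patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
        return False
    regions = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:RequestedRegion")
    if regions is None:  # no region condition: statement applies in every region
        return True
    return region in ([regions] if isinstance(regions, str) else regions)


def missing_actions(policy, required, region):
    """Required actions that no Allow statement in the policy covers for the region."""
    return [a for a in required
            if not any(statement_allows(s, a, region) for s in policy["Statement"])]


if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "missing in eu-central-1:", missing_actions(policy, REQUIRED, "eu-central-1"))
```

The run shows why ec2:* plus ssm:* was not enough: ssm-guiconnect is a separate service prefix that ssm:* never matches, and the KMS actions are outside both; the region condition also makes the fixed policy useless in us-east-1, which is the intended effect.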