ssm:SendCommand from lambda IAM permissions needed
For the life of me I cannot figure out what permissions combinations sendCommand needs to be able to send a Run Command targetting Resource Groups.
I am trying to least-privilege only allowing a certain document but to all ec2 instance in a resouceGroup.
ssmSenderlambdaRole.addToPolicy(new PolicyStatement({
effect: Effect.ALLOW,
actions: ['ssm:SendCommand'],
resources: [
linuxDocumentArn,
windowsDocumentArn,
`arn:aws:ec2:${Aws.REGION}:${Aws.ACCOUNT_ID}:instance/*`
],
}));
ssmSenderlambdaRole.addToPolicy(new PolicyStatement({
effect: Effect.ALLOW,
actions: ['resource-groups:*'],
resources: ['*'],
}));
accessDeniedConsole:
Solution
Some days you just wanna yell at AWS
In order to target resource groups you also need to have ["tag:GetResources"]
ssmSenderlambdaRole.addToPolicy(new PolicyStatement({
effect: Effect.ALLOW,
actions: ["resource-groups:ListResourceTypes",
"resource-groups:SearchResources",
"resource-groups:GetGroup",
"resource-groups:GetTags",
"resource-groups:ListGroupResources",
"resource-groups:ListGroups"],
resources: [rgWindowsArn, rgLinuxArn],
}));
ssmSenderlambdaRole.addToPolicy(new PolicyStatement({
effect: Effect.ALLOW,
actions: ["tag:GetResources"],
resources: ["*"]
}));
- Is there a way to monitor/alert on any changes to the private IP address of an ALB in AWS?
- Springboot lambda on localstack with terraform, docker: Error loading class StreamLambdaHandler: Metaspace","errorType":"java.lang.OutOfMemoryError
- Get all work items from a project azure devops REST API
- Error Connecting to MSK Cluster with Kafka-Python Using SASL_SSL
- How to reference the name of the table used by GraphQL models in Amplify when calling a DynamoDB in Lambda function?
- How to create a deployable Python Lamba zip using Poetry
- Formatting DynamoDB data to normal JSON in AWS Lambda
- Accessing DynamoDb from lambda code throws SdkClientException: Unable to load credentials from system settings
- AppSyncJS selectionSetList is undefined in info object
- AWS Lambda Logs using AWSCLI: How can I access Lambda logs using AWSCLI?
- Debugging lambda locally using cdk not sam
- AWS Lambda with Go: "Runtime.InvalidEntrypoint" Error for POST Request to API Gateway Endpoint
- Decrypt text with AWS KMS in NodeJs
- How to increase the maximum size of the AWS lambda deployment package (RequestEntityTooLargeException)?
- "AssertDescription: CDK bootstrap stack version 6 required"
- How to restrict KMS decryption to only a lambda function and not others?
- Restrict public access to S3 bucket, but allow access for Lambdas
- How to best use Python 3's mimetypes module in AWS Lambda?
- transactional lambda in aws dynamodb to generate a counter of new records from one table to another table?
- How to configure FastAPI to publish logs to CloudWatch?
- How to upload a zip to S3 with CDK
- How to make inference to a keras model hosted on AWS SageMaker via AWS Lambda function?
- How to deploy a Pre-Trained model using AWS SageMaker Notebook Instance?
- Failed to satisfy constraint: Member must satisfy regular expression pattern
- Send Post request to an external API using AWS Lambda in python
- Is it possible to deploy API Gateway and Lambda in two regions with Serverless?
- image failed to show when Upload from Lambda
- How message from AWS DLQ gets deleted?
- Aws Lambda to List All Available Language Runtimes
- AWS Lambda python: .so module: ModuleNotFoundError: No module named 'regex._regex' when in subshell