ssm:SendCommand from lambda IAM permissions needed
For the life of me I cannot figure out what permissions combinations sendCommand needs to be able to send a Run Command targetting Resource Groups.
I am trying to least-privilege only allowing a certain document but to all ec2 instance in a resouceGroup.
ssmSenderlambdaRole.addToPolicy(new PolicyStatement({
effect: Effect.ALLOW,
actions: ['ssm:SendCommand'],
resources: [
linuxDocumentArn,
windowsDocumentArn,
`arn:aws:ec2:${Aws.REGION}:${Aws.ACCOUNT_ID}:instance/*`
],
}));
ssmSenderlambdaRole.addToPolicy(new PolicyStatement({
effect: Effect.ALLOW,
actions: ['resource-groups:*'],
resources: ['*'],
}));
accessDeniedConsole:
Solution
Some days you just wanna yell at AWS
In order to target resource groups you also need to have ["tag:GetResources"]
ssmSenderlambdaRole.addToPolicy(new PolicyStatement({
effect: Effect.ALLOW,
actions: ["resource-groups:ListResourceTypes",
"resource-groups:SearchResources",
"resource-groups:GetGroup",
"resource-groups:GetTags",
"resource-groups:ListGroupResources",
"resource-groups:ListGroups"],
resources: [rgWindowsArn, rgLinuxArn],
}));
ssmSenderlambdaRole.addToPolicy(new PolicyStatement({
effect: Effect.ALLOW,
actions: ["tag:GetResources"],
resources: ["*"]
}));
- Automatically "stop" Sagemaker notebook instance after inactivity?
- AWS Lambda Open Telemetry, Missing Parent Span
- Access the Alexa Shopping and To-Do Lists with Python3 request module
- Load and execute a javascript file from S3 in a Lambda
- Middy is not getting a secret from Secret Manager in a NodeJS AWS Lambda
- ssm:SendCommand from lambda IAM permissions needed
- How does my NodeJS lambda function find a dependency added to a Lambda layer?
- Trying to integrate MQTT into Alexa AWS Lambda function
- How do I add python libraries to an AWS lambda function for Alexa?
- How to pass sensitive information securely in AWS Step Functions
- How can I use local nodejs modules in Lambda?
- Micronaut GraalVM Sendgrid AWS lambda application keeps getting a 400 returned from Sendgrid when trying to send email
- How to query cloudwatch logs of AWS Batch using boto3
- CDK API Gateway Lambda still getting timed out after increasing timeout duration
- Understanding SQS message receive amount
- Provide AWS Lex response in Hyperlink format
- FastAPI app works locally, but /blogs endpoint causes redirect loop on AWS Lambda deployment
- Cargo lambda build does not find OpenSSL development headers
- aws cdk failing to synth multiple Error Could not resolve package
- Unable to import module 'src.main': No module named 'dependencies' when uploading FastAPI zipped project to AWS Lambda
- I am unable to verify the signature returned from the Go AWS KMS SDK
- Exporting data from dynamo db to a csv file
- Mock ioRedis for connection failure
- Unable to import module 'main': No module named 'pydantic_core._pydantic_core when deploying a FastAPI app to AWS Lambda
- Running micronaut serverless locally
- Aws lambda running out of memory
- How to authenticate in MySQL RDS using IAM DB Authentication and Python
- Lambda calling Lambda - how to access the payload in the second?
- AWS Lambda using Winston logging loses Request ID
- Use Lambda to send alert to SNS Topic - but only send email once per unique body