AWS IAM Permissions Guardrails

AWS IAM Permissions Guardrails https://aws-samples.github.io/aws-iam-permissions-guardrails/


Amazon Systems Manager (SSM)

IAM-SSM-1

  Guardrail: Check that use of ssm:SendCommand is scoped, either through resource-level permissions or through a condition such as ssm:ResourceTag; no use of Resource "*" except for break-glass/admin roles.

  Rationale: ssm:SendCommand (Run Command) allows command execution on any machine managed by SSM (SSM Agent installed and an instance profile configured with the required permissions). If a wildcard resource is specified, the policy grants unrestricted command execution on every SSM-managed EC2 instance in the account. Some use cases legitimately require this access (break-glass/admin accounts, incident response, etc.), but the majority of roles should be scoped to only the EC2 instances their function requires.

  Remediation: Use resource-level permissions by specifying the ARNs of the required instances in the policy statement (arn:{Partition}:ec2:{Region}:{Account}:instance/{InstanceId}), or use a tag condition (ec2:ResourceTag) to scope the command to instances carrying the appropriate tag.

  References:
    https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
    https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html#awssystemsmanager-managed-instance
    https://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html

  IAM Actions: ssm:SendCommand

IAM-SSM-2

  Guardrail: ssm:StartSession allowed on Resource "*" without a condition statement such as ssm:ResourceTag.

  Rationale: The StartSession permission allows a principal to start a Session Manager (SSH-style) session on the target instance. Unrestricted access can lead to logging into resources that may or may not be owned by the intended principal. Session Manager should allow login only to properly tagged resources: instances spun up, deliberately or accidentally, without the appropriate tags should then not be reachable through Systems Manager.

  Remediation: Add a tag condition such as ssm:ResourceTag, or remove the ssm:StartSession action from the IAM policy.

  References:
    https://docs.aws.amazon.com/systems-manager/latest/userguide/auth-and-access-control-permissions-reference.html

  IAM Actions: ssm:StartSession
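The following is an added example, not code from the aws-iam-permissions-guardrails project: a small audit of an IAM policy document against IAM-SSM-1 and IAM-SSM-2. It flags Allow statements that grant ssm:SendCommand or ssm:StartSession (directly, via ssm:*, or via NotAction) on a wildcard resource with no ssm:resourceTag / ec2:ResourceTag condition; the two policies it runs against are constructed samples, and the account id, tag key and Sids are placeholders.

```python
import fnmatch
import json

# Guarded actions and the guardrail each belongs to.
GUARDED_ACTIONS = {"ssm:SendCommand": "IAM-SSM-1", "ssm:StartSession": "IAM-SSM-2"}
# Condition keys that scope a statement to tagged targets (IAM compares keys case-insensitively).
TAG_CONDITION_PREFIXES = ("ssm:resourcetag/", "ec2:resourcetag/")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _granted_guarded_actions(stmt):
    """Guarded actions the statement grants, expanding wildcards such as ssm:* and NotAction."""
    patterns = [p.lower() for p in _as_list(stmt.get("NotAction", stmt.get("Action", [])))]
    matched = [a for a in GUARDED_ACTIONS if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
    if "NotAction" in stmt:  # NotAction grants every action *not* listed
        return [a for a in GUARDED_ACTIONS if a not in matched]
    return matched

def _is_unscoped(stmt):
    """True when the statement reaches every managed instance rather than a named set."""
    if "NotResource" in stmt:
        return True
    return any(r == "*" or r.lower().endswith(":instance/*") for r in _as_list(stmt.get("Resource", [])))

def _has_tag_condition(stmt):
    keys = (k.lower() for block in stmt.get("Condition", {}).values() for k in block)
    return any(k.startswith(TAG_CONDITION_PREFIXES) for k in keys)

def find_violations(policy_document):
    """Return [(guardrail_id, action, sid)] for Allow statements that fail IAM-SSM-1 or IAM-SSM-2."""
    findings = []
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_unscoped(stmt) or _has_tag_condition(stmt):
            continue
        for action in _granted_guarded_actions(stmt):
            findings.append((GUARDED_ACTIONS[action], action, stmt.get("Sid", "<no Sid>")))
    return findings

# Constructed sample policies: the first fails both guardrails, the second passes.
WEAK_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Sid": "SsmAnywhere", "Effect": "Allow", "Action": "ssm:*", "Resource": "*"}]}''')
HARDENED_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Sid": "RunShellDocument", "Effect": "Allow", "Action": "ssm:SendCommand",
   "Resource": "arn:aws:ssm:*:*:document/AWS-RunShellScript"},
  {"Sid": "TaggedInstancesOnly", "Effect": "Allow",
   "Action": ["ssm:SendCommand", "ssm:StartSession"],
   "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
   "Condition": {"StringEquals": {"ssm:resourceTag/Team": "payments"}}}]}''')
```

Calling find_violations(WEAK_POLICY) returns one finding per guardrail, while the hardened policy returns none because its instance statement carries a tag condition and its document statement names no instance resource.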