Cross-account SSM session: AccessDeniedException

Server Fault user
Asked 2023-03-29 15:24:30
1 answer, 103 views, 0 followers, 0 votes

I have two AWS accounts and one role in each account: Account-A has RoleA and Account-B has RoleB.

RoleA will assume RoleB in order to connect to EC2 instances in Account-B via ssm start-session.

Using RoleA, I can assume RoleB and use aws to describe the instances in Account-B, but I cannot start an ssm session because of the following error:

An error occurred (AccessDeniedException) when calling the TerminateSession operation: User: arn:aws:sts::222222222222:assumed-role/RoleB/RoleB-SSM-test is not authorized to perform: ssm:TerminateSession on resource: arn:aws:ssm:us-east-1:222222222222:assumed-role/RoleB/RoleB-SSM-test-000000000000 because no identity-based policy allows the ssm:TerminateSession action

RoleA policy:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "sts:AssumeRole"
               ],
               "Resource": [
                   "arn:aws:iam::222222222222:role/RoleB"
               ]
           }
       ]
   }

RoleB policy:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "",
               "Effect": "Allow",
               "Action": [
                   "ssm:DescribeSessions",
                   "ssm:GetConnectionStatus",
                   "ssm:DescribeInstanceProperties",
                   "ec2:DescribeInstances",
                   "ssm:StartSession"
               ],
               "Resource": [
                   "arn:aws:ec2:us-east-1:222222222222:instance/i-123456abc789102de",
                   "arn:aws:ssm:us-east-1:222222222222:document/SSM-SessionManagerRunShell",
                   "arn:aws:ssm:us-east-1:222222222222:document/AWS-StartSSHSession"
               ]
           },
           {
               "Sid":"",
               "Effect":"Allow",
               "Action": [
                   "ssm:TerminateSession"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "ssm:resourceTag/aws:ssmmessages:session-id": [
                           "AROAXXXXXXXXXXXXX"
                       ]
                   }
               }
           }
       ]
   }

Initially, ssm:TerminateSession in the RoleB policy had no condition and was grouped together with the other actions; I made this change to try to resolve the error, but without success, same error message.

What am I doing wrong?

1 answer

Server Fault user

Accepted answer

Posted 2023-03-30 12:42:04

Your RoleB policy is missing some permissions. According to the documentation, you need kms:GenerateDataKey to encrypt the session data, and you also need access to the document that SSM redirects to. Here is the sample policy from the documentation:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:region:account-id:instance/instance-id",
                "arn:aws:ssm:region:account-id:document/SSM-SessionManagerRunShell" 
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true" 
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeSessions",
                "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceProperties",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:TerminateSession",
                "ssm:ResumeSession"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:session/${aws:username}-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey" 
            ],
            "Resource": "key-name"
        }
    ]
}

Reference: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-quickstart.html#restrict-access-quickstart-end-user

1 vote
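The statements that matter in this thread are the ones that grant ssm:TerminateSession, and the denied resource in the posted error is a session ARN (`...:session/<session-id>`), not an instance or document ARN. The following toy evaluator is an added example, not code from the question, the accepted answer, or AWS; it models a small slice of IAM evaluation (Allow/Deny, Action and Resource wildcards, `${aws:username}` substitution, StringLike and BoolIfExists conditions) and runs the asker's two variants and the documentation statement against constructed session ARNs. One caveat it makes visible for the cross-account setup here: `${aws:username}` is populated only for IAM users, not for assumed-role sessions, so the documentation statement as written does not match a RoleB session. The pinned-prefix variant at the end (keyed on the role session name, which the posted error shows as the start of the session ID), the IAM users alice and bob, the session IDs, and the "missing variable means no match" simplification are assumptions of this example.

```python
"""Toy IAM policy evaluator for the ssm:TerminateSession case in this thread.
Added example, not code from the question, the answer or AWS. It models only the IAM
semantics the thread needs: Allow/Deny, Action/Resource wildcards, ${aws:username}
substitution, StringLike and BoolIfExists. All ARNs, IDs and users are constructed."""
import re

VAR_RE = re.compile(r"\$\{([A-Za-z:]+)\}")

# The session behind the asker's denied call: the session ID is the AssumeRole session
# name ("RoleB-SSM-test") plus a suffix, as the posted error message shows.
ROLE_SESSION_ARN = "arn:aws:ssm:us-east-1:222222222222:session/RoleB-SSM-test-000000000000"
ALICE_SESSION_ARN = "arn:aws:ssm:us-east-1:222222222222:session/alice-0123456789abcdef0"
BOB_SESSION_ARN = "arn:aws:ssm:us-east-1:222222222222:session/bob-0123456789abcdef0"


def iam_match(pattern, value):
    """IAM glob: '*' matches any run of characters (including ':' and '/'), '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def expand(resource, ctx):
    """Substitute ${...} policy variables; a variable missing from the request context
    makes the Resource unmatchable (simplified here as None)."""
    if any(ctx.get(name) is None for name in VAR_RE.findall(resource)):
        return None
    return VAR_RE.sub(lambda m: ctx[m.group(1)], resource)


def as_list(x):
    return x if isinstance(x, list) else [x]


def conditions_hold(cond, ctx):
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringLike":  # key absent from the request -> condition is false
                if actual is None or not any(iam_match(p, actual) for p in as_list(expected)):
                    return False
            elif op == "BoolIfExists":  # key absent -> condition passes
                if actual is not None and str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise NotImplementedError(op)
    return True


def statement_applies(stmt, action, resource, ctx):
    if not any(iam_match(a.lower(), action.lower()) for a in as_list(stmt["Action"])):
        return False
    expanded = [expand(r, ctx) for r in as_list(stmt["Resource"])]
    if not any(r is not None and iam_match(r, resource) for r in expanded):
        return False
    return conditions_hold(stmt.get("Condition", {}), ctx)


def is_allowed(policy, action, resource, ctx):
    """Identity-policy evaluation: an explicit Deny wins, otherwise some Allow must apply."""
    allowed = False
    for stmt in policy["Statement"]:
        if statement_applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Asker's posted statement: "*" resource, but gated on a tag key that is not present in a
# TerminateSession request context, so the condition can never hold.
ASKER_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["ssm:TerminateSession"], "Resource": "*",
    "Condition": {"StringLike": {"ssm:resourceTag/aws:ssmmessages:session-id": ["AROAXXXXXXXXXXXXX"]}}}]}
# Asker's first attempt: TerminateSession beside StartSession, so granted only on the
# instance/document ARNs, which a session ARN never matches.
FIRST_ATTEMPT_POLICY = {"Statement": [{"Effect": "Allow",
    "Action": ["ssm:StartSession", "ssm:TerminateSession"],
    "Resource": ["arn:aws:ec2:us-east-1:222222222222:instance/i-123456abc789102de",
                 "arn:aws:ssm:us-east-1:222222222222:document/SSM-SessionManagerRunShell"]}]}
# The documentation statement from the accepted answer: limited to the caller's own sessions.
DOCS_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
    "Resource": ["arn:aws:ssm:*:*:session/${aws:username}-*"]}]}
# Assumed variant for the cross-account case: aws:username is populated only for IAM users,
# not for role sessions, so pin the prefix to the role session name instead.
ROLE_SESSION_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
    "Resource": ["arn:aws:ssm:*:*:session/RoleB-SSM-test-*"]}]}

ACTION = "ssm:TerminateSession"
ROLE_CTX = {}                          # assumed role: no aws:username in the request context
ALICE_CTX = {"aws:username": "alice"}  # IAM user


def evaluate():
    """Which policy / principal combination may terminate which session (True = allowed)."""
    return {
        "asker_policy_role": is_allowed(ASKER_POLICY, ACTION, ROLE_SESSION_ARN, ROLE_CTX),
        "first_attempt_role": is_allowed(FIRST_ATTEMPT_POLICY, ACTION, ROLE_SESSION_ARN, ROLE_CTX),
        "docs_policy_role": is_allowed(DOCS_POLICY, ACTION, ROLE_SESSION_ARN, ROLE_CTX),
        "docs_policy_alice_own": is_allowed(DOCS_POLICY, ACTION, ALICE_SESSION_ARN, ALICE_CTX),
        "docs_policy_alice_on_bob": is_allowed(DOCS_POLICY, ACTION, BOB_SESSION_ARN, ALICE_CTX),
        "pinned_policy_role": is_allowed(ROLE_SESSION_POLICY, ACTION, ROLE_SESSION_ARN, ROLE_CTX),
    }
```

Calling `evaluate()` denies both of the asker's variants for the RoleB session (the first because the session ARN is not an instance or document ARN, the second because the tag condition key is never present), allows alice to terminate only her own session under the documentation statement, denies the documentation statement for the assumed role because `${aws:username}` is unset, and allows the pinned-prefix variant. Treat the evaluator as an aid for reasoning about which ARN shape a statement actually covers, not as a substitute for the IAM policy simulator.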
Original content provided by Server Fault (the translation on this page was supplied by Tencent Cloud's IT-domain engine).
Original link: https://serverfault.com/questions/1127435