Menu
AWS Systems Manager
User Guide

Restricting Run Command Access Based on Instance Tags

Before you can manage instances by using Run Command, you must configure an AWS Identity and Access Management (IAM) user policy for any user who will execute commands, and an IAM instance profile role for any instance that will process commands, as described in Configuring Access to Systems Manager. You can further restrict command execution to specific instances by creating an IAM user policy that includes a condition that the user can only execute commands on instances that are tagged with specific Amazon EC2 tags. In the following example, the user is allowed to use Run Command (Effect: Allow, Action: ssm:SendCommand) by using any SSM document (Resource: arn:aws:ssm:*:*:document/*) on any instance (Resource: arn:aws:ec2:*:*:instance/*) with the condition that the instance is a Finance WebServer (ssm:resourceTag/Finance: WebServer). If the user sends a command to an instance that is not tagged or that has any tag other than Finance: WebServer, the execution results show AccessDenied.

Copy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ssm:SendCommand" ], "Resource":[ "arn:aws:ssm:*:*:document/*" ] }, { "Effect":"Allow", "Action":[ "ssm:SendCommand" ], "Resource":[ "arn:aws:ec2:*:*:instance/*" ], "Condition":{ "StringLike":{ "ssm:resourceTag/Finance":[ "WebServers" ] } } } ] }

You can create IAM policies that enable a user to execute commands on instances that are tagged with multiple tags. The following policy enables the user to execute commands on instances that have two tags. If a user sends a command to an instance that is not tagged with both of these tags, the execution results show AccessDenied.

Copy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ssm:SendCommand" ], "Resource":"*", "Condition":{ "StringLike":{ "ssm:resourceTag/tag_key1":[ "tag_value1" ], "ssm:resourceTag/tag_key2":[ "tag_value2" ] } } }, { "Effect":"Allow", "Action":[ "ssm:SendCommand" ], "Resource":[ "arn:aws:ssm:us-west-1::document/AWS-*", "arn:aws:ssm:us-east-1::document/AWS-*" ] }, { "Effect":"Allow", "Action":[ "ssm:UpdateInstanceInformation", "ssm:ListCommands", "ssm:ListCommandInvocations", "ssm:GetDocument" ], "Resource":"*" } ] }

You can also create IAM policies that enable a user to execute commands on multiple groups of tagged instances. The following policy enables the user to execute commands on either group of tagged instances, or both groups.

Copy
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ssm:SendCommand" ], "Resource":"*", "Condition":{ "StringLike":{ "ssm:resourceTag/tag_key1":[ "tag_value1" ] } } }, { "Effect":"Allow", "Action":[ "ssm:SendCommand" ], "Resource":"*", "Condition":{ "StringLike":{ "ssm:resourceTag/tag_key2":[ "tag_value2" ] } } }, { "Effect":"Allow", "Action":[ "ssm:SendCommand" ], "Resource":[ "arn:aws:ssm:us-west-1::document/AWS-*", "arn:aws:ssm:us-east-1::document/AWS-*" ] }, { "Effect":"Allow", "Action":[ "ssm:UpdateInstanceInformation", "ssm:ListCommands", "ssm:ListCommandInvocations", "ssm:GetDocument" ], "Resource":"*" } ] }

For more information about creating IAM user policies, see Managed Policies and Inline Policies in the IAM User Guide. For more information about tagging instances, see Tagging Your Amazon EC2 Resources in the Amazon EC2 User Guide for Linux Instances (content applies to Windows and Linux instances).