AWS Systems Manager
User Guide

Enforce Document Permission Check for Default CLI Scenario

When you configure Session Manager for your account, the system creates an SSM document named SSM-SessionManagerRunShell. This SSM document stores your requirements for whether session data is saved in an Amazon S3 bucket or Amazon CloudWatch Logs log group, whether session data is encrypted using AWS Key Management Service, and whether Run As support is enabled for your sessions. For example:

{ "schemaVersion": "1.0", "description": "Document to hold regional settings for Session Manager", "sessionType": "Standard_Stream", "inputs": { "s3BucketName": "MyBucketName", "s3KeyPrefix": "MyBucketPrefix", "s3EncryptionEnabled": true, "cloudWatchLogGroupName": "MyLogGroupName", "cloudWatchEncryptionEnabled": true, "kmsKeyId": "MyKMSKeyID", "runAsEnabled": true, "runAsDefaultUser": "MyDefaultRunAsUser" } }

By default, if a user in your account has been granted permission in their IAM user policy to start sessions, that user has access to this SSM document. This means that when they use the AWS CLI to run the start-session command, and they do not specify a configuration document, the system uses SSM-SessionManagerRunShell and launches the full interactive shell. The session starts even if the user’s IAM policy doesn’t grant explicit permission to access the SSM-SessionManagerRunShell document.

For example, the following command doesn’t specify a Session Manager configuration document.

aws ssm start-session --target i-02573cafcfEXAMPLE

The following example does specify the default Session Manager configuration document.

aws ssm start-session --document-name SSM-SessionManagerRunShell --target i-02573cafcfEXAMPLE

For cases where the user doesn’t specify a document name in the start-session CLI command, you can ensure that the user has been granted explicit access to this default configuration document. You do this by adding the following condition element to the IAM policy that controls the user’s access to sessions:

"Condition": { "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" } }

With this condition element set to true in the user’s associated IAM policy, explicit access to SSM-SessionManagerRunShell must be granted in the IAM policy. For example:

{ "Effect": "Allow", "Action": [ "ssm:StartSession" ], "Resource": "arn:aws:ssm:region:account-id:document/SSM-SessionManagerRunShell" }

This condition element applies only to the default SSM-SessionManagerRunShell configuration document, and only when a user doesn’t specify a configuration document name in an CLI start-session command. In other words, it ensures that the user has been granted access to SSM-SessionManagerRunShell when they run the following command:

aws ssm start-session --target i-02573cafcfEXAMPLE

For an example of specifying a Session Manager configuration document in a user’s IAM policy, see Quickstart End User Policy for Session Manager.

Other Scenarios

Using the default SSM-SessionManagerRunShell configuration document is the only case when a document name can be omitted from the start-session CLI command. In other cases, the document name must be specified, and the system checks whether the user has been granted explicit access to the configuration document they specify.

For example, if a user specifies the name of a custom configuration document you have created, the user’s IAM policy must grant them permission to access that document.

If a user runs a command to start a session using SSH, the user’s policy must grant them access to the AWS-StartSSHSession configuration document.

Note

In order to start a session using SSH, configuration steps must be completed on both the target instance and the user's local machine. For information, see (Optional) Enable SSH Connections Through Session Manager.