Start a session with a document by specifying the session documents in IAM policies - AWS Systems Manager

Start a session with a document by specifying the session documents in IAM policies

If you run the start-session AWS CLI command with the default session document, you can omit the document name. The system automatically calls the SSM-SessionManagerRunShell session document.

In all other cases, you must specify a value for the document-name parameter. When a user specifies the name of a session document in a command, the system checks their IAM policy to verify that they have permission to access the document. If they don't have permission, the connection request fails. The following example includes the document-name parameter with the AWS-StartPortForwardingSession session document.

aws ssm start-session \
    --target i-02573cafcfEXAMPLE \
    --document-name AWS-StartPortForwardingSession \
    --parameters '{"portNumber":["80"], "localPortNumber":["56789"]}'

Enforce a session document permission check when starting a session

To restrict access to the AWS-StartPortForwardingSession session document, you can add a condition element to the user's IAM policy that validates whether the user has explicit access to a session document. When this condition is applied, the user must specify a value for the document-name option of the start-session command. The following condition element, when added to the ssm:StartSession action in the IAM policy, performs a session document access check.

"Condition": {
    "BoolIfExists": {
        "ssm:SessionDocumentAccessCheck": "true"
    }
}

With this condition element set to true, explicit access to a session document must be granted in the IAM policy for the user to start a session. To ensure the condition element is enforced, it must be included in all policy statements which allow the ssm:StartSession action. Here is an example.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnableSSMSession",
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:us-west-2:123456789012:instance/i-02573cafcfEXAMPLE",
                "arn:aws:ssm:us-west-2::document/AWS-StartPortForwardingSession"
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true"
                }
            }
        }
    ]
}

With this IAM policy in place, if the SessionDocumentAccessCheck condition element is set to true, users must enter the document-name parameter in their command when starting a session using the AWS CLI. The value of document-name must be the document specified in the Resource section of the IAM policy. If the user enters a different document name or they don't specify the document-name parameter, the request fails.

If the SessionDocumentAccessCheck condition element is set to false, it doesn't affect the evaluation of the IAM policy.
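The rules above (document-name required when the check is true, the named document must appear in Resource, the check set to false changes nothing) are easy to get wrong when reviewing a policy. The following script is an added example, not AWS code and not AWS's policy evaluator: it is a deliberately simplified model that applies exactly those rules to the example policy shown on this page, so you can see which start-session requests a statement admits before you attach it to a user. It assumes a single Allow statement per policy and does not model explicit Deny statements or ARN wildcards beyond "*".

```python
import copy

# Constructed sample: the example policy from this page, as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnableSSMSession",
            "Effect": "Allow",
            "Action": ["ssm:StartSession"],
            "Resource": [
                "arn:aws:ec2:us-west-2:123456789012:instance/i-02573cafcfEXAMPLE",
                "arn:aws:ssm:us-west-2::document/AWS-StartPortForwardingSession",
            ],
            "Condition": {
                "BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}
            },
        }
    ],
}

INSTANCE_ARN = "arn:aws:ec2:us-west-2:123456789012:instance/i-02573cafcfEXAMPLE"
DEFAULT_DOCUMENT = "SSM-SessionManagerRunShell"  # used when document-name is omitted


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _document_arn(region, name):
    # AWS-owned session documents have an empty account field, as in the page's ARN.
    return f"arn:aws:ssm:{region}::document/{name}"


def _matches(resource, arn):
    return resource == "*" or resource == arn


def evaluate_start_session(policy, instance_arn, document_name=None, region="us-west-2"):
    """Simplified model (assumption: NOT the real IAM evaluator) of ssm:StartSession.

    Returns (allowed, reason). Rules taken from this page:
      * some Allow statement must cover ssm:StartSession on the target instance;
      * if the caller names a document, that document's ARN must be in Resource;
      * if the statement sets ssm:SessionDocumentAccessCheck to "true", the caller
        must name a document, so relying on the default document is denied;
      * with the key absent or "false", omitting document-name uses the default.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "ssm:StartSession" not in _as_list(stmt.get("Action", [])):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(_matches(r, instance_arn) for r in resources):
            continue
        flag = (stmt.get("Condition", {})
                    .get("BoolIfExists", {})
                    .get("ssm:SessionDocumentAccessCheck"))
        enforce = str(flag).lower() == "true"
        if document_name is None:
            if enforce:
                continue  # document-name is mandatory under the access check
            return True, f"allowed; default document {DEFAULT_DOCUMENT} is used"
        doc_arn = _document_arn(region, document_name)
        if not any(_matches(r, doc_arn) for r in resources):
            continue  # named document is not granted by this statement
        return True, f"allowed; {document_name} is listed in Resource"
    return False, "denied: no Allow statement matches the request"


def with_access_check(policy, value):
    """Return a copy of the policy with the check flag set to "true" or "false"."""
    clone = copy.deepcopy(policy)
    for stmt in clone["Statement"]:
        cond = stmt.setdefault("Condition", {}).setdefault("BoolIfExists", {})
        cond["ssm:SessionDocumentAccessCheck"] = value
    return clone


if __name__ == "__main__":
    # AWS-StartSSHSession is a real AWS document name that the example policy does not grant.
    cases = [
        ("named document in Resource", POLICY, "AWS-StartPortForwardingSession"),
        ("document-name omitted, check true", POLICY, None),
        ("document not in Resource", POLICY, "AWS-StartSSHSession"),
        ("document-name omitted, check false", with_access_check(POLICY, "false"), None),
    ]
    for label, policy, doc in cases:
        allowed, reason = evaluate_start_session(policy, INSTANCE_ARN, doc)
        print(f"{label:38s} -> {'ALLOW' if allowed else 'DENY '}  ({reason})")
```

Run it as a script to print the four cases; the second case is the one that surprises people, because an otherwise valid policy denies the plain "aws ssm start-session --target ..." command as soon as the check is set to true.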

For an example of specifying a Session Manager session document in an IAM policy, see Quickstart end user policies for Session Manager.

Other scenarios

To start a session using SSH, configuration steps must be completed on both the target managed node and the user's local machine. For information, see (Optional) Allow and control permissions for SSH connections through Session Manager.