Step 5: (Optional) Restrict access to commands in a session
You can restrict the commands that a user can run in an AWS Systems Manager Session Manager session
by using a custom Session
type AWS Systems Manager (SSM) document. In the
document, you define the command that is run when the user starts a session and the
parameters that the user can provide to the command. The Session
document schemaVersion
must be 1.0, and the sessionType
of
the document must be InteractiveCommands
. You can then create AWS Identity and Access Management
(IAM) policies that allow users to access only the Session
documents
that you define. For more information about using IAM policies to restrict access
to commands in a session, see IAM policy examples for
interactive commands.
Documents with the sessionType
of InteractiveCommands
are only supported for sessions started from the AWS Command Line Interface (AWS CLI). The user
provides the custom document name as the --document-name
parameter
value and provides any command parameter values using the --parameters
option. For more information about running interactive commands, see Starting a session
(interactive and noninteractive commands).
Use following procedure to create a custom Session
type SSM
document that defines the command a user is allowed to run.
Restrict access to commands in a session (console)
To restrict the commands a user can run in a Session Manager session (console)
Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/
. -
In the navigation pane, choose Documents.
-
Choose Create command or session.
-
For Name, enter a descriptive name for the document.
-
For Document type, choose Session document.
-
Enter your document content that defines the command a user can run in a Session Manager session using JSON or YAML, as shown in the following example.
-
Choose Create document.
Restrict access to commands in a session (command line)
Before you begin
If you haven't already, install and configure the AWS Command Line Interface (AWS CLI) or the AWS Tools for PowerShell. For information, see Installing or updating the latest version of the AWS CLI and Installing the AWS Tools for PowerShell.
To restrict the commands a user can run in a Session Manager session (command line)
-
Create a JSON or YAML file for your document content that defines the command a user can run in a Session Manager session, as shown in the following example.
-
Run the following commands to create an SSM document using your content that defines the command a user can run in a Session Manager session.
Interactive command parameters and the AWS CLI
There are a variety of ways you can provide interactive command parameters when using the AWS CLI. Depending on the operating system (OS) of your client machine that you use to connect to managed nodes with the AWS CLI, the syntax you provide for commands that contain special or escape characters might differ. The following examples show some of the different ways you can provide command parameters when using the AWS CLI, and how to handle special or escape characters.
Parameters stored in Parameter Store can be referenced in the AWS CLI for your command parameters as shown in the following example.
The following example shows how you can use a shorthand syntax with the AWS CLI to pass parameters.
You can also provide parameters in JSON as shown in the following example.
Parameters can also be stored in a JSON file and provided to the AWS CLI as shown in the following example. For more information about using AWS CLI parameters from a file, see Loading AWS CLI parameters from a file in the AWS Command Line Interface User Guide.
{ "command": [ "
my command
" ] }
You can also generate an AWS CLI skeleton from a JSON input file as shown in the following example. For more information about generating AWS CLI skeletons from JSON input files, see Generating AWS CLI skeleton and input parameters from a JSON or YAML input file in the AWS Command Line Interface User Guide.
{ "Target": "
instance-id
", "DocumentName": "MyInteractiveCommandDocument
", "Parameters": { "command": [ "my command
" ] } }
To escape characters inside quotation marks, you must add additional backslashes to the escape characters as shown in the following example.
For information about using quotation marks with command parameters in the AWS CLI, see Using quotation marks with strings in the AWS CLI in the AWS Command Line Interface User Guide.
IAM policy examples for interactive commands
You can create IAM policies that allow users to access only the
Session
documents you define. This restricts the commands a
user can run in a Session Manager session to only the commands defined in your custom
Session
type SSM documents.
- Allow a user to run an interactive command on a single managed node
-
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":"ssm:StartSession", "Resource":[ "arn:aws:ec2:
region
:987654321098
:instance/i-02573cafcfEXAMPLE
", "arn:aws:ssm:region
:987654321098
:document/exampleAllowedSessionDocument
" ] } ] } - Allow a user to run an interactive command on all managed nodes
-
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":"ssm:StartSession", "Resource":[ "arn:aws:ec2:
us-west-2
:987654321098
:instance/*", "arn:aws:ssm:us-west-2
:987654321098
:document/exampleAllowedSessionDocument
" ] } ] } - Allow a user to run multiple interactive commands on all managed nodes
-
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":"ssm:StartSession", "Resource":[ "arn:aws:ec2:
us-west-2
:987654321098
:instance/*", "arn:aws:ssm:us-west-2
:987654321098
:document/exampleAllowedSessionDocument
", "arn:aws:ssm:us-west-2
:987654321098
:document/exampleAllowedSessionDocument2
" ] } ] }