AWS IAM Permissions For SSM

Minimal IAM Permissions for AWS SSM

USE CASE: Applying the principle of least privilege when assigning permissions to SSM through an EC2 instance profile.

When using AWS Systems Manager (SSM), grant only the minimal permissions the service needs to function. Attaching overly broad or full-access policies to an instance profile creates unnecessary risk, and standard use cases do not require it. Below is a minimal IAM policy that lets SSM work while restricting the instance to the actions required for basic functionality.

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenDataChannel",
                "ssmmessages:CreateControlChannel",
                "ssmmessages:OpenControlChannel",
                "ssm:UpdateInstanceInformation",
                "ec2:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Explanation

  • ssmmessages:CreateDataChannel & ssmmessages:OpenDataChannel: These actions allow the SSM agent on the instance to create and open the data channel used for communication between the instance and SSM.

  • ssmmessages:CreateControlChannel & ssmmessages:OpenControlChannel: These actions permit SSM to manage the control channel for sending commands and receiving responses.

  • ssm:UpdateInstanceInformation: This action lets the agent report the instance's status so that SSM keeps up-to-date information about the managed instance.

  • ec2:Describe*: The Describe permissions are required to retrieve information about the instance’s environment, such as instance metadata and status, which helps SSM manage the instance correctly.
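A quick way to verify that a candidate instance-profile policy does not grant more than the minimal set above is to compare its Allow actions against that baseline. The following checker is an added example, not part of the original page: it treats the page's policy as the baseline, accepts concrete actions covered by the baseline's ec2:Describe* wildcard, and flags any broader wildcard such as ssm:* or "*".

```python
import fnmatch

# Constructed copy of the minimal SSM instance-profile policy shown on this page.
MINIMAL_SSM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["ssmmessages:CreateDataChannel", "ssmmessages:OpenDataChannel",
                   "ssmmessages:CreateControlChannel", "ssmmessages:OpenControlChannel",
                   "ssm:UpdateInstanceInformation", "ec2:Describe*"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}

# Baseline action patterns, lower-cased because IAM matches action names
# case-insensitively.
ALLOWED_PATTERNS = {a.lower() for a in MINIMAL_SSM_POLICY["Statement"][0]["Action"]}

def granted_actions(policy):
    """Collect every action pattern granted by an Allow statement."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])     # "Action" may be a string or a list
        actions.update([acts] if isinstance(acts, str) else acts)
    return {a.lower() for a in actions}

def excess_actions(policy, allowed=ALLOWED_PATTERNS):
    """Return granted patterns that exceed the baseline.

    A pattern is acceptable if it appears in the baseline verbatim, or if it is
    a concrete action matched by a baseline wildcard (ec2:DescribeInstances is
    covered by ec2:Describe*). Any other wildcard (ssm:*, "*") is excess.
    """
    excess = set()
    for action in granted_actions(policy):
        if action in allowed:
            continue
        if "*" in action or not any(fnmatch.fnmatchcase(action, p) for p in allowed):
            excess.add(action)
    return excess
```

Run excess_actions() on a policy document fetched with the AWS CLI or boto3; an empty set means the policy stays within the page's minimal grant.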

Key Takeaway

This policy provides the permissions SSM needs to work properly without granting full access to SSM, EC2, or other resources. By applying the principle of least privilege, the instance can communicate with SSM efficiently and securely without carrying excessive permissions.