
https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html#awssystemsmanager-policy-keys

I can't find an answer that clears this up for me.

I'm looking at this example: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-examples.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringLike": {
                    "ssm:resourceTag/Finance": [
                        "WebServers"
                    ]
                }
            }
        }
    ]
}

What is the difference between aws:TagKeys, ssm:resourceTag/tag-key and aws:ResourceTag/${TagKey}?

What is ssm:resourceTag? Is it different from aws:ResourceTag/${TagKey}? Is it a special tag applied by Systems Manager? I don't use Systems Manager to apply tags to EC2 instances, I just tag them manually. How do I restrict Session Manager access to my EC2 instances via tags I have manually applied to them?

  • https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html#awssystemsmanager-ssm_resourceTag_tag-key – Tim Aug 18 '20 at 23:12
  • Yeah, that's the same document. `Filters access based on a tag key-value pair assigned to the AWS resource` vs `Filters access based on a tag key-value pair assigned to the Systems Manager resource`: what does that mean? Is EC2 an AWS resource or a Systems Manager resource? Which one do I use if I'm manually assigning tags to instances? – red888 Aug 18 '20 at 23:21
  • What are you trying to achieve? – Tim Aug 19 '20 at 00:37
  • I want to restrict SSM access by EC2 tag. – red888 Aug 19 '20 at 15:26
  • Great. Now we've discovered what you're trying to do someone can help. I use SSM but haven't tried to do this, I will try to have a look at the AWS documentation and tutorials when I have some time later out of interest. – Tim Aug 19 '20 at 18:00

1 Answer


As the document says, it's the EC2 instance tag, and I have tried this; it works. BTW, maybe you should enable the SSM agent to dig instance information into SSM, where you should be able to see instance info such as the instance tag within AWS Systems Manager -> Fleet Manager -> Instance ID: XXX.

As I was working to filter user access by instance tags, after enabling inventory in SSM, it works.

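To make concrete what the answer states (the ssm:resourceTag/tag-key condition key reads the EC2 instance's own tags), here is an added example, not from the question, the answer or AWS, that models how the quoted statement is evaluated against an instance's tag map; the helper names, the sample ARN and the sample tag maps are assumed/constructed.

```python
import re

# The statement from the question, copied as-is.
STATEMENT = {
    "Effect": "Allow",
    "Action": ["ssm:StartSession"],
    "Resource": ["arn:aws:ec2:*:*:instance/*"],
    "Condition": {"StringLike": {"ssm:resourceTag/Finance": ["WebServers"]}},
}

TAG_PREFIX = "ssm:resourceTag/"


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive match where '*' is any run and '?' one char."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def statement_allows(statement: dict, action: str, resource_arn: str,
                     instance_tags: dict) -> bool:
    """Local model (assumed helper, not the IAM engine) of one Allow statement.

    instance_tags is the EC2 instance's tag map; each ssm:resourceTag/<key>
    condition key is resolved from it. A missing key means the condition key
    is absent from the request context, which never matches StringLike, so
    an untagged instance is not allowed by this statement.
    """
    if statement.get("Effect") != "Allow":
        return False
    if not any(string_like(a, action) for a in statement["Action"]):
        return False
    if not any(string_like(r, resource_arn) for r in statement["Resource"]):
        return False
    conds = statement.get("Condition", {}).get("StringLike", {})
    for cond_key, patterns in conds.items():  # every condition key must match (AND)
        if not cond_key.startswith(TAG_PREFIX):
            raise ValueError(f"example only models {TAG_PREFIX}<key>, got {cond_key}")
        value = instance_tags.get(cond_key[len(TAG_PREFIX):])
        if value is None or not any(string_like(p, value) for p in patterns):  # values: OR
            return False
    return True


if __name__ == "__main__":
    # Constructed sample instance ARN and tag maps; only the first map carries the matching tag.
    arn = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    for tags in ({"Finance": "WebServers"}, {"Finance": "webservers"}, {"Name": "web-1"}):
        print(tags, "->", statement_allows(STATEMENT, "ssm:StartSession", arn, tags))
```

This is a local model for reasoning about the policy; the authoritative check is the IAM policy simulator against your real principal and instance.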