Step 5: (Optional) Restrict access to commands in a session
You can restrict the commands that a user can run in an Amazon Systems Manager Session Manager session
by using a custom Session
type Amazon Systems Manager (SSM) document. In the
document, you define the command that is run when the user starts a session and the
parameters that the user can provide to the command. The Session
document schemaVersion
must be 1.0, and the sessionType
of
the document must be InteractiveCommands
. You can then create Amazon Identity and Access Management
(IAM) policies that allow users to access only the Session
documents
that you define. For more information about using IAM policies to restrict access
to commands in a session, see IAM policy examples for
interactive commands.
Documents with the sessionType
of InteractiveCommands
are only supported for sessions started from the Amazon Command Line Interface (Amazon CLI). The user
provides the custom document name as the --document-name
parameter
value and provides any command parameter values using the --parameters
option. For more information about running interactive commands, see Starting a session
(interactive and noninteractive commands).
Use following procedure to create a custom Session
type SSM
document that defines the command a user is allowed to run.
Restrict access to commands in a session (console)
To restrict the commands a user can run in a Session Manager session (console)
Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/
. -
In the navigation pane, choose Documents.
-
Choose Create command or session.
-
For Name, enter a descriptive name for the document.
-
For Document type, choose Session document.
-
Enter your document content that defines the command a user can run in a Session Manager session using JSON or YAML, as shown in the following example.
-
Choose Create document.
Restrict access to commands in a session (command line)
Before you begin
If you haven't already, install and configure the Amazon Command Line Interface (Amazon CLI) or the Amazon Tools for PowerShell. For information, see Installing or updating the latest version of the Amazon CLI and Installing the Amazon Tools for PowerShell.
To restrict the commands a user can run in a Session Manager session (command line)
-
Create a JSON or YAML file for your document content that defines the command a user can run in a Session Manager session, as shown in the following example.
-
Run the following commands to create an SSM document using your content that defines the command a user can run in a Session Manager session.
Interactive command parameters and the Amazon CLI
There are a variety of ways you can provide interactive command parameters when using the Amazon CLI. Depending on the operating system (OS) of your client machine that you use to connect to managed nodes with the Amazon CLI, the syntax you provide for commands that contain special or escape characters might differ. The following examples show some of the different ways you can provide command parameters when using the Amazon CLI, and how to handle special or escape characters.
Parameters stored in Parameter Store can be referenced in the Amazon CLI for your command parameters as shown in the following example.
The following example shows how you can use a shorthand syntax with the Amazon CLI to pass parameters.
You can also provide parameters in JSON as shown in the following example.
Parameters can also be stored in a JSON file and provided to the Amazon CLI as shown in the following example. For more information about using Amazon CLI parameters from a file, see Loading Amazon CLI parameters from a file in the Amazon Command Line Interface User Guide.
{ "command": [ "
my command
" ] }
You can also generate an Amazon CLI skeleton from a JSON input file as shown in the following example. For more information about generating Amazon CLI skeletons from JSON input files, see Generating Amazon CLI skeleton and input parameters from a JSON or YAML input file in the Amazon Command Line Interface User Guide.
{ "Target": "
instance-id
", "DocumentName": "MyInteractiveCommandDocument
", "Parameters": { "command": [ "my command
" ] } }
To escape characters inside quotation marks, you must add additional backslashes to the escape characters as shown in the following example.
For information about using quotation marks with command parameters in the Amazon CLI, see Using quotation marks with strings in the Amazon CLI in the Amazon Command Line Interface User Guide.
IAM policy examples for interactive commands
You can create IAM policies that allow users to access only the
Session
documents you define. This restricts the commands a
user can run in a Session Manager session to only the commands defined in your custom
Session
type SSM documents.
- Allow a user to run an interactive command on a single managed node
-
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":"ssm:StartSession", "Resource":[ "arn:aws-cn:ec2:
region
:987654321098
:instance/i-02573cafcfEXAMPLE
", "arn:aws-cn:ssm:region
:987654321098
:document/exampleAllowedSessionDocument
" ] } ] } - Allow a user to run an interactive command on all managed nodes
-
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":"ssm:StartSession", "Resource":[ "arn:aws-cn:ec2:
us-west-2
:987654321098
:instance/*", "arn:aws-cn:ssm:us-west-2
:987654321098
:document/exampleAllowedSessionDocument
" ] } ] } - Allow a user to run multiple interactive commands on all managed nodes
-
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":"ssm:StartSession", "Resource":[ "arn:aws-cn:ec2:
us-west-2
:987654321098
:instance/*", "arn:aws-cn:ssm:us-west-2
:987654321098
:document/exampleAllowedSessionDocument
", "arn:aws-cn:ssm:us-west-2
:987654321098
:document/exampleAllowedSessionDocument2
" ] } ] }