I tried to provide a policy following the samples here:
But, I keep getting a warning and it does not work.
These are all I tried so far:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowStartSessionExceptProd", "Effect": "Allow", "Action": [ "ssm:StartSession" ], "Resource": "*", "Condition": { "StringNotLike": { "ssm:resourceTag/environment": [ "prod", "Prod" ] } } } ]
}Or
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowStartSessionExceptProd", "Effect": "Allow", "Action": [ "ssm:StartSession" ], "Resource": "*", "Condition": { "StringEquals": { "arn:aws:ec2:*:*:instance": [ "i-myInstanceId1", "i-myInstanceId2" ] } } } ]
}Or even I tried to use more resource-based conditions.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowStartSessionExceptProd", "Effect": "Allow", "Action": [ "ssm:StartSession" ], "Resource": "*", "Condition": { "StringNotLike": { "ssm:resourceTag/environment": [ "prod", "Prod" ], "arn:aws:ec2:*:*:resourceTag/environment": [ "prod", "Prod" ], "ec2:resourceTag/environment": [ "prod", "Prod" ] } } } ]
}In general, all I want to do is allow access to start session in SSM on servers which are not prod servers.
My EC2 prod servers all have a tag environment:prod
I get an error message on each condition which doesn't work:There are no actions in your policy that support this condition key.
Example:ec2:resourceTag /environment (StringNotLike prod and Prod)
There are no actions in your policy that support this condition key.
I appreciate any help.
41 Answer
From the comments and some investigation, here's the answer:
From the docs, it is pretty easy to notice which actions support what conditions.
Unfortunately the examples provided for Restricting Access are wrong, i.e. there's an error in the documentation that contains the sample code.
A PR might be a good idea so others don't hang on the same thing.
2