Can someone please help me to create a IAM policy for below scenario if its possible to restrict access to SSM parameter store path from EC2 instance.
- EC2 instance created and attached IAM role
- Created 2 Assumed roles -
read & writeandread-only. Whoever has access to these roles, they can access to EC2 instance through "SSM session manager" using their SSO. e.g. session id/username looks likem*@xyz.comif I look at session manager history. That means first login to console using their assumed roles and connecting to ec2 instance through ssm.
Now I want store some parameters info by creating them in the parameter store and they should be accessible during maintenance activities on EC2 instance through attached IAM role.
Now I want to create an IAM policy and attached that EC2 IAM role to not access by anyone of read&write and read-only role members whose usernames starts with m*@xyz.com.
I tried creating a policy but it didn't work because by default it will be taking EC2 IAM user (EC2 IAM role) as assumed role even though session id shows individual.
I checked these details using below command to see what IAM user it is using to make API calls.
aws sts get-caller-identity
{
"UserId": "ARNVDDGUSKDGKDGDKDGD:<ec2 instance id>",
"Account": "aws account",
"Arn": "arn:aws:sts::<aws account>:assumed-role/<ec2 instance iam role>/<ec2_instance_id>"
}
The output looks good and it is expecting in my case.
But How should I restrict access to SSM parameter store for the read&write and read-only users as mentioned above if they login to ec2 instance through ssm?
I've used below condition keys but no luck.
aws:username
arn:aws:sts::awsaccount:federated-user/m*@xyx.com
I am not sure If we can restrict because once user authorized to access EC2 then EC2 IAM permissions are applying as I understood.
Appreciate your help. Thanks.