Amazon-ssm-agent: Session Manager - Feature Request - Allow read only user

Created on 9 Dec 2018  路  12Comments  路  Source: aws/amazon-ssm-agent

Anyone who has access to session manager on a specific instance currently has sudo access (as the ssm user on the ec2 instance is part of the sudoers group). We have a use case where we would like to give users access to session manager to ssh onto an instance, but they shouldn't have sudo access (i.e, read only access).
It would be great if session manager provides an option to support for read-only user access and sudo access based on IAM roles/policies.

Most helpful comment

Hi,
Thank you for the reply. However, my use case is different. The link you have provided either removes or grants sudo access to the ssm-user.
My use case is I will have teams of users:
Application-Support-Team: Users belonging to this team cannot have sudo access to the server
Infrastructure-Support-Team: This team can have sudo access to the same server
Users will assume IAM roles and start a session via Session Manager.
Hope I've clarified above.
Thanks

All 12 comments

Thank you for the feedback!

You should be able to configure the user on specific instances to remove sudo/admin access following instructions in this doc - https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-ssm-user-permissions.html. To do this across multiple instances, you can use RunCommand.

Thanks!

Hi,
Thank you for the reply. However, my use case is different. The link you have provided either removes or grants sudo access to the ssm-user.
My use case is I will have teams of users:
Application-Support-Team: Users belonging to this team cannot have sudo access to the server
Infrastructure-Support-Team: This team can have sudo access to the same server
Users will assume IAM roles and start a session via Session Manager.
Hope I've clarified above.
Thanks

I have a similar use case and it would be nice to hear some updates/news on this matter!
Thank you

@akr257 Not saying this shouldn't be a feature, but you should consider different support instances that each have different IAM permissions associated with them to restrict access. Even if a read-only user can sudo on the read-only instance, there's very little they could do outside of the instance.

@phene Hi, I'm not sure if I understand you correctly. Can you explain further on what you mean by different IAM permissions?

Perhaps I should explain what I meant in my request : I have two teams of users with two different IAM roles attached.

These IAM roles currently provide users access to session manager. Any user assuming the role is now able to access an instance with sudo access. These instances are part of an Auto Scaling group.

My request is that only users belonging to one IAM role can have sudo access on the instance. Users belonging to the other IAM role can only have read only access.

Oh, I see what you mean -- My team doesn't give any non-admins users access to anything but a single administrative instance that provides scripts to probe services in the VPC and we control access from that host.

Seems to be we are facing the same issue, Here is the scenario.
We are having cloud engineer and developer IAM roles where it is configured through okta I like to get session manager to all the users belongs to both of roles but only cloud engineer should have allowed to root level ( sudo access ) where developer role should have not allowed to root level.

Will this can be achieved by updating policies attached to those IAM roles?

Please let me know if need more information

Hi thanks for the feature request, we will bring this to the session manager team.

@hiimtu why is this issue closed? it seem it is still a unresolved suggestion

Why this request is closed ? Do we have a solution for this use case? Please reopen this case as solution is not provided.

@jkpdinesh I believe it is because of the introduction of Run As feature that allow you to define the system user to be use. Now you can enable Run As and then create Read Only user and make that IAM user to login as that user

https://aws.amazon.com/about-aws/whats-new/2019/07/session-manager-launches-run-as-to-start-interactive-sessions-with-your-own-operating-system-user-account/

@jk2l, is it possible with ssm-user for two IAM role one for Sudo and non sudo.
and requested you all if there any other finding.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

thedevopsmachine picture thedevopsmachine  路  4Comments

timoteialbu picture timoteialbu  路  5Comments

JeremiahO1 picture JeremiahO1  路  4Comments

shockie picture shockie  路  3Comments

guizmaii picture guizmaii  路  3Comments