aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

SSM run as #371

Open anhkhoa45 opened 3 years ago

anhkhoa45 commented 3 years ago

We have a document described as below (let's call it DevSSMRunShell)

{
  "schemaVersion": "1.0",
  "description": "Session Document for developer",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "dev-ssm-session-logs",
    "s3KeyPrefix": "",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "",
    "cloudWatchEncryptionEnabled": true,
    "idleSessionTimeout": "20",
    "cloudWatchStreamingEnabled": true,
    "kmsKeyId": "",
    "runAsEnabled": true,
    "runAsDefaultUser": "dev-user",
    "shellProfile": {
      "windows": "",
      "linux": "exec bash -l"
    }
  }
}

The dev IAM users only have a policy to start sessions on DevSSMRunShell:

{
    "Sid": "CustomSSMActions2",
    "Effect": "Allow",
    "Action": [
        "ssm:StartSession"
    ],
    "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ssm:<region>:<acc_id>:document/DevSSMRunShell",
        "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
    ],
    "Condition": {
        "BoolIfExists": {
            "ssm:SessionDocumentAccessCheck": "true"
        }
    }
}

Does this guarantee that the dev IAM users only have permission to start a session as the OS's dev-user?

I don't want to strictly use the SSMSessionRunAs tag on the IAM role, since in the future I may want to start sessions as a different OS user as well.

yuting-fan commented 3 years ago

Hi anhkhoa45@, what you mentioned is partially correct! The IAM role defines that all dev users are only able to call StartSession against AWS-StartSSHSession and DevSSMRunShell documents. Then in DevSSMRunShell document, the runAsDefaultUser configuration means the session will start with this system user by default. However, if the dev has the password to switch to another system user, he/she can still do so. This leaves the access control to how you manage the system users. If devs are not supposed to use any other system user, then your assumption is correct.
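A simplified offline model of the evaluation this thread describes, added here as an example (it is neither code from the issue nor from the agent, and it is not IAM's real evaluator): one Allow statement with wildcard Resource matching, the ssm:SessionDocumentAccessCheck condition deciding whether the session document ARN is checked at all, and the Run As precedence (SSMSessionRunAs principal tag, then runAsDefaultUser, otherwise ssm-user). The region, account id and instance id are placeholders; what the user can do once inside the shell is left to the host, exactly as the answer says.

```python
import fnmatch

# Constructed copies of the Allow statement and the runAs inputs of the session
# documents from the issue, with placeholder region/account for ARN matching.
REGION, ACCOUNT = "us-east-1", "111122223333"
STATEMENT = {
    "Effect": "Allow",
    "Action": ["ssm:StartSession"],
    "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/DevSSMRunShell",
        "arn:aws:ssm:*:*:document/AWS-StartSSHSession",
    ],
    "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}},
}
DOCUMENTS = {  # runAs settings taken from each session document's "inputs"
    "DevSSMRunShell": {"runAsEnabled": True, "runAsDefaultUser": "dev-user"},
    "SSM-SessionManagerRunShell": {"runAsEnabled": False, "runAsDefaultUser": ""},
}


def matches_resource(arn, stmt=STATEMENT):
    """IAM-style wildcard match of one ARN against the statement's Resource list."""
    return any(fnmatch.fnmatchcase(arn, pattern) for pattern in stmt["Resource"])


def start_session_allowed(instance_arn, document_name=None, region=REGION, stmt=STATEMENT):
    """Model one StartSession call against a single Allow statement (no Deny, no SCP).
    Without the SessionDocumentAccessCheck condition only the instance ARN matters;
    with it, the session document ARN must also be allowed, and omitting the
    document means the default SSM-SessionManagerRunShell, which is not listed."""
    if stmt["Effect"] != "Allow" or "ssm:StartSession" not in stmt["Action"]:
        return False
    if not matches_resource(instance_arn, stmt):
        return False
    cond = stmt.get("Condition", {}).get("BoolIfExists", {})
    if cond.get("ssm:SessionDocumentAccessCheck") != "true":
        return True  # no document check: any document, including the default, passes
    document_name = document_name or "SSM-SessionManagerRunShell"
    owner = "" if document_name.startswith("AWS-") else ACCOUNT  # AWS docs have no account
    return matches_resource(f"arn:aws:ssm:{region}:{owner}:document/{document_name}", stmt)


def effective_os_user(document_name, principal_tags=None):
    """OS account the shell starts as: SSMSessionRunAs tag when Run As is enabled,
    then runAsDefaultUser, otherwise ssm-user. Later su/sudo is a host matter."""
    doc = DOCUMENTS[document_name]
    if not doc["runAsEnabled"]:
        return "ssm-user"
    return (principal_tags or {}).get("SSMSessionRunAs") or doc["runAsDefaultUser"]
```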