IAM Policy for AWS Systems Manager "Run Command" Feature | DevOps Engineer Exam

Limiting "Run Command" Access in AWS Systems Manager for IAM Users


Question

In your team, AWS Systems Manager is used to maintain EC2 instances.

For example, you can run a command that executes a shell script on every instance carrying the tag “QA”.

However, for security reasons you want to limit the use of the “Run Command” feature for some IAM users.

For these specific users you need an IAM policy that only allows them to run commands on instances whose “department” tag is “dev1” or “dev2”.

Which IAM policy can help you to achieve this requirement?

Explanations

Correct Answer - C.

When Run Command needs to be restricted, the best practice is to attach a suitable IAM policy to the affected IAM users or groups rather than trying to restrict it on the instance side.

The AWS documentation on using IAM policies to control “Run Command” is here:

https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-rc-setting-up-cmdsec.html
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-ssm-docs-tagging.html

Note that a user needs the IAM permission "ssm:SendCommand" to use Run Command at all; the console feature is called “Run Command”, but the API action behind it is SendCommand, and there is no action named "ssm:RunCommand".

Reference: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-rc-setting-up.html.

Option A is incorrect: the action must be limited to ssm:SendCommand. "Action": ["*"] grants every API action on every resource the tag condition happens to match, which is far more than Run Command.

Option B is incorrect: the condition must match the tag values (StringLike, or StringEquals since no wildcards are used) rather than exclude them with StringNotEquals, which inverts the rule.

Option C is CORRECT: this policy allows ssm:SendCommand only where the “department” tag is “dev1” or “dev2”.

Option D is incorrect: first, the action must be ssm:SendCommand; second, the condition key that selects resources by tag is ssm:resourceTag/department, not ssm:department.

Option C is therefore the policy that limits the “Run Command” feature for these IAM users to instances whose “department” tag is “dev1” or “dev2”.

Option A:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["*"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/department": ["dev1"],
          "ssm:resourceTag/department": ["dev2"]
        }
      }
    }
  ]
}
```

This policy allows any action on any resource as long as the resource carries a matching “department” tag. It does not limit the “Run Command” feature, because ssm:SendCommand is only one of the actions it grants; the same statement would allow, for example, ec2:TerminateInstances on the same instances. Note also that the condition repeats the same JSON key twice. A JSON object cannot carry duplicate keys, so depending on the parser the second entry silently overrides the first, and the condition no longer expresses “dev1 or dev2” at all; alternatives are expressed as one key with a list of values, as in option C.

Option B:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ssm:SendCommand"],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "ssm:resourceTag/department": ["dev1", "dev2"]
        }
      }
    }
  ]
}
```

This policy allows ssm:SendCommand only on instances that do not have a “department” tag of “dev1” or “dev2”, which is the opposite of the requirement. It is also a broad grant in practice: a negated condition such as StringNotEquals evaluates to true when the condition key is absent from the request, so instances with no “department” tag at all are allowed too, not just those tagged with some other department.

Option C:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ssm:SendCommand"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/department": ["dev1", "dev2"]
        }
      }
    }
  ]
}
```

This policy allows ssm:SendCommand only on instances whose “department” tag is “dev1” or “dev2”, which is exactly the requirement. Two practical notes: StringEquals would behave the same here because neither value contains a wildcard, and a SendCommand call is authorized against the SSM document as well as the target instances, so a tighter production version of this policy typically scopes the tag-conditioned statement to "arn:aws:ec2:*:*:instance/*" and grants the permitted documents in a separate statement, as the tag-based examples in the linked Run Command guide do.

Option D:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ssm:RunCommand"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:department": ["dev1"],
          "ssm:department": ["dev2"]
        }
      }
    }
  ]
}
```

This policy is wrong in three ways. "ssm:RunCommand" is not an SSM API action, so the statement never matches the SendCommand request that Run Command actually makes and grants nothing. The condition key for selecting a resource by tag is "ssm:resourceTag/department", not "ssm:department". And, as in option A, the condition repeats one JSON key twice instead of listing both values under a single key. It does not meet the requirement of limiting the “Run Command” feature for these IAM users to instances whose “department” tag is “dev1” or “dev2”.
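To make the differences between the four options concrete, here is an added example that is not part of the original question and is not AWS's own tooling: a small Python model of the IAM evaluation rules the options depend on, run against a constructed fleet of four instances. It is a deliberate simplification that models only Effect/Action/Resource wildcard matching, the StringLike and StringNotEquals operators, the IAM rule that a negated operator matches when the condition key is absent, and the ssm:resourceTag/<key> request context for an instance; action names are matched case-sensitively and the document resource is not modelled. The instance ids, tags, account id and region are made up. For a real check, use IAM Access Analyzer or `aws iam simulate-custom-policy`.

```python
import fnmatch
import json

# Constructed sample fleet (instance id -> tags); not from the original page.
INSTANCES = {
    "i-dev1-web": {"department": "dev1"},
    "i-dev2-db": {"department": "dev2"},
    "i-prod-api": {"department": "prod"},
    "i-untagged": {},
}

# The four candidate policies from the question, verbatim. A and D keep their
# duplicate "department" keys; json.loads keeps only the LAST duplicate, which
# is one reason those conditions do not mean "dev1 or dev2".
POLICY_A = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["*"],"Resource":"*","Condition":{"StringLike":{"ssm:resourceTag/department":["dev1"],"ssm:resourceTag/department":["dev2"]}}}]}'
POLICY_B = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["ssm:SendCommand"],"Resource":"*","Condition":{"StringNotEquals":{"ssm:resourceTag/department":["dev1","dev2"]}}}]}'
POLICY_C = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["ssm:SendCommand"],"Resource":"*","Condition":{"StringLike":{"ssm:resourceTag/department":["dev1","dev2"]}}}]}'
POLICY_D = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["ssm:RunCommand"],"Resource":"*","Condition":{"StringLike":{"ssm:department":["dev1"],"ssm:department":["dev2"]}}}]}'


def _match_any(patterns, value):
    """IAM-style wildcard match ('*' and '?' only), case-sensitive here."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def condition_holds(condition, context):
    """Evaluate a policy Condition block against a request-context dict.

    Modelled IAM semantics: every operator block and every key inside it must
    hold. For a positive operator (StringEquals/StringLike) a key missing from
    the request is a non-match; for a negated operator (StringNotEquals/
    StringNotLike) a missing key counts as a match, which is why option B also
    allows untagged instances.
    """
    for operator, clauses in condition.items():
        negated = operator.startswith("StringNot")
        like = operator.endswith("Like")
        for key, patterns in clauses.items():
            if isinstance(patterns, str):
                patterns = [patterns]
            if key not in context:
                if not negated:
                    return False
                continue
            value = context[key]
            matched = _match_any(patterns, value) if like else value in patterns
            if matched == negated:  # positive op needs a match; negated op needs none
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Default deny; an explicit Deny beats any Allow, as in IAM."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        if not _match_any(actions, action) or not _match_any(resources, resource):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def instances_allowed(policy_json, action="ssm:SendCommand"):
    """Return the sorted list of instance ids on which `action` is permitted."""
    policy = json.loads(policy_json)
    result = []
    for instance_id, tags in INSTANCES.items():
        # Hypothetical account id and region, used only to build a realistic ARN.
        resource = f"arn:aws:ec2:us-east-1:123456789012:instance/{instance_id}"
        context = {f"ssm:resourceTag/{k}": v for k, v in tags.items()}
        if is_allowed(policy, action, resource, context):
            result.append(instance_id)
    return sorted(result)


if __name__ == "__main__":
    for name, policy in (("A", POLICY_A), ("B", POLICY_B), ("C", POLICY_C), ("D", POLICY_D)):
        print(f"Option {name}: ssm:SendCommand allowed on {instances_allowed(policy)}")
    # Option A's "Action": ["*"] leaks unrelated actions onto the tagged instances.
    print("Option A also allows ec2:TerminateInstances on",
          instances_allowed(POLICY_A, "ec2:TerminateInstances"))
```

Running the script shows option C allowing exactly the dev1 and dev2 instances, option B allowing the prod and untagged instances instead, option D allowing nothing because no statement matches ssm:SendCommand, and option A allowing ec2:TerminateInstances as readily as SendCommand, and only on the dev2 instance once the duplicate key has collapsed the condition.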