0
votes

I am using ssm:tag of documents to restrict access to users based on user role and document tag. I have added a condition to the IAM policy and it's working. But when I try to do this cross-account, it's not working.

1) My SSM documents are in Master account, shared with Child account

2) IAM Policy to restrict access based on tags is in Child account (Tag key: Role)

3) The request is made to Child account

Scenario 1: I can execute the documents successfully, when condition from the IAM Policy is removed. So the Child AWS account can fetch the SSM Documents from Master AWS account.

Scenario 2: I cannot execute the documents when filtered based on tags, i.e. with the condition added to the IAM policy. This shows the Child AWS account is unable to fetch tags of SSM documents from the Master AWS account. Could someone please help me with this? Attaching the IAM Policy for reference.

IAM Policy Document:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": [
                "arn:aws:s3:::ssm-deliverables/ssm-*",
                "arn:aws:ec2:ap-south-1:20**********:instance/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ssm:ListCommandInvocations",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": "arn:aws:ssm:::document/*",
            "Condition": {
                "StringEquals": {
                    "ssm:resourceTag/Role": "${aws:PrincipalTag/Role}"
                }
            }
        }
    ]
}

1 Answers

1
votes

aws:PrincipalTag used here is one of the AWS global condition context keys. We have to use the above key to compare the tag attached to the principal making the request with the tag that you specify in the policy.

In this case, the principal is IAM User/Role to which the above policy is attached. So the IAM User/Role itself should be tagged with the same values mentioned in the IAM Policy.

For Example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:StartInstances",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:resourceTag/Name": "${aws:PrincipalTag/Name}"
        }
      }
    }
  ]
}

Assume that the above policy is attached to an IAM user who wants to start an EC2 instance: the user will be able to start the EC2 instance only if the user is tagged with the same tags as the resource tags referenced in the IAM policy.

So, you have to tag the IAM user making the request to SSM with the key 'Role' and the value set to the same role name or ARN as the SSM document tags.
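To make the matching rule in the answer concrete, here is an added offline model of how an Allow statement with `"ssm:resourceTag/Role": "${aws:PrincipalTag/Role}"` is evaluated. It is example code written for this page, not code from the original question or answer and not the IAM engine itself: the policy, the document ARN and the tag values are constructed, the document-tag dictionary stands in for whatever tags IAM actually has in the request context, and the rule that an unresolvable `${aws:PrincipalTag/...}` variable makes the statement not match is my modelling of IAM's documented behaviour. The last case models the questioner's observation (a shared document whose tags are not visible in the child account) as an empty resource-tag map.

```python
# Added example (not from the original post): an offline model of how IAM resolves
# ${aws:PrincipalTag/Role} against ssm:resourceTag/Role for the answer's policy shape.
import fnmatch
import re
from typing import Dict, List, Optional, Union

# Constructed policy, same shape as the one in the answer (ABAC on the 'Role' tag).
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": "arn:aws:ssm:*:*:document/*",   # assumed wildcard pattern
            "Condition": {
                "StringEquals": {"ssm:resourceTag/Role": "${aws:PrincipalTag/Role}"}
            },
        }
    ],
}

PRINCIPAL_TAG_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def resolve_policy_variables(value: str, principal_tags: Dict[str, str]) -> Optional[str]:
    """Expand ${aws:PrincipalTag/K}. Returns None when a referenced principal tag is
    absent: a variable with no value in the request context cannot match anything."""
    missing = False

    def _sub(match: "re.Match[str]") -> str:
        nonlocal missing
        tag_value = principal_tags.get(match.group(1))
        if tag_value is None:
            missing = True
            return ""
        return tag_value

    expanded = PRINCIPAL_TAG_VAR.sub(_sub, value)
    return None if missing else expanded


def condition_matches(condition: dict, principal_tags: Dict[str, str],
                      resource_tags: Dict[str, str]) -> bool:
    """Evaluate StringEquals on ssm:resourceTag/* keys (the only operator modelled here)."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for cond_key, expected in pairs.items():
            if not cond_key.startswith("ssm:resourceTag/"):
                raise NotImplementedError(f"condition key {cond_key} not modelled")
            tag_key = cond_key.split("/", 1)[1]
            actual = resource_tags.get(tag_key)   # None: tag not in the request context
            wanted = resolve_policy_variables(expected, principal_tags)
            if actual is None or wanted is None or actual != wanted:
                return False
    return True


def is_allowed(policy: dict, action: str, resource_arn: str,
               principal_tags: Dict[str, str], resource_tags: Dict[str, str]) -> bool:
    """Implicit deny unless some Allow statement matches action, resource and condition."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), principal_tags, resource_tags):
            return True
    return False


DOC_ARN = "arn:aws:ssm:ap-south-1:111111111111:document/ssm-deploy"  # constructed ARN


def run_cases() -> Dict[str, bool]:
    """Four constructed SendCommand requests evaluated against ABAC_POLICY."""
    return {
        "tags match": is_allowed(ABAC_POLICY, "ssm:SendCommand", DOC_ARN,
                                 {"Role": "deployer"}, {"Role": "deployer"}),
        "tags differ": is_allowed(ABAC_POLICY, "ssm:SendCommand", DOC_ARN,
                                  {"Role": "auditor"}, {"Role": "deployer"}),
        "principal untagged": is_allowed(ABAC_POLICY, "ssm:SendCommand", DOC_ARN,
                                         {}, {"Role": "deployer"}),
        # Models the questioner's observation: the shared document's tags are not
        # available in the request context, so the condition cannot be satisfied.
        "resource tags absent": is_allowed(ABAC_POLICY, "ssm:SendCommand", DOC_ARN,
                                           {"Role": "deployer"}, {}),
    }


if __name__ == "__main__":
    for name, allowed in run_cases().items():
        print(f"{name:>22}: {'ALLOW' if allowed else 'DENY (implicit)'}")
```

Only the first case is allowed; the other three fall through to the implicit deny, including the one where the principal is correctly tagged but the document's tags are missing from the context, which is why tagging the requesting user alone is not enough if IAM cannot see the document's tags.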