
“On the Attach policy page, select the check box next to AmazonEC2RoleforSSM, and then choose Attach policy.”

If you have an eagle eye and read all of the text thoroughly, you may notice the following note about the AmazonEC2RoleforSSM managed policy:

“The policy AmazonEC2RoleforSSM provides wildcard (*) access to Amazon S3 buckets. We recommend that you review this policy and adjust if required.”

If, like most people, you simply start working through the instructions, you have just granted every EC2 instance enrolled in Session Manager read and write access to all of your S3 resources. The relevant S3 privileges granted by AmazonEC2RoleforSSM look like the following:
```json
{
  "Effect": "Allow",
  "Action": [
    "s3:GetBucketLocation",
    "s3:PutObject",
    "s3:GetObject",
    "s3:GetEncryptionConfiguration",
    "s3:AbortMultipartUpload",
    "s3:ListMultipartUploadParts",
    "s3:ListBucket",
    "s3:ListBucketMultipartUploads"
  ],
  "Resource": "*"
}
```

The pre-defined AmazonEC2RoleforSSM policy grants object read and write (s3:GetObject, s3:PutObject and the multipart-upload actions) plus bucket listing on the wildcard resource, which means every bucket in the account, including buckets that have nothing to do with Systems Manager. Because these permissions live on the instance role, anyone who obtains code execution on the instance by any other route inherits them. Amazon does provide instructions on creating a policy with the minimum needed permissions. The relevant S3 portion of the minimal policy looks like the following:
```json
{
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": [
    "arn:aws:s3:::aws-ssm-us-east-2/*",
    "arn:aws:s3:::aws-windows-downloads-us-east-2/*",
    "arn:aws:s3:::amazon-ssm-us-east-2/*",
    "arn:aws:s3:::amazon-ssm-packages-us-east-2/*",
    "arn:aws:s3:::us-east-2-birdwatcher-prod/*",
    "arn:aws:s3:::patch-baseline-snapshot-us-east-2/*"
  ]
}
```

The minimum needed permission is actually only read access (s3:GetObject) on a handful of Systems Manager-specific buckets, and only the ones for the instance's own region (us-east-2 in this example). This is far more restrictive than the default role recommended in the Getting Started guide. Anyone looking to follow the principle of least privilege will want to create a custom role with Amazon's minimal version rather than attach the managed policy. In the excitement to try new features, important notes on security are easily overlooked, and it remains tempting to reuse the pre-defined role long after you have stopped reading the Getting Started guide. Pre-defined roles can add risk in areas that seem completely disconnected from what you are trying to achieve, as the S3 grant does here. Each role in use should be checked periodically to confirm that least privilege is still being applied. Note that AWS now marks AmazonEC2RoleforSSM as deprecated and points to AmazonSSMManagedInstanceCore, which grants no S3 permissions at all; the lesson about reviewing a managed policy before attaching it is unchanged.
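The review described above can be automated before a policy is attached. The following is an added example, not code from the original post or from AWS: it loads the two statements quoted above, reports any Allow statement that lets an instance read, list or write objects in every bucket, and builds the minimal read-only statement for another region. The function names, the set of "data" actions it checks and the region templates are this example's own assumptions (it assumes the six bucket names follow the same region pattern as the us-east-2 list); only the two policy statements come from the page.

```python
"""Flag IAM S3 grants that are broader than Systems Manager needs (added example)."""
import fnmatch
import json

# The S3 statement from the AmazonEC2RoleforSSM managed policy (quoted on the page).
BROAD_SSM_S3 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "s3:GetBucketLocation", "s3:PutObject", "s3:GetObject",
            "s3:GetEncryptionConfiguration", "s3:AbortMultipartUpload",
            "s3:ListMultipartUploadParts", "s3:ListBucket",
            "s3:ListBucketMultipartUploads",
        ],
        "Resource": "*",
    }],
}

# AWS's minimal S3 statement for us-east-2 (quoted on the page).
MINIMAL_SSM_S3_US_EAST_2 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": [
            "arn:aws:s3:::aws-ssm-us-east-2/*",
            "arn:aws:s3:::aws-windows-downloads-us-east-2/*",
            "arn:aws:s3:::amazon-ssm-us-east-2/*",
            "arn:aws:s3:::amazon-ssm-packages-us-east-2/*",
            "arn:aws:s3:::us-east-2-birdwatcher-prod/*",
            "arn:aws:s3:::patch-baseline-snapshot-us-east-2/*",
        ],
    }],
}

# Actions that expose or alter object data; the other actions in the broad
# statement (bucket location, encryption config) matter far less. Assumed set.
S3_DATA_ACTIONS = ("s3:GetObject", "s3:ListBucket", "s3:PutObject")

# Assumed: the six bucket names follow the same pattern in every region,
# which is how the us-east-2 list above is built.
SSM_BUCKET_TEMPLATES = (
    "aws-ssm-{region}",
    "aws-windows-downloads-{region}",
    "amazon-ssm-{region}",
    "amazon-ssm-packages-{region}",
    "{region}-birdwatcher-prod",
    "patch-baseline-snapshot-{region}",
)


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and may contain * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _covers_every_bucket(resource):
    """True for the resource values that match every bucket and object."""
    return resource in ("*", "arn:aws:s3:::*")


def overly_broad_s3_grants(policy):
    """Return, per offending Allow statement, the S3 data actions it grants on
    every bucket in the account. An empty list means the policy is scoped."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_covers_every_bucket(r) for r in _as_list(stmt.get("Resource", []))):
            continue
        patterns = _as_list(stmt.get("Action", []))
        granted = [a for a in S3_DATA_ACTIONS
                   if any(_action_matches(p, a) for p in patterns)]
        if granted:
            findings.append(granted)
    return findings


def minimal_ssm_s3_statement(region):
    """Build the read-only statement quoted on the page for another region."""
    return {
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": [f"arn:aws:s3:::{t.format(region=region)}/*"
                     for t in SSM_BUCKET_TEMPLATES],
    }


if __name__ == "__main__":
    for name, policy in (("AmazonEC2RoleforSSM", BROAD_SSM_S3),
                         ("minimal us-east-2", MINIMAL_SSM_S3_US_EAST_2)):
        print(name, "->", overly_broad_s3_grants(policy) or "scoped to named buckets")
    print(json.dumps(minimal_ssm_s3_statement("eu-west-1"), indent=2))
```

Running the script reports the managed policy as granting s3:GetObject, s3:ListBucket and s3:PutObject on every bucket and the minimal policy as scoped. The check is deliberately narrow: it does not evaluate Deny statements, NotAction/NotResource, or Condition blocks, so treat it as a pre-attach smoke test and rely on IAM Access Analyzer or the policy simulator for an authoritative answer.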