AWS SSO and SSMSessionRunAs session tag

One of the cool new features of AWS SSO is the ability to pass user attributes, also known as session tags. This can be very useful for Attribute-Based Access Control (ABAC), as described in the previous article. Another useful case is the SSMSessionRunAs tag, which specifies the OS user under which an AWS Systems Manager Session Manager session is launched. This improves security, because the default user “ssm-user” has full administrative privileges on the target instance.

In this example I used the default AWS SSO identity source, but the same can be done with Active Directory or an external identity provider. First I created a test EC2 instance (I also created two different users on it, test and hatem) and enabled Run As support.

Then I configured AWS SSO in my AWS organization account using the SSO identity source and created a new user, HATEM, with the privilege to launch an SSM session. The important part is that we must enable attributes for access control and add our new tag.

That’s it. Now connect to the AWS user portal with the newly created user and launch a new session on the target instance using Session Manager.

We are now connected as user hatem, cool!
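
The Run As resolution used in the steps above can be modelled offline to check a configuration before users hit it. This is an added example, not code from the original post or from AWS: the JSON samples are constructed, `session_tags` and `resolve_run_as` are hypothetical names, and the model assumes the documented Session Manager precedence (the SSMSessionRunAs tag first, then the default Run As user from the Session Manager preferences, with no fallback to ssm-user once Run As is enabled).

```python
import json
import re

# Constructed sample: Session Manager preferences (content of the
# SSM-SessionManagerRunShell document) with Run As support enabled.
PREFS = json.loads('{"inputs": {"runAsEnabled": true, "runAsDefaultUser": ""}}')

# Constructed sample: SSO "attributes for access control" mapping the
# SSMSessionRunAs tag to the identity-store user name.
ABAC = json.loads('''{"AccessControlAttributes": [
  {"Key": "SSMSessionRunAs", "Value": {"Source": ["${path:userName}"]}}]}''')

def session_tags(abac, user):
    """Resolve each ${path:a.b} source against the user record (hypothetical helper)."""
    tags = {}
    for attr in abac.get("AccessControlAttributes", []):
        for source in attr["Value"]["Source"]:
            m = re.fullmatch(r"\$\{path:([\w.]+)\}", source)
            if not m:
                continue  # only ${path:...} sources are modelled here
            value = user
            for part in m.group(1).split("."):
                value = value.get(part) if isinstance(value, dict) else None
            if value:
                tags[attr["Key"]] = str(value)
                break  # assumption: the first source that resolves is used
    return tags

def resolve_run_as(prefs, abac, user, os_accounts):
    """Return (os_user, reason); os_user is None when the session is refused."""
    inputs = prefs.get("inputs", {})
    if not inputs.get("runAsEnabled"):
        return "ssm-user", "Run As disabled: default ssm-user account is used"
    tag = session_tags(abac, user).get("SSMSessionRunAs")
    candidate = tag or inputs.get("runAsDefaultUser")
    if not candidate:
        return None, "no SSMSessionRunAs tag and no default Run As user"
    if candidate not in os_accounts:
        # With Run As enabled there is no fallback to ssm-user.
        return None, f"OS account {candidate!r} does not exist on the instance"
    origin = "session tag" if tag else "runAsDefaultUser"
    return candidate, f"session runs as {candidate!r} (from {origin})"

if __name__ == "__main__":
    accounts = {"test", "hatem"}  # OS users created on the test instance
    for name in ("hatem", "alice"):
        print(name, "->", resolve_run_as(PREFS, ABAC, {"userName": name}, accounts))
```

A refusal for a user such as the constructed `alice` is the useful signal here: it means the tag resolves to a name with no matching OS account, so that user's sessions would fail rather than drop to ssm-user.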

We can of course also start an SSM tunnel to access other services, for example our Oracle database running on port 1521.

That’s it 🙂
