aws-containers / amazon-ecs-exec-checker

🚀 Pre-flight checks for ECS Exec

Check "ssm:start-session" is denied in principal's IAM policy

toricls opened this issue · comments

What we're going to add

We're going to add an additional check in the Can I ExecuteCommand? check, to make sure the ssm:StartSession action is explicitly denied for the caller identity.

Currently the Can I ExecuteCommand? check only checks the following items:

  • is ecs:ExecuteCommand allowed?
  • is kms:GenerateDataKey allowed? (Only when the executeCommandConfiguration has been configured with a KMS key ID)

but it also should check on:

  • is ssm:StartSession denied?

Background

Today we can start SSM sessions on a container in a task outside of ECS Exec, and this could potentially result in the sessions not being logged.

As we described in the "Limiting access to the Start Session action" section in the ECS documentation, the check-ecs-exec.sh should check and show whether the caller principal is explicitly denied from using ssm:StartSession by its IAM policy, from the principle of least privilege perspective.

Item type

The item type (yellow or red) will be determined later.

Note: Considering the check-ecs-exec.sh's original goal to show if users can use ECS exec, this check item would be a yellow item as a warning. But it also should be a red item from the security perspective.
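The three-item check the issue describes, worked through offline as an added example (not code from check-ecs-exec.sh or the project): a small evaluator that returns the same decision names iam:SimulatePrincipalPolicy uses ("allowed", "explicitDeny", "implicitDeny") for one action in an identity policy, then maps them onto the items above. It looks only at Action/NotAction and Effect; Resource and Condition elements are ignored, the sample policy is constructed, and the green/yellow/red colours follow the issue's note rather than any decision the project has made.

```python
import fnmatch

# Constructed sample identity policy: ECS Exec allowed, but ssm:StartSession
# (SSM sessions outside ECS Exec) explicitly denied, as the ECS docs recommend.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:ExecuteCommand", "kms:GenerateDataKey"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ssm:StartSession", "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(statement, action):
    """Does the statement's Action/NotAction element cover the action?
    IAM action matching is case-insensitive and allows * and ? wildcards."""
    act = action.lower()
    if "Action" in statement:
        return any(fnmatch.fnmatchcase(act, p.lower()) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(fnmatch.fnmatchcase(act, p.lower()) for p in _as_list(statement["NotAction"]))
    return False

def evaluate(policy, action):
    """Decision for one action: an explicit Deny always wins over an Allow,
    and no matching statement at all is an implicit deny."""
    decision = "implicitDeny"
    for statement in _as_list(policy.get("Statement", [])):
        if not _covers(statement, action):
            continue
        if statement.get("Effect") == "Deny":
            return "explicitDeny"
        if statement.get("Effect") == "Allow":
            decision = "allowed"
    return decision

def exec_command_checks(policy, kms_key_configured):
    """The 'Can I ExecuteCommand?' items from the issue. The kms item only
    applies when executeCommandConfiguration has a KMS key; a missing
    explicit deny on ssm:StartSession is reported as a yellow warning."""
    results = {"ecs:ExecuteCommand": "green" if evaluate(policy, "ecs:ExecuteCommand") == "allowed" else "red"}
    if kms_key_configured:
        results["kms:GenerateDataKey"] = "green" if evaluate(policy, "kms:GenerateDataKey") == "allowed" else "red"
    results["ssm:StartSession"] = "green" if evaluate(policy, "ssm:StartSession") == "explicitDeny" else "yellow"
    return results
```

Against a real caller, check-ecs-exec.sh would get these decisions from `aws iam simulate-principal-policy --policy-source-arn <caller-arn> --action-names ssm:StartSession ...` and read `EvaluationResults[].EvalDecision` instead of evaluating the document itself.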