
AWS permission relationships: correctly support AWS roles being able to remote into instances via SSM

Open achantavy opened this issue 6 months ago • 0 comments

Description:

With AWS SSM, role A can remotely access EC2 instance X under the following conditions:

(1) if role A has the ssm:StartSession permission on that instance, and (2) if X is managed by SSM

(1) can be determined in cartography by looking at the policy statements; (2) is determined by checking whether there exists an edge from X to an SSMInstanceInformation node.

There currently isn't a way to use the existing permission_relationships module to define condition (2). It would be helpful to map out these situations. We could use an analysis job, but it'd be nice to use the existing permission relationships construct.

achantavy, Jun 19 '25 23:06
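The two conditions from the issue, evaluated over constructed sample data as an added example (this is not cartography's code, and the permission_relationships module does not currently express condition (2)). Condition (1) uses a simplified IAM evaluation (explicit Deny beats Allow, Condition keys and resource policies ignored); condition (2) is modelled as a set standing in for the EC2Instance to SSMInstanceInformation edges; all ARNs are made up.

```python
import fnmatch

# Constructed sample data (not cartography's): role ARN -> ingested policy statements.
ROLE_POLICIES = {
    "arn:aws:iam::111111111111:role/ops": [
        {"Effect": "Allow", "Action": ["ssm:StartSession"],
         "Resource": ["arn:aws:ec2:us-east-1:111111111111:instance/*"]},
    ],
    "arn:aws:iam::111111111111:role/readonly": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": ["*"]},
    ],
    "arn:aws:iam::111111111111:role/ops-restricted": [
        {"Effect": "Allow", "Action": ["ssm:*"], "Resource": ["*"]},
        {"Effect": "Deny", "Action": ["ssm:StartSession"],
         "Resource": ["arn:aws:ec2:us-east-1:111111111111:instance/i-bbb"]},
    ],
}
INSTANCES = [
    "arn:aws:ec2:us-east-1:111111111111:instance/i-aaa",
    "arn:aws:ec2:us-east-1:111111111111:instance/i-bbb",
    "arn:aws:ec2:us-east-1:111111111111:instance/i-ccc",
]
# Condition (2): instances with an edge to an SSMInstanceInformation node (i-ccc has none).
SSM_MANAGED = {INSTANCES[0], INSTANCES[1]}


def _matches(patterns, value, fold_case):
    # IAM action names are case-insensitive; resource ARNs are not.
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def policy_allows(statements, action, resource):
    """Condition (1), simplified: explicit Deny beats Allow; Condition keys ignored."""
    allowed = False
    for s in statements:
        if _matches(s["Action"], action, True) and _matches(s["Resource"], resource, False):
            if s["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def ssm_reachable_instances(role_arn):
    """Instances role_arn can open an SSM session on: conditions (1) and (2) both hold."""
    return sorted(i for i in INSTANCES
                  if policy_allows(ROLE_POLICIES[role_arn], "ssm:StartSession", i)
                  and i in SSM_MANAGED)
```

Note that ops-restricted satisfies condition (1) for i-ccc, yet i-ccc is not reachable because it is not SSM-managed; that is exactly the case a policy-only check would over-report.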