Question 160:
In your team, AWS Systems Manager is used to maintain EC2 instances. For example, you can run a command to execute a shell script on instances with a tag of “QA”. However, for security reasons you want to limit the use of the “Run Command” feature for some IAM users. For these specific users, you need an IAM policy that only allows them to run commands on instances whose “department” tag is “dev1” or “dev2”. Which IAM policy can help you achieve this requirement?
Answer options:
A. { "Version": "2012-10-17",
     "Statement": [{
       "Effect": "Allow",
       "Action": ["*"],
       "Resource": "*",
       "Condition": {
         "StringLike": {
           "ssm:resourceTag/department": [ "dev1" ],
           "ssm:resourceTag/department": [ "dev2" ]
         }
       }
     }]
   }
B. { "Version": "2012-10-17",
     "Statement": [{
       "Effect": "Allow",
       "Action": [ "ssm:SendCommand" ],
       "Resource": "*",
       "Condition": {
         "StringNotEquals": {
           "ssm:resourceTag/department": [ "dev1", "dev2" ]
         }
       }
     }]
   }
C. { "Version": "2012-10-17",
     "Statement": [{
       "Effect": "Allow",
       "Action": [ "ssm:SendCommand" ],
       "Resource": "*",
       "Condition": {
         "StringLike": {
           "ssm:resourceTag/department": [ "dev1" ],
           "ssm:resourceTag/department": [ "dev2" ]
         }
       }
     }]
   }
D. { "Version": "2012-10-17",
     "Statement": [{
       "Effect": "Allow",
       "Action": [ "ssm:RunCommand" ],
       "Resource": "*",
       "Condition": {
         "StringLike": {
           "ssm:department": [ "dev1" ],
           "ssm:department": [ "dev2" ]
         }
       }
     }]
   }
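An added example, not part of the question or its options: a small Python model of how IAM evaluates the condition shapes these options use (several values listed under one key are ORed, StringNotEquals is the complement and also matches when the tag is absent, and a key repeated inside one condition block is collapsed by the JSON parser). The request contexts and the helper names are constructed for illustration and are not from the question.

```python
import json
from fnmatch import fnmatchcase

# Constructed request contexts (hypothetical): the "department" tag value on the
# instance targeted by an ssm:SendCommand request, as seen by the condition key.
DEV1 = {"ssm:resourceTag/department": "dev1"}
DEV2 = {"ssm:resourceTag/department": "dev2"}
QA = {"ssm:resourceTag/department": "qa"}

# Condition blocks built from the shapes used in the options above.
COND_STRINGLIKE_LIST = {"StringLike": {"ssm:resourceTag/department": ["dev1", "dev2"]}}
COND_STRINGNOTEQUALS = {"StringNotEquals": {"ssm:resourceTag/department": ["dev1", "dev2"]}}
# The same key repeated inside one block: the JSON parser keeps only the last copy.
COND_DUPLICATE_KEY = json.loads(
    '{"StringLike": {"ssm:resourceTag/department": ["dev1"],'
    ' "ssm:resourceTag/department": ["dev2"]}}'
)

def condition_matches(condition, context):
    """Model of IAM Condition evaluation: operators and keys are ANDed, the values
    listed under one key are ORed, and a negated operator also matches when the
    key is absent from the request."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            values = [values] if isinstance(values, str) else values
            actual = context.get(key)
            if operator == "StringLike":  # case-sensitive, with * and ? wildcards
                if actual is None or not any(fnmatchcase(actual, v) for v in values):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in values:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True

def allow_statement(action, condition):
    """Build an Allow statement in the shape the options use."""
    return {"Effect": "Allow", "Action": [action], "Resource": "*", "Condition": condition}

def statement_allows(statement, action, context):
    """True if this Allow statement grants `action` for the given request context."""
    actions = statement["Action"]
    actions = [actions] if isinstance(actions, str) else actions
    if statement["Effect"] != "Allow":
        return False
    if not any(fnmatchcase(action, pattern) for pattern in actions):  # "*" matches any action
        return False
    return condition_matches(statement.get("Condition", {}), context)
```

Run it against the three contexts to see which condition shape grants ssm:SendCommand only for the dev1 and dev2 departments, and what a mismatched action name or condition key does to the result.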