Posted On: Sep 18, 2017
Amazon EC2 Systems Manager Run Command now supports additional access control with tag-based permissions and multi-tag targeting.
Previously, you could only restrict Run Command access based on instance IDs, which required manual permission updates as your environment scaled up or down. Now, you can control Run Command access based on instance tags using your existing AWS Identity and Access Management (IAM) policies. For example, you can tag instances based on business units and only allow access to those instances to members of that business unit. When new instances are launched with tags, the corresponding IAM permissions are automatically applied.
In addition, you can now target instances using multiple tags. Previously, you could only target instances with Run Command using one tag and one value, but many instances are identified by multiple tags. For example, now you can send a command to instances tagged as production and webservers, to instances in a test or development environment and tagged as databases, or to any combination. Multi-tag targeting is available through AWS Command Line Interface (CLI), SDKs, and APIs.
With this launch, you can increase your access control to instances based on tags. You can control the users who can access an instance and the actions that they can perform on that instance. Combined with the control you have through Systems Manager Document permissions, you can create more flexible instance access. In addition, you can still keep an audit of trail of who performed actions and when they were performed.