How to set up just-in-time access with Systems Manager - AWS Systems Manager

How to set up just-in-time access with Systems Manager

Setting up just-in-time node access with Systems Manager involves several steps. First, you choose the targets where you want to set up just-in-time node access. Targets consist of organizational units (OUs) in AWS Organizations and AWS Regions. By default, the same targets you chose when setting up the Systems Manager unified console are selected for just-in-time node access. You can set up just-in-time node access for all of those targets or for a subset of the targets you specified when setting up the unified console. You cannot add new targets that were not selected when you set up the Systems Manager unified console.

Next, you create approval policies that determine when a manual approval is required to connect to nodes and when a connection is approved automatically. Each account in the organization manages its own approval policies. You can also share a policy from the delegated administrator account to explicitly deny automatic approval of connections to specific nodes.

Note

Setting up just-in-time node access does not affect existing IAM policies or preferences you have configured for Session Manager. You must remove permissions for Session Manager actions, such as StartSession, from your IAM policies to ensure that only just-in-time node access is used when users attempt to connect to nodes. After setting up just-in-time node access, we recommend testing your approval policies with a subset of users and nodes to verify that they work as intended before removing the Session Manager permissions.

Authentication support

Note the following details about the authentication support used for just-in-time node access:

The following IAM policies describe the permissions required to administer just-in-time node access with Systems Manager and to allow users to create just-in-time node access requests. After verifying that you have the permissions required to use just-in-time node access with Systems Manager, you can continue with the setup process. Replace each example resource placeholder (such as region, account-id and role-name) with your own information.

Permissions to set up just-in-time node access through Quick Setup (configuration managers, CloudFormation StackSet deployment, the roles they create, and the organization-wide deny policy document):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QuickSetupConfigurationManagers",
      "Effect": "Allow",
      "Action": [
        "ssm-quicksetup:CreateConfigurationManager",
        "ssm-quicksetup:DeleteConfigurationManager",
        "ssm-quicksetup:GetConfiguration",
        "ssm-quicksetup:GetConfigurationManager",
        "ssm-quicksetup:GetServiceSettings",
        "ssm-quicksetup:ListConfigurationManagers",
        "ssm-quicksetup:ListConfigurations",
        "ssm-quicksetup:ListQuickSetupTypes",
        "ssm-quicksetup:ListTagsForResource",
        "ssm-quicksetup:TagResource",
        "ssm-quicksetup:UntagResource",
        "ssm-quicksetup:UpdateConfigurationDefinition",
        "ssm-quicksetup:UpdateConfigurationManager",
        "ssm-quicksetup:UpdateServiceSettings"
      ],
      "Resource": "*"
    },
    {
      "Sid": "QuickSetupDeployments",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStackSetOperation",
        "cloudformation:ListStacks",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackResources",
        "cloudformation:ListStackSetOperations",
        "cloudformation:ListStackInstances",
        "cloudformation:DescribeStackSet",
        "cloudformation:ListStackSets",
        "cloudformation:DescribeStackInstance",
        "cloudformation:DescribeOrganizationsAccess",
        "cloudformation:ActivateOrganizationsAccess",
        "cloudformation:GetTemplate",
        "cloudformation:ListStackSetOperationResults",
        "cloudformation:DescribeStackEvents",
        "cloudformation:UntagResource",
        "ssm:DescribeAutomationExecutions",
        "ssm:GetAutomationExecution",
        "ssm:ListAssociations",
        "ssm:DescribeAssociation",
        "ssm:GetDocument",
        "ssm:ListDocuments",
        "ssm:DescribeDocument",
        "ssm:GetOpsSummary",
        "organizations:DeregisterDelegatedAdministrator",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListRoots",
        "organizations:ListParents",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:DescribeOrganizationalUnit",
        "organizations:ListAWSServiceAccessForOrganization",
        "iam:ListRoles",
        "iam:ListRolePolicies",
        "iam:GetRole",
        "iam:CreatePolicy",
        "cloudformation:TagResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:RollbackStack",
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DeleteStack"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/StackSet-AWS-QuickSetup-JITNA*",
        "arn:aws:cloudformation:*:*:stack/AWS-QuickSetup-*",
        "arn:aws:cloudformation:*:*:type/resource/*",
        "arn:aws:cloudformation:*:*:stack/StackSet-SSMQuickSetup"
      ]
    },
    {
      "Sid": "StackSetOperations",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStackSet",
        "cloudformation:UpdateStackSet",
        "cloudformation:DeleteStackSet",
        "cloudformation:DeleteStackInstances",
        "cloudformation:CreateStackInstances",
        "cloudformation:StopStackSetOperation"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-JITNA*",
        "arn:aws:cloudformation:*:*:type/resource/*",
        "arn:aws:cloudformation:*:*:stackset-target/AWS-QuickSetup-JITNA*:*"
      ]
    },
    {
      "Sid": "IamRolesMgmt",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:GetRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRolePolicy",
        "iam:ListRolePolicies"
      ],
      "Resource": [
        "arn:aws:iam::*:role/AWS-QuickSetup-JITNA*",
        "arn:aws:iam::*:role/service-role/AWS-QuickSetup-JITNA*"
      ]
    },
    {
      "Sid": "IamPassRole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/AWS-QuickSetup-JITNA*",
        "arn:aws:iam::*:role/service-role/AWS-QuickSetup-JITNA*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "ssm.amazonaws.com",
            "ssm-quicksetup.amazonaws.com",
            "cloudformation.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "SSMAutomationExecution",
      "Effect": "Allow",
      "Action": "ssm:StartAutomationExecution",
      "Resource": "arn:aws:ssm:region:account-id:automation-definition/AWS-EnableExplorer:*"
    },
    {
      "Sid": "SSMAssociationPermissions",
      "Effect": "Allow",
      "Action": [
        "ssm:DeleteAssociation",
        "ssm:CreateAssociation",
        "ssm:StartAssociationsOnce"
      ],
      "Resource": "arn:aws:ssm:region:account-id:association/*"
    },
    {
      "Sid": "SSMResourceDataSync",
      "Effect": "Allow",
      "Action": [
        "ssm:CreateResourceDataSync",
        "ssm:UpdateResourceDataSync"
      ],
      "Resource": "arn:aws:ssm:region:account-id:resource-data-sync/AWS-QuickSetup-*"
    },
    {
      "Sid": "ListResourceDataSync",
      "Effect": "Allow",
      "Action": [
        "ssm:ListResourceDataSync"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateServiceLinkedRoles",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "accountdiscovery.ssm.amazonaws.com",
            "ssm.amazonaws.com",
            "ssm-quicksetup.amazonaws.com",
            "stacksets.cloudformation.amazonaws.com"
          ]
        }
      },
      "Resource": "*"
    },
    {
      "Sid": "CreateStackSetsServiceLinkedRole",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgAdmin"
    },
    {
      "Sid": "AllowSsmJitnaPoliciesCrudOperations",
      "Effect": "Allow",
      "Action": [
        "ssm:CreateDocument",
        "ssm:UpdateDocument",
        "ssm:UpdateDocumentDefaultVersion",
        "ssm:GetDocument",
        "ssm:DescribeDocument",
        "ssm:DeleteDocument"
      ],
      "Resource": [
        "arn:aws:ssm:region:account-id:document/SSM-JustInTimeAccessDenyAccessOrgPolicy"
      ],
      "Condition": {
        "StringEquals": {
          "ssm:DocumentType": [
            "AutoApprovalPolicy"
          ]
        }
      }
    },
    {
      "Sid": "AllowAccessRequestOpsItemOperations",
      "Effect": "Allow",
      "Action": [
        "ssm:GetOpsItem",
        "ssm:DescribeOpsItems",
        "ssm:GetOpsSummary",
        "ssm:DeleteOpsItem",
        "ssm:ListOpsItemEvents"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IdentityCenterPermissions",
      "Effect": "Allow",
      "Action": [
        "sso:DescribeRegisteredRegions",
        "sso:ListDirectoryAssociations",
        "identitystore:GetUserId",
        "identitystore:DescribeUser",
        "identitystore:DescribeGroup",
        "identitystore:ListGroupMembershipsForMember"
      ],
      "Resource": "*"
    }
  ]
}
Permissions to administer just-in-time node access (create, update and delete approval policies; Session Manager preferences; RDP connection recording; notifications through SNS, EventBridge, chat and email):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSsmJitnaPoliciesCrudOperations",
      "Effect": "Allow",
      "Action": [
        "ssm:CreateDocument",
        "ssm:UpdateDocument",
        "ssm:UpdateDocumentDefaultVersion",
        "ssm:GetDocument",
        "ssm:DescribeDocument",
        "ssm:DeleteDocument"
      ],
      "Resource": [
        "arn:aws:ssm:region:account-id:document/*"
      ],
      "Condition": {
        "StringEquals": {
          "ssm:DocumentType": [
            "ManualApprovalPolicy",
            "AutoApprovalPolicy"
          ]
        }
      }
    },
    {
      "Sid": "AllowSsmJitnaPoliciesListOperations",
      "Effect": "Allow",
      "Action": [
        "ssm:ListDocuments",
        "ssm:ListDocumentVersions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::account-id:role/SSM-JustInTimeAccessTokenRole",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "justintimeaccess.ssm.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowAccessRequestOpsItemOperations",
      "Effect": "Allow",
      "Action": [
        "ssm:GetOpsItem",
        "ssm:DescribeOpsItems",
        "ssm:GetOpsSummary",
        "ssm:DeleteOpsItem",
        "ssm:ListOpsItemEvents"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSessionManagerPreferencesOperation",
      "Effect": "Allow",
      "Action": [
        "ssm:CreateDocument",
        "ssm:GetDocument",
        "ssm:DescribeDocument",
        "ssm:UpdateDocument",
        "ssm:DeleteDocument"
      ],
      "Resource": "arn:aws:ssm:region:account-id:document/SSM-SessionManagerRunShell",
      "Condition": {
        "StringEquals": {
          "ssm:DocumentType": "Session"
        }
      }
    },
    {
      "Sid": "AllowSessionManagerOperations",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus",
        "ssm:TerminateSession"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowRDPConnectionRecordingOperations",
      "Effect": "Allow",
      "Action": [
        "ssm-guiconnect:UpdateConnectionRecordingPreferences",
        "ssm-guiconnect:GetConnectionRecordingPreferences",
        "ssm-guiconnect:DeleteConnectionRecordingPreferences"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowRDPConnectionRecordingKmsOperation",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant"
      ],
      "Resource": "arn:aws:kms:region:account-id:key/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/SystemsManagerJustInTimeNodeAccessManaged": "true"
        },
        "StringLike": {
          "kms:ViaService": "ssm-guiconnect.*.amazonaws.com"
        },
        "Bool": {
          "aws:ViaAWSService": "true"
        }
      }
    },
    {
      "Sid": "AllowFleetManagerOperations",
      "Effect": "Allow",
      "Action": [
        "ssm-guiconnect:GetConnection",
        "ssm-guiconnect:ListConnections"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SNSTopicManagement",
      "Effect": "Allow",
      "Action": [
        "sns:CreateTopic",
        "sns:SetTopicAttributes"
      ],
      "Resource": [
        "arn:aws:sns:region:account-id:SSM-JITNA*"
      ]
    },
    {
      "Sid": "SNSListTopics",
      "Effect": "Allow",
      "Action": [
        "sns:ListTopics"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EventBridgeRuleManagement",
      "Effect": "Allow",
      "Action": [
        "events:PutRule",
        "events:PutTargets"
      ],
      "Resource": [
        "arn:aws:events:region:account-id:rule/SSM-JITNA*"
      ]
    },
    {
      "Sid": "ChatbotSlackManagement",
      "Effect": "Allow",
      "Action": [
        "chatbot:CreateSlackChannelConfiguration",
        "chatbot:UpdateSlackChannelConfiguration",
        "chatbot:DescribeSlackChannelConfigurations",
        "chatbot:DescribeSlackWorkspaces",
        "chatbot:DeleteSlackChannelConfiguration",
        "chatbot:RedeemSlackOauthCode",
        "chatbot:DeleteSlackWorkspaceAuthorization",
        "chatbot:GetSlackOauthParameters"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ChatbotTeamsManagement",
      "Effect": "Allow",
      "Action": [
        "chatbot:ListMicrosoftTeamsChannelConfigurations",
        "chatbot:CreateMicrosoftTeamsChannelConfiguration",
        "chatbot:UpdateMicrosoftTeamsChannelConfiguration",
        "chatbot:ListMicrosoftTeamsConfiguredTeams",
        "chatbot:DeleteMicrosoftTeamsChannelConfiguration",
        "chatbot:RedeemMicrosoftTeamsOauthCode",
        "chatbot:DeleteMicrosoftTeamsConfiguredTeam",
        "chatbot:GetMicrosoftTeamsOauthParameters",
        "chatbot:TagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SSMEmailSettings",
      "Effect": "Allow",
      "Action": [
        "ssm:UpdateServiceSetting",
        "ssm:GetServiceSetting"
      ],
      "Resource": [
        "arn:aws:ssm:region:account-id:servicesetting/ssm/access-request/email-role-mapping",
        "arn:aws:ssm:region:account-id:servicesetting/ssm/access-request/enabled-email-notifications"
      ]
    },
    {
      "Sid": "AllowViewingJitnaCloudWatchMetrics",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "AWS/SSM/JustInTimeAccess"
        }
      }
    },
    {
      "Sid": "QuickSetupConfigurationManagers",
      "Effect": "Allow",
      "Action": [
        "ssm-quicksetup:ListConfigurationManagers",
        "ssm-quicksetup:ListConfigurations",
        "ssm-quicksetup:ListQuickSetupTypes",
        "ssm-quicksetup:GetConfiguration",
        "ssm-quicksetup:GetConfigurationManager"
      ],
      "Resource": "*"
    },
    {
      "Sid": "QuickSetupDeployments",
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStacks",
        "cloudformation:DescribeStacks",
        "organizations:DescribeOrganization",
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ManualPolicy",
      "Effect": "Allow",
      "Action": [
        "sso:DescribeRegisteredRegions",
        "ssm:GetServiceSetting",
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SessionPreference",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowIamListForKMS",
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers"
      ],
      "Resource": "arn:aws:iam::account-id:user/*"
    },
    {
      "Sid": "KMSPermission",
      "Effect": "Allow",
      "Action": [
        "kms:TagResource",
        "kms:ListAliases",
        "kms:CreateAlias"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KMSCreateKey",
      "Effect": "Allow",
      "Action": [
        "kms:CreateKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/SystemsManagerJustInTimeNodeAccessManaged": "true"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "SystemsManagerJustInTimeNodeAccessManaged"
          ]
        }
      }
    },
    {
      "Sid": "AllowIamRoleForChatbotAction",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::account-id:role/role-name",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "chatbot.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowIamServiceRoleForChat",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "arn:aws:iam::account-id:role/aws-service-role/management.chatbot.amazonaws.com/AWSServiceRoleForAWSChatbot"
    },
    {
      "Sid": "CloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups"
      ],
      "Resource": "arn:aws:logs:*:account-id:log-group::log-stream:"
    },
    {
      "Sid": "IdentityStorePermissions",
      "Effect": "Allow",
      "Action": [
        "sso:ListDirectoryAssociations",
        "identitystore:GetUserId",
        "sso-directory:SearchUsers",
        "sso-directory:SearchGroups",
        "identitystore:DescribeGroup",
        "identitystore:DescribeUser"
      ],
      "Resource": "*"
    }
  ]
}
Permissions for approvers (view access requests and signal approval or rejection only on automation executions tagged SystemsManagerJustInTimeNodeAccessManaged):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessRequestDescriptions",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeOpsItems",
        "ssm:GetOpsSummary",
        "ssm:ListOpsItemEvents"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowGetSpecificAccessRequest",
      "Effect": "Allow",
      "Action": [
        "ssm:GetOpsItem"
      ],
      "Resource": "arn:aws:ssm:region:account-id:opsitem/*"
    },
    {
      "Sid": "AllowApprovalRejectionSignal",
      "Effect": "Allow",
      "Action": [
        "ssm:SendAutomationSignal"
      ],
      "Resource": "arn:aws:ssm:*:*:automation-execution/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/SystemsManagerJustInTimeNodeAccessManaged": "true"
        }
      }
    },
    {
      "Sid": "QuickSetupConfigurationManagers",
      "Effect": "Allow",
      "Action": [
        "ssm-quicksetup:ListConfigurationManagers",
        "ssm-quicksetup:ListConfigurations",
        "ssm-quicksetup:GetConfigurationManager",
        "ssm-quicksetup:ListQuickSetupTypes",
        "ssm-quicksetup:GetConfiguration"
      ],
      "Resource": "*"
    },
    {
      "Sid": "QuickSetupDeployments",
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStacks",
        "cloudformation:DescribeStacks",
        "organizations:DescribeOrganization",
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSsmJitnaPoliciesCrudOperations",
      "Effect": "Allow",
      "Action": [
        "ssm:GetDocument",
        "ssm:DescribeDocument"
      ],
      "Resource": [
        "arn:aws:ssm:region:account-id:document/*"
      ],
      "Condition": {
        "StringEquals": {
          "ssm:DocumentType": [
            "ManualApprovalPolicy",
            "AutoApprovalPolicy"
          ]
        }
      }
    },
    {
      "Sid": "AllowSsmJitnaPoliciesListOperations",
      "Effect": "Allow",
      "Action": [
        "ssm:ListDocuments",
        "ssm:ListDocumentVersions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IDCPermissions",
      "Effect": "Allow",
      "Action": [
        "sso:DescribeRegisteredRegions",
        "sso:ListDirectoryAssociations",
        "identitystore:GetUserId",
        "identitystore:DescribeUser",
        "identitystore:DescribeGroup",
        "identitystore:ListGroupMembershipsForMember"
      ],
      "Resource": "*"
    }
  ]
}
Permissions for requesters (create access requests, obtain access tokens, start and cancel manual-approval automations, and list nodes and sessions):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowJITNAOperations",
      "Effect": "Allow",
      "Action": [
        "ssm:StartAccessRequest",
        "ssm:GetAccessToken"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowOpsItemCreationAndRetrieval",
      "Effect": "Allow",
      "Action": [
        "ssm:CreateOpsItem",
        "ssm:GetOpsItem"
      ],
      "Resource": "arn:aws:ssm:*:*:opsitem/*"
    },
    {
      "Sid": "AllowListAccessRequests",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeOpsItems",
        "ssm:GetOpsSummary",
        "ssm:ListOpsItemEvents",
        "ssm:DescribeSessions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RequestManualApprovals",
      "Action": "ssm:StartAutomationExecution",
      "Effect": "Allow",
      "Resource": "arn:aws:ssm:*:*:document/*",
      "Condition": {
        "StringEquals": {
          "ssm:DocumentType": "ManualApprovalPolicy"
        }
      }
    },
    {
      "Sid": "StartManualApprovalsAutomationExecution",
      "Effect": "Allow",
      "Action": "ssm:StartAutomationExecution",
      "Resource": "arn:aws:ssm:*:*:automation-execution/*"
    },
    {
      "Sid": "AllowManualApprovalAutomationExecutionTagging",
      "Effect": "Allow",
      "Action": [
        "ssm:AddTagsToResource"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:automation-execution/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/SystemsManagerJustInTimeNodeAccessManaged": "true"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "SystemsManagerJustInTimeNodeAccessManaged"
          ]
        }
      }
    },
    {
      "Sid": "CancelAccessRequestManualApproval",
      "Effect": "Allow",
      "Action": "ssm:StopAutomationExecution",
      "Resource": "arn:aws:ssm:*:*:automation-execution/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/SystemsManagerJustInTimeNodeAccessManaged": "true"
        }
      }
    },
    {
      "Sid": "DescribeEC2Instances",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeTags",
        "ec2:GetPasswordData"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowListSSMManagedNodesAndTags",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeInstanceInformation",
        "ssm:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "QuickSetupConfigurationManagers",
      "Effect": "Allow",
      "Action": [
        "ssm-quicksetup:ListConfigurationManagers",
        "ssm-quicksetup:GetConfigurationManager",
        "ssm-quicksetup:ListConfigurations",
        "ssm-quicksetup:ListQuickSetupTypes",
        "ssm-quicksetup:GetConfiguration"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSessionManagerOperations",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowRDPOperations",
      "Effect": "Allow",
      "Action": [
        "ssm-guiconnect:ListConnections",
        "ssm:GetConnectionStatus"
      ],
      "Resource": "*"
    },
    {
      "Sid": "QuickSetupDeployments",
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStacks",
        "cloudformation:DescribeStacks",
        "organizations:DescribeOrganization",
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSsmJitnaPoliciesReadOnly",
      "Effect": "Allow",
      "Action": [
        "ssm:GetDocument",
        "ssm:DescribeDocument"
      ],
      "Resource": [
        "arn:aws:ssm:*:account-id:document/*"
      ],
      "Condition": {
        "StringEquals": {
          "ssm:DocumentType": [
            "ManualApprovalPolicy",
            "AutoApprovalPolicy"
          ]
        }
      }
    },
    {
      "Sid": "AllowSsmJitnaPoliciesListOperations",
      "Effect": "Allow",
      "Action": [
        "ssm:ListDocuments",
        "ssm:ListDocumentVersions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ExploreNodes",
      "Effect": "Allow",
      "Action": [
        "ssm:ListNodesSummary",
        "ssm:ListNodes",
        "ssm:DescribeInstanceProperties"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IdentityStorePermissions",
      "Effect": "Allow",
      "Action": [
        "sso:DescribeRegisteredRegions",
        "sso:ListDirectoryAssociations",
        "identitystore:GetUserId",
        "identitystore:DescribeUser",
        "identitystore:DescribeGroup"
      ],
      "Resource": "*"
    }
  ]
}
Note

To restrict access to the API operations that create, update, or delete approval policies, use the ssm:DocumentType condition key with the AutoApprovalPolicy and ManualApprovalPolicy document types. The StartAccessRequest and GetAccessToken API operations do not support the following global context keys:

  • aws:ViaAwsService

  • aws:MultiFactorAuthPresent

  • aws:SourceVpce

  • aws:UserAgent

For more information about condition context keys for Systems Manager, see Condition keys for AWS Systems Manager in the Service Authorization Reference.
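The two notes above each describe a check an administrator should make against existing IAM policies before cutting over: that no remaining Allow still covers ssm:StartSession, that grants on document write actions are scoped with ssm:DocumentType, and that conditions on StartAccessRequest/GetAccessToken do not rely on one of the unsupported global context keys. The following script is an added example (not code from AWS or from this guide) that runs those three checks offline over policy documents. The sample policies, the placeholder account ID 111122223333 and all function names are constructed for the example.

```python
"""Audit IAM policy documents before cutting over to just-in-time node access.

Added example, not AWS code. Three checks drawn from the page's notes:
  1. Allow statements that still cover ssm:StartSession (directly or through a
     wildcard such as "ssm:*" or "*"); these grants are what must be removed.
  2. Allow statements granting SSM document write actions with no
     ssm:DocumentType condition, so they could also write approval policies.
  3. Statements on ssm:StartAccessRequest / ssm:GetAccessToken whose Condition
     uses a global context key those operations do not support.
The policy documents at the bottom are constructed sample input.
"""
import fnmatch
import json

DOCUMENT_WRITE_ACTIONS = ("ssm:CreateDocument", "ssm:UpdateDocument",
                          "ssm:UpdateDocumentDefaultVersion", "ssm:DeleteDocument")
JIT_REQUEST_ACTIONS = ("ssm:StartAccessRequest", "ssm:GetAccessToken")
# Global context keys the page lists as unsupported by the two actions above.
UNSUPPORTED_CONTEXT_KEYS = {"aws:viaawsservice", "aws:multifactorauthpresent",
                            "aws:sourcevpce", "aws:useragent"}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _covers(stmt, action):
    """True if the statement's Action (or NotAction) covers the given action."""
    if "NotAction" in stmt:  # NotAction matches everything except the listed actions
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))


def _condition_keys(stmt):
    """All condition keys used by the statement, lower-cased (keys are case-insensitive)."""
    return {key.lower() for block in stmt.get("Condition", {}).values() for key in block}


def _label(index, stmt):
    return stmt.get("Sid", f"statement[{index}]")


def _statements(policy):
    return enumerate(_as_list(policy.get("Statement")))


def statements_allowing(policy, action):
    """Sids of Allow statements whose actions cover `action`. Deny statements are
    ignored on purpose: the advice is to remove the grants, not to rely on a Deny."""
    return [_label(i, s) for i, s in _statements(policy)
            if s.get("Effect") == "Allow" and _covers(s, action)]


def unconditioned_document_writes(policy):
    """Sids of Allow statements granting document writes with no ssm:DocumentType condition."""
    return [_label(i, s) for i, s in _statements(policy)
            if s.get("Effect") == "Allow"
            and any(_covers(s, a) for a in DOCUMENT_WRITE_ACTIONS)
            and "ssm:documenttype" not in _condition_keys(s)]


def ineffective_jit_conditions(policy):
    """Sids of statements (Allow or Deny) on the JIT request actions whose Condition
    relies on a context key those actions do not supply."""
    return [_label(i, s) for i, s in _statements(policy)
            if any(_covers(s, a) for a in JIT_REQUEST_ACTIONS)
            and _condition_keys(s) & UNSUPPORTED_CONTEXT_KEYS]


def audit(policy):
    """Run all checks; accepts a parsed policy document or its JSON text."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return {
        "start_session_grants": statements_allowing(policy, "ssm:StartSession"),
        "unscoped_document_writes": unconditioned_document_writes(policy),
        "ineffective_jit_conditions": ineffective_jit_conditions(policy),
    }


# Constructed sample policies; 111122223333 is a placeholder account id.
LEGACY_OPERATOR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SessionManagerLegacy", "Effect": "Allow",
     "Action": ["ssm:StartSession", "ssm:TerminateSession"],
     "Resource": "arn:aws:ec2:*:111122223333:instance/*"},
    {"Sid": "BroadSsm", "Effect": "Allow", "Action": "ssm:*", "Resource": "*"},
    {"Sid": "DocWrite", "Effect": "Allow",
     "Action": ["ssm:CreateDocument", "ssm:UpdateDocument"], "Resource": "*"},
    {"Sid": "MfaGatedRequests", "Effect": "Allow", "Action": list(JIT_REQUEST_ACTIONS),
     "Resource": "*", "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "DenyStart", "Effect": "Deny", "Action": "ssm:StartSession", "Resource": "*"},
]}
SCOPED_ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ApprovalPolicyCrud", "Effect": "Allow",
     "Action": ["ssm:CreateDocument", "ssm:UpdateDocument", "ssm:DeleteDocument"],
     "Resource": "arn:aws:ssm:*:111122223333:document/*",
     "Condition": {"StringEquals": {"ssm:DocumentType": ["ManualApprovalPolicy", "AutoApprovalPolicy"]}}},
    {"Sid": "SessionPrefs", "Effect": "Allow", "Action": "ssm:CreateDocument",
     "Resource": "arn:aws:ssm:*:111122223333:document/SSM-SessionManagerRunShell",
     "Condition": {"StringEquals": {"ssm:DocumentType": "Session"}}},
    {"Sid": "ReadOnly", "Effect": "Allow",
     "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus"], "Resource": "*"},
]}
LEGACY_OPERATOR_POLICY_JSON = json.dumps(LEGACY_OPERATOR_POLICY)

if __name__ == "__main__":
    for name, doc in (("legacy operator", LEGACY_OPERATOR_POLICY), ("scoped admin", SCOPED_ADMIN_POLICY)):
        print(name, json.dumps(audit(doc), indent=2))
```

Feed audit() the JSON of any policy document you have exported from IAM; an empty list for every key means the policy is ready for the cutover described in the first note. A statement flagged under start_session_grants through a wildcard like "ssm:*" needs to be narrowed rather than deleted, since the same statement may also carry the read-only permissions the requester policy relies on.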

The following procedure describes how to complete the first step of setting up just-in-time node access.

To set up just-in-time node access
  1. Sign in to the Systems Manager delegated administrator account for your organization.

  2. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.

  3. In the navigation pane, choose Just-in-time node access.

  4. Choose Enable the new experience.

  5. Choose the Regions where you want to enable just-in-time node access. By default, the same Regions you chose when setting up the Systems Manager unified console are selected for just-in-time node access. You cannot add new Regions that were not selected when you set up the Systems Manager unified console.

  6. Choose Enable just-in-time node access.

There is no charge for using just-in-time node access during the 30 days after you enable the feature. After the 30-day trial period, you are charged for its use. For more information, see AWS Systems Manager Pricing.