(ec2): BastionHostLinux should use AmazonSSMManagedInstanceCore policy

[clueleaf]

Describe the feature

BastionHostLinux currently has the following instance role.

aws-cdk/packages/aws-cdk-lib/aws-ec2/lib/bastion-host.ts

Lines 192 to 199 in 5ef3be5

	this.instance.addToRolePolicy(new PolicyStatement({
	actions: [
	'ssmmessages:*',
	'ssm:UpdateInstanceInformation',
	'ec2messages:*',
	],
	resources: ['*'],
	}));

This has insufficient permissions to be managed by SSM. AmazonSSMManagedInstanceCore should be used instead. (Especially ssm permissions)

Use Case

Manage instance by SSM.

Proposed Solution

Use AmazonSSMManagedInstanceCore policy instead of inline policy.

Other Information

According to my research, The code above first appeared in #3697
It seems like the instance role was not discussed then.

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.144.0

Environment details (OS name and version, etc.)

macOS

[hoegertn]

Hi, can you elaborate on the missing permissions? I explicitly did not use it because of the broad permissions regarding parameter store etc.

But we can change that if it is deemed safe.

[clueleaf]

@hoegertn
Thank you for your response.
One thing I noticed is when I tried to scan the bastion host using Inspector, the State Manager association created automatically failed because of the lack of permission, which resulted in scan failure.

The execution history shows ssm:GetManifest was missing, which is included in AmazonSSMManagedInstanceCore. I'm not sure about other permissions, but I have a feeling that it would be safe to use AmazonSSMManagedInstanceCore so that bastion instances can be fully managed by SSM.

[pahud]

@clueleaf

Makes sense to me. Feel free to submit a PR for that if you like. Before that, I am afraid we'll need to manually attach that managed policy to the instance role like

    const bast = new ec2.BastionHostLinux(this, 'Bast', {
      vpc,
    });

    bast.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore'));

[hoegertn]

Please consider adding the missing statements instead of adding the ManagedPolicy. The ManagedPolicy might be a breaking change for users as some companies do not allow the use of managed policies as they ofter are to wide.

[clueleaf]

The ManagedPolicy might be a breaking change for users as some companies do not allow the use of managed policies as they ofter are to wide.

Good point. Since we can work around by adding policies like @pahud shows, it is safe to keep the current state. Closing this issue.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[aws-cdk-automation]

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.