Removed ssm:DeregisterManagedInstance from IAM SSHSageMakerClientPolicy since it's an admin cleanup action

ivan-khvostishkov · ivan-khvostishkov · commit 590dbf8fbc45 · 2023-08-16T08:48:29.000+02:00
diff --git a/IAM_SSM_Setup.md b/IAM_SSM_Setup.md
@@ -183,16 +183,6 @@ a. Attach the inline policy named `SSHSageMakerClientPolicy`. Replace `<<ACCOUNT
             "Resource": "*",
             "Effect": "Allow"
         },
-        {
-            "Condition": {
-                "StringLike": {
-                    "ssm:resourceTag/SSHOwner": "*"
-                }
-            },
-            "Action": "ssm:DeregisterManagedInstance",
-            "Resource": "arn:aws:ssm:*:<<ACCOUNT_ID>>:managed-instance/mi-*",
-            "Effect": "Allow"
-        },
         {
             "Condition": {
                 "StringEquals": {
diff --git a/sagemaker_ssh_helper/cdk/iam_ssm/iam_ssm_stack.py b/sagemaker_ssh_helper/cdk/iam_ssm/iam_ssm_stack.py
@@ -32,18 +32,6 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
                                   ],
                                   resources=["*"]
                               ),
-                              PolicyStatement(
-                                  effect=Effect.ALLOW,
-                                  actions=[
-                                      "ssm:DeregisterManagedInstance",
-                                  ],
-                                  resources=[f"arn:{Aws.PARTITION}:ssm:*:{Aws.ACCOUNT_ID}:managed-instance/mi-*"],
-                                  conditions={
-                                      "StringLike": {
-                                          "ssm:resourceTag/SSHOwner": "*"
-                                      }
-                                  }
-                              ),
                               PolicyStatement(
                                   effect=Effect.ALLOW,
                                   actions=[
diff --git a/sagemaker_ssh_helper/cdk/iam_ssm/iam_ssm_stack_tests.py b/sagemaker_ssh_helper/cdk/iam_ssm/iam_ssm_stack_tests.py
@@ -160,6 +160,18 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
                                   resources=[
                                       f"arn:{Aws.PARTITION}:logs:{Aws.REGION}:{Aws.ACCOUNT_ID}:log-group:/aws/codebuild/sagemaker-studio-image-build-*:log-stream:*"]
                               ),
+                              PolicyStatement(
+                                  effect=Effect.ALLOW,
+                                  actions=[
+                                      "ssm:DeregisterManagedInstance",
+                                  ],
+                                  resources=[f"arn:{Aws.PARTITION}:ssm:*:{Aws.ACCOUNT_ID}:managed-instance/mi-*"],
+                                  conditions={
+                                      "StringLike": {
+                                          "ssm:resourceTag/SSHOwner": "*"
+                                      }
+                                  }
+                              ),
                           ]))
 
         sagemaker_core_policy.attach_to_role(user_role)
