Step 7: (Optional) Turn on or turn off ssm-user account administrative permissions
Starting with version 2.3.50.0 of AWS Systems Manager SSM Agent, the agent creates a local
user account called ssm-user
and adds it to
/etc/sudoers
(Linux and macOS) or to the
Administrators group (Windows). On agent versions earlier than
2.3.612.0, the account is created the first time SSM Agent starts or restarts after
installation. On version 2.3.612.0 and later, the ssm-user
account is
created the first time a session is started on a node. This ssm-user
is
the default operating system (OS) user when a AWS Systems Manager Session Manager session is started.
SSM Agent version 2.3.612.0 was released on May 8th, 2019.
If you want to prevent Session Manager users from running administrative commands on a
node, you can update the ssm-user
account permissions. You can also
restore these permissions after they have been removed.
Topics
Managing ssm-user sudo account permissions on Linux and macOS
Use one of the following procedures to turn on or turn off the ssm-user account sudo permissions on Linux and macOS managed nodes.
Use Run Command to modify ssm-user sudo permissions (console)
-
Use the procedure in Running commands from the console with the following values:
-
For Command document, choose
AWS-RunShellScript
. -
To remove sudo access, in the Command parameters area, paste the following in the Commands box.
cd /etc/sudoers.d echo "#User rules for ssm-user" > ssm-agent-users
-or-
To restore sudo access, in the Command parameters area, paste the following in the Commands box.
cd /etc/sudoers.d echo "ssm-user ALL=(ALL) NOPASSWD:ALL" > ssm-agent-users
-
Use the command line to modify ssm-user sudo permissions (AWS CLI)
-
Connect to the managed node and run the following command.
sudo -s
-
Change the working directory using the following command.
cd /etc/sudoers.d
-
Open the file named
ssm-agent-users
for editing. -
To remove sudo access, delete the following line.
ssm-user ALL=(ALL) NOPASSWD:ALL
-or-
To restore sudo access, add the following line.
ssm-user ALL=(ALL) NOPASSWD:ALL
-
Save the file.
Managing ssm-user Administrator account permissions on Windows Server
Use one of the following procedures to turn on or turn off the ssm-user account Administrator permissions on Windows Server managed nodes.
Use Run Command to modify Administrator permissions (console)
-
Use the procedure in Running commands from the console with the following values:
For Command document, choose
AWS-RunPowerShellScript
.To remove administrative access, in the Command parameters area, paste the following in the Commands box.
net localgroup "Administrators" "ssm-user" /delete
-or-
To restore administrative access, in the Command parameters area, paste the following in the Commands box.
net localgroup "Administrators" "ssm-user" /add
Use the PowerShell or command prompt window to modify Administrator permissions
-
Connect to the managed node and open the PowerShell or Command Prompt window.
-
To remove administrative access, run the following command.
net localgroup "Administrators" "ssm-user" /delete
-or-
To restore administrative access, run the following command.
net localgroup "Administrators" "ssm-user" /add
Use the Windows console to modify Administrator permissions
-
Connect to the managed node and open the PowerShell or Command Prompt window.
-
From the command line, run
lusrmgr.msc
to open the Local Users and Groups console. -
Open the Users directory, and then open ssm-user.
-
On the Member Of tab, do one of the following:
-
To remove administrative access, select Administrators, and then choose Remove.
-or-
To restore administrative access, enter
Administrators
in the text box, and then choose Add.
-
-
Choose OK.