Minimal `basti` IAM Policy Allows Shell Access
Summary The provided Minimal IAM Policy for bastic connect does not include ssm:SessionDocumentAccessCheck. This results in the ability to get a shell session on the bastion, not just the intended access for Port Forwarding. Details basti connect is designed to "securely connect to your RDS/Aurora/Elasticache/EC2 instances", using a bastion instance "with AWS Session Manager port forwarding capability to make the target available on your localhost." The Minimal IAM Policy allows …