
Remote Execution via SSM

Rex policies live on the managed instance, not with the caller. The caller sends a script — the endpoint decides what it's allowed to do.

Each SSM document embeds a different Cedar policy, and IAM controls which documents a caller can invoke. This creates two layers of access control: IAM decides which sandbox you get, Cedar decides what you can do inside it.

[Figure: IAM + SSM + Rex: Layered Access Control. A caller (agent, service, or individual) in the caller's AWS account assumes an IAM role and provides only the script. IAM controls which SSM documents that caller can invoke (some allowed, some denied). In the service owner's AWS account, SSM Document A, B and C each embed a different Cedar policy (A, B, C) and hand the script to the Rex engine on the managed instance. The caller cannot modify the policies.]

Each SSM document is a pre-configured endpoint that embeds a Cedar policy as immutable configuration. The caller sends only a script — they never see or control the policy. IAM determines which endpoints a caller can invoke, and Cedar determines what the script can do once it arrives. Creating a new access tier is as simple as creating a new SSM document with a different embedded policy.

What This Looks Like

Three artifacts work together: an IAM policy that gates access to SSM documents, an SSM document that embeds a Cedar policy, and the caller who sends a script.

1. IAM Policy (caller's account)
{
  "Effect": "Allow",
  "Action": "ssm:SendCommand",
  "Resource": [
    "arn:aws:ssm:*:*:document/Rex-RO"
  ]
}

This caller can only invoke Rex-RO (read-only). They cannot invoke Rex-RW.

2. SSM Document: Rex-RO (service owner's account)
{
  "schemaVersion": "2.2",
  "description": "Read-only Rex endpoint",
  "parameters": {
    "script": {
      "type": "String",
      "description": "Rhai script to run under the embedded policy",
      "allowedPattern": "^[^']*$"
    }
  },
  "mainSteps": [{
    "action": "aws:runShellScript",
    "inputs": {
      "runCommand": [
        "# Cedar policy is embedded here — caller cannot change it",
        "cat <<'POLICY' > /tmp/policy.cedar",
        "permit(",
        "    principal,",
        "    action in [",
        "        file_system::Action::\"open\",",
        "        file_system::Action::\"read\",",
        "        file_system::Action::\"stat\"",
        "    ],",
        "    resource",
        ") when {",
        "    resource in file_system::Dir::\"/tmp/rex\"",
        "};",
        "POLICY",
        "",
        "# Script comes from the caller. SSM substitutes {{ script }} as plain text",
        "# before the shell runs; the allowedPattern above rejects single quotes, so",
        "# the value cannot end the quoting below and run outside Rex.",
        "printf '%s\\n' '{{ script }}' > /tmp/script.rhai",
        "",
        "# Run Rex with the embedded policy",
        "rex-runner -s /tmp/script.rhai -p /tmp/policy.cedar"
      ]
    }
  }]
}

The Cedar policy is baked into the document. The caller provides only the script parameter.
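A pre-deployment check for a document like this, added here as an example and not part of Rex or of the page: it pulls the Cedar policy out of the heredoc and reports if the delimiter is unquoted (the shell would expand inside the policy), if the policy references any SSM parameter (a caller could then influence it), or if it permits anything beyond the read-only actions. The document is a constructed, trimmed copy of Rex-RO, and the read-only action set is an assumption taken from that policy.

```python
import json
import re

# Constructed, trimmed copy of the Rex-RO document above (only what the check reads).
REX_RO_DOCUMENT = json.dumps({
    "schemaVersion": "2.2",
    "parameters": {"script": {"type": "String"}},
    "mainSteps": [{"action": "aws:runShellScript", "inputs": {"runCommand": [
        "cat <<'POLICY' > /tmp/policy.cedar",
        'permit(principal, action in [file_system::Action::"open",',
        '    file_system::Action::"read", file_system::Action::"stat"], resource)',
        'when { resource in file_system::Dir::"/tmp/rex" };',
        "POLICY",
        "echo '{{ script }}' > /tmp/script.rhai",
        "rex-runner -s /tmp/script.rhai -p /tmp/policy.cedar",
    ]}}],
})

# Assumed read-only action set, taken from the Rex-RO policy above.
READ_ONLY_ACTIONS = {"open", "read", "stat"}
HEREDOC_START = re.compile(r"cat <<(?P<q>'?)POLICY(?P=q) > /tmp/policy\.cedar")


def embedded_policy(document_json):
    """Return (policy text, True if the heredoc delimiter was quoted)."""
    lines = json.loads(document_json)["mainSteps"][0]["inputs"]["runCommand"]
    for i, line in enumerate(lines):
        m = HEREDOC_START.fullmatch(line)
        if m:
            end = lines.index("POLICY", i + 1)  # closing heredoc marker
            return "\n".join(lines[i + 1:end]), m.group("q") == "'"
    raise ValueError("no embedded Cedar policy heredoc found")


def policy_actions(policy):
    """Every Action::\"name\" the policy mentions."""
    return set(re.findall(r'Action::"([^"]+)"', policy))


def read_only_document_problems(document_json):
    """Reasons the document is not a trustworthy read-only endpoint; [] means it passes."""
    policy, quoted = embedded_policy(document_json)
    problems = []
    if not quoted:
        problems.append("heredoc delimiter unquoted: the shell would expand $VARS in the policy")
    if re.search(r"\{\{\s*\w+\s*\}\}", policy):
        problems.append("policy references an SSM parameter, so a caller could influence it")
    extra = policy_actions(policy) - READ_ONLY_ACTIONS
    if extra:
        problems.append("policy permits non-read-only actions: " + ", ".join(sorted(extra)))
    return problems
```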

3. Caller invocation
aws ssm send-command \
  --document-name Rex-RO \
  --targets 'Key=instanceids,Values=i-0123456789' \
  --parameters '{"script":["let x = cat(\"/tmp/rex/hello.txt\"); info(x);"]}'

The caller sends a Rhai script. The policy is already on the instance — the caller never touches it.