Are users in your organization still accessing your EC2 instances via SSH?
Managing private keys for multiple users across multiple instances is a nightmare and a security risk.
So what is the solution?
AWS Session Manager provides centralized access control to instances using IAM policies.
Access is provided through the AWS CLI and, just like SSH, AWS Session Manager supports port forwarding.
As an additional security feature, you can set up AWS CloudWatch logging to see all the commands run in sessions.
So let's get started:
STEP 1: Create an IAM service role for AWS Session Manager
To grant access to AWS Session Manager Service, we need to create the appropriate IAM role.
Go to AWS IAM Roles Dashboard and then click on Create Role Button.
On the succeeding page select the following:
Use Case: EC2
For permissions, attach the AWS managed policies AmazonSSMFullAccess and AmazonSSMManagedInstanceCore.
Then skip tags and proceed to Review. For this demo we will call our role Test-SSMFullAccess.
STEP 2: Attach IAM Role to your EC2 Instance
This demo assumes that you have an EC2 instance running already. If not, there are a lot of online resources available about the topic.
To allow Session Manager to manage connections to your EC2 instance, you will need to attach the IAM Role/Profile created in Step 1 to your EC2 instance.
Go to the EC2 instances page and right-click on your instance.
Select Security > Modify IAM Role.
Then select the Test-SSMFullAccess IAM role we created in Step 1.
STEP 3: Check if AWS Session Manager Has Access To Your EC2 Instance
If all the previous steps are done correctly, then AWS Session Manager should have access to your instance.
To check, go to the AWS Systems Manager page (Session Manager is under this service).
Then navigate to **Session Manager > Start Session**.
Here you should see your instance listed, which means you can connect to it via Session Manager.
For each of your EC2 instances, just attach the IAM role we created in Step 1 to be able to connect to it via Session Manager.
**Note: Make sure the instance has SSM Agent installed. New EC2 instances usually have it installed already. If not, see the official AWS documentation on how to install SSM Agent on your instance.**
**Note: If SSM Agent is installed and the instance still does not appear in the target instance list, check the official documentation to troubleshoot.**
STEP 4: Create IAM Policy
Go back to the AWS IAM dashboard and open the Policies tab. Click on Create Policy.
In the JSON tab insert the following:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws:ec2:*:<YOUR ACCOUNT ID>:instance/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws:ssm:*::document/AWS-StartPortForwardingSession"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:session/${aws:username}-*"
      ]
    }
  ]
}
```
Skip the next sections until Review.
We will name our policy test-ssm-policy.
Note: Here you can create multiple policies that explicitly limit access to particular EC2 instances or regions. For simplicity we are allowing access to all EC2 instances in all regions.
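The note above says the policy can be narrowed to particular instances or regions. The following added example (not code from the original post) builds the Step 4 policy for a given account with an optional allow-list of regions and instance IDs, and includes a helper that lists exactly which instance ARNs a policy grants ssm:StartSession on, so you can review it before attaching. The account ID and instance IDs used are constructed placeholders.

```python
import json

# Added example, not from the original post. Generates the Step 4 policy,
# optionally narrowed to specific regions/instances as the note suggests.


def build_ssm_session_policy(account_id, regions=None, instance_ids=None):
    """Return an IAM policy dict allowing ssm:StartSession on the listed
    instances in the listed regions (wildcards when None), plus the
    port-forwarding document and termination of the caller's own sessions."""
    regions = regions or ["*"]
    instance_ids = instance_ids or ["*"]
    instance_arns = [
        f"arn:aws:ec2:{region}:{account_id}:instance/{iid}"
        for region in regions
        for iid in instance_ids
    ]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["ssm:StartSession"],
             "Resource": instance_arns},
            {"Effect": "Allow", "Action": ["ssm:StartSession"],
             "Resource": ["arn:aws:ssm:*::document/AWS-StartPortForwardingSession"]},
            # ${aws:username}-* restricts users to terminating their own sessions
            {"Effect": "Allow", "Action": ["ssm:TerminateSession"],
             "Resource": ["arn:aws:ssm:*:*:session/${aws:username}-*"]},
        ],
    }


def instance_resources(policy):
    """Collect every instance ARN on which the policy allows ssm:StartSession,
    so a reviewer can confirm the policy is no broader than intended."""
    arns = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and "ssm:StartSession" in stmt["Action"]:
            arns.extend(r for r in stmt["Resource"] if ":instance/" in r)
    return arns


if __name__ == "__main__":
    # Constructed sample: placeholder account ID, one region, two instances.
    policy = build_ssm_session_policy(
        "123456789012", ["us-east-1"], ["i-0abc123", "i-0def456"])
    print(json.dumps(policy, indent=2))
    print("Instances reachable:", instance_resources(policy))
```

Calling build_ssm_session_policy with only an account ID reproduces the all-instances, all-regions policy shown in Step 4.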
STEP 5: Attach IAM Policy To An IAM User
We can control which EC2 instances and which regions a user can access by attaching the appropriate policy. Since we want our user to have access to all EC2 instances, we will attach the policy created in Step 4.
Rather than attaching the policy directly to the user, we are going to create an IAM user group, which makes things easier to manage.
Name the group test-ssm-group, add your user or users, and attach our IAM policy test-ssm-policy.
**Note: If you prefer attaching the policy directly to the user, go to the IAM user's page > Permissions tab > Add permissions > Attach existing policies directly. Then search for the policy you created in Step 4, in our case test-ssm-policy.**
STEP 6: Installing the AWS CLI on your computer
To connect from your computer to your EC2 instances you need to have the AWS CLI installed.
For more information on how to install the AWS CLI on your specific machine, please refer to the official AWS CLI documentation.
STEP 7: Installing the Session Manager plugin on your computer
Aside from installing the AWS CLI, you also have to install the AWS CLI Session Manager plugin.
Again, for specific instructions for your machine, please refer to the official AWS CLI Session Manager plugin documentation.
STEP 8: Configuring your AWS CLI credentials
In order to connect to your EC2 instance via the AWS CLI, you will need your AWS IAM user access key ID and secret access key ready.
If you do not know where your access keys are, go to your **IAM page > Users**, click on your user name, go to Security credentials, then click on the Create access key button.
Once you have your keys at hand, open your computer's terminal and run the following command:
```shell
aws configure
```
You may enter your region as the default region name, but it is fine to leave it as None. For the output format, type json.
STEP 9: Connect to your EC2 Instance Using Session Manager
To connect to your instance, open your terminal and use the following syntax:
```shell
aws ssm start-session --target <ec2-instance-id> --region <ec2-instance-region>
```
Here we run the command echo hello connected.
Congratulations, you have successfully set up AWS Session Manager and are now connected to your EC2 instance.
STEP 10: Port forwarding/tunneling to your EC2 instance via AWS Session Manager
AWS Session Manager also allows users to port forward/tunnel to an EC2 instance:
```shell
aws ssm start-session --target <ec2-instance-id> --region <ec2-instance-region> \
  --document-name AWS-StartPortForwardingSession \
  --parameters '{"portNumber":["80"], "localPortNumber":["8080"]}'
```
Note: Unfortunately, it looks like forwarding multiple ports in one session is not supported by SSM, so you have to run the command above once per port to tunnel to multiple ports (as of writing).
OPTIONAL: Setup AWS CloudWatch for Session Manager Logging
To monitor sessions on your EC2 instances, we can set up AWS CloudWatch.
AWS CloudWatch will record all commands run on your EC2 instance. This is useful for debugging problems and for security purposes.
To start, just go to AWS CloudWatch.
Then let's create a log group for our AWS Session Manager sessions: Logs > Log groups > Create log group.
We will then create a log group called **test-ssm-log**.
After creating it, we will attach test-ssm-log to our Session Manager.
Go back to Session Manager, then go to **Preferences > Edit**.
Then scroll down to CloudWatch logging.
Tick CloudWatch logging Enable. Untick Allow only encrypted CloudWatch log groups.
Then select the test-ssm-log group and save.
If CloudWatch had already been set up before we ran echo hello connected in Step 9, we would be able to see the command logged in our test-ssm-log log stream.
Until next time. Keep learning.
Stay stoked and code. :)
I hope you can voluntarily Buy Me A Coffee if you found this article useful and give additional support for me to continue sharing more content for the community. :)
Thank you very much. :)