Niccolo Lampa
The Data Life

The Data Life

Managing SSH Access via AWS Session Manager

Managing SSH Access via AWS Session Manager

Niccolo Lampa's photo
Niccolo Lampa

Published on Oct 31, 2021

6 min read

Are users in your organization still accessing your EC2 instances via SSH?

Managing private keys for multiple users for multiple instances is a nightmare and is a security risk.

So what is the solution?

AWS Session Manager provides centralized access control to instances using IAM policies.

Access is provided through AWS CLI and just like SSH, AWS Session Manager provides port forwarding.

Also as a security feature you can setup AWS CloudWatch logging to see all the commands run in sessions.

So let's get started:

STEP 1: Create an IAM service role for AWS Session Manager

To grant access to AWS Session Manager Service, we need to create the appropriate IAM role.

Go to AWS IAM Roles Dashboard and then click on Create Role Button.

iam-role-dashboard.png

On the succeeding page select the following:

Use Case: EC2 Screen Shot 2021-10-30 at 9.03.38 PM.png

For permissions attach AWS managed policies called : AmazonSSMFullAccess and AmazonSSMManagedInstanceCore Screen Shot 2021-10-31 at 2.13.12 PM.png

Then skip tags and proceed to Review. For this demo we will call our role: Test-SSMFullAccess Screen Shot 2021-10-30 at 9.11.28 PM.png

STEP 2: Attach IAM Role to your EC2 Instance

This demo assumes that you have an EC2 instance running already. If not, there are a lot of online resources available about the topic.

To allow Session Manager to manage connections to your EC2 instance, you will need to attach the IAM Role/Profile created in Step 1 to your EC2 instance.

Go to EC2 instances page and right click on your instance.

Select Security > Modify IAM Role. Screen Shot 2021-10-30 at 9.20.42 PM.png

Then select the Test-SSMFullAccess IAM Role we created in Step 1. Screen Shot 2021-10-30 at 9.22.09 PM.png

STEP 3: Check if AWS Session Manager Has Access To Your EC2 Instance

If all the previous steps are done correctly, then AWS Session Manager should have access to your instance.

To check go to AWS Systems Manager Page (Session Manager is under this Service).

Screen Shot 2021-10-30 at 9.33.06 PM.png

Then navigate to Session Manager > Start Session Screen Shot 2021-10-30 at 9.34.34 PM.png

Here you will see your instance which means you can connect via Session Manager. Screen Shot 2021-10-30 at 9.52.47 PM.png

For each of your EC2 instance just attach the IAM role we created in Step 1 to be able to connect to it via Session Manager.

Note: Make sure instance has SSM Agent installed. Usually all new EC2 instances have it installed already. If not see the official AWS documentation on how to install SSM Agent in your instance .

STEP 4: Create IAM Policy

Go back to AWS IAM Roles Dashboard and go to Policy tab. Click on Create Policy. Screen Shot 2021-10-31 at 1.37.01 PM.png

In the JSON tab insert the following

    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:*:<YOUR ACCOUNT ID> :instance/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ssm:*::document/AWS-StartPortForwardingSession"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:TerminateSession"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:session/${aws:username}-*"
            ]
        }
    ]
}

Skip next sections until Review.

We will name our policy test-ssm-policy Screen Shot 2021-10-31 at 1.52.29 PM.png

Note: Here you can create multiple policies that will explicitly limit access to various ec2 instances or regions. For simplicity purposes we are allowing access to all ec2 instances in all regions.

STEP 5: Attach IAM Policy To An IAM User

We can determine which EC2 instance and what region a user can access by attaching the appropriate policy. Since we want our user to have access to all ec2 instances, we will attach the policy created in Step 5.

Rather than attach the policy the userwe will make things easier to manage we are going to create an IAM User Group.

Screen Shot 2021-10-31 at 1.59.43 PM.png

Name the group test-ssm-group. Add you user/users. And attach our IAM Policy test-ssm-policy. Screen Shot 2021-10-31 at 2.02.44 PM.png

Note: If you prefer directly attaching the policy to the user. You can go to IAM User's page > Permission tab > Add permission > Attach existing policies directly. Then search for the policy you created in Step 5. In our case test-ssm-policy.

STEP 6: Installing AWS CLI in your computer

To connect from your computer to your EC2 instances you need to have AWS CLI installed.

For more information on how to install AWS CLI for your specific machine, please refer to Official AWS CLI Documentation.

STEP 7: Installing Session Manager Plugin in your computer

Aside from installing AWS CLI, you also have to install the AWS CLI Session Manager Plugin.

Again for specific instructions on how to in your machine, please refer to AWS CLI Session Manager Plugin Official Documentation

STEP 8: Configuring your AWS CLI credentials

In order to connect via AWS CLI to your EC2 instance, you will need your AWS IAM user access key ID and secret key ready.

If you have no idea, where you access keys are. Go to your IAM page > Users. Click on your user name. Go to Security Credentials. Then click on Create access key button.

Screen Shot 2021-10-31 at 12.48.23 PM.png

Once you have your keys at hand. Go to your computer's terminal and run the following command.

aws configure

You may insert your region as Default Region, but totally fine to leave it as None. For output just type in json.

Screen Shot 2021-10-31 at 12.48.23 PM.png

STEP 9: Connect to your EC2 Instance Using Session Manager

To connect to your instance open your terminal and follow this syntax

aws ssm start-session --target <ec2-instance-id> --region <ec2-instance-region>

Screen Shot 2021-10-31 at 2.23.51 PM.png

Here we run command echo hello connected.

Congratulations you have successfully setup AWS Session Manager and now connected to your EC2 instance.

STEP 10: Port forwarding/tunneling to your EC2 instance via AWS Session Manager

AWS session manager also allows user to port forward/tunnel to EC2 instance:

aws ssm start-session --target <ec2-instance-id> --region <ec2-instance-region>
--document-name AWS-StartPortForwardingSession  --parameters '{"portNumber":["80"], "localPortNumber":["8080"]}'

Note: Unfortunately it looks like multiple port forwarding/tunneling is not supported for SSM. So you have to enter the command above multiple times to tunnel to multiple ports (As of writing)

OPTIONAL: Setup AWS CloudWatch for Session Manager Logging

To monitor sessions in your EC2 instances, we can setup AWS CloudWatch.

AWS Cloudwatch will record all commands run in your ec2 instance. This will be useful for debugging problems and for security purposes.

To start just go to AWS CloudWatch

Screen Shot 2021-10-30 at 10.18.16 PM.png

Then let's create a log group for our AWS Session Manager sessions. Logs> Log groups> Create log group

Screen Shot 2021-10-30 at 10.20.38 PM.png

We will then create a log group called test-ssm-log.

Screen Shot 2021-10-30 at 10.32.33 PM.png

After creating we will attach the test-ssm-log to our Session Manager.

Go back to Session Manager then go to Preferences> Edit. Screen Shot 2021-10-30 at 10.36.44 PM.png

Then scroll down to CloudWatch logging

Tick CloudWatch Logging Enable. Untick Allow only encrypted CloudWatch log groups Then select test-ssm-log group. Then save. Screen Shot 2021-10-30 at 10.40.22 PM.png

If CloudWatch was already setup before we ran the echo hello connected in Step 9, we should be able to see the command logged in our test-ssm-log log stream.

Screen Shot 2021-10-31 at 2.31.14 PM.png

Stay stoked and code.

 
Share this