Tuesday, October 29, 2019

Say goodbye to Bastion hosts by using AWS Session Manager

Previously, if you wanted to access EC2 instances inside a private subnet securely, you either used a Bastion host or a VPN connection. If you are using a Bastion host, that means there is another EC2 instance in the public subnet which also exposes its SSH port to the internet, which can be a security risk if it is not properly hardened.

I recently found out that AWS offers a great alternative for this, in the form of "AWS Session Manager". AWS Session Manager is a part of AWS Systems Manager. First, you need to register the EC2 instances you are planning to connect to as "managed instances" in AWS Systems Manager by installing the ssm-agent (which is already bundled in some AMI versions) and granting the relevant IAM permissions. Then you can go to the "Session Manager" link in AWS Systems Manager and click "Create a Session". It then asks you to select one of the EC2 instances among the managed instances, and you can click to start a session. This opens another browser tab, which gives you a nice representation of a shell inside the connected EC2 instance. The user Session Manager uses to log in to the EC2 instance is "ssm-user", but you can use ssm-user to run commands, including privileged commands, similar to ec2-user.



Because of this Session Manager feature, you no longer have to manage a separate EC2 instance as a Bastion host and expose it to the internet.

You can also use IAM policies to restrict access to EC2 instances instead of managing SSH keys, which is another plus for security as it allows you to centralize access management.
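As an added example that is not part of the original post, the script below builds the kind of IAM policy this paragraph refers to: a user may start a session only to instances carrying a chosen tag, and may terminate or resume only sessions they started themselves. The `ssm:resourceTag/<key>` condition key and the `session/${aws:username}-*` resource pattern are real IAM constructs; the tag name `Team`, its value `webapp`, and the `start_session_allowed` function (a deliberately simplified check of the tag condition, not a full IAM evaluator) are assumptions made for the example.

```python
import json

# Added example (not from the original post): a least-privilege policy for
# Session Manager users, scoped by instance tag. Tag key/value are placeholders.

def start_session_policy(tag_key: str, tag_value: str) -> dict:
    """Return an IAM policy document that scopes ssm:StartSession by instance tag."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartSessionOnTaggedInstancesOnly",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                # Condition evaluated against the tags of the target instance.
                "Condition": {
                    "StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value}
                },
            },
            {
                # Session IDs are prefixed with the caller's IAM user name, so this
                # resource pattern lets a user manage only their own sessions.
                "Sid": "ManageOwnSessionsOnly",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
        ],
    }


def start_session_allowed(policy: dict, instance_tags: dict) -> bool:
    """Simplified evaluation (assumption: no Deny statements, no policy variables,
    only StringEquals on ssm:resourceTag/* keys): is there an Allow statement for
    ssm:StartSession whose tag conditions the instance satisfies?"""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt["Effect"] != "Allow" or "ssm:StartSession" not in actions:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        satisfied = True
        for key, value in conditions.items():
            if not key.startswith("ssm:resourceTag/"):
                satisfied = False  # unsupported condition key: fail closed
                break
            tag = key[len("ssm:resourceTag/"):]
            if instance_tags.get(tag) != value:
                satisfied = False
                break
        if satisfied:
            return True
    return False


if __name__ == "__main__":
    policy = start_session_policy("Team", "webapp")
    print(json.dumps(policy, indent=2))
    print(start_session_allowed(policy, {"Team": "webapp"}))    # True
    print(start_session_allowed(policy, {"Team": "payments"}))  # False
```

The first statement is what replaces SSH key distribution: instead of deciding who gets a key to which host, you tag instances and let the tag condition decide. The second statement keeps users from terminating each other's sessions.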

Another benefit is that you can use CloudTrail for logging and auditing the access and activities performed on EC2 instances.
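To show what that audit trail looks like in practice, here is an added example (not from the original post) that pairs `StartSession` and `TerminateSession` records from CloudTrail and flags sessions opened outside business hours. The records are constructed sample data in the CloudTrail record shape; all account IDs, ARNs, instance IDs, session IDs and IP addresses are placeholders, and the 08:00 to 18:00 UTC business-hours window is an assumption.

```python
from datetime import datetime

# Added example, not from the original post. SAMPLE_RECORDS is constructed data in
# the CloudTrail record shape; every identifier below is a placeholder.
SAMPLE_RECORDS = [
    {
        "eventTime": "2019-10-29T08:15:02Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"target": "i-0123456789abcdef0"},
        "responseElements": {"sessionId": "alice-0a1b2c3d4e5f6a7b8"},
    },
    {
        "eventTime": "2019-10-29T08:42:11Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "TerminateSession",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"sessionId": "alice-0a1b2c3d4e5f6a7b8"},
        "responseElements": {"sessionId": "alice-0a1b2c3d4e5f6a7b8"},
    },
    {
        "eventTime": "2019-10-29T23:05:40Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/OnCall/bob"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"target": "i-0fedcba9876543210"},
        "responseElements": {"sessionId": "bob-1122334455667788a"},
    },
]


def session_audit(records, business_hours=(8, 18)):
    """Pair each StartSession with its TerminateSession and flag sessions opened
    outside business_hours (UTC, half-open interval). Returns {sessionId: details}."""
    sessions = {}
    # CloudTrail delivery is not ordered, so sort by time before pairing events.
    for r in sorted(records, key=lambda rec: rec["eventTime"]):
        if r.get("eventSource") != "ssm.amazonaws.com":
            continue
        sid = (r.get("responseElements") or {}).get("sessionId")
        if not sid:
            continue  # e.g. a denied StartSession carries no session ID
        when = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if r["eventName"] == "StartSession":
            sessions[sid] = {
                "principal": r["userIdentity"]["arn"],
                "target": r["requestParameters"]["target"],
                "source_ip": r["sourceIPAddress"],
                "started": when,
                "ended": None,
                "after_hours": not (business_hours[0] <= when.hour < business_hours[1]),
            }
        elif r["eventName"] == "TerminateSession" and sid in sessions:
            sessions[sid]["ended"] = when
    return sessions


def open_sessions(sessions):
    """Session IDs that were started but never terminated in the examined records."""
    return sorted(sid for sid, s in sessions.items() if s["ended"] is None)


if __name__ == "__main__":
    audit = session_audit(SAMPLE_RECORDS)
    for sid, s in audit.items():
        flag = " AFTER-HOURS" if s["after_hours"] else ""
        print(f"{sid}: {s['principal']} -> {s['target']} from {s['source_ip']}{flag}")
    print("still open:", open_sessions(audit))
```

CloudTrail records the API side (who opened a session to which instance, from where); the commands typed inside the session are a separate logging feature of Session Manager, so a complete audit uses both.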


I noticed that, if you are using an AMI from AWS Marketplace which requires running some initialization scripts at the first login, it may not work if you use ssm-user to log in, if the product did not anticipate user login using ssm-user.

See https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html for more details.

Update:

Later I encountered difficulties when trying to use Session Manager to log in to EC2 instances which were in a private subnet (or a VPC without an attached Internet Gateway). Please follow these instructions to solve the issue using VPC endpoints: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-systems-manager-vpc-endpoints/
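As an added example (not from the original post or the linked AWS article), the script below runs two preflight checks that cover both the managed-instance requirement described earlier and the private-subnet problem in this update: whether the VPC has available interface endpoints for the `ssm`, `ssmmessages` and `ec2messages` services, and whether the target instance's SSM agent is reporting `Online`. It is written against the boto3 `describe_vpc_endpoints` and `describe_instance_information` call shapes; the `FakeAws` class is a constructed stub so the script runs offline, and the VPC, instance and region values are placeholders.

```python
# Added example, not from the original post. Works with real boto3 clients
# (ec2 = boto3.client("ec2"), ssm = boto3.client("ssm")) or the stub below.

REQUIRED_SERVICES = ("ssm", "ssmmessages", "ec2messages")


def missing_ssm_endpoints(ec2, vpc_id: str, region: str) -> list:
    """Interface-endpoint service names the VPC still needs for Session Manager."""
    resp = ec2.describe_vpc_endpoints(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    present = {e["ServiceName"] for e in resp["VpcEndpoints"] if e.get("State") == "available"}
    wanted = [f"com.amazonaws.{region}.{svc}" for svc in REQUIRED_SERVICES]
    return [name for name in wanted if name not in present]


def managed_instance_status(ssm, instance_id: str) -> str:
    """'Online' when the agent is checking in; otherwise the reported PingStatus
    (e.g. 'ConnectionLost') or 'NotManaged' if SSM has never seen the instance."""
    resp = ssm.describe_instance_information(
        Filters=[{"Key": "InstanceIds", "Values": [instance_id]}]
    )
    infos = resp.get("InstanceInformationList", [])
    if not infos:
        return "NotManaged"
    return infos[0].get("PingStatus", "Unknown")


def diagnose(ec2, ssm, vpc_id: str, instance_id: str, region: str) -> list:
    """Human-readable list of reasons a session to instance_id would fail; empty if none."""
    problems = []
    for name in missing_ssm_endpoints(ec2, vpc_id, region):
        problems.append(f"VPC {vpc_id} has no available interface endpoint for {name}")
    status = managed_instance_status(ssm, instance_id)
    if status != "Online":
        problems.append(f"{instance_id} is not an Online managed instance (status: {status})")
    return problems


class FakeAws:
    """Constructed stub standing in for the boto3 ec2 and ssm clients."""

    def __init__(self, endpoint_services, ping_status):
        self._endpoints = endpoint_services   # service names that exist and are available
        self._ping = ping_status               # None means SSM has never seen the instance

    def describe_vpc_endpoints(self, Filters):
        return {"VpcEndpoints": [{"ServiceName": s, "State": "available"} for s in self._endpoints]}

    def describe_instance_information(self, Filters):
        if self._ping is None:
            return {"InstanceInformationList": []}
        return {"InstanceInformationList": [
            {"InstanceId": Filters[0]["Values"][0], "PingStatus": self._ping}
        ]}


if __name__ == "__main__":
    # Placeholder VPC with only the ssm endpoint and an agent that lost its connection.
    stub = FakeAws(["com.amazonaws.us-east-1.ssm"], "ConnectionLost")
    for line in diagnose(stub, stub, "vpc-0123456789abcdef0", "i-0123456789abcdef0", "us-east-1"):
        print("-", line)
```

The endpoints also need private DNS enabled and a security group that accepts HTTPS (port 443) from the instances' subnets; those two settings are not checked here but are the next things to look at when all three endpoints exist and the agent still shows `ConnectionLost`.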
