Connect EC2 Private Instance using Session Manager -GO bastion-less

Session Manager is fully managed by the AWS system manager that can be used to manage the EC2 instance and allow users to connect to the instances without using RDP or SSH. It provides secure instance management without opening inbound ports or setting up bastion hosts or managing the SSH keys.

It is well known that one are not able to directly access EC2 instances unless there is VPN Connectivity or Direct Connect or other network connectivity source with the VPC. Alternatively, connecting to VPC requires an intermediate instance, such as a bastion host or a jump box, which is hosted on a public subnet and connects private subnet instances. Using SSM Session Manager, one can connect to private instances directly without using bastion hosts or opening any ports in security groups or whitelisting ports in the CIDR. Session Manager adds the additional layer of security to the EC2 instances.

Benefits of Session Manager

  • Supports Linux / Windows and public or private instances.
  • No need to open the ports in the security groups
  • No bastion host required to connect to the private hosts
  • No need for SSH keys or passwords to connects the instances
  • Manage and record the entire sessions and store the recordings in Cloudwatch and S3
  • One click accesses to the instances from console.
  • Managed centralised access control to the instances using IAM policies.

Scenario:

Considering that the production and development instances are in the same region, the user must log in to the instances via the bastion host for both environments. To make it seamless, the admin needs to create a user in all instances, or it needs to share a PEM file with the users. The AWS Session Manager shall be a perfect solution for this scenario. The user does not need to use bastion host and Public IPs. One shall be able to connect to the instance using AWS Session Manager and save the cost of bastion host and adds the additional layer of security to the instances.

 

Prerequisites:

  1. Ensure that the OS is either Windows or Linux as only these OS are supported currently.
  2. Create Amazon EC2 Tags.
  3. AWS CLI must be enabled to configure the destination instance in the local machine using programmatic access.
  4. Ensure SSM Agent has been installed in destination instances.
  5. To enable the console access to connect the session manager a new user should be created in IAM.
  6. Create a IAM Role and attach the AmazonEC2RoleforSSM policy for the role
  7. Finally attach the created IAM Role to the destination instance.

The code below for restricting access to the instances using the amazon ec2 tags. (Environment: Production)

In the AWS System Manager Service Console, the user should select the Session Manager to choose the instance that the user would like to start the session. The user will be able to track and record the session in the History tab of the Session Manager.

 

If necessary, the session outputs are routed to the Cloudwatch log groups as well as to the s3 bucket.

 

 

 

 

Limitations

The limitation in using AWS Session Manager instead of SSH is that it doesn’t  allow files to be transferred. The workaround to address this issue is to use s3 bucket and configure AWSCLI to exchange data.

Pricing

Session Manger service is free of charge. Users need to pay only for the use of the underlying AWS resources EC2, S3, Cloudwatch and data out.

For more information on AWS Session manager and its recources , you can get in touch with our experts at 1CloudHub and request this topic specifically.

Written by :

Mahavishnu G & Umashankar N

Sharing is caring!

Tags: