AWS EC2 instance using Systems Manager Session Manager
- for testing and demonstration of different Session Manager connection options
Session Manager is a much more secure way of accessing EC2 instances than a bastion host.
It removes the exposure of SSH / RDP to the public Internet, where they are targets for brute-force attacks and stolen credentials:
- no need for public IPs on EC2 instances
- no security group rules allowing inbound SSH or RDP
- no need for SSH keys or SSH passwords
- uses AWS IAM identities
- access logs in S3 and/or CloudWatch Logs
- no need for separate Bastion server
- access EC2 instances in public or private subnets
- can even work without an Internet Gateway by using VPC endpoints
- supports SSH, RDP and port forwarding
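The IAM part of that model is what decides who may open which kind of session against which instance. The policy below is an added example, not part of this project's Terraform: it assumes the instances carry an `Environment=dev` tag, uses the region from this README with a placeholder account ID (`111122223333`), and deliberately leaves out `AWS-StartSSHSession`, which matches the note later in this README that connections made with SSH keys are not logged to S3 / CloudWatch.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnTaggedDevInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:eu-west-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/Environment": "dev" },
        "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" }
      }
    },
    {
      "Sid": "OnlyShellAndPortForwardingDocuments",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ssm:eu-west-1:111122223333:document/SSM-SessionManagerRunShell",
        "arn:aws:ssm:eu-west-1::document/AWS-StartPortForwardingSession"
      ]
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    }
  ]
}
```

`ssm:SessionDocumentAccessCheck` makes the instance statement depend on the second one, so a user who is not granted a document cannot start a session with it, and the `session/${aws:username}-*` resource stops users from terminating or resuming each other's sessions.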
- if deploying from your laptop, duplicate `terraform.tfvars.example`, rename it without the `.example` suffix, enter details and save
- if deploying via a CI/CD pipeline, enter variable values in your pipeline
```shell
terraform workspace new dev
terraform plan
terraform apply
```
- you don't need an SSH key for Linux options 1, 2 and 3 below
- in this case exclude the AWS key pair from your environment
- from a security perspective, it's better not to use SSH keys
  - avoids issues with SSH key management
  - there is also no S3 / CloudWatch logging of connections made with SSH keys
5 ways to connect to a Linux EC2 instance:
- A remote shell session in the AWS console doesn't require an SSH key
- In the AWS Console, EC2, select the instance
- allows copying and pasting but not SCP
- ensure you have AWS CLI v2
- install the AWS CLI Session Manager plugin
- open Terminal
- use default credentials, or export AWS credentials to your session
- replace the example instance ID in the command below:
```shell
aws ssm start-session --target i-08d33c2c6302550fa --region eu-west-1
```
- set up port forwarding
```shell
aws ssm start-session --target i-08d33c2c6302550fa --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["80"], "localPortNumber":["9999"]}'
```
- browse to `localhost:9999`
SSH from your laptop allowing use of SCP to transfer files
- requires SSH public key on instance
- ensure you have AWS CLI v2
- install the AWS CLI Session Manager plugin
- open Terminal
- add the following to your SSH config file at `~/.ssh/config`
```
# SSH over Session Manager
host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
```
SSH from your laptop allowing use of SCP to transfer files
- requires SSH public key on instance
- open Terminal
- use default credentials, or set environment variables for AWS credentials
- if AWS region isn't specified:
```shell
export AWS_REGION=eu-west-1
```
- connect using SSH from laptop (assuming default SSH key used)
```shell
ssh ec2-user@i-08d33c2c6302550fa
```
- SCP from laptop (assuming default SSH key used)
```shell
scp Desktop/sample-file.txt ec2-user@i-08d33c2c6302550fa:~
```
2 ways to connect to Windows servers
- In the AWS Console, EC2, select the Windows instance
- Press Connect
- Choose the Session Manager tab
- Press Connect
- You now have a remote PowerShell session in your browser
- An AWS key pair is needed to retrieve the administrator password
- Open the AWS console and select the Windows instance
- Select Actions, Security, Get Windows password
- Paste your private key into the box, or browse to the file
- Copy the Windows password
- Start a port forwarding session (replace the example instance ID)
```shell
aws ssm start-session --target i-0c09d80c16edef9d8 --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["3389"], "localPortNumber":["3389"]}'
```
- open Microsoft Remote Desktop
- add a new PC with the destination `localhost`
- enter username `Administrator` and paste in the Windows password; accept the certificate when prompted
- test Internet access using the Edge browser
- connect from your laptop to an RDS database in an AWS private subnet
- requires socat, which has already been installed using user-data
- log in to the Linux server using Session Manager via the console
- set up a bidirectional byte stream from the Linux EC2 instance to RDS
- replace the database address with the output value from Terraform
```shell
socat TCP-LISTEN:3306,reuseaddr,fork TCP4:terraform-20220317154901310000000001.ccrkfpq3j6wo.eu-west-1.rds.amazonaws.com:3306
```
- note that `TCP-LISTEN:3306` as written accepts connections on every interface of the instance; the Session Manager tunnel only needs the instance's loopback, so adding `bind=127.0.0.1` to the listen address stops other hosts in the VPC from using the relay to reach the database
- using a terminal on your laptop, set up port forwarding
```shell
aws ssm start-session --target i-075256981bbf40bc5 --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["3306"], "localPortNumber":["3306"]}'
```
- use a SQL client such as Sequel Ace to connect
- replace the database username and password with the output from Terraform
- press Connect
- select a database
- run a query
- Port forwarding to RDS is based on Gert Leenders' blog