Introduction
Managing Amazon EC2 instances securely from remote locations has always been a critical concern for organizations. AWS Systems Manager (SSM) offers a secure, scalable, and efficient way to manage your infrastructure without exposing your instances to the internet. One of the most powerful tools within SSM is Session Manager, which allows you to interactively connect to EC2 instances without needing SSH or bastion hosts.
In this hands-on tutorial, we’ll walk through how to securely manage EC2 instances using Session Manager, eliminating the need for inbound ports or public IP addresses, and maintaining the highest levels of security.
For a visual walkthrough of the concepts covered in this article, check out my YouTube Video:-
Prerequisites
Before we dive into the hands-on part, ensure that you have the following:
- An AWS account with necessary permissions.
- EC2 instance with SSM Agent installed (most Amazon Machine Images (AMIs) come pre-installed).
- AWS CLI installed and configured on your local machine.
- IAM Role attached to the EC2 instance with the necessary permissions to use SSM.
Step 1: Create an EC2 Instance
- Navigate to the EC2 Dashboard: In the AWS Console, go to the EC2 dashboard and launch an instance.
- Choose an AMI: Select an AMI that has the SSM Agent pre-installed, such as an Amazon Linux 2 or Ubuntu 18.04.
- Configure Instance Details: When configuring your instance, ensure that you assign an IAM Role with the
AmazonSSMManagedInstanceCore
policy. This will give the instance the necessary permissions to communicate with SSM. - Review and Launch: Complete the remaining configurations (storage, tags, security groups) and launch your instance.
Step 2: Attach IAM Role to Your EC2 Instance
If you didn’t attach an IAM role during the launch process, you can add it after the instance is running:
- Go to the EC2 Console and select your running instance.
- Click Actions > Security > Modify IAM Role.
- Select the IAM Role with the
AmazonSSMManagedInstanceCore
policy and click Update IAM Role.
Step 3: Enable Session Manager
Now that your EC2 instance is running with the correct permissions, it’s time to set up and enable Session Manager.
- Navigate to AWS Systems Manager from the AWS Management Console.
- In the left panel, go to Session Manager under Instances & Nodes.
- You’ll see your instance listed under Managed Instances if the setup is correct. Select the instance and click Start Session.
Step 4: Connect to Your EC2 Instance
Using Session Manager, you can now securely connect to your EC2 instance:
- Click Start Session next to your EC2 instance.
- A terminal window will open in the browser, allowing you to interact with your instance as if you were using SSH.
- Execute any command on your EC2 instance to confirm the session is live (e.g.,
ls
,top
).
Step 5: Access EC2 Instances via AWS CLI
Session Manager also allows you to connect using the AWS CLI, providing greater flexibility.
- Open your terminal and run the following command:
aws ssm start-session --target <INSTANCE_ID>
2. You will now be connected to your EC2 instance directly from the terminal, without needing SSH.
Step 6: Enable Logging for Session Manager
For compliance and auditing purposes, you can log all Session Manager activity to Amazon S3 or Amazon CloudWatch Logs.
- In the Session Manager Settings (found in the SSM dashboard), enable session logging and specify an S3 bucket or CloudWatch log group to store the session data.
- This ensures that all activity performed through Session Manager is securely recorded.
Step 7: Advanced Security with Session Manager
Session Manager offers several advanced features to enhance security:
- Session Encryption: By default, all sessions are encrypted using AWS Key Management Service (KMS). You can configure custom keys if required.
- Disable SSH and RDP: By relying solely on Session Manager, you can close all inbound ports (such as port 22 for SSH or 3389 for RDP) on your instances, significantly reducing the attack surface.
- Control Session Permissions: You can restrict which users in your AWS account are allowed to start sessions by applying IAM policies to manage access.
Benefits of Using AWS Session Manager
- No Open Ports: You no longer need to expose your instances through public IPs or configure inbound firewall rules.
- Centralized Access: All EC2 instance access is managed centrally via the AWS Management Console or CLI.
- Session Logging: Full session activity can be captured and audited.
- Enhanced Security: By eliminating SSH keys and bastion hosts, you drastically reduce the risk of unauthorized access.
- Cost Efficiency: No need for additional infrastructure such as bastion servers or VPNs.
Conclusion
AWS Systems Manager Session Manager is a game-changer for secure EC2 instance management. It not only enhances security by removing the need for open ports but also simplifies infrastructure management. Whether you’re managing a fleet of EC2 instances across multiple regions or a single instance, Session Manager offers a powerful, secure, and scalable solution.
If you haven’t tried AWS Systems Manager Session Manager yet, this hands-on guide is your gateway to mastering it and boosting your cloud infrastructure’s security.
Connect with Me:
- YouTube ► S3 CloudHub Channel
- Facebook ► S3 CloudHub Page
- Medium ► S3 CloudHub Blog
- Demo Reference ► GitHub Repository
- Blog ► S3 CloudHub Blogspot
- Dev ► S3 CloudHub on Dev.to
No comments:
Post a Comment