medium.com
To reach infrastructure running in AWS when support access or configuration changes are needed, teams have traditionally used SSH through bastion hosts. A better approach on AWS is Systems Manager (SSM) Session Manager. The example below shows how to set it up with Terraform.
Exposing an SSH port to the internet draws a constant stream of brute-force and scanning attempts. With SSM, hosts can sit in private subnets of a Virtual Private Cloud (VPC) with no inbound ports at all. Instead of passwords or SSH keys, IAM permissions define who may open a session, and every session is an auditable API call. You can still layer your favorite SSH tools on top of SSM if you need them.
Michael Ortiz provides examples of setting up the hosts using Terraform and how to connect to them.
Terraform Code Example:
[hcl]
# Session Manager preferences document. SSM-SessionManagerRunShell is the fixed
# name Session Manager reads its regional preferences from. With the S3 and
# CloudWatch fields left empty, sessions are not recorded anywhere.
resource "aws_ssm_document" "session_manager_prefs" {
  name          = "SSM-SessionManagerRunShell"
  document_type = "Session"
  content       = <<DOC
{
  "schemaVersion": "1.0",
  "description": "Document to hold regional settings for Session Manager",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "",
    "s3KeyPrefix": "",
    "s3EncryptionEnabled": false,
    "cloudWatchLogGroupName": "",
    "cloudWatchEncryptionEnabled": false
  }
}
DOC
}

# Inline policy attached to aws_iam_role.ec2_role, which is defined elsewhere
# in the original configuration. ssm:StartSession / ResumeSession /
# TerminateSession are the permissions a caller needs to open a session; the
# instance's own role additionally needs the ssm:, ssmmessages: and
# ec2messages: permissions in AmazonSSMManagedInstanceCore so the agent can
# register and accept sessions.
resource "aws_iam_role_policy" "ssm_policy" {
  name   = "ssm-policy"
  role   = aws_iam_role.ec2_role.id
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession",
        "ssm:TerminateSession",
        "ssm:ResumeSession"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}
[/hcl]
### AWS CLI Commands:
1. Start a session:
aws ssm start-session --target <instance-id>
2. List active sessions:
aws ssm describe-sessions --state Active
3. Terminate a session:
aws ssm terminate-session --session-id <session-id>
### What Undercode Says:
AWS Systems Manager (SSM) Session Manager is a secure and efficient alternative to SSH and bastion hosts. Because the SSM agent makes outbound connections to the service, no inbound SSH port has to be opened, which removes that entry point from the attack surface. Access is governed by IAM policies, so only principals that have been granted ssm:StartSession can connect, and every session start, resume and termination is recorded as an API call. SSM also integrates with existing SSH tooling, so administrators keep a familiar interface.
On Linux hosts you can still tighten the OS layer, for example with `iptables` rules that restrict what the instance accepts, or `fail2ban` if any login service remains exposed. On Windows, the AWS Tools for PowerShell expose the same session API:
Start-SSMSession -Target <instance-id>
For monitoring and logging, send session transcripts to CloudWatch so that activity can be reviewed and alerted on. The log group can be created with the CLI:
aws logs create-log-group --log-group-name "/aws/ssm/sessions"
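The Terraform block earlier on this page leaves the session preferences without any logging destination and does not show the instance-side wiring, and the CloudWatch paragraph above only creates the log group by hand. The following configuration is an added example, not code from the original post or from Michael Ortiz's article: it defines the instance role with the AmazonSSMManagedInstanceCore managed policy, an instance profile, a host in a private subnet with no inbound rules, a CloudWatch log group, and a session preferences document that records every session to that log group. `aws_vpc.main`, `aws_subnet.private` and `var.ami_id` are placeholders assumed to exist elsewhere in your configuration.

```hcl
# Added example (not from the original post). Placeholders: aws_vpc.main,
# aws_subnet.private, var.ami_id.

# Role the EC2 instance assumes; the SSM agent uses it to register with the service.
resource "aws_iam_role" "ec2_role" {
  name = "ssm-instance-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# AWS managed policy with the ssm:, ssmmessages: and ec2messages: calls the agent needs.
resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.ec2_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

# CloudWatch logging is not covered by the managed policy; the agent needs these too.
resource "aws_iam_role_policy" "session_logging" {
  name = "ssm-session-logging"
  role = aws_iam_role.ec2_role.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams"]
      Resource = "${aws_cloudwatch_log_group.ssm_sessions.arn}:*"
    }]
  })
}

resource "aws_iam_instance_profile" "ec2_profile" {
  name = "ssm-instance-profile"
  role = aws_iam_role.ec2_role.name
}

# No ingress block at all: the agent only needs outbound HTTPS to the SSM endpoints.
resource "aws_security_group" "ssm_only" {
  name   = "ssm-only"
  vpc_id = aws_vpc.main.id # placeholder

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "private_host" {
  ami                         = var.ami_id            # placeholder
  instance_type               = "t3.micro"
  subnet_id                   = aws_subnet.private.id # placeholder private subnet
  associate_public_ip_address = false
  iam_instance_profile        = aws_iam_instance_profile.ec2_profile.name
  vpc_security_group_ids      = [aws_security_group.ssm_only.id]
}

# Log group that receives a transcript of every session.
resource "aws_cloudwatch_log_group" "ssm_sessions" {
  name              = "/aws/ssm/sessions"
  retention_in_days = 90
}

# Session preferences with CloudWatch logging switched on. Setting
# cloudWatchEncryptionEnabled to true requires the log group itself to be
# KMS-encrypted (kms_key_id on the log group); it is left false here.
resource "aws_ssm_document" "session_manager_prefs" {
  name          = "SSM-SessionManagerRunShell"
  document_type = "Session"

  content = jsonencode({
    schemaVersion = "1.0"
    description   = "Session Manager preferences with CloudWatch logging"
    sessionType   = "Standard_Stream"
    inputs = {
      cloudWatchLogGroupName      = aws_cloudwatch_log_group.ssm_sessions.name
      cloudWatchEncryptionEnabled = false
      cloudWatchStreamingEnabled  = true
      idleSessionTimeout          = "20"
      runAsEnabled                = false
    }
  })
}
```

Note that the ssm:StartSession policy from the page grants sessions to any instance (`"Resource": "*"`); when you attach that policy to the human users' roles, scoping the Resource to specific instance ARNs, or adding a condition on an instance tag, limits which hosts each group can reach.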
By adopting SSM Session Manager you remove an exposed service and centralize access control in IAM, which also makes it easier to audit who accessed which instance and when. For more advanced configurations, refer to the AWS Systems Manager documentation.
In conclusion, SSM Session Manager offers a secure, scalable and efficient way to handle remote access to cloud infrastructure. Whether you manage Linux or Windows instances, it gives you the tools to keep a strong security posture while simplifying operational workflows.