Simple AWS #3: Session Manager
An easier and safer way to SSH into your EC2 instances
Guille Ojeda
December 12, 2022
Welcome to Simple AWS! A free newsletter that helps you build on AWS without becoming an expert. This is issue #3. Shall we?
AWS Service: Session Manager
tl;dr: Forget the bastion host. Session Manager lets you connect through SSH to an EC2 instance without having SSH keys or open ports. You just set it up, grant permissions to IAM or IAM IC users and they connect with 2 clicks (console) or 1 command (CLI). You can even forward a connection to a database. Or use the SDK in your apps. And there's logs!
- No need to share or rotate SSH keys, just grant and remove IAM permissions
- No ports open and no bastion hosts (and if you want, not even a public IP)
- Monitor and alert on session start
- Log the whole session
- Limit available commands
Note: Session Manager is not a standalone service, it's "a fully managed AWS Systems Manager capability." That means it's a part of SSM that you can use on its own.
Actionable tips
- You can use it for these OSs:
- Linux with these versions
- macOS up to Monterrey with x86_64
- Windows server from 2012 to 2022
- Make sure you meet the requirements:
- SSM agent installed. Here's how to install it for Linux, Windows and macOS
- HTTPS (port 443) connection to these endpoints (internet access or with a VPC Endpoint):
- ec2messages.region.amazonaws.com
- ssm.region.amazonaws.com
- ssmmessages.region.amazonaws.com
- To encrypt sessions you'll also need kms.region.amazonaws.com, and to send logs to CloudWatch Logs.region.amazonaws.com or to S3 s3.region.amazonaws.com
- Then here's how to set it up:
- Finally, start a session from the EC2 Console or from the CLI (for a better experience install the CLI plugin)
Recommended tool
On issue #1 we talked about Organizations and multi-account. Here we're talking about the AWS CLI. You access multiple accounts with IAM Identity Center (formerly AWS SSO), but the CLI experience is not great.
aws-sso-util makes that experience much better.
Haiku(s)
Forget the bastion,
Go with Session Manager,
For safe SSH.
Misc.
I'm adding this section to talk about things like the fact that I'm adding this section (meta-announcement!).
First of all, I wanted to thank you all for subscribing! I hope you've liked the newsletter so far. If there's something that you thought was great, I'd love to know what it is, so I can write more of that. And if there's something you didn't enjoy, I'd like to know as well!
Also, what kinds of services would you like to know more about? I'm torn between support services like Config and core infrastructure services like ECS.
Hit reply! (it was broken, I fixed it now).
Thank you for reading! See ya on the next issue.