AWS SSM, Session Manager

Dec 3, 2024 | 7 min read

Accessing Private EC2 Instances without Keys or Passwords

SRE @One2N

Traditional methods of accessing Amazon EC2 instances, such as SSH keys and passwords, are effective but can be cumbersome, especially in large-scale environments, where managing them is complex and error-prone. In this blog, we explore how to use AWS Systems Manager Session Manager to securely access your private EC2 instances without the need for SSH keys or passwords.

If you’d like to explore the code in more detail or try it out yourself, I’ve uploaded the project to my GitHub repository.

The Challenges of Traditional SSH Access

  • Compromised Keys: SSH keys can be compromised without being detected for long periods.

  • Full Access: SSH keys often provide full access to a system, making it difficult to implement least-privilege access.

  • Complex Management: Managing keys for large numbers of users and systems is increasingly complex.

  • Key Sharing: Users may share keys for convenience, which is a significant security risk.

  • Key Invalidation: Manually invalidating keys can be a time-consuming process.

  • Loss of Access: Losing keys can result in the loss of access to critical systems.

Introducing AWS Systems Manager Session Manager

AWS Systems Manager Session Manager is a fully managed service that provides secure and interactive access to your EC2 instances, on-premises servers, and virtual machines without the need for SSH keys or passwords.

Key Features of Session Manager

  • No Public IP Addresses: No need for public IP addresses or inbound SSH access.

  • Private Subnets Only: Instances can be in private subnets, enhancing security.

  • Minimal Security Group Rules: No inbound rules are required, reducing the attack surface.

  • SSM Access Only: Access is controlled through IAM policies and SSM.

  • No Direct Internet Access: Traffic remains within the AWS network using VPC endpoints.

Prerequisites

  • Active AWS Account: You need an active AWS account to use Session Manager.

  • IAM Access: Access to IAM to create policies, roles, and users.

  • VPC Access: Access to VPC to create VPC endpoints, security groups, and private subnets if not already present.

  • EC2 Instance: An EC2 instance to test the connection.

Setting Up Session Manager

Step 1: Create IAM Policies and Roles

First, let's create a user. I am using an identity provider (IAM Identity Center) to manage users; you can also create the user the traditional way, just make sure the user has access to their access key and secret key.

IAM Identity Center
A user “Pixie” has been created; we haven't given this user any permissions yet.

You need to create two IAM policies: one for the user and one for the EC2 instance.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"ssm:StartSession",
				"ssm:SendCommand",
				"ssm:DescribeInstanceInformation",
				"ssm:GetConnectionStatus",
				"ssm:DescribeSessions",
				"ssm:TerminateSession"
			],
			"Resource": [
				"arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
				"arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession",
				"arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"ssm:StartSession",
				"ssm:DescribeInstanceInformation",
				"ssm:GetConnectionStatus",
				"ssm:DescribeSessions",
				"ssm:TerminateSession"
			],
			"Resource": "arn:aws:ec2:*:*:instance/*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"ec2:DescribeInstances"
			],
			"Resource": "*"
		}
	]
}

User Policy: ssm-user-policy.json

Attaching ssm-user-policy to the user

And one more policy, which we will attach to the EC2 instance's role.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:UpdateInstanceInformation",
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        }
    ]
}

EC2 Instance Policy: ssm-instance-policy

Step 2: Setting up the EC2 Instance

Launch an EC2 instance with the necessary configuration:

  • Select the appropriate AMI (e.g., Amazon Linux 2023).

  • Ensure the instance is in a private subnet.

  • Disable the auto-assign public IP option.

  • Attach the security group that allows only outbound traffic to the internet.

  • Attach the IAM role created for the EC2 instance.

Create the EC2 Instance’s role
Attaching ssm-instance-policy to the instance role

Before creating the EC2 instance, let's first create two security groups: one for the instance and one for the VPC endpoints.

Also, if you don't have a VPC, make sure to create one with private subnets.

Configuring the VPC

For the instance security group, make sure not to add any inbound rule; for the outbound rules, we will allow all traffic to the internet.

Configuring Instance Security Group

For the endpoint security group, the inbound rule allows only the instance security group we just created, on port 443; for outbound, we will allow all traffic to the internet.

Configuring VPC Endpoint Security Group

Let's now create the EC2 instance with the configuration below. We are going with the smallest configuration for the instance: t2.micro with Amazon Linux 2023.

Sample Instance Configuration

For the key pair, make sure to select “Proceed without a key pair”.

No Key-Pair selected

For the network settings, select your VPC and any of the private subnets, disable Auto-assign public IP, and attach the security group we created for the instance.

Instance Network Configuration

Below Configure storage, expand Advanced details, attach the role we created earlier for this instance, and launch the instance.

Instance Role Configuration

Let's check the instance: we can see it has no Public IPv4 address and no Public IPv4 DNS.

As for the security details, there is no inbound rule, and only outbound traffic to the internet is allowed.

Step 3: Creating VPC Endpoints

For the final part, let's head to VPC Endpoints. We are using VPC endpoints for Systems Manager to keep traffic within the AWS network. For this we need two endpoints: one for the service ssm and another for the service ssmmessages.

Endpoint for the service SSM:

SSM handles general Systems Manager API operations.

Search for ssm and select “com.amazonaws.us-east-1.ssm”.

SSM endpoint creation

For the VPC, select the VPC with the private subnets; under Subnets, select the private subnets for the respective availability zones; and finally select the endpoint security group we created earlier.

SSM endpoint network configuration

For the policy, we will leave it at Full Access.

SSM endpoint

Endpoint for the service SSMMESSAGES:

SSMMESSAGES manages the communication channel for Session Manager.

Search for ssm and select “com.amazonaws.us-east-1.ssmmessages”.

SSMMESSAGES configuration

For the VPC, select the VPC with the private subnets; under Subnets, select the private subnets for the respective availability zones; and finally select the endpoint security group we created earlier.

SSMMESSAGES network configuration

For the policy, we will leave it at Full Access.

Wait for the endpoints to become available.
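Before connecting, it is worth verifying that the instance and endpoints actually match the layout described in Steps 2 and 3. The following Python check is an added example, not code from this post or from AWS: it evaluates dicts shaped like the boto3 describe responses for the instance, its security groups and the VPC endpoints (the sample data is constructed) and reports any deviation: a public IP, inbound rules on the instance group, an endpoint group open wider than the instance group on 443, or a missing or unavailable ssm/ssmmessages endpoint.

```python
# Constructed sample shaped like the boto3 EC2 DescribeInstances /
# DescribeSecurityGroups / DescribeVpcEndpoints responses (not real resources).
SAMPLE = {
    "instance": {"InstanceId": "i-0123456789abcdef0", "VpcId": "vpc-0aaa",
                 "SecurityGroups": [{"GroupId": "sg-instance"}]},  # no PublicIpAddress key
    "security_groups": {
        "sg-instance": {"IpPermissions": [],  # no inbound rules, outbound allows all
                        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        "sg-endpoint": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                           "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-instance"}]}],
                        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    },
    "endpoints": [
        {"VpcId": "vpc-0aaa", "ServiceName": "com.amazonaws.us-east-1.ssm",
         "State": "available", "Groups": [{"GroupId": "sg-endpoint"}]},
        {"VpcId": "vpc-0aaa", "ServiceName": "com.amazonaws.us-east-1.ssmmessages",
         "State": "available", "Groups": [{"GroupId": "sg-endpoint"}]},
    ],
}


def check_posture(instance, security_groups, endpoints, region="us-east-1"):
    """Return a list of findings; an empty list means the setup matches the post."""
    findings = []
    if instance.get("PublicIpAddress"):
        findings.append("instance has a public IPv4 address")
    inst_sgs = {g["GroupId"] for g in instance["SecurityGroups"]}
    for sg_id in sorted(inst_sgs):
        if security_groups[sg_id]["IpPermissions"]:
            findings.append(f"{sg_id} has inbound rules; Session Manager needs none")
    wanted = {f"com.amazonaws.{region}.{svc}" for svc in ("ssm", "ssmmessages")}
    for ep in endpoints:
        if ep["VpcId"] != instance["VpcId"] or ep["ServiceName"] not in wanted:
            continue
        if ep["State"] != "available":
            findings.append(f"{ep['ServiceName']} endpoint is {ep['State']}")
        for g in ep["Groups"]:
            for rule in security_groups[g["GroupId"]]["IpPermissions"]:
                # The endpoint SG should admit only the instance SG on tcp/443, never a CIDR.
                on_443 = rule.get("FromPort") == 443 and rule.get("ToPort") == 443
                sources = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}
                if not on_443 or rule.get("IpRanges") or not sources <= inst_sgs:
                    findings.append(f"{g['GroupId']} admits more than the instance SG on 443")
        wanted.discard(ep["ServiceName"])
    findings += [f"missing VPC endpoint {name}" for name in sorted(wanted)]
    return findings


if __name__ == "__main__":
    print(check_posture(SAMPLE["instance"], SAMPLE["security_groups"], SAMPLE["endpoints"]) or "OK")
```

Against live resources, pass the instance dict from describe_instances, the groups from describe_security_groups keyed by GroupId, and the list from describe_vpc_endpoints into the same function.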

Step 4: Connecting to the Instance

Let's switch to the user “Pixie” we created earlier.

Let's grab the instance ID, which we need to connect to the instance.

Open a terminal on your local machine and configure the user, making sure the AWS CLI and the Session Manager plugin are installed so we can connect to the instance.

Now configure the user “Pixie” credentials in the terminal. For this, return to the AWS access portal, click on Access keys, and use the keys for your respective machine. For users not using an IdP, get the secret key and access key and use the command “aws configure” to set your credentials. I like to use an IdP because the credentials below get rotated automatically after 8 hrs (this can be configured in the IdP admin dashboard), so there is no need for manual rotation of the keys, or in fact to create any key in the first place.

Now we can connect to our private instance from our local machine with the command:

aws ssm start-session --target <instance-id>

As we can see, we connected to our private instance without using any SSH key or password; in fact, our security group didn't have any inbound rule either.

Head to AWS Systems Manager, and we can see the current session and the session history, and configure the logging method and the shell commands to run on startup.

Current Session
Session History

Challenges/Limitations

  • User accounts/session logging/auditing

  • Manage multiple users on the same EC2 instance through AWS Systems Manager with different access levels

  • Supported OS versions and machine types

  • Requires specific IAM permissions

Hope this was helpful, thank you for reading :)

Feel free to leave comments, questions, or any feedback you may have, or reach out to me on LinkedIn.
