AWS Session Manager
AWS Systems Manager, including Session Manager, is another step towards enhancing security in the cloud. Here is how to set it up, step by step.
NOTE: With Session Manager there is NO need for a public IP on the EC2 instance, an inbound security group rule opening SSH port 22, or a VPN connection.
- You have an ec2-user account on the AWS EC2 instance. On localhost:
𝜆 cat .aws/config
NOTE: The session profile above must hold a long-term access key pair (placeholder ASIANPOWERHOUSEBLAHBLAH) in order to run the aws sts command, because get-session-token cannot be called with temporary credentials. Use an IAM user's keys rather than the root account's: AWS advises against root access keys, and a session token issued to root is capped at one hour.
NOTE: The IAM role attached to the EC2 instance needs the AmazonSSMManagedInstanceCore managed policy. Create a customised role CustomAmazonSSMManagedInstanceCore in AWS IAM that includes the AmazonSSMManagedInstanceCore policy, and bind this IAM role to the EC2 instance, together with its security group and key pair.
- Install all the dependencies:
- the latest Systems Manager Agent on your EC2 instance; enable “Agent auto update” under Managed Instances in AWS Systems Manager
- the latest AWS CLI on localhost
- the latest Session Manager Plugin on localhost, https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
- Add customised RunAs users via “Run Command”. To create the elevated user SSM_pwr_user, a customised account allowed to log in to the EC2 instance, run (note that wheel-group membership normally carries sudo rights, so only grant it to users who need root):
𝜆 useradd -g wheel SSM_pwr_user
Update to the above: also add a DIFFERENT user ssm-user if SSM throws the error “Unable to start shell: failed to start pty since RunAs user ssm-user does not exist”:
𝜆 useradd -g wheel ssm-user
- Update the SSH config file on localhost so that ssh is proxied through AWS Session Manager for any EC2 instance id:
𝜆 cat .ssh/config
- Generate a session token (note the time first, since the token expires after the requested duration):
𝜆 date
If the AWS IAM user (here ec2-user) has MFA enabled, generate the session token like this. 129600 seconds (36 hours) is the maximum allowed for an IAM user; root credentials are capped at 3600 seconds:
𝜆 aws sts get-session-token --duration-seconds 129600 --profile session \
- Add the session token to the AWS credentials file on localhost, and test:
𝜆 cat .aws/credentials
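The two local files in the steps above, the SSH config and the credentials profile, are shown here as an added worked example; this is not the page's own config, and the paths, the profile name and every credential value are constructed placeholders. The ProxyCommand stanza is the one AWS documents for the AWS-StartSSHSession document; the second function turns the text output of aws sts get-session-token into a [session] profile and replaces the old one each time the token is refreshed.

```shell
#!/bin/sh
# Added example (not the page's own files): write the ssh_config stanza that
# proxies ssh and scp for any i-*/mi-* host through Session Manager, and turn
# the output of `aws sts get-session-token` into a [session] profile in the
# AWS credentials file. Paths, profile name and credential values below are
# constructed placeholders.

# Append the ProxyCommand stanza AWS documents for the AWS-StartSSHSession
# document: ssh passes the instance id as %h and the port as %p. The aws
# command inherits AWS_PROFILE, which is why `AWS_PROFILE=session ssh ...`
# uses the session credentials.
write_ssh_config() {
    cfg="$1"
    cat >>"$cfg" <<'EOF'
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# Read one line of
#   aws sts get-session-token --duration-seconds 129600 --profile <long-term> \
#       --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
# from stdin (three tab-separated fields) and write it as profile $2 into
# credentials file $1. An existing profile of that name is replaced, so the
# function can be re-run every time the token expires.
write_session_profile() {
    creds="$1"; profile="$2"
    read -r akid secret token || return 1
    [ -n "$token" ] || return 1
    if [ -f "$creds" ]; then
        awk -v p="[$profile]" '
            $0 == p { skip = 1; next }   # drop the old profile header ...
            /^\[/   { skip = 0 }          # ... until the next profile starts
            !skip
        ' "$creds" >"$creds.tmp" && mv "$creds.tmp" "$creds"
    fi
    {
        printf '[%s]\n' "$profile"
        printf 'aws_access_key_id = %s\n' "$akid"
        printf 'aws_secret_access_key = %s\n' "$secret"
        printf 'aws_session_token = %s\n' "$token"
    } >>"$creds"
    chmod 600 "$creds"   # temporary credentials are still credentials
}

# Demo with constructed values in a scratch directory; the real targets are
# ~/.ssh/config and ~/.aws/credentials.
demo=$(mktemp -d)
write_ssh_config "$demo/config"
printf 'ASIAEXAMPLE0000000000\tEXAMPLESECRETKEY\tEXAMPLESESSIONTOKEN==\n' \
    | write_session_profile "$demo/credentials" session
cat "$demo/config" "$demo/credentials"
```

In real use the sts command is piped straight into write_session_profile ~/.aws/credentials session; because the ProxyCommand inherits AWS_PROFILE, the later ssh and scp tests only need AWS_PROFILE=session in front of them.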
- Run Session Manager commands
𝜆 aws ssm send-command --instance-ids i-e2f189dashfdf65weqfwda2 --document-name AWS-RunShellScript --comment "IP config" --parameters commands=ifconfig --output text \
- Open a port forwarding session to a port on a remote host
𝜆 aws ssm start-session --target i-e2f189dashfdf65weqfwda2 --document-name AWS-StartPortForwardingSessionToRemoteHost \
- Monitor the Session Manager agent log /var/log/amazon/ssm/amazon-ssm-agent.log on the EC2 instance
- Test the ssh command with the session token
𝜆 AWS_PROFILE=session ssh -i .ssh/aws-key.pem -l ec2-user i-e2f189dashfdf65weqfwda2
- Test the scp command with the session token
𝜆 AWS_PROFILE=session scp -i .ssh/aws-key.pem /tmp/stack-overflow.log ec2-user@i-e2f189dashfdf65weqfwda2:/tmp
Apart from scp over the SSH proxy, Session Manager itself offers no direct file transfer; otherwise use an S3 bucket and the AWS CLI to exchange data.
- Test an ssh tunnel (the -l option takes only the user name; the instance id is the host argument)
𝜆 AWS_PROFILE=session ssh -i .ssh/aws-key.pem -L 443:www.google.com:443 -l ec2-user i-e2f189dashfdf65weqfwda2
OKTA
Set up integrated OKTA authentication for the session profile. Have okta-awscli installed first, and configure it:
𝜆 cat ~/.okta-aws
Create a session:
𝜆 bin/okta/okta --okta-profile default --force --profile session
Azure
Set up integrated Azure authentication for the session profile. Have the AWS Azure CLI installed first, and configure it:
𝜆 cat ~/.aws/config
Create a session:
𝜆 bin/aws-azure-cli/aws-azure-cli --profile session --mode gui
Log in to the EC2 instance, overriding the default ap-southeast-2 region:
𝜆 aws ssm start-session --target i-04ee902e33625c4f3 --profile session --region us-east-2 --debug
Attach a new key pair to the EC2 instance: derive the public key from the private key, then append it to ~/.ssh/authorized_keys of the login user on the instance (via a Session Manager shell or Run Command):
𝜆 ssh-keygen -y -f .ssh/aws-key.pem
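The complete version of that step, added here as a worked example rather than the page's own commands: derive the public half of the key pair and install it idempotently into authorized_keys with the permissions sshd requires, so the same script can be re-run through Run Command without duplicating keys. The sample key line, the scratch paths and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page): derive the public half of an existing EC2
# key pair with ssh-keygen -y, then install it into authorized_keys on the
# instance idempotently and with the permissions sshd's StrictModes requires.
# Paths and the sample key line are constructed placeholders.

# Public key for a private key file; this is the page's ssh-keygen -y step.
pubkey_from_pem() {
    ssh-keygen -y -f "$1"
}

# Append one "type base64 [comment]" line to authorized_keys $1 unless a key
# with the same type and blob is already there (comments are ignored, so
# re-labelling a key does not duplicate it). Run this on the instance as the
# login user, e.g. through a Session Manager shell or AWS-RunShellScript.
add_authorized_key() {
    auth="$1"; key="$2"
    set -- $key                 # split "type blob [comment]"
    [ $# -ge 2 ] || return 1    # refuse malformed or empty lines
    blob="$1 $2"
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    if awk -v b="$blob" '(($1 " " $2) == b) { found = 1 } END { exit !found }' "$auth"; then
        return 0                # already installed, nothing to do
    fi
    printf '%s\n' "$key" >>"$auth"
}

# Number of keys currently installed (one per line).
count_authorized_keys() {
    grep -c -e '^ssh-' -e '^ecdsa-' "$1"
}

# Demo in a scratch directory; on the instance the target is ~/.ssh/authorized_keys.
demo=$(mktemp -d)
auth="$demo/.ssh/authorized_keys"
# Constructed sample line standing in for the output of pubkey_from_pem.
sample='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEkeyEXAMPLEkeyEXAMPLEkeyEXAMPLEkeyEXAM aws-key'
add_authorized_key "$auth" "$sample"
add_authorized_key "$auth" "$sample"   # second call is a no-op
if command -v ssh-keygen >/dev/null 2>&1; then
    # Real flow: a throwaway key pair stands in for .ssh/aws-key.pem.
    ssh-keygen -q -t ed25519 -N '' -f "$demo/aws-key.pem"
    add_authorized_key "$auth" "$(pubkey_from_pem "$demo/aws-key.pem")"
fi
cat "$auth"
```

Matching on type and blob rather than the whole line is deliberate: the comment field is free text, so comparing full lines would re-add a key every time it is relabelled.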
Find the EC2 instance ID by querying on the instance Name tag:
𝜆 aws ec2 describe-instances --profile session \
References
- Troubleshooting Systems Manager Run Command, https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-remote-commands.html#systems-manager-ssm-agent-log-files
- Provides Okta authentication for awscli, https://github.com/jmhale/okta-awscli
- How to add a new key pair to your exisitng AWS ec2 Instances, https://www.how2shout.com/linux/add-a-new-key-pair-to-your-exisitng-aws-ec2-instances/
- Use port forwarding in AWS Systems Manager Session Manager to connect to remote hosts, https://aws.amazon.com/blogs/mt/use-port-forwarding-in-aws-systems-manager-session-manager-to-connect-to-remote-hosts/