Secure Remote Administration: Accessing Your EC2 Instances

Dorothy Glade
6 min read · Dec 14, 2023


Overview

This week I’ll be walking you through accessing your EC2 instances securely. We’ll be:

  • deploying an EC2 instance with the Linux operating system that you can access using SSH
  • deploying an EC2 instance with the Windows operating system that you can access using RDP
  • configuring the Linux EC2 to use AWS Session Manager instead of SSH

Everything we do in this walkthrough stays within the AWS Free Tier.

Linux EC2 SSH Access:

It’s important when using any type of virtual machine that you have a way to access it securely. We’ll be setting up SSH access to our EC2 instance in this section. In the past, machines were often administered over telnet, which was unsafe because everything, credentials included, crossed the network in plain text. With SSH, the session is encrypted end to end and the server proves its identity with a host key, so a client that checks that key can notice when it is talking to an impostor. To learn more about SSH, check out this article from CloudFlare.

First, let’s get our EC2 launched. In your AWS Console, navigate to the EC2 service and click on “Launch Instance”

Give your instance a name and select the Amazon Linux AMI. You’ll notice that this AMI is Free tier eligible.

If you don’t already have a key pair, create one now and note where the .pem file is saved on your local computer; you will need it later. That private key is the only credential for the instance, so protect it the way you would a password. Select the option to create a security group and allow SSH traffic. The default “Anywhere” (0.0.0.0/0) works for this walkthrough because Amazon Linux accepts only your key (password logins are disabled), but it still exposes port 22 to every scanner on the internet, so prefer the “My IP” option, which limits the rule to your current address and can be widened later if you need to.

That’s it for this one. Go ahead and launch your instance.
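The security-group choice above is the one setting in this launch that decides who can even attempt to reach your instance. As an added example (not part of the original post), here is the same audit and fix done with the AWS CLI: list the rules of a security group, flag any IPv4 rule that exposes a port to 0.0.0.0/0, and replace the world-open SSH rule with a /32. It assumes AWS CLI v2 and jq are installed with credentials configured; the group ID and IP address are passed as arguments, and the addresses in the comments are constructed. The same check works for RDP by passing 3389 instead of 22.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: audit and tighten the SSH rule with the
# AWS CLI. Assumes AWS CLI v2 and jq are installed and credentials are configured;
# the security group ID and IP address are arguments (sample addresses are constructed).
set -eu

# Single-host CIDR for an ingress rule: the "My IP" option in the console does the same.
cidr_for_ip() { printf '%s/32\n' "$1"; }

# Read "from_port to_port cidr" lines and print every IPv4 rule that exposes the given
# port to the whole internet, including all-traffic rules widened to 0-65535.
find_exposed() {   # $1: port
  awk -v p="$1" '$1 <= p && p <= $2 && $3 == "0.0.0.0/0"'
}

# Live version: one line per (rule, IPv4 range). Protocol -1 rules carry no ports, so
# they are widened to 0-65535 here. IPv6 ranges (Ipv6Ranges) are not covered.
list_sg_rules() {   # $1: security group id
  aws ec2 describe-security-groups --group-ids "$1" --output json \
    | jq -r '.SecurityGroups[].IpPermissions[]
             | select(.IpProtocol == "tcp" or .IpProtocol == "-1")
             | "\(.FromPort // 0) \(.ToPort // 65535) \(.IpRanges[].CidrIp)"'
}

# Replace the world-open SSH rule with one limited to a single address, e.g. 203.0.113.7.
harden_ssh_rule() {   # $1: security group id, $2: your public IPv4
  aws ec2 revoke-security-group-ingress --group-id "$1" --protocol tcp --port 22 --cidr 0.0.0.0/0
  aws ec2 authorize-security-group-ingress --group-id "$1" --protocol tcp --port 22 \
    --cidr "$(cidr_for_ip "$2")"
}

case $# in
  1) list_sg_rules "$1" | find_exposed 22 ;;   # audit: anything printed is a finding
  2) harden_ssh_rule "$1" "$2" ;;               # fix: sg-id plus your public IPv4
esac
```

Run it with just the security-group ID to audit, or with the ID and your public IPv4 to swap the rule. Home and mobile connections change address, so when the /32 goes stale you re-run the fix rather than fall back to 0.0.0.0/0.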

To see the status of your instance, click the instance ID on the following page. This filters the instance list down to the one you just launched (just the one!).

Click into the instance to see all the details.

Click “connect” once the instance is in the “running” state.

On your local machine, open your terminal, change into the directory where your .pem file is stored, and run the chmod command shown on the connect page so that the key is readable only by you (replace luit-keypair.pem with the name of your .pem file). SSH refuses to use a private key that other users on the machine can read, so skipping this step produces an “UNPROTECTED PRIVATE KEY FILE” error instead of a login.

Now, on the connect page in your console, copy the command displayed in the SSH client tab.

Make sure you are still in the same directory as your .pem file and run the command in your terminal to connect to your instance. Here is a breakdown of the command:
- ssh is the command to start an SSH client
- -i specifies the path to the private key file that you are using for authentication
- ec2-user is the default username for Amazon Linux
- the rest of the command, after the @, is the public DNS name of your instance
The first time you connect, SSH warns that the authenticity of the host can’t be established and shows a fingerprint; it is asking you to confirm you are talking to your instance and not to something in between.

Go ahead and run the whoami command; it should print ec2-user.
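The key-permission step and the connect command above can be wrapped with the two checks the console’s one-liner skips: refusing a key that other users can read, and answering the host-key prompt from an out-of-band source instead of trust-on-first-use. Amazon Linux prints its SSH host-key fingerprints to the serial console on first boot, which the AWS CLI can read back. This is an added example, not the post’s own steps; it assumes OpenSSH and AWS CLI v2 are installed, and it takes the key path (luit-keypair.pem is the post’s placeholder), instance ID and public DNS name as arguments. The console-log text in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the connect step with two checks the console
# command skips. Assumes OpenSSH and AWS CLI v2 are installed; the key path, instance ID
# and public DNS name are arguments (luit-keypair.pem is the post's placeholder name).
set -eu

# ssh refuses a private key that is group- or world-readable ("UNPROTECTED PRIVATE KEY
# FILE"); this mirrors that check so the script fails early with a clear reason.
key_perms_ok() {   # $1: path to .pem
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

# Amazon Linux prints its SSH host-key fingerprints to the serial console on first boot.
# Extract them from that text so the first "authenticity of host can't be established"
# answer is based on an out-of-band source rather than on trust-on-first-use.
console_fingerprints() {   # stdin: console output text
  sed -n '/BEGIN SSH HOST KEY FINGERPRINTS/,/END SSH HOST KEY FINGERPRINTS/p' \
    | grep -o 'SHA256:[A-Za-z0-9+/=]*'
}

# Scan the host's keys, compare every fingerprint with the console log, and only then pin
# them in known_hosts. A mismatch means you are not talking to your instance.
verify_and_pin_host() {   # $1: instance id, $2: host
  scan=$(ssh-keyscan -t ed25519,rsa "$2" 2>/dev/null)
  [ -n "$scan" ] || { echo "no host keys returned by $2" >&2; return 1; }
  expected=$(aws ec2 get-console-output --instance-id "$1" --query Output --output text \
               | console_fingerprints)
  for fp in $(printf '%s\n' "$scan" | ssh-keygen -lf - | grep -o 'SHA256:[A-Za-z0-9+/=]*'); do
    printf '%s\n' "$expected" | grep -qxF "$fp" \
      || { echo "host key $fp not in console log for $1" >&2; return 1; }
  done
  mkdir -p "$HOME/.ssh" && printf '%s\n' "$scan" >> "$HOME/.ssh/known_hosts"
}

connect() {   # $1: .pem, $2: instance id, $3: public DNS name
  key_perms_ok "$1" || chmod 400 "$1"
  verify_and_pin_host "$2" "$3"
  # IdentitiesOnly stops ssh offering every key in your agent; StrictHostKeyChecking=yes
  # makes the pinned known_hosts entry authoritative from now on.
  ssh -i "$1" -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes "ec2-user@$3"
}

if [ $# -eq 3 ]; then connect "$@"; fi
```

Do the console-log comparison soon after launch: get-console-output returns the most recent console text, and on a long-running instance the boot-time fingerprint block can scroll out of it.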

That’s it for this section. You have a running EC2 instance that you can access using SSH.

Windows RDP Access:

Now we’ll walk through a similar process, but with the Windows operating system instead. Go through the steps to launch an instance again, this time picking a Windows Server AMI. The launch wizard will offer an inbound rule for RDP (TCP 3389) instead of SSH; as before, restrict it to your IP rather than to anywhere. Navigate to your instance details and click “connect” once the instance is running. Click on the “RDP Client” tab and download the remote desktop file.

That same .pem file is what we are going to use to get the password for our Windows instance: at first boot, EC2 generates an Administrator password and encrypts it with the public half of your key pair, so only the holder of the private key can read it.

Upload the file and click “decrypt password”. If the console reports that the password is not yet available, wait a few minutes; it only appears once Windows has finished its first boot.

Next, open the downloaded .rdp file (or your RDP client) and connect using the host name, the username Administrator, and the decrypted password. Expect a certificate warning on the first connection: the instance presents a self-signed RDP certificate, so compare its thumbprint with the one shown in the instance’s console output before accepting it.
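The “decrypt password” step has a CLI equivalent, which is handy when you are scripting launches or the console is not convenient. As an added example (not from the original post), the script below asks EC2 for the encrypted password data, lets the CLI decrypt it locally with the launch key, and handles the one failure mode that trips people up: the password data is empty until Windows has finished its first boot, so an empty answer means “not yet” rather than “no password”. It assumes AWS CLI v2 with credentials configured; the instance ID and .pem path are arguments, and the sample password in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the console's "decrypt password" step as
# AWS CLI calls. Assumes AWS CLI v2; the instance ID and .pem path are arguments.
set -eu

# PasswordData stays empty until Windows has finished its first boot (usually a few
# minutes after launch). The CLI prints "None" for a null field in text output, so
# treat both an empty string and "None" as "not ready yet".
password_ready() {   # $1: value printed by --query PasswordData --output text
  [ -n "$1" ] && [ "$1" != "None" ]
}

# Ask EC2 for the encrypted Administrator password; with --priv-launch-key the CLI
# decrypts it on this machine, so the private key never leaves your computer.
fetch_password() {   # $1: instance id, $2: path to .pem
  aws ec2 get-password-data --instance-id "$1" --priv-launch-key "$2" \
    --query PasswordData --output text
}

# Poll until the password is available, then print it once and stop.
wait_for_password() {   # $1: instance id, $2: .pem, $3: max attempts (30 s apart)
  i=0
  while [ "$i" -lt "$3" ]; do
    pw=$(fetch_password "$1" "$2")
    if password_ready "$pw"; then printf '%s\n' "$pw"; return 0; fi
    i=$((i + 1)); sleep 30
  done
  echo "password data still empty after $3 attempts" >&2
  return 1
}

if [ $# -eq 2 ]; then wait_for_password "$1" "$2" 10; fi
```

Once you have the password, change it on first login: it was generated at boot and has been through the API and your clipboard, and rotating it breaks any link between the launch key pair and the live administrator account.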

Configure AWS Session Manager on Linux:

The last thing we’ll do today is configure AWS Session Manager. AWS Session Manager is a great alternative to SSH for your instances for a few reasons. According to the AWS Documentation:

Use Session Manager to manage your edge devices and Amazon Elastic Compute Cloud (Amazon EC2) instances through an interactive one-click browser-based shell or through the AWS CLI. Session Manager provides secure and auditable edge device and instance management without needing to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also allows you to comply with corporate policies that require controlled access to edge devices and instances, strict security practices, and fully auditable logs with edge device and instance access details, while still providing end users with simple one-click cross-platform access to your edge devices and EC2 instances.

We need to create an IAM role for our EC2 instance first. Navigate to IAM and click “Create Role”

Keep “AWS service” selected and choose “EC2 Instance” as our use case.

AmazonSSMManagedInstanceCore is the policy that we want to add here. Add that and click “next”. Name your role and click “Create Role”

Now that we have the role created, we want to attach it to our Linux instance. In the EC2 console, select the instance, open Actions, then Security, then Modify IAM role; select the new role we created and click “Update IAM Role”.

Before we connect using Session Manager, we want to double-check the SSM Agent on our instance. It comes preinstalled on Amazon Linux, but it only registers with SSM once it can obtain credentials from the role we just attached. SSH to your instance and run:

sudo systemctl status amazon-ssm-agent

Once the agent shows as active (running), go back to your instance in the EC2 console and click “connect”. It can take a minute or two after the role is attached for the instance to appear as managed by SSM; if the Session Manager tab says the instance is not connected, wait and refresh.

Navigate to the Session Manager tab and click “Connect”

And there! Run whoami and you should see ssm-user. Two things to keep in mind: on Linux, ssm-user gets passwordless sudo by default, so access to Session Manager is effectively root access to the instance, and the agent reaches SSM outbound over HTTPS (port 443), so the instance needs that outbound path even though nothing inbound is required. Now that no connection needs to reach port 22, you can delete the SSH inbound rule from the security group entirely.
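The same setup as AWS CLI calls, as an added example rather than the post’s own steps: create the role with an EC2 trust policy, attach AmazonSSMManagedInstanceCore, wrap it in an instance profile, associate it with the instance, confirm the agent has registered, and then close port 22. It assumes AWS CLI v2 with enough IAM rights; the role and profile names are placeholders, and the instance IDs in the test are constructed.

```shell
#!/usr/bin/env bash
# Added example, not the post's own steps: the Session Manager setup as AWS CLI calls.
# Assumes AWS CLI v2 with IAM rights; "ssm-ec2-role" / "ssm-ec2-profile" are placeholders.
set -eu

ROLE=ssm-ec2-role
PROFILE=ssm-ec2-profile

# Trust policy letting EC2 assume the role (what the console's "EC2" use case generates).
ec2_trust_policy() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}
EOF
}

# Role plus the managed policy that lets the agent talk to SSM, wrapped in an instance
# profile (the console creates the profile for you; the CLI does not).
create_ssm_role() {
  aws iam create-role --role-name "$ROLE" --assume-role-policy-document "$(ec2_trust_policy)"
  aws iam attach-role-policy --role-name "$ROLE" \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  aws iam create-instance-profile --instance-profile-name "$PROFILE"
  aws iam add-role-to-instance-profile --instance-profile-name "$PROFILE" --role-name "$ROLE"
}

attach_to_instance() {   # $1: instance id
  aws ec2 associate-iam-instance-profile --instance-id "$1" --iam-instance-profile Name="$PROFILE"
}

# Read "InstanceId PingStatus" lines and succeed only if the given instance has
# registered with SSM and is Online (ConnectionLost or absent both count as failure).
ssm_online() {   # $1: instance id; stdin: describe-instance-information text output
  awk -v id="$1" '$1 == id && $2 == "Online" { found = 1 } END { exit !found }'
}

check_agent() {   # $1: instance id
  aws ssm describe-instance-information \
    --query 'InstanceInformationList[].[InstanceId,PingStatus]' --output text | ssm_online "$1"
}

# With Session Manager working, the SSH rule can go: no inbound port is needed at all.
close_ssh() {   # $1: security group id
  aws ec2 revoke-security-group-ingress --group-id "$1" --protocol tcp --port 22 --cidr 0.0.0.0/0
}

start_shell() { aws ssm start-session --target "$1"; }   # $1: instance id

if [ $# -eq 2 ]; then   # usage: script <instance-id> <security-group-id>
  create_ssm_role
  attach_to_instance "$1"
  until check_agent "$1"; do sleep 15; done   # agent registers once it has credentials
  close_ssh "$2"
  start_shell "$1"
fi
```

start-session from the CLI needs the Session Manager plugin installed alongside the AWS CLI; without it the command fails with a message saying so. Access is now governed by IAM (who may call ssm:StartSession on which instances) rather than by who holds a .pem file, which is the point of the exercise.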

If you have any feedback, please feel free to reach out to me on LinkedIn.
