AWS SSM Sessions Root & Non-Root Access

G - SRE
3 min read · Sep 2, 2021


In my previous post, I explained how you can finally stop managing (deploying, rotating, deleting) SSH keys for your EC2 instances and instead connect to them with AWS SSM Session Manager, authenticating with an IAM user or role.

$ aws ssm start-session --target i-38b47b343425263

Starting session with SessionId: prd-0c3d925d252352
$

When a user starts a session, the SSM Agent on the node creates a Linux user called ssm-user (if it does not already exist) and gives it passwordless sudo, so every session is effectively root. That is fine if the only people who ever log in to your servers need root, but it is far from ideal when that isn’t the case: a developer who only needs to tail a log gets the same access as the person who patches the kernel.

To fix this, you need to do the following:

  • Create a non-root user on the instances (via user data, or baked into the AMI).
  • Create an admin user with sudo rights on the instances (via user data, or baked into the AMI).
  • Tag the IAM roles or IAM users of the admins who should get root with SSMSessionRunAs = <admin username>.
  • Enable the Session Manager RunAs feature and set its default operating system user to the non-root user.

Create the non-root/root users on your EC2 instances

You can do this in a number of ways, for example in user data or in a Packer build. The bash script below creates both users.

# Non-root user for everyday sessions; the adm group lets it read /var/log
useradd -m ssm-basic
passwd -d ssm-basic   # optional: Session Manager never prompts for a password
usermod -a -G adm ssm-basic

# Admin user; the admin group is "sudo" on Debian/Ubuntu and "wheel" on Amazon Linux/RHEL
useradd -m ssm-admin
usermod -a -G "$(getent group sudo >/dev/null && echo sudo || echo wheel)" ssm-admin

# Passwordless sudo via a drop-in file, validated with visudo so a typo cannot break sudo
echo "ssm-admin ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ssm-admin
chmod 0440 /etc/sudoers.d/ssm-admin
visudo -cf /etc/sudoers.d/ssm-admin

ssm-basic is the non-root user. I chose to add it to the adm group, a Linux group that should already exist on your system; its members can read the logs in /var/log but nothing more.

ssm-admin is the admin user. We add it to the system’s admin group (sudo on Debian/Ubuntu, wheel on Amazon Linux/RHEL) and give it a sudoers entry that allows it to run any command with sudo without a password, which is what makes it equivalent to root.

If you have an unusual setup that rules out both user data and Packer, you could instead use a Lambda function that connects to your EC2 instances and runs a remote bash script to create the users. I’ll discuss this in my next post.

Tag IAM Roles/Users

Next, tag the IAM roles and/or IAM users that should be able to use the admin account. Note that IAM groups cannot be tagged, so the tag has to go on the role or user itself.

The required tag is SSMSessionRunAs = ssm-admin, where ssm-admin is the name of the admin account you created earlier. Session Manager reads the tag from the IAM principal that calls StartSession (the user, or the role it assumed), so be aware that anyone who can add that tag to their own user or role can grant themselves root: restrict iam:TagRole and iam:TagUser accordingly.
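Because the tag alone decides who gets root, the tagging permission deserves the same protection as the sudoers file. The policy below is an added example and not part of the original post: as a permissions boundary or SCP it denies setting or removing the SSMSessionRunAs tag (including setting it at role or user creation) for everyone except an IAM administration role; the role name IamAdmin and the statement Sid are my assumptions, so substitute your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySettingSSMSessionRunAsTag",
      "Effect": "Deny",
      "Action": [
        "iam:TagRole",
        "iam:UntagRole",
        "iam:TagUser",
        "iam:UntagUser",
        "iam:CreateRole",
        "iam:CreateUser"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["SSMSessionRunAs"]
        },
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/IamAdmin"
        }
      }
    }
  ]
}
```

The aws:TagKeys condition matches any request whose tag set includes SSMSessionRunAs, so a principal covered by this statement can still tag roles and users with other keys. Removing the tag is denied as well, because deleting it silently changes who an admin logs in as.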

Enable the AWS SSM RunAs Feature

The final step is to enable the RunAs feature itself. Without it the tag is ignored and every session still runs as ssm-user.

Open Systems Manager in the AWS console, go to Session Manager, open the Preferences tab and click Edit. Under Run As support for Linux instances, tick the checkbox to enable it and set Operating System user name to the non-root Linux user you created earlier (ssm-basic). Session preferences are stored per region, so repeat this in every region where you start sessions.
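The console edits a regional SSM document named SSM-SessionManagerRunShell behind the scenes, which is how you would make the same change from the CLI or in automation. The document below is an added example rather than content from the original post: it shows the RunAs inputs switched on with ssm-basic as the default user, while every other input (S3 and CloudWatch logging, KMS key, timeouts, shell profile) is left at the value the default document ships with. Copy those other inputs from your existing document, not from here, so that enabling RunAs does not silently reset your session logging.

```json
{
  "schemaVersion": "1.0",
  "description": "Document to hold regional settings for Session Manager",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "",
    "s3KeyPrefix": "",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "",
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "kmsKeyId": "",
    "runAsEnabled": true,
    "runAsDefaultUser": "ssm-basic",
    "idleSessionTimeout": "20",
    "maxSessionDuration": "",
    "shellProfile": {
      "windows": "",
      "linux": ""
    }
  }
}
```

To apply it, first fetch the current document with aws ssm get-document --name SSM-SessionManagerRunShell --query Content --output text, merge the two runAs values into it, save it as SessionManagerRunShell.json and push it back with aws ssm update-document --name SSM-SessionManagerRunShell --content file://SessionManagerRunShell.json --document-version '$LATEST'. If the region has never had its preferences edited the document does not exist yet, and you create it instead with aws ssm create-document --name SSM-SessionManagerRunShell --content file://SessionManagerRunShell.json --document-type Session. Running the whole thing per region from a pipeline is what keeps the RunAs default from quietly differing between regions.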

Conclusion

Now any principal that does not carry the SSMSessionRunAs = ssm-admin tag is dropped into a shell as the non-root user ssm-basic, and only tagged admins land as ssm-admin with sudo. Two things to check before rolling this out: both usernames must exist on every instance you start sessions on, because Session Manager refuses to start a session when the RunAs user (tagged or default) does not exist on the node; and on instances that were already reachable via Session Manager, check whether the ssm-user account and the sudoers drop-in the agent created for it are still present, and remove them if nothing needs them any more.

If this post helped you, you can Buy Me A Coffee: https://www.buymeacoffee.com/GSRE

