How to login securely to your AWS EC2 Instance?
Securing the AWS EC2 instance is the first thing you have to think while creating it. This post specifically talks about how to secure SSH/RDP port on your AWS EC2 Instances and how not to open port 22/3389 to the Internet (0.0.0.0/0).
There are several ways to secure your EC2 instances in AWS. Will discuss some of the popular ones.
When EC2 instance is running in Public subnet, disable password authentication and enable SSH keys based authentication. Secure your SSH port to allow traffic from specific subnet (Ex., 3.2.132.0/24) or your own IP address (Eg., 3.2.132.23/32) by setting security group rules.
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic.
Problem with this method is that whenever your IP address or subnet changes you have to update your security group rules. Managing SSH keys is another task, which can get quite tricky when there are more than few EC2 instances. How to store the SSH keys safely? How to grant or revoke accesses to specific users?
Another way is to use bastion host, run it in Public subnet and expose it to Internet using security group rules. Create your EC2 instances in a private subnet where there is no access from Internet and no one from outside can access it. Use security group rules to allow SSH traffic into your instance only from the bastion. This way your EC2 instance traffic is secured and only from bastion host you can access your EC2 instance.
However, the same problem exists as before. How will you secure your SSH/RDP port on the bastion host. You will still have to manage the SSH keys to your bastion host and open inbound ports on the instance.
AWS Systems Manager Session Manager
Session Manager is part of AWS Systems Manager service. It gives you a browser-based CLI window to access your Windows and Linux EC2 instances without opening inbound SSH/RDP port. No need to create a bastion host. No need to manage SSH keys. Access can be granted or revoked using AWS IAM.
AWS Systems Manager uses SSM agent running on the EC2 instance to manage the login and other tasks.
SSM Agent is preinstalled, by default, on the following Amazon Machine Images (AMIs):
- Windows Server 2008-2012 R2 AMIs published in November 2016 or later
- Windows Server 2016 and 2019
- Amazon Linux
- Amazon Linux 2
- Ubuntu Server 16.04
- Ubuntu Server 18.04
- Amazon ECS-Optimized
You need to create relevant IAM permissions, install or enable SSM agent on the EC2 instances. Once you do it you can either acces your instance from AWS Console or AWS CLI.
For detailed instructions, refer to the documentation.
AWS Systems Manager Sessions Manager lets you manage your entire fleet of EC2 instances, audit the access, grant or revoke access for each instance.
Notes
Beware of pressing CTRL-W if you are used to it on the bash shell. It will close your browser window. Change the keyboard shortcuts to update the shortcut.
Above blog post has been moved to my own blog at https://vijay.eu/posts/how-to-login-securely-to-amazon-ec2/
Will be adding more posts there.