AWS EC2 Access: Unlocking Seamless Control with Session Manager

Empower Your Workflow with Keyless Convenience and Enhanced Security

Alejandro Castañeda Ocampo
Globant
7 min read · Apr 30, 2024


Image source: Unsplash

In the ever-evolving landscape of cloud computing, AWS EC2 remains a powerhouse for scalable and flexible computing resources. As cloud engineers, optimizing our workflows is crucial for efficiency, security, and ease of use. This post introduces a game-changing approach to instance access — AWS Session Manager. Say goodbye to managing keys and hello to a more secure and streamlined way of connecting to your EC2 instances.

The Drawbacks of Traditional Key-Based Access

Traditional SSH key-based access has been a staple in cloud computing. However, it comes with its set of challenges. Managing keys across a team can be cumbersome, posing security risks if handled improperly.

In the same way, SSH keys often require users to manage and store private keys locally on their machines. This dependency can be problematic, especially when users switch devices frequently or need to access instances from multiple locations. The risk of losing or compromising keys becomes a concern, leading users to seek alternative access methods.

Additionally, the lifecycle management of SSH keys, including key rotation and access revocation, demands a meticulous approach. Users may express concerns about inadvertently leaving revoked keys accessible or facing delays in implementing key rotation, potentially exposing their EC2 instances to security vulnerabilities. This aspect adds an extra layer of complexity that some users find daunting.

AWS Session Manager as an Alternative for Accessing EC2 Instances

AWS Session Manager provides a secure and auditable way to access your EC2 instances without managing SSH keys. It leverages AWS Identity and Access Management (IAM) policies for fine-grained control, offering a more secure alternative to key-based access. This service offers the following features:

  • Centralized Access Control: Manage access permissions through IAM roles, ensuring a centralized and secure access control system.
  • Encrypted Sessions: All sessions are encrypted by default, adding an extra layer of security to your communications.
  • Auditability: Keep track of user actions through AWS CloudTrail, providing a comprehensive audit trail for compliance purposes.
  • No Open Ports Required: Unlike traditional SSH, Session Manager doesn’t require open inbound ports on your instances, reducing your attack surface.

How AWS Session Manager Works

AWS Session Manager provides secure, simplified access to EC2 instances through the SSM Agent, which ships preinstalled on some AMIs and establishes an outbound WebSocket connection from the instance to the Systems Manager service, so no inbound port has to be opened. Authentication and authorization use IAM roles and policies for fine-grained access control, sessions can be started from various interfaces (the console or the AWS CLI), and every session is recorded in AWS CloudTrail for auditability.

Note: The agent is preinstalled on a selected group of AMIs. If the AMI you are using doesn’t have the agent installed, follow the official documentation to install it manually.

Implementation Overview

The diagram below represents a typical AWS environment with a VPC (Virtual Private Cloud) and two subnets: a private and a public subnet. The VPC is a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define:

The diagram shows how Session Manager works.

The diagram also includes an EC2 instance (Amazon Linux), an IAM role with the policy “AmazonSSMManagedInstanceCore”, and a security group.

The diagram represents the following steps:

  1. The IAM user starts a session with the AWS CLI, running the start-session command of Systems Manager Session Manager:
     aws ssm start-session --target <your-instance-id>
  2. The user initiates a Session Manager connection to the EC2 instance.
  3. Session Manager establishes a secure connection to the EC2 instance through the SSM Agent.
  4. The user can now interact with the EC2 instance securely.

Implementation Set Up

In the first step, we need to create our basic network. To do so, we need an AWS account. Log in, and navigate to the VPC module. Next, select the Your VPCs option on the left panel and execute the Create VPC action:

Screenshot of VPC module previews to create a new VPC.

Now, in the Create VPC section, select the VPC and more option. This option creates a basic Virtual Private Cloud together with the core components that the VPC needs to work. From our side, we only have to define a few things:

We can use the tag auto-generation option to set a prefix to generate Name tags for all VPC resources. We can use any value; in our case, we are going to use “test-ssm”. For the IPv4 CIDR block input, set 10.50.0.0/16:

Create a VPC interface.

In the NAT Gateways section, select the option In 1 AZ. Leave the other options with the default values:

The following images show the recommended configuration for the NAT Gateways section; remember to select the second option to create a single NAT Gateway in one AZ:

NAT Gateway configuration.

The process of creating the network will take a few minutes. If all is good, we’ll see a similar screen that looks like the following:

Creation VPC process finished.

Now, before launching our EC2 instance, we’ll create the IAM role with the Session Manager permission policy attached to it. This policy allows EC2 instances to communicate with the Session Manager to establish a secure connection through the Session Manager agent. To achieve this, navigate to the IAM module, select the option Roles on the left panel, and select the Create role action:

IAM module, ROLE section.

On the next page, for the Trusted entity type, select AWS Service. In the Use case section, search for EC2. Once EC2 is selected, a list of available options will appear. Select EC2 Role for AWS Systems Manager, click Next, and assign the name. In my case, I will use the “EC2-SSM-ROLE” name for the role. We can also add an optional description:

The first step is to create an IAM Role.

Now, we are ready to create our EC2 instance and grant secure access using Session Manager. We’ll navigate to the EC2 module on the AWS console to achieve this. On the left panel, select Instances, and from there, click on Launch Instances:

EC2 section on the AWS console.

When creating the instance, first give it a name. Use the default Amazon Linux 2023 AMI with the default 64-bit (x86) architecture:

Initial steps to configure EC2 instance.

Next, in the Key pair (Login) section, keys aren’t needed because the main goal of this demo is not to use keys to establish the connection. Select the option Proceed without a key pair:

Skipping the key pair assignment.

On the network settings, select the VPC created in the previous steps. For the subnet, select a private subnet. In the Auto-assign public IP option, select Disable. In the Security group section, remove all inbound rules, and assign a name and a short description:

Network setting configuration in EC2 creation module.

To finalize our EC2 instance setup, in the Advanced Details section, select the instance profile IAM role that we created before. Finally, execute the option Launch instance:

Associating the IAM role with our EC2 instance and launching the instance.

Wait a few minutes while the instance finishes provisioning. When the instance is in the Running status, select it and then select the option Connect:

EC2 instance on running status.

On the next page, select the Session Manager tab. If all is good, the Connect option will be enabled:

Connect with the session manager option.

AWS will launch a terminal in the browser that gives us a shell session on our EC2 instance. This way, we can administer our server without needing an SSH key:

Browser terminal into our EC2 instance.

In the same way, we can use the terminal on our machine to start a session and establish a secure connection to the instance using the AWS CLI. To achieve this, it is necessary to install a plugin for AWS Session Manager following its documentation.

To connect from the local terminal, execute the following AWS CLI command: aws ssm start-session --target <your-instance-id>

Example of connection from the local terminal.
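The post shows the IAM role creation and the connection only through console screenshots and a single command. The following script is an added example, not code from the original post: it reproduces the role setup as AWS CLI calls, adds a least-privilege policy for the operator who connects (the post's "fine-grained control"), and checks that the agent has registered before starting a session. The role name EC2-SSM-ROLE and the Name tag "test-ssm" come from the post; the instance-profile name and the instance id argument are placeholders.

```shell
# Added example (not from the original post): CLI equivalent of the IAM role setup,
# a least-privilege operator policy, and a registration check before connecting.
# EC2-SSM-ROLE and the "test-ssm" tag come from the post; other names are placeholders.

# Trust policy the console generates for the "EC2 Role for AWS Systems Manager"
# use case: only the EC2 service may assume the role.
instance_trust_policy() {
  cat <<'EOF'
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole"}]}
EOF
}

# Identity policy for the human operator: StartSession only on instances tagged
# Name=test-ssm with the default shell document; terminate/resume only the
# caller's own sessions (Session Manager prefixes session ids with the username).
operator_session_policy() {
  cat <<'EOF'
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Action": "ssm:StartSession",
   "Resource": "arn:aws:ec2:*:*:instance/*",
   "Condition": {"StringEquals": {"ssm:resourceTag/Name": "test-ssm"}}},
  {"Effect": "Allow", "Action": "ssm:StartSession",
   "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"},
  {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
   "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"}]}
EOF
}

# The console's Create role flow as CLI calls (role, managed policy, instance profile).
create_instance_role() {
  aws iam create-role --role-name EC2-SSM-ROLE \
    --assume-role-policy-document "$(instance_trust_policy)"
  aws iam attach-role-policy --role-name EC2-SSM-ROLE \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  aws iam create-instance-profile --instance-profile-name EC2-SSM-ROLE
  aws iam add-role-to-instance-profile --instance-profile-name EC2-SSM-ROLE \
    --role-name EC2-SSM-ROLE
}

# Confirm the agent registered through the NAT gateway; otherwise start-session fails.
connect_via_ssm() {
  status=$(aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$1" \
    --query 'InstanceInformationList[0].PingStatus' --output text)
  [ "$status" = Online ] || { echo "SSM Agent not Online: $status" >&2; return 1; }
  aws ssm start-session --target "$1"
}
```

Run `create_instance_role` once with administrative credentials, attach `operator_session_policy` to the operator's IAM identity, and then use `connect_via_ssm <your-instance-id>` in place of the bare start-session command.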

Conclusions

AWS Session Manager is more than just a solution to security concerns; it’s a transformative tool that simplifies workflows, emphasizing not only security but also user efficiency. As we bid farewell to the challenges of the past, embracing Session Manager marks a leap into a future where EC2 access is not just secure but intuitively managed.

In this ever-evolving cloud computing landscape, AWS Session Manager stands as a beacon of innovation, reflecting AWS’s commitment to providing solutions that empower users and redefine the standards of security and efficiency. Embrace the revolution in EC2 access — your cloud workflows deserve it.
