Session Manager: Driving operational excellence at slice!

Goodbye SSH and bastion hosts. Hello SSM!

As much as we’d like to run our servers like cattle (pets vs cattle mantra), there are times that call for interactive shell access to instances. 

That means providing audited, secure access to cloud resources, either through bastion hosts or through SSH keys, which in turn opens up a Pandora’s box of bastion management and tight SSH security.

Surely this age-old problem of remote server access was waiting for a cloud-native solution. Enter session manager, the future of remote server management.

So how does session manager improve upon traditional remote access technologies? Here is a list of its features:

  • No inbound security rules are required to access instances. This means 0 ports have to be opened to allow remote access.
  • All user sessions and commands are logged with optional encryption via KMS.
  • Integration with existing IAM policies to allow robust access control.
  • SSH tunneling over session manager. 

The architecture diagram below provides a high level overview of how session manager works.

session manager architecture

Let’s look at how to set up and enable session manager for AWS instances.

Configuring session manager

1. IAM permissions for instance: The easiest way to get started is to attach the AmazonSSMRoleForInstancesQuickSetup role to your instance.

IAM role for session manager

If your instance already has a role attached to it, the AmazonSSMManagedInstanceCore policy can be attached to the existing role.

IAM policy for session manager

2. IAM permissions for users: You need to create policies that allow specific IAM users and roles to access an EC2 instance. The policy below grants access to EC2 instances with the name tag of API:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/name": "API"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:session/${aws:username}-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetConnectionStatus",
        "ssm:DescribeSessions",
        "ssm:DescribeInstanceProperties",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}

More info on configuring policy can be found here

3. SSM agent installation: Make sure your Amazon Machine Images (AMIs) have SSM Agent installed. SSM Agent is preinstalled by default on popular AMIs such as Amazon Linux and Ubuntu Server. If it is not, the agent can be installed manually with the command below (region is a placeholder for the instance's AWS Region):

sudo yum install -y https://s3.region.amazonaws.com/amazon-ssm-region/latest/linux_amd64/amazon-ssm-agent.rpm

More info on installing and enabling agent can be found here

4. Audit logs: Session Manager can store audit logs in a CloudWatch log group or an S3 bucket. However, the option has to be enabled in Session Manager -> Preferences.

S3 logging for session manager
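How the three statements of the user policy in step 2 decide a request, as an added example that is not part of the original post. It is a simplified model of policy evaluation rather than IAM itself, the policy's ARNs are written with wildcard region and account, and the account ID, instance ID and user names are constructed.

```python
import fnmatch

# The page's user policy, with region and account in the ARNs as wildcards.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:StartSession"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"ssm:resourceTag/name": "API"}}},
    {"Effect": "Allow", "Action": ["ssm:TerminateSession"],
     "Resource": ["arn:aws:ssm:*:*:session/${aws:username}-*"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ssm:GetConnectionStatus", "ssm:DescribeSessions",
                "ssm:DescribeInstanceProperties", "ec2:DescribeInstances"]},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource_arn, username, tags=None):
    """Simplified model (an assumption of this example): Allow statements,
    wildcard ARNs and StringEquals on tags only. Real IAM also applies
    explicit denies, SCPs, permission boundaries and other operators."""
    tags = tags or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        patterns = [p.replace("${aws:username}", username)
                    for p in _as_list(stmt["Resource"])]
        if not any(fnmatch.fnmatchcase(resource_arn, p) for p in patterns):
            continue
        condition = stmt.get("Condition", {})
        if set(condition) - {"StringEquals"}:
            continue  # operator not modelled here: fail closed
        # "ssm:resourceTag/<key>" is compared with the target's tag <key>.
        if all(tags.get(key.split("/", 1)[1]) in _as_list(value)
               for key, value in condition.get("StringEquals", {}).items()):
            return True
    return False  # nothing matched: implicit deny

# Constructed sample resources (account ID and IDs are made up).
INSTANCE = "arn:aws:ec2:ap-south-1:111122223333:instance/i-0123456789abcdef0"
SESSION = "arn:aws:ssm:ap-south-1:111122223333:session/{}-0123456789abcdef0"

def demo():
    start, end = "ssm:StartSession", "ssm:TerminateSession"
    return {
        "start, name=API": is_allowed(POLICY, start, INSTANCE, "alice", {"name": "API"}),
        "start, name=DB": is_allowed(POLICY, start, INSTANCE, "alice", {"name": "DB"}),
        "start, untagged": is_allowed(POLICY, start, INSTANCE, "alice"),
        "end own session": is_allowed(POLICY, end, SESSION.format("alice"), "alice"),
        "end bob's session": is_allowed(POLICY, end, SESSION.format("bob"), "alice"),
    }
```

Only instances carrying the tag can be reached, and the `${aws:username}` variable limits each user to ending their own sessions.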

Using session manager

A session can be started by an authenticated user either from the AWS management console or through CLI. 

1. Starting a session (console): Either the EC2 console or the Systems Manager console can be used to start a session.
Connect through the EC2 console

2. Starting a session (AWS CLI): Using session manager through the CLI has the additional requirement of installing the SSM plugin:

  • Prerequisites: 
    1. AWS CLI version 1.16.12 or higher
    2. Session manager plugin – Install instructions for different systems here
  • Starting a session: 
aws ssm start-session --target "<instance_id>"

3. Using SSH and SCP with session manager: One of the major limitations of session manager when it was launched was its inability to copy files without going through S3. 

Now the AWS-StartSSHSession document supports tunnelling SSH traffic through session manager.

Note: Using this functionality requires the use of a key that is associated with the instance. Logging is unavailable for sessions that connect through SSH as SSH encrypts all transit data.

Steps to use SSH/SCP with session manager: 

  1. Verify that prerequisites mentioned above are met.
  2. Add the below lines to SSH config to allow session manager tunneling. The SSH configuration file is typically located at ~/.ssh/config.
# SSH over Session Manager

host i-* mi-*
ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

SSH into instance with Session Manager: SSH can be performed as normal using the instance-id as the hostname. Example:

% ssh ec2-user@<instance_id>
Last login: Wed Oct 28 10:53:22 2020 from ip-<instance_ip>.ap-south-1.compute.internal
[ec2-user@ip-<instance_ip> ~]$

SCP to copy files with Session Manager: SCP can be performed as normal using the instance-id as the hostname. Example:

% scp test ec2-user@<instance_id>:test
test           100%    0     0.0KB/s   00:00
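Since sessions tunnelled over SSH are not captured by session logging, the CloudTrail record of the StartSession call is where such sessions can still be found. The following is an added example, not part of the original post; the sample records are constructed, and the field names (documentName, target, errorCode) are assumed to follow CloudTrail's record layout for StartSession.

```python
import json

# Session documents whose traffic is not logged (from the note above).
UNLOGGED_DOCUMENTS = {"AWS-StartSSHSession"}

# Constructed CloudTrail records, one JSON object per line; every value is made up.
SAMPLE_EVENTS = """
{"eventTime": "2020-10-28T10:50:01Z", "eventSource": "ssm.amazonaws.com", "eventName": "StartSession", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "requestParameters": {"target": "i-0123456789abcdef0"}}
{"eventTime": "2020-10-28T10:53:20Z", "eventSource": "ssm.amazonaws.com", "eventName": "StartSession", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "requestParameters": {"target": "i-0123456789abcdef0", "documentName": "AWS-StartSSHSession", "parameters": {"portNumber": ["22"]}}}
{"eventTime": "2020-10-28T11:02:44Z", "eventSource": "ssm.amazonaws.com", "eventName": "StartSession", "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}, "requestParameters": {"target": "i-0fedcba9876543210", "documentName": "AWS-StartSSHSession", "parameters": {"portNumber": ["22"]}}}
{"eventTime": "2020-10-28T11:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "requestParameters": {}}
"""

def find_ssh_sessions(lines, documents=UNLOGGED_DOCUMENTS):
    """Return StartSession calls that used an unlogged session document."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        if not isinstance(event, dict):
            continue
        if (event.get("eventSource"), event.get("eventName")) != (
                "ssm.amazonaws.com", "StartSession"):
            continue
        request = event.get("requestParameters") or {}
        if request.get("documentName") not in documents:
            continue  # ordinary shell session: covered by session logging
        findings.append({
            "time": event.get("eventTime"),
            "user": (event.get("userIdentity") or {}).get("arn"),
            "target": request.get("target"),
            # errorCode is present only when the call failed or was denied
            "outcome": event.get("errorCode", "started"),
        })
    return findings

if __name__ == "__main__":
    for finding in find_ssh_sessions(SAMPLE_EVENTS.splitlines()):
        print(finding)
```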

Wrapping up

Session manager defies the saying “Convenience is the enemy of security” by being both convenient and secure.

The ease of using session manager along with its ability to tunnel SSH traffic allows us to phase out SSH and switch completely to session manager. No more open SSH ports!

Combining session manager with the extended capabilities that systems manager provides, like patching, automation documents and run command, makes for a powerful ops workflow.

If you are invested in AWS cloud, leveraging session manager is a no-brainer!

Here at slice, we are constantly working towards creating new tools, every day, to streamline our workflow. So, stay tuned for more!