Remoting into EC2s with SSM Session Manager

BLOG ARTICLE

the challenge WITH EC2 REMOTE CONTROL WITH SSH AND RDP

One common challenge when working in highly secure environments is remoting into servers from external and internal sources. 

Some security requirements, whether it being from security teams or compliance regulatory bodies, can make it difficult to find the right kind of balance between ease of use and protecting sensitive data.

ENTER SSM SESSION MANAGER

Simple Systems Manager (SSM) in AWS has a feature called Session Manager, which allows you to remote into EC2 instances on Windows and Linux command line through the browser.

Benefits include

  • Removing the need to create bastion (“jump”) boxes to remote into internal servers, saving money on EC2 costs and general server maintenance.
  • Having AWS Console Multi Factor Authentication (MFA) as an extra security measure without the need to configure extra MFA applications into remote EC2 instances
  • Ability to integrate AWS monitoring services such as CloudWatch Events and CloudTrail to seamlessly record and monitor remote user access to identify unusual or unauthorised access
  • Leveraging the strength of IAM security policies to ensure remote users can only remote into the EC2 instances they should. This removes any need for local user accounts on servers.

Installation

To run SSM Session Manager, you will need to have the SSMAgent installed. If you are using an Amazon Linux AMI, this agent is already built in. 

However for any other AMI type:

 

RedHat:

sudo yum install -y
https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm 

sudo systemctl start amazon-ssm-agent

 

Ubuntu:

wget
https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb

sudo dpkg -i amazon-ssm-agent.deb
sudo systemctl status amazon-ssm-agent

 

Windows PowerShell: 

Invoke-WebRequest
https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/windows_amd64/AmazonSSMAgentSetup.exe
-OutFile $env:USERPROFILE\Desktop\SSMAgent_latest.exe

Start-Process `-FilePath $env:USERPROFILE\Desktop\SSMAgent_latest.exe
` -ArgumentList "/S"M

IAM Policy

To allow the EC2 to be accessed by Session Manager, attach the following policy to the EC2 instance to the Instance Role: AmazonSSMManagedInstanceCore

1. Go into EC2 Resource section in AWS
2. Click on Connect next to the Launch Instance Button

Instances-_-EC2-Management-Console

3.  Click on Session Manager and then Connect

connect to instance

Easy! 

CONSIDERATIONS FOR SESSION MANAGER

While Session Manager is a great benefit to controlling EC2 instances, there are a few considerations you may want to discuss with your team and security before going with this option:

  • Is your AWS account using Single Sign On or IAM user accounts? Is using services such as Remote Desktop Gateway easier and more secure than manually managing IAM user accounts? 
  • How good is your IAM account control management? Does everyone have Administrator or PowerUser access? If so, should they be able to remote into every EC2 instance, or certain specific instances if there are production workloads?
  • Are there any third party security tooling that needs to record user sessions inside EC2 instances for compliance reasons?
  • For Windows EC2s, can you completely work in PowerShell, or do you need to use the GUI once in a while? If so, do you need an emergency remote control method for the times you will need to use the GUI?

Summary

Session Manager is a secure and easy method to remote into EC2 instances inside AWS and offer a lot of benefits over third party remote control tools and bastion servers. However, it is important to set up the proper security controls to get that good balance between ease of use and a secure environment.