
Secure ways of accessing infrastructure with AWS SSM Session Manager

For a customer’s security compliance environment in AWS, they wanted a cloud-native solution to eliminate the usage of SSH keys to access servers and the access should be monitored and audited properly.

CloudifyOps implemented two different solutions to meet this requirement for two of our customers. This blog covers AWS SSM Session Manager as the native solution. In the next blog (part two), we will cover Teleport as a cloud-agnostic solution for securing SSH access to servers.

Secure access to infrastructure means that access follows the applicable security compliance requirements and that centralized auditing and monitoring are logged properly. This brings better security and visibility into who is doing what on our servers.

AWS SSM Session Manager

Session Manager is a fully managed AWS Systems Manager capability. With Session Manager, we can manage our EC2 instances, edge devices, and on-premises servers and virtual machines (VMs). We can use either an interactive one-click browser-based shell or the AWS CLI.

Session Manager provides secure and auditable node management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Replacing SSH with the AWS Session Manager simplifies authentication, authorization, networking, as well as audit logs for administrator sessions on EC2 instances.

How does SSM Session Manager work?

(Image ref: https://cloudonaut.io/images/2019/03/session-manager.png)

  1. The user authenticates against IAM.
  2. IAM authorizes a session for an EC2 instance.
  3. The user starts a session from the AWS Management Console or the terminal.
  4. The SSM Agent running on the EC2 instance connects to the Systems Manager backend and executes the commands on the machine.
  5. Session Manager sends audit logs to CloudWatch Logs or S3.

Below are the steps to enable Session Manager and use IAM policies to restrict which IAM users can start a session with an EC2 instance.

Prerequisites for Session Manager

  • For Amazon Linux 2 machines, the AWS SSM Agent is installed and enabled by default. To check the status of the agent, run

systemctl status amazon-ssm-agent

  • For other Linux distributions, we need to install the SSM Agent manually:

https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html

  • Create an IAM role with the managed policy AmazonEC2RoleforSSM and attach it to every instance that needs to be accessed through Session Manager (the instances that previously needed an SSH connection).

Creating an IAM policy to restrict which IAM user or role can start a session with an EC2 instance.

Create an IAM policy as shown below. This policy allows users to connect only to EC2 instances that carry a specific tag; here the tag key is team and the value is DEV. Edit the tag to match your own requirements. Tags can also be based on environments, such as staging, production, etc.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ssm:GetConnectionStatus",
                "ec2:DescribeInstances",
                "ssm:DescribeSessions",
                "ssm:DescribeInstanceProperties",
                "s3:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "ssm:resourceTag/team": "DEV"
                }
            }
        }
    ]
}

Attach the policy to the respective IAM users.

Connecting to EC2 instances

AWS Session Manager provides two options to connect to the instances:

Connecting directly from the console.

  • Once we select the instance, a Connect button appears; click it.
  • From there we can start the session under the Session Manager tab. The session is launched in the browser itself.

Connecting via terminal

  • Install the AWS CLI and the Session Manager plugin for the AWS CLI on our laptop/local machine.
  • Once everything is set up, run aws configure.
  • Run the command below to connect to the instance.

aws ssm start-session --target <instance-id>

Enabling CloudWatch logs for SSM.

AWS Systems Manager stores session audit logs in a CloudWatch log group that we provide. However, audit logging has to be enabled first.

  • Go to the AWS Systems Manager dashboard and click on the Session Manager tab.
  • Here we can see active sessions, session history and preferences.
  • Under Preferences, click Edit to enable audit logging and select the desired CloudWatch log group.

There is an option for S3 logging also.
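The same preference change made from the CLI, as an added example that is not part of the original post: Session Manager keeps its per-region preferences in the SSM document named SSM-SessionManagerRunShell, and updating that document's content is what the console's Preferences page does behind the scenes. The log group name /ssm/session-audit is an assumed value; the other keys are the document's standard inputs.

```json
{
  "schemaVersion": "1.0",
  "description": "Session Manager preferences: stream session logs to CloudWatch Logs",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "",
    "s3KeyPrefix": "",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "/ssm/session-audit",
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "kmsKeyId": "",
    "runAsEnabled": false,
    "runAsDefaultUser": "",
    "idleSessionTimeout": "20",
    "shellProfile": {
      "windows": "",
      "linux": ""
    }
  }
}
```

Apply it with aws ssm update-document --name SSM-SessionManagerRunShell --content file://prefs.json --document-version '$LATEST' (use create-document if the document does not exist yet); with cloudWatchEncryptionEnabled set to true the log group must be KMS-encrypted, otherwise sessions will not start. The instance role must also be allowed logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups and logs:DescribeLogStreams on that log group, or the agent cannot deliver the session log.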

Sample log captured by Session Manager in CloudWatch


Copying files to EC2 instances via AWS SSM.

We cannot copy files directly from the local machine/our laptop to the EC2 instance using AWS SSM. To do this, we upload the files from the local machine to S3 and then copy them from there to the instance.

The policy above, which grants users session access, also gives them full access to S3. We can restrict this by granting permission only to specific buckets. With this policy, users can upload files to S3 and download them from there to the instance.
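As an added example that is not from the original post, here is the same user policy with the broad s3:* statement replaced by access scoped to a single transfer bucket and prefix, and with a statement that lets users terminate only their own sessions. The bucket name EXAMPLE-TRANSFER-BUCKET and the transfers/ prefix are placeholders to be replaced with your own values; the tag condition is the one from the post.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SessionDiscovery",
      "Effect": "Allow",
      "Action": [
        "ssm:GetConnectionStatus",
        "ec2:DescribeInstances",
        "ssm:DescribeSessions",
        "ssm:DescribeInstanceProperties"
      ],
      "Resource": "*"
    },
    {
      "Sid": "StartSessionOnTeamInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/team": "DEV" }
      }
    },
    {
      "Sid": "TerminateOwnSessionsOnly",
      "Effect": "Allow",
      "Action": "ssm:TerminateSession",
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    },
    {
      "Sid": "ListTransferBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE-TRANSFER-BUCKET"
    },
    {
      "Sid": "TransferObjectsUnderPrefixOnly",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::EXAMPLE-TRANSFER-BUCKET/transfers/*"
    }
  ]
}
```

The aws s3 cp commands run on the instance itself use the instance profile's credentials rather than the user's, so the instance role needs matching read (and, for the copy back, write) access to the same bucket and prefix.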

Use the following command to copy an object from Amazon S3 to the instance.

aws s3 cp s3://my_bucket/my_file.txt /<dirname>/

Use the following command to copy an object from your instance back into Amazon S3.

aws s3 cp my_copied_file.txt s3://my_bucket/my_file.txt
