A customer running a security compliance environment in AWS wanted a cloud-native solution that eliminates the use of SSH keys for server access, with that access monitored and audited properly.
CloudifyOps implemented two different solutions to meet this requirement for two of our customers. This blog covers AWS SSM Session Manager as the native solution. In our next blog (part two), we will cover Teleport as a cloud-agnostic solution for securing SSH access to servers.
Secure access to infrastructure means that infrastructure access meets security compliance requirements and has centralized auditing and monitoring that are logged properly. This brings better security and visibility into who is doing what on our servers.
Session Manager is a fully managed AWS Systems Manager capability. With Session Manager, we can manage our EC2 instances, edge devices, and on-premises servers and virtual machines (VMs). We can use either an interactive one-click browser-based shell or the AWS CLI.
Session Manager provides secure and auditable node management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Replacing SSH with the AWS Session Manager simplifies authentication, authorization, networking, as well as audit logs for administrator sessions on EC2 instances.
(Image ref: https://cloudonaut.io/images/2019/03/session-manager.png)
Below are steps to enable the SSM and use IAM policies to restrict which IAM users can start a session with an EC2 instance.
Prerequisites for Session Manager
The SSM Agent must be installed and running on the instance. Check its status with:
systemctl status amazon-ssm-agent
If the agent is not installed, follow the manual installation guide: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html
Creating an IAM policy to restrict which IAM user or role can start a session with an EC2 instance.
Create an IAM policy as shown below. This policy grants users access to connect only to EC2 instances that carry a specific tag; here it is Tag Key = team and Value = DEV. Edit the tag to match your requirements. Tags can also be based on environments, such as staging, production, etc.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ssm:GetConnectionStatus",
                "ec2:DescribeInstances",
                "ssm:DescribeSessions",
                "ssm:DescribeInstanceProperties",
                "s3:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "ssm:resourceTag/team": "DEV"
                }
            }
        }
    ]
}
We need to attach the policy with the respective IAM Users.
Connecting to EC2 instances
AWS Session Manager provides two options to connect to the instances:
Connecting directly from the console.
Connecting via terminal
aws ssm start-session --target <instance-id>
Enabling CloudWatch logs for SSM.
AWS Systems Manager stores audit logs in a CloudWatch log group that we provide. However, we have to enable audit logs.
There is an option for S3 logging also.
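The post enables audit logging through the console; the same settings live in the Session Manager preferences document (SSM-SessionManagerRunShell). The following is an added example, not code from the post or from CloudifyOps, that builds that document with both CloudWatch and S3 logging enabled, flags the weak configurations a reviewer would reject (no log group, no bucket, encryption off), and produces the aws ssm update-document invocation that applies it. The log group, bucket and KMS alias names are constructed placeholders.

```python
import json

# Constructed placeholder values; replace with your own log group, bucket and key.
LOG_GROUP = "/ssm/session-manager/audit"      # CloudWatch log group created beforehand
AUDIT_BUCKET = "example-ssm-session-logs"     # S3 bucket for full session transcripts
KMS_KEY_ID = "alias/example-session-manager"  # assumed KMS key alias for session data


def build_session_preferences(log_group=LOG_GROUP, bucket=AUDIT_BUCKET,
                              kms_key_id=KMS_KEY_ID, idle_timeout_minutes=20):
    """Build the SSM-SessionManagerRunShell document content with CloudWatch
    streaming and S3 transcript logging enabled, both with encryption required."""
    return {
        "schemaVersion": "1.0",
        "description": "Session Manager preferences: CloudWatch + S3 audit logging",
        "sessionType": "Standard_Stream",
        "inputs": {
            "s3BucketName": bucket,
            "s3KeyPrefix": "sessions/",
            "s3EncryptionEnabled": True,
            "cloudWatchLogGroupName": log_group,
            "cloudWatchEncryptionEnabled": True,   # log group must be KMS-encrypted
            "cloudWatchStreamingEnabled": True,    # stream each command as it runs
            "kmsKeyId": kms_key_id,
            "runAsEnabled": False,
            "runAsDefaultUser": "",
            "idleSessionTimeout": str(idle_timeout_minutes),  # minutes, as a string
        },
    }


def audit_logging_gaps(doc):
    """Return human-readable findings for a preferences document whose
    audit logging is missing or weakened. An empty list means it passes."""
    inputs = doc.get("inputs", {})
    gaps = []
    if not inputs.get("cloudWatchLogGroupName"):
        gaps.append("no CloudWatch log group: sessions are not audited in CloudWatch")
    elif not inputs.get("cloudWatchEncryptionEnabled", False):
        gaps.append("CloudWatch log group encryption is not required")
    if not inputs.get("s3BucketName"):
        gaps.append("no S3 bucket: no durable transcript copy")
    elif not inputs.get("s3EncryptionEnabled", False):
        gaps.append("S3 transcript encryption is not required")
    return gaps


def update_document_command(path="session-preferences.json"):
    """CLI argument list that applies the preferences document. If the document
    does not exist yet, use create-document with --document-type Session instead."""
    return ["aws", "ssm", "update-document",
            "--name", "SSM-SessionManagerRunShell",
            "--content", f"file://{path}",
            "--document-version", "$LATEST"]


if __name__ == "__main__":
    prefs = build_session_preferences()
    with open("session-preferences.json", "w") as fh:
        json.dump(prefs, fh, indent=2)
    print("findings:", audit_logging_gaps(prefs) or "none")
    print(" ".join(update_document_command()))
```

Run it to write session-preferences.json, then apply the printed command in the account and region where the sessions are started. The gap checker is the part worth keeping in a compliance pipeline: fetch the current document with aws ssm get-document and feed its content through audit_logging_gaps to catch a preference change that silently disabled logging.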
(Image: sample log captured by Session Manager in CloudWatch)
Copying files to EC2 instances via AWS SSM.
We cannot copy files directly from the local machine/our laptop to the EC2 instance using AWS SSM. To do this, we need to upload the files from local to S3 and copy them from there to the instance.
The policy above, which gave users session access, also gives them full access to S3. We can restrict this by granting permission only on specific buckets. With that policy, users can upload files to S3 and download them from there to the instance.
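Both the tag-scoped policy shown earlier and the S3 restriction suggested here can be checked before anything is attached to a user. The block below is an added example, not code from the post or from CloudifyOps: it builds the post's policy with the s3:* grant replaced by the minimum needed for file transfer through one named bucket, runs a simplified local check of the ssm:resourceTag condition against an instance's tags, and detects the over-broad S3 shape. The bucket name and tag values are constructed placeholders, and the condition check covers only StringEquals on resource tags, not IAM's full evaluation logic.

```python
import json

# Constructed placeholder; the bucket users may stage files in.
TRANSFER_BUCKET = "example-ssm-file-transfer"


def build_session_policy(tag_key="team", tag_value="DEV", bucket=TRANSFER_BUCKET):
    """The post's policy with S3 access narrowed to one bucket: list on the bucket,
    get/put on its objects, instead of s3:* on every resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DescribeForSessionManager",
                "Effect": "Allow",
                "Action": [
                    "ssm:GetConnectionStatus",
                    "ec2:DescribeInstances",
                    "ssm:DescribeSessions",
                    "ssm:DescribeInstanceProperties",
                ],
                "Resource": "*",
            },
            {
                "Sid": "StartSessionOnTaggedInstances",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {"StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value}},
            },
            {
                "Sid": "ListTransferBucket",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "TransferObjectsOnly",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def _actions(stmt):
    """Normalise a statement's Action field to a list."""
    actions = stmt["Action"]
    return [actions] if isinstance(actions, str) else list(actions)


def start_session_allowed(policy, instance_tags):
    """Simplified check: does any Allow statement for ssm:StartSession have its
    StringEquals resource-tag conditions satisfied by this instance's tags?
    A statement with no tag condition allows every instance, as in IAM."""
    prefix = "ssm:resourceTag/"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "ssm:StartSession" not in _actions(stmt):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        tag_conds = {k[len(prefix):]: v for k, v in cond.items() if k.startswith(prefix)}
        if all(instance_tags.get(k) == v for k, v in tag_conds.items()):
            return True
    return False


def grants_wildcard_s3(policy):
    """True when a statement allows s3:* on every resource, the shape in the post
    that should be narrowed before the policy is attached to users."""
    return any(stmt["Effect"] == "Allow" and "s3:*" in _actions(stmt)
               and stmt["Resource"] == "*" for stmt in policy["Statement"])


if __name__ == "__main__":
    policy = build_session_policy()
    print(json.dumps(policy, indent=2))  # save as policy.json for aws iam create-policy
    print("DEV instance allowed:", start_session_allowed(policy, {"team": "DEV"}))
    print("PROD instance allowed:", start_session_allowed(policy, {"team": "PROD"}))
    print("wildcard S3:", grants_wildcard_s3(policy))
```

The printed JSON can be saved and attached with aws iam create-policy --policy-document file://policy.json. Note that the tag condition is the only thing separating DEV from PROD access, so whoever can edit instance tags can widen that access; keep ec2:CreateTags out of the same users' permissions.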
Use the following command to copy an object from Amazon S3 to the instance.
aws s3 cp s3://my_bucket/my_file.txt /<dirname>/
Use the following command to copy an object from your instance back into Amazon S3.
aws s3 cp my_copied_file.txt s3://my_bucket/my_file.txt
Copyright 2024 CloudifyOps. All Rights Reserved