
Secure AWS EC2 Access with Session Manager

Posted 26th Jul 2024 by Ben Arent

Introduction

AWS Session Manager is a fully managed service offered as part of AWS Systems Manager. It allows you to control your EC2 instances, on-premises servers, and virtual machines (VMs) securely, without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. This approach enhances your security posture by eliminating common attack vectors associated with traditional remote access methods.

How Does AWS Session Manager Work?

Let's break down the inner workings of AWS Session Manager. It relies on a lightweight agent called the SSM Agent, which needs to be installed on your EC2 instance or on-premises server to establish connectivity.

Here's a step-by-step look at how AWS Session Manager establishes a connection:

  1. Initiate Connection Request: You, the user, initiate a connection request to an EC2 instance or on-premises server via the AWS Systems Manager console, the AWS Command Line Interface (AWS CLI), or the Session Manager plugin.
  2. Authentication and Authorization: AWS Session Manager leverages your existing IAM credentials to authenticate your request. You need appropriate permissions configured in IAM policies to use Session Manager and interact with your instances.
  3. Secure Tunnel Establishment: After successful authentication, Session Manager creates a secure tunnel between your local machine and the target instance via the SSM Agent.
  4. Interactive Shell or Command Execution: With the tunnel in place, you can start an interactive shell session or run commands on your instance with the same level of access you would have with SSH.

Benefits of Using AWS Session Manager

AWS Session Manager provides a compelling alternative to traditional SSH access, offering advantages across security, management, and auditing. Here's a closer look at the key benefits:

  • Enhanced Security:
    • No Open Inbound Ports: Session Manager eliminates the need to open inbound ports like port 22 (SSH) on your security groups, significantly reducing your attack surface.
    • No Bastion Hosts: You can bypass the complexity and overhead of setting up and managing bastion hosts.
    • SSH Key Management Eliminated: Session Manager removes the need for generating, rotating, and securing SSH keys, simplifying your security practices.
  • Streamlined Management:
    • Centralized Access Control: Manage user access to instances through IAM, enabling granular permissions and role-based access control for enhanced security.
    • Cross-Platform Support: Connect to your Windows and Linux instances seamlessly from various operating systems.
    • Simplified Connectivity: Connect to your instances without needing to know their public IP addresses, simplifying your workflow.
  • Comprehensive Auditing and Logging:
    • Detailed Session Recording: Session Manager automatically records your sessions, including commands used and shell output, providing a valuable audit trail for compliance.
    • Integration with CloudTrail and CloudWatch: Integrate with CloudTrail to log API calls and CloudWatch to monitor Session Manager activity for enhanced security insights.

AWS Session Manager is a powerful tool for secure and streamlined remote access to your EC2 instances and other supported resources. Its tight integration with IAM, robust security features, and comprehensive auditing capabilities make it an excellent choice for organizations of all sizes. By leveraging AWS Session Manager, you can improve your security posture while streamlining your operational workflows.

Score: Security Assessment of AWS Session Manager

From a security team's perspective, I'd give AWS Session Manager a solid 4.5 out of 5 for security.

Here's why:

  • Elimination of SSH Key Management: Past incidents have shown vulnerabilities in SSH key management practices. Session Manager removes this risk entirely, using IAM for authentication and authorization instead. This alone is a huge win for security.
  • Reduced Attack Surface: Closing inbound ports on your EC2 instances significantly reduces the attack surface. Session Manager's approach makes your infrastructure less visible to potential attackers.
  • Centralized Control and Auditing: IAM integration provides granular control over who can access what, and session recording capabilities offer a detailed audit trail for compliance and incident response.

Why not a perfect 5?

While extremely secure, no system is completely foolproof. Potential vulnerabilities could arise if IAM policies are misconfigured, granting excessive permissions. Additionally, organizations relying heavily on custom tooling built around SSH might face integration challenges.

How To: Setting Up and Using AWS Session Manager

Let's walk through the steps to get you up and running with AWS Session Manager:

Prerequisites

  • An AWS account.
  • An EC2 instance (or other supported resource).
  • The SSM Agent installed and running on your instance. (Note: The SSM Agent comes pre-installed on many Amazon Machine Images (AMIs), including Amazon Linux and Windows Server AMIs).
  • An IAM user or role with the necessary permissions to use Session Manager.

Step 1: Verify or Install the SSM Agent

  • For new EC2 instances: Choose an AMI that has the SSM Agent pre-installed.
  • For existing instances: Follow the instructions in the AWS documentation to install the SSM Agent for your instance's operating system (Linux, Windows, or macOS).

Step 2: Configure IAM Permissions (If not using an AWS-managed policy)

Create an IAM policy that allows Session Manager access. Here's a basic example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession",
        "ssm:DescribeInstanceInformation"
      ],
      "Resource": "*" 
    }
  ]
}

Attach this policy to your IAM user or role.
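The basic policy above grants ssm:StartSession on every resource, which is exactly the IAM misconfiguration the security assessment warns about. The following Python check is an added example (not part of the original post, and not Teleport's or AWS's code): it flags that over-broad grant and contrasts it with a scoped policy that limits sessions to tagged instances and lets users resume or terminate only their own sessions. The account ID 111122223333, region us-east-1 and the SSMAccess tag are placeholders.

```python
import fnmatch
from typing import Any, Dict, List

# The page's basic policy, reproduced here for comparison.
BASIC_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:StartSession", "ssm:DescribeInstanceInformation"],
        "Resource": "*",
    }],
}

# Scoped alternative. Account ID, region and the SSMAccess tag are placeholders.
# StartSession is allowed only on instances carrying the tag plus the default
# shell document; users may only resume/terminate sessions they started.
SCOPED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:StartSession",
         "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
         "Condition": {"StringEquals": {"ssm:resourceTag/SSMAccess": "true"}}},
        {"Effect": "Allow", "Action": "ssm:StartSession",
         "Resource": "arn:aws:ssm:us-east-1:111122223333:document/SSM-SessionManagerRunShell"},
        {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
         "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"},
        {"Effect": "Allow", "Action": "ssm:DescribeInstanceInformation", "Resource": "*"},
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overbroad_session_grants(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return Allow statements that let the principal open a session on any instance:
    an Action matching ssm:StartSession (wildcards such as ssm:* or * count, matched
    case-insensitively as IAM does), Resource "*", and no Condition narrowing it."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [str(a).lower() for a in _as_list(stmt.get("Action", []))]
        grants_session = any(fnmatch.fnmatchcase("ssm:startsession", a) for a in actions)
        any_resource = "*" in _as_list(stmt.get("Resource", []))
        if grants_session and any_resource and not stmt.get("Condition"):
            findings.append(stmt)
    return findings
```

Run the check against policies before attaching them; a non-empty result means anyone holding the policy can open a shell on every instance the agent reports.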

Step 3: Start a Session

  1. Using the AWS Systems Manager Console:
    • Navigate to the AWS Systems Manager console.
    • In the left-hand navigation pane, choose "Session Manager."
    • Click "Start session."
    • Select the instance you want to connect to and click "Start session."
  2. Using the AWS CLI:
    • Open your terminal or command prompt.
    • Run the following command, replacing instance-id with your instance's ID:

      aws ssm start-session --target instance-id

  3. Using the Session Manager Plugin:
    • Download and install the Session Manager plugin for your OS from GitHub.
    • Configure the plugin with your AWS credentials.
    • Follow the on-screen instructions to start a session.

Conclusion

In today's cloud-centric world, AWS Session Manager emerges as an essential tool for anyone managing AWS resources. It delivers secure, streamlined access to your EC2 instances, eliminating the need for traditional SSH, bastion hosts, and complex key management.

By incorporating Session Manager into your workflow, you bolster your security posture, streamline management, and gain valuable insights through comprehensive auditing capabilities. Embrace the power of AWS Session Manager and experience a more secure and efficient approach to managing your cloud infrastructure.

Frequently Asked Questions (FAQ)

What is AWS Session Manager?

AWS Session Manager is a fully managed service from Amazon Web Services (AWS) that provides secure and interactive access to your EC2 instances, on-premises servers, and virtual machines without the need to open inbound ports or manage SSH keys. It's part of the broader AWS Systems Manager service.

How does AWS Session Manager work?

Session Manager utilizes the SSM Agent, a lightweight agent installed on your target instance. When you initiate a connection, it creates a secure tunnel between your local machine and the instance through the SSM Agent, relying on your IAM credentials for authentication and authorization. This approach eliminates the need for public IP addresses, open inbound ports, or SSH key pairs.

How do I use AWS Session Manager?

Using Session Manager is straightforward. You can start a session through the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the Session Manager plugin. Once connected, you have an interactive shell or can run commands on your instance with the appropriate permissions.

What are the benefits of using AWS Session Manager over SSH?

Session Manager provides several advantages over traditional SSH:

  • Enhanced Security: No open inbound ports, no bastion host management, and no need to handle SSH keys.
  • Centralized Access Control: Leverages IAM for granular permissions and role-based access.
  • Comprehensive Auditing: Provides session recording and integrates with CloudTrail and CloudWatch.
  • Simplified Management: No need to know public IP addresses or manage SSH keys.
  • Cross-Platform Support: Connect to Linux, Windows, and macOS instances.

What are some alternatives to AWS Session Manager?

Alternatives to AWS Session Manager include:

  • Traditional SSH with Bastion Hosts: This method provides secure access but requires managing bastion hosts and SSH keys.
  • Third-Party Remote Access Tools: Several third-party tools such as Teleport offer remote access solutions, often with their own security features and pricing models.

How much does AWS Session Manager cost?

AWS Session Manager is a feature of AWS Systems Manager and is offered at no additional cost. You only pay for the underlying AWS resources used, such as data transfer charges for session logs.

Why is my instance not showing up in AWS Session Manager?

Several reasons could explain why your instance isn't appearing:

  • SSM Agent Not Installed or Running: Ensure the SSM Agent is installed and running on your instance.
  • IAM Permissions: Verify that your IAM user or role has the necessary permissions to use Session Manager and access the specific instance.
  • Network Connectivity: Check if your instance has network connectivity to the AWS Systems Manager service.

What port does AWS Session Manager use?

Session Manager doesn't rely on a specific port for communication. It uses the SSM Agent to establish an outbound connection over HTTPS (port 443) to AWS, eliminating the need to open inbound ports on your security groups.