Improving Systems Management with AWS Systems Manager Session Manager

May 17, 2023
/
Swapna Mannem
/
No items found.

Session Manager is a fully managed AWS system manager service, which allows you to connect your EC2 instances with temporary credentials and we can launch the servers without key pair and no SSH port in the security group.

In order to access EC2 instances we use the session manager, the instances must be running with an SSM agent installed and the operating system should be support SSM agent and also the EC2 instance should have AmazonSSMManagedCore privileges so that we can connect to the server through session manager without key pair and SSH port.

If you are using Amazon Linux 2, your SSM agent is already running and if you use Redhat or Ubuntu you should make sure that your SSM agent is already installed and The session manager basically supports Linux, Windows Server, and Raspbian. We can connect public servers and private servers through Session manager but we cannot connect to the database servers because the database servers subnets do not have a NAT gateway. if you want to use a session manager no need to maintain the key and rotate the keys

Prerequisites for Using Session Manager

  1. Create an AWS account and configure the required IAM roles.
  2. Verify that Systems Manager is supported in the AWS Regions where you want to use the service.
  3. Verify that your instances run a supported operating system.
  4. For EC2 instances, create an IAM instance profile and attach it to your machines.
  5. Verify that you are allowing HTTPS (port 443) outbound traffic to the Systems Manager endpoints.
  6. Create a VPC endpoint in Amazon Virtual Private Cloud to use with Systems Manager. (Recommended)
  7. On VMs, on-premises servers, and EC2 instances created from AMIs that are not supplied by AWS, install a Transport Layer Security (TLS) certificate.
  8. Install or verify the installation of an SSM Agent on each of your managed instances.

Now let’s see these processes in action.

Navigate to IAM console and click on ‘Role’.

Then click on ‘Create role’.

Now, select EC2 to call your AWS services on your behalf and click on the ‘Next permission’ button.

Then select the policy which you want to give to the role to and click on ‘Next: Tags’.

Enter your tags and click on ‘Review’.

Enter a role name and description, then click on create the role.

After this launch an EC2 instance without a key pair or SSH port and attach the created IAM role to an EC2 instance, select an instance then go to Actions → Instance Settings → Attach/Replace IAM Role and attach a Role.

Click on Attach/Replace IAM Role options, you may directly add Amazon EC2 Role for SSM policy role to an instance like the image below.

We will be logging into the server using Session Manager using assigned SSM permissions and the SSM agent installed. Please follow the following process to login to the server.

Navigate to Systems Manager console and go to the Session Manager section on the left pane of the window.

After clicking on Session manager we would be navigated to the session manager as shown below. Please select the start session and you would see a list of instances that are having SSM agent installed and SSM permissions assigned.

Then click on the start session.

Select the instance that you wish to log in to and click on the start session and then you will be logged in as SSM-user.

To check if you are logged into the server, you can use ifconfig. You can also cross-check the private IP address of your server along with the IP address used to log in.

There are some minor restrictions when using AWS Session Manager over SSH. The most important one being that you cannot transfer files with AWS Session Manager. To get around this issue though, you can leverage an S3 bucket and the AWS CLI to swap data. It’s not quite the same as using SCP of course.

Summary

Using AWS Session Manager instead of SSH allows you to simplify authentication, authorization, networking, as well as optimize your audit logs for administrator sessions on EC2 instances for security and compliance regulations.

If you are looking for immutable virtual machines and only need remote access for debugging then say goodbye to SSH and leverage AWS Session Manager as your alternative.

Ibexlabs is an experienced DevOps & Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and makes recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored just for you.

Swapna Mannem

As a Sr DevOps Engineer, we design and develop automation to support continuous delivery and continuous integration processes. All this is done in order to ensure high levels of availability, performance, and Scalability. As a DevOps Engineer, we will also build different strategies to make sure the process follows the DevOps concept. I got a chance to work on internal project Oppsync where I built AWS Infrastructure, CI/CD by following all the best practices.

Talk to an Ibexlabs Cloud Advisor