Session Manager is a capability of AWS Systems Manager, a fully managed service, that lets you connect to your EC2 instances using temporary credentials and launch servers without a key pair. It also does not require an open SSH port in the security group. SSH is useful, but using AWS Systems Manager Session Manager lets you interact with your EC2 instances far more easily.
The benefits of opting for AWS Systems Manager Session Manager rather than SSH include:
- Simplified authentication: the service uses Identity and Access Management (IAM) for authentication and authorization, so you can require multi-factor authentication and reuse your existing IAM users.
- A built-in audit log: AWS Session Manager provides audit logs by default, so each command is logged and stored in CloudWatch Logs or an S3 bucket, as required by your security and compliance regulations.
- Simplified networking: SSH requires a network path from the engineer’s machine to the EC2 instance, whereas AWS Session Manager does not, which reduces security risk.
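The two IAM-side pieces behind the first two benefits, as an added example that is not part of the original post: an operator policy that only allows sessions on instances carrying a specific tag, only with MFA, and only lets a user end or resume their own sessions, plus the Session Manager preferences document that sends every session transcript to CloudWatch Logs and S3 (the logging destinations are set in these preferences, not on the instance). The tag key SessionAccess, the log group, bucket and KMS alias names are placeholders I chose; the condition keys, ARNs and document inputs are the service's own.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: the tag key
# "SessionAccess", the policy name, and the log group / bucket / KMS key
# names passed to session_preferences.

# Identity policy for human operators. ssm:StartSession is limited to
# instances tagged SessionAccess=allowed, to the standard shell document, and
# to callers who authenticated with MFA. Session ids start with the IAM user
# name, so the third statement lets users touch only their own sessions.
# ${aws:username} must reach IAM unexpanded, hence the quoted heredoc.
operator_policy() {
cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnTaggedInstancesWithMfa",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {"ssm:resourceTag/SessionAccess": "allowed"},
        "Bool": {"aws:MultiFactorAuthPresent": "true"}
      }
    },
    {
      "Sid": "UseOnlyTheStandardShellDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    },
    {
      "Sid": "ListInstancesAndSessions",
      "Effect": "Allow",
      "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                 "ssm:DescribeInstanceInformation", "ec2:DescribeInstances"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Session preferences (the document name is fixed by the service). Every
# session is streamed to CloudWatch Logs and archived to S3, both encrypted
# with the given KMS key; idle sessions are closed after 20 minutes.
session_preferences() {
  log_group="$1"; bucket="$2"; kms_key="$3"
cat <<EOF
{
  "schemaVersion": "1.0",
  "description": "Session Manager preferences: log every session",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "$bucket",
    "s3KeyPrefix": "session-logs/",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "$log_group",
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "kmsKeyId": "$kms_key",
    "runAsEnabled": false,
    "runAsDefaultUser": "",
    "idleSessionTimeout": "20"
  }
}
EOF
}

# "print" (the default) only shows the documents for review; "apply" creates
# them with the AWS CLI:  apply LOG_GROUP BUCKET KMS_KEY
case "${1:-print}" in
  print)
    operator_policy
    session_preferences "/aws/ssm/sessions" "example-session-log-bucket" "alias/example-session-key"
    ;;
  apply)
    operator_policy > operator-policy.json
    aws iam create-policy --policy-name SessionManagerOperator \
        --policy-document file://operator-policy.json
    session_preferences "$2" "$3" "$4" > session-preferences.json
    aws ssm create-document --name SSM-SessionManagerRunShell \
        --document-type Session --content file://session-preferences.json
    ;;
esac
```

If preferences already exist in the region, `aws ssm update-document --document-version '$LATEST'` replaces `create-document`. Two things the instance side needs for the logs to actually arrive: the log group and bucket must exist, and the instance role must be allowed to write to them (`logs:CreateLogStream`, `logs:PutLogEvents`, `s3:PutObject` and `kms:GenerateDataKey` for the key), because AmazonSSMManagedInstanceCore alone does not grant that.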
To access EC2 instances with AWS Session Manager, the instances must be running the SSM agent on an operating system that supports it. The EC2 instance must also have an IAM role with the AmazonSSMManagedInstanceCore policy attached, so that Session Manager can connect to the server without a key pair or an SSH port.
If you are using Amazon Linux 2, the SSM agent is already installed and running. If you are using Red Hat or Ubuntu, make sure the SSM agent is installed. Session Manager also supports Linux, Windows Server, and Raspbian.
Session Manager lets us connect to both public and private servers, but in this setup we cannot connect to the database servers, because the DB server subnets have no NAT gateway (and therefore no outbound route to the Systems Manager endpoints). In addition, with AWS Session Manager there are no keys to maintain or rotate.
Prerequisites for Using Session Manager
- Create an AWS account and configure the required IAM roles.
- Verify that Systems Manager is supported in the AWS Regions where you want to use the service.
- Verify that your instances run a supported operating system.
- For EC2 instances, create an IAM instance profile and attach it to your machines.
- Verify that you are allowing HTTPS (port 443) outbound traffic to the Systems Manager endpoints.
- Create a VPC endpoint in Amazon Virtual Private Cloud to use with Systems Manager. (Recommended)
- On VMs, on-premises servers, and EC2 instances created from AMIs that are not supplied by AWS, install a Transport Layer Security (TLS) certificate.
- Install or verify the installation of an SSM Agent on each of your managed instances.
Now let’s see these processes in action.
Navigate to the IAM console and click on ‘Roles’.
Then click on ‘Create role’.
Now select EC2 as the service that will call AWS services on your behalf and click on the ‘Next: Permissions’ button.
Then select the policy you want to attach to the role and click on ‘Next: Tags’.
Enter your tags and click on ‘Review’.
Enter a role name and description, then click on ‘Create role’.
After this, launch an EC2 instance without a key pair or SSH port and attach the IAM role you created to it: select the instance, then go to Actions → Instance Settings → Attach/Replace IAM Role and attach the role.
In the Attach/Replace IAM Role dialog you can directly add the Amazon EC2 Role for SSM policy role to the instance, as in the image below.
We will be logging into the server using Session Manager with the assigned SSM permissions and the SSM agent installed. Please use the following process to log in to the server.
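The same prerequisites and role setup done with the AWS CLI instead of the console, as an added example that is not part of the original post. It creates the instance role with the AWS-managed AmazonSSMManagedInstanceCore policy, wraps it in an instance profile, creates the three interface endpoints that let a private subnet reach Systems Manager without a NAT gateway, and shows how to launch without a key pair or attach the profile to a running instance. The role name SsmInstanceRole, the region, and the vpc-/subnet-/sg-/ami- ids are placeholders; the service names, policy ARN and CLI flags are real.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: role name,
# region, and the VPC / subnet / security group / AMI ids passed in.

# Trust policy: only the EC2 service may assume the instance role.
trust_policy() {
cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Session Manager traffic is outbound HTTPS from the agent to these three
# services; with interface endpoints for them the subnet needs no NAT gateway.
endpoint_services() {
  region="$1"
  for svc in ssm ssmmessages ec2messages; do
    printf 'com.amazonaws.%s.%s\n' "$region" "$svc"
  done
}

# Role + instance profile with the minimum the agent needs.
create_instance_role() {
  role="$1"
  trust_policy > trust.json
  aws iam create-role --role-name "$role" --assume-role-policy-document file://trust.json
  aws iam attach-role-policy --role-name "$role" \
      --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  aws iam create-instance-profile --instance-profile-name "$role"
  aws iam add-role-to-instance-profile --instance-profile-name "$role" --role-name "$role"
}

# Interface endpoints in the instance subnet. The endpoint security group
# must allow inbound 443 from the subnets the instances live in; the
# instances' own security group needs no inbound rule at all.
create_endpoints() {
  region="$1"; vpc="$2"; subnet="$3"; sg="$4"
  endpoint_services "$region" | while read -r svc; do
    aws ec2 create-vpc-endpoint --region "$region" --vpc-id "$vpc" \
        --vpc-endpoint-type Interface --service-name "$svc" \
        --subnet-ids "$subnet" --security-group-ids "$sg" --private-dns-enabled
  done
}

# Launch with the profile and no --key-name: nothing to rotate or leak.
launch_without_keypair() {
  aws ec2 run-instances --region "$1" --image-id "$2" --instance-type t3.micro \
      --subnet-id "$3" --security-group-ids "$4" \
      --iam-instance-profile Name="$5" --no-associate-public-ip-address
}

# Console equivalent: Actions -> Instance Settings -> Attach/Replace IAM Role.
attach_to_running() {
  aws ec2 associate-iam-instance-profile --region "$1" --instance-id "$2" \
      --iam-instance-profile Name="$3"
}

# Once the agent has registered through the endpoints, the instance shows up
# here with PingStatus Online; that is the list "Start session" offers.
verify_managed() {
  aws ssm describe-instance-information --region "$1" --output table \
      --query 'InstanceInformationList[].[InstanceId,PingStatus,PlatformName]'
}

case "${1:-print}" in
  print) trust_policy; endpoint_services "us-east-1" ;;
  apply) create_instance_role "SsmInstanceRole"
         create_endpoints "us-east-1" "vpc-PLACEHOLDER" "subnet-PLACEHOLDER" "sg-PLACEHOLDER"
         launch_without_keypair "us-east-1" "ami-PLACEHOLDER" "subnet-PLACEHOLDER" "sg-PLACEHOLDER" "SsmInstanceRole"
         verify_managed "us-east-1" ;;
esac
```

Run without arguments to see the trust policy and endpoint names; `apply` performs the calls. If an instance still does not appear as Online in `verify_managed`, the usual causes are the missing profile, no route to the three endpoints (the NAT-gateway problem mentioned earlier), or an agent that is not running.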
Navigate to the Systems Manager console and go to the Session Manager section on the left-hand pane of the window.
After clicking on Session Manager, navigate to the Sessions page as shown below. Select the ‘Start session’ button and you will see a list of instances that have the SSM agent installed and SSM permissions assigned.
Then click on the ‘Start session’ button on this page too.
Select the instance you wish to log in to and click on ‘Start session’; you will be logged in as ssm-user.
To check that you are logged into the right server, run ifconfig and compare the private IP address it shows with the IP address of the instance you selected.
There are some minor restrictions when using AWS Session Manager instead of SSH, the most important being that you cannot transfer files with Session Manager. To work around this, you can use an S3 bucket and the AWS CLI to move data, although it is not quite the same as using SCP.
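The CLI equivalent of the console login above, as an added example that is not part of the original post: it checks that the instance is registered and Online (the condition for appearing under ‘Start session’), opens the session, and gives a check to run inside the session that confirms which host you landed on via IMDSv2 rather than by eyeballing ifconfig. It needs the Session Manager plugin installed beside the AWS CLI; the instance ids are constructed placeholders and the sample inventory is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Needs the Session Manager
# plugin for the AWS CLI. Instance ids below are constructed placeholders.

# Tab-separated "InstanceId PingStatus PlatformName" lines.
list_managed() {
  aws ssm describe-instance-information --output text \
      --query 'InstanceInformationList[].[InstanceId,PingStatus,PlatformName]'
}

# Returns 0 when the instance is registered and reports Online.
is_online() {
  inventory="$1"; instance="$2"
  printf '%s\n' "$inventory" | awk -v id="$instance" \
      '$1 == id && $2 == "Online" { found = 1 } END { exit found ? 0 : 1 }'
}

# Open an interactive shell only after the Online check passes, so a failed
# prerequisite produces a clear message instead of a hanging connection.
start_session() {
  instance="$1"
  if is_online "$(list_managed)" "$instance"; then
    aws ssm start-session --target "$instance"
  else
    echo "$instance is not Online in Systems Manager (agent, role or endpoint problem)" >&2
    return 1
  fi
}

# Run inside the session: read the instance id from IMDSv2 (token first, so
# it also works where IMDSv1 is disabled) and compare it with the one you
# meant to connect to.
in_session_check() {
  expected="$1"
  token=$(curl -sS -X PUT http://169.254.169.254/latest/api/token \
          -H 'X-aws-ec2-metadata-token-ttl-seconds: 60')
  actual=$(curl -sS -H "X-aws-ec2-metadata-token: $token" \
          http://169.254.169.254/latest/meta-data/instance-id)
  echo "user: $(id -un)  instance: $actual  host: $(hostname -I 2>/dev/null || hostname)"
  [ "$actual" = "$expected" ]
}

# Constructed sample inventory used when run without arguments (no AWS calls).
SAMPLE_INVENTORY=$(printf 'i-0123456789abcdef0\tOnline\tAmazon Linux\ni-0fedcba9876543210\tConnectionLost\tUbuntu')

case "${1:-demo}" in
  demo)    is_online "$SAMPLE_INVENTORY" i-0123456789abcdef0 && echo "i-0123456789abcdef0 is Online" ;;
  connect) start_session "$2" ;;          # connect INSTANCE_ID
  whoami)  in_session_check "$2" ;;       # run inside the session: whoami INSTANCE_ID
esac
```

The ConnectionLost entry in the sample is the state you see when an instance was once registered but the agent can no longer reach the service; such instances are deliberately rejected by `is_online`.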
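The S3 workaround spelled out, as an added example that is not part of the original post: a policy scoped to one action on one prefix (the instance role gets read-only access, never a listing or the whole bucket), an upload with server-side encryption, and the commands to paste into the session, including a SHA-256 check so a truncated or altered download is noticed. Bucket, prefix and role names are placeholders; the CLI flags and policy actions are real.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: bucket name,
# prefix and the instance role name.

# Inline IAM policy limited to one action on one prefix of one bucket. A
# narrow prefix means a compromised instance cannot read the rest of the
# bucket, and GetObject alone does not even allow listing it.
transfer_policy() {
  bucket="$1"; prefix="$2"; action="$3"   # s3:GetObject or s3:PutObject
cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "$action",
    "Resource": "arn:aws:s3:::$bucket/$prefix/*"
  }]
}
EOF
}

# Object key under the transfer prefix.
transfer_key() {
  printf '%s/%s\n' "$1" "$(basename "$2")"
}

# SHA-256 of a local file (GNU coreutils, or shasum where sha256sum is absent).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Run on the operator's machine: upload with SSE-KMS, then print what to run
# in the Session Manager shell and how to clean up afterwards.
push_file() {
  bucket="$1"; prefix="$2"; file="$3"
  key=$(transfer_key "$prefix" "$file")
  sum=$(file_sha256 "$file")
  aws s3 cp "$file" "s3://$bucket/$key" --sse aws:kms
  cat <<MSG
In the session run:
  aws s3 cp s3://$bucket/$key /tmp/$(basename "$file")
  echo "$sum  /tmp/$(basename "$file")" | sha256sum -c
Then, back on your machine, remove the object:
  aws s3 rm s3://$bucket/$key
MSG
}

# Give the instance role read access to the prefix and nothing more.
grant_instance_read() {
  transfer_policy "$1" "$2" s3:GetObject > transfer-read.json
  aws iam put-role-policy --role-name "$3" --policy-name SessionTransferRead \
      --policy-document file://transfer-read.json
}

case "${1:-print}" in
  print) transfer_policy example-transfer-bucket transfers s3:GetObject ;;
  grant) grant_instance_read "$2" "$3" "$4" ;;   # grant BUCKET PREFIX ROLE
  push)  push_file "$2" "$3" "$4" ;;            # push  BUCKET PREFIX FILE
esac
```

For the reverse direction (pulling a log or dump off the instance) the roles swap: the instance role gets `s3:PutObject` on the prefix from the same `transfer_policy`, and the operator downloads and verifies the hash locally.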
Using AWS Session Manager instead of SSH lets you simplify authentication, authorization and networking, and capture audit logs of administrator sessions on EC2 instances for security and compliance purposes.
If you are looking for immutable virtual machines and only need remote access for debugging then say goodbye to SSH and leverage AWS Session Manager as your alternative.
Ibexlabs is an experienced DevOps & Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and makes recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored just for you.