A Practical Guide to AWS Session Manager — Part 1
Problem Overview
AWS Session Manager is very useful if you want to provide interactive shell access to traditional server-based resources without spending time and resources maintaining the following:
- Bastion hosts that create security boundaries between less-secure and more-secure resources.
- User accounts, passwords, SSH keys, and inbound network ports.
What is Session Manager?
Session Manager is part of AWS Systems Manager that lets you manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, on-premises instances, and virtual machines (VMs) through an interactive one-click browser-based shell or through the AWS CLI. The ability of Session Manager to provide secure instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys makes it one of the best tools for AWS SysOps Administrators.
How to enable Session Manager?
Session Manager works with managed instances in both public and private subnets when they have internet access. Managed instances can also use AWS PrivateLink, which keeps the traffic between EC2 managed instances and AWS Systems Manager on the Amazon network. The following table summarizes the different use cases and how to implement each of them.
Session Manager — Instance is in Public Subnet:
The following CloudFormation template is fully self-contained and shows how to create the complete infrastructure, including a VPC, a public subnet (with route table entries to an Internet Gateway), an Internet Gateway, and all the pieces required for the EC2 instance to be reached through Session Manager. The output of the template provides a link that opens an interactive shell in the browser.
Note that you get a full interactive shell even though the security group has no ingress rule opening any SSH port, with the EC2 instance in a public subnet.
Session Manager — Instance is in Private Subnet with Internet Access:
The following CloudFormation template is fully self-contained and shows how to create the complete infrastructure, including a VPC, a public subnet (with route table entries to an Internet Gateway and a NAT Gateway), a private subnet (with route table entries to the NAT Gateway), and all the pieces required for the EC2 instance to be reached through Session Manager. As before, the output of the template provides a link that opens an interactive shell in the browser.
Note that you get a full interactive shell while the EC2 instance sits in a private subnet and reaches the internet only through the NAT Gateway.
Session Manager in Private Subnet without Internet Access:
The following CloudFormation template is fully self-contained and shows how to create the complete infrastructure, including a VPC, a private subnet, and all the pieces required for the EC2 instance to be reached through Session Manager. As before, the output of the template provides a link that opens an interactive shell in the browser.
Note that you get a full interactive shell while the EC2 instance is in a private subnet without an Internet Gateway. Three VPC endpoints (ssm, ssmmessages, and ec2messages) are required for Session Manager to work without an Internet Gateway, so this solution will not work in Regions that do not offer all three of these VPC endpoints.
To learn more about this use case, you can read this AWS blog post.
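As an added example (not one of the article's own templates), here are the Session Manager pieces for the no-Internet-Gateway case above: the three interface endpoints, a security group that admits only HTTPS from the VPC to them, an instance security group with no inbound rules and outbound HTTPS only, and an instance role carrying the AmazonSSMManagedInstanceCore managed policy. It assumes an existing VPC and private subnet passed in as the parameters VpcId, SubnetId and VpcCidr, and an AMI with SSM Agent preinstalled as ImageId; all resource and parameter names are chosen here.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }
  SubnetId: { Type: AWS::EC2::Subnet::Id }        # no route to an Internet or NAT Gateway
  VpcCidr: { Type: String, Default: 10.0.0.0/16 }
  ImageId: { Type: AWS::EC2::Image::Id }           # AMI with SSM Agent preinstalled
Resources:
  # The endpoints accept only HTTPS, and only from addresses inside the VPC.
  EndpointSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from the VPC to the Systems Manager endpoints
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: !Ref VpcCidr }
  # All three interface endpoints are required when there is no Internet Gateway;
  # PrivateDnsEnabled lets the agent keep using the regional service hostnames.
  SsmEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties: { ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssm", VpcEndpointType: Interface,
                  VpcId: !Ref VpcId, SubnetIds: [!Ref SubnetId], SecurityGroupIds: [!Ref EndpointSG], PrivateDnsEnabled: true }
  SsmMessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties: { ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssmmessages", VpcEndpointType: Interface,
                  VpcId: !Ref VpcId, SubnetIds: [!Ref SubnetId], SecurityGroupIds: [!Ref EndpointSG], PrivateDnsEnabled: true }
  Ec2MessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties: { ServiceName: !Sub "com.amazonaws.${AWS::Region}.ec2messages", VpcEndpointType: Interface,
                  VpcId: !Ref VpcId, SubnetIds: [!Ref SubnetId], SecurityGroupIds: [!Ref EndpointSG], PrivateDnsEnabled: true }
  # No ingress rule at all: the agent dials out over HTTPS to the endpoints, nothing dials in.
  InstanceSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: No inbound rules; Session Manager does not need any
      VpcId: !Ref VpcId
      SecurityGroupEgress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: !Ref VpcCidr }
  # Least privilege for the agent: the managed core policy only, no SSH keys on the box.
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns: [arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore]
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - { Effect: Allow, Principal: { Service: ec2.amazonaws.com }, Action: sts:AssumeRole }
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties: { Roles: [!Ref InstanceRole] }
  Instance:
    Type: AWS::EC2::Instance
    Properties: { ImageId: !Ref ImageId, InstanceType: t3.micro, SubnetId: !Ref SubnetId,
                  IamInstanceProfile: !Ref InstanceProfile, SecurityGroupIds: [!Ref InstanceSG] }
```

Once the stack is up, the instance should appear in the Systems Manager managed-instance list within a few minutes; if it does not, the usual causes are a missing endpoint, a Region without all three services, or an endpoint security group that does not admit the instance's subnet.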
Implementation Challenges
As with everything else in technology, the biggest challenge when moving from traditional bastion hosts to Session Manager is top-level management buy-in within the organization. Many organizations have done it successfully. To learn how they did it, you can read Replacing SSH access to reduce management and security overhead with AWS Systems Manager. Another excellent example is the article Why Rewind Said Hello to AWS Session Manager and Goodbye to SSH. Dave North sums it up brilliantly at the end of his article:
Security is not convenient: a security officer told me this over 20 years ago. I’ve generally found this to hold true over the course of my career; however, AWS Session Manager is one of the rare exceptions. Session Manager is simultaneously secure and convenient!
What is next?
In Part 2 of this series, access control for Session Manager will be covered in detail, with different scenarios and their implementation in CloudFormation.