Part 2: A Practical Guide to AWS Session Manager — Controlling Access
Problem Overview
Part 1 explained why Session Manager should be used and how it can be applied in different scenarios, along with implementation through CloudFormation. This part goes one step further: it explains why user access needs to be controlled differently in different situations and how to achieve that in five scenarios using CloudFormation.
How to control access to Session Manager?
As described in the AWS documentation topic Control user session access to instances, you use IAM policies to control which instances specific users or groups can connect to and which Session Manager API operations they can perform on the instances they are given access to.
This article covers the following scenarios to give a comprehensive overview of how access to EC2 instances can be controlled in different situations:
- Single User Access to Specific EC2 Instance
- Single User Access to Multiple EC2 Instances using instance id
- Single User Access to Multiple EC2 Instances using tags
- Single User Access to Multiple EC2 Instances in a hierarchical structure using tags
- Group access to Multiple EC2 Instances using tags
Scenario 1: Single User Access to Specific EC2 Instance
Let’s say an instance has been created using this CloudFormation template. Once resource creation is complete, the stack’s Outputs tab shows the URL for connecting to the EC2 instance, as shown below.
For a single user who needs access to the EC2 instance through the Session Manager URL highlighted above, the following inline policy document can be used. The CloudFormation template is as follows (username, password, AWS account, and instance ID need to be filled in).
Suppose you ignore the Session Manager URL output by the CloudFormation template that created the EC2 instance, and instead log in to the AWS Management Console with the credentials of the user created by the user-creation template above, expecting to right-click the EC2 instance and choose ‘Connect’ to open a Session Manager session. You may be surprised to see the following message, which shows that you don’t have permission to do anything on any EC2 instance.
As shown in the following CloudFormation template, to be able to view EC2 instances the user must also be granted the ec2:DescribeInstances action on all resources.
At the time of this writing, there is no way to restrict which EC2 instances a user can view in the AWS Management Console, but you can restrict what users can do with the instances they can view. It may become possible in the future to restrict the view of EC2 instances based on tags.
The user created with the above CloudFormation template can log in to the AWS Management Console, right-click the EC2 instance they have permission to connect to, go to the Session Manager tab, and start the session.
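Putting Scenario 1 together, here is an added example template (not the article’s own, which is not reproduced on this page) that creates one IAM user whose inline policy allows ssm:StartSession on a single instance ID passed in as a parameter, plus the ec2:DescribeInstances grant on all resources that the console needs. The parameter names, the policy name and the extra ssm:Describe*/GetConnectionStatus actions are my assumptions; the session-ARN pattern follows the AWS documentation’s convention that session IDs begin with the IAM user name.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example (not the article's template) - one IAM user, one instance
Parameters:
  UserName:
    Type: String
  UserPassword:
    Type: String
    NoEcho: true
  InstanceId:
    Type: AWS::EC2::Instance::Id   # fill in the real instance ID when deploying
Resources:
  SessionUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref UserName
      LoginProfile:
        Password: !Ref UserPassword
        PasswordResetRequired: true
      Policies:
        - PolicyName: SessionManagerSingleInstance   # assumed name
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Start sessions only on the one instance passed in as a parameter.
              - Effect: Allow
                Action: ssm:StartSession
                Resource: !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/${InstanceId}'
              # Listing instances in the console cannot be scoped per instance, so Resource is "*".
              # The user can see every instance, but StartSession above still limits where they connect.
              - Effect: Allow
                Action:
                  - ec2:DescribeInstances
                  - ssm:DescribeInstanceProperties
                  - ssm:GetConnectionStatus
                Resource: '*'
              # Terminate or resume only sessions whose ID starts with this user's own name.
              - Effect: Allow
                Action:
                  - ssm:TerminateSession
                  - ssm:ResumeSession
                Resource: !Sub 'arn:aws:ssm:*:*:session/${UserName}-*'
```

Deploy with the real instance ID and the user will be able to open a session on that instance only, while the console still lists every instance in the region.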
Scenario 2: Single User Access to Multiple EC2 Instances
Let’s say we have two EC2 instances in a private subnet without internet access that we want a user to be able to connect to using Session Manager. The CloudFormation template is as follows:
To create a user who can access both instances created by the above template, the following CloudFormation template can be used. For each instance the user needs to access, its ARN must be added to the Resource section of the IAM inline policy assigned to the user.
Scenario 3: Single User Access to Multiple EC2 Instances using tags
You can clearly see the problem with the last scenario. Instance IDs are hard-coded in the inline policy assigned to the user, so every time an instance ID changes you need to update the user’s permissions. And what if the user needs access to a large number of servers? Granting access server by server wastes a lot of time and resources.
Scenario 2 goes against the idea that cloud resources should be treated as cattle, not pets.
To solve the problem we have with Scenario 2, we use instance tags to identify which resources a user needs access to. It is very common for resources to be tagged with the environment they belong to, e.g. all EC2 instances can be tagged with the key ‘Environment’ and the value ‘Development’ or ‘Production’. The CloudFormation template creating these EC2 instances would look as follows:
The CloudFormation template creating a user with an inline policy that grants Session Manager access only to EC2 instances tagged with the key ‘Environment’ and the value ‘Development’ is as follows:
It is important to note how the Condition element is used to check for a specific instance tag key and value.
Scenario 4: Single User Access to Multiple EC2 Instances in a hierarchical structure using tags
Imagine your EC2 instances belong to different departments within an organization and each instance within the department belongs to a different environment. The hierarchical structure would look something like this:
You want to give an IAM user access to only the Development resources of the Finance department. You need to tag the EC2 instances with multiple tags; in this case the first key is Department with the value Finance and the second key is Environment with the value Development. The CloudFormation template would look like this:
The user’s access is based on an inline policy that uses multiple tags to specify which instances the user can access, as shown in the tables below:
The CloudFormation template would look as follows:
Notice how the Condition element in the IAM policy is used to give a user access to resources that are organized in a hierarchical structure: every tag key listed in the condition must match, so an instance tagged Finance/Production or Marketing/Development is not accessible.
Scenario 5: Group access to Multiple EC2 Instances using tags
Normally you would never grant access directly to a specific user. Instead, you create a group, assign permissions to the group, and then add users to it. This is how you manage access at scale: when a user in the group no longer needs access, you simply remove that user from the IAM group.
The only situation in which you would assign permissions directly to a user is when that user needs access so unique that no group provides it, and there is no point creating a separate group for a single user when you do not expect anyone else to join it.
The CloudFormation template that creates a group with permission to connect to EC2 instances tagged with, say, Department/Finance and Environment/Development, along with a user created and assigned to that group, is as follows:
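As an added example covering Scenarios 3, 4 and 5 (it is not the article’s own template, which does not appear on this page), the template below creates an IAM group whose inline policy allows ssm:StartSession only on instances carrying both tags, Department=Finance and Environment=Development, using the ssm:resourceTag/<key> condition keys, and then adds a user to that group. The Scenario 3 single-tag version is the same policy with only the Environment line in the condition; the group name, policy name and parameter name are my assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example (not the article's template) - tag-scoped Session Manager group
Parameters:
  MemberUserName:
    Type: String
Resources:
  FinanceDevSessionGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: FinanceDevelopmentSessionManager   # assumed name
      Policies:
        - PolicyName: SessionManagerByTag            # assumed name
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Resource covers every instance in the account; the tag condition does the scoping.
              # Keys inside one StringEquals block are ANDed, so both tags must match exactly.
              - Effect: Allow
                Action: ssm:StartSession
                Resource: !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*'
                Condition:
                  StringEquals:
                    ssm:resourceTag/Department: Finance
                    ssm:resourceTag/Environment: Development
              # Console listing and connection-status checks cannot be scoped per instance.
              - Effect: Allow
                Action:
                  - ec2:DescribeInstances
                  - ssm:DescribeInstanceProperties
                  - ssm:GetConnectionStatus
                Resource: '*'
              # ${aws:username} is an IAM policy variable, left unexpanded because no !Sub is used.
              - Effect: Allow
                Action:
                  - ssm:TerminateSession
                  - ssm:ResumeSession
                Resource: 'arn:aws:ssm:*:*:session/${aws:username}-*'
  MemberUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref MemberUserName
  # Membership is a separate resource, so users can be added or removed without touching the policy.
  MemberUserMembership:
    Type: AWS::IAM::UserToGroupAddition
    Properties:
      GroupName: !Ref FinanceDevSessionGroup
      Users:
        - !Ref MemberUser
```

Because the tags now decide who may connect, anyone allowed to call ec2:CreateTags on instances can effectively widen this group’s reach; keep tag-writing permissions as tightly scoped as the session permissions themselves.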
What is next?
In the future I would like to go through Configuring AWS Systems Manager Session Manager run-as support for federated users using session tags and implement it while documenting the experience.