How to access an EC2 instance via SSH without exposing the SSH port
Updated: Jan 21
Leveraging an AWS native feature to secure your EC2 instances while keeping SSH access restricted.
$ ssh i-0a1b2c3d4e5f6g7h8i9
$ aws ssm start-session --target i-0a1b2c3d4e5f6g7h8i9
Bastion on AWS Cloud
Among the many useful features AWS offers is AWS Systems Manager (SSM), which can act as a bastion so you can reach an EC2 instance over SSH without exposing the SSH port to the internet. Some of the interesting points are:
No need to allow SSH in Security Groups, Network ACLs, etc.
Access defined via AWS IAM
Access can be based on EC2 tags (e.g. Stage=Prod: SysAdmins only; Stage=UAT: SysAdmins and Devs)
Auditing and logging (you have a history of who is active, who connected, to which node, etc.)
Fully managed by AWS
It’s possible to customize the shell profile
Restrict access per IAM user
Restrict the commands allowed
How it works
This is what happens when a user runs the AWS CLI/SSM to start an SSH session on the EC2 instance:
An IAM user initiates the session
AWS IAM validates that the user has the required privileges/policy
AWS SSM looks up the EC2 instance among its Managed Instances
The SSH session is started using an AWS SSM document (AWS-StartSSHSession)
There are only three mandatory prerequisites and one optional one. The optional one is needed only if you want to use the ssh command instead of aws ssm start-session.
The AWS SSM Agent installed on your EC2 instance: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html
An Instance Profile / IAM Role that allows your EC2 instance to register with AWS SSM Managed Instances
An IAM user with privileges to access AWS SSM and the EC2 instance (authenticated with access/secret keys, or with an IAM role obtained by assuming a role)
An SSH key pair configured on the EC2 instance (optional)
Once you meet the prerequisites, the instance will show up in AWS SSM Managed Instances, which means you can access it. Usually this happens shortly after the instance reaches the Running status on the EC2 page.
You can check your Managed Instances here: https://console.aws.amazon.com/systems-manager/managed-instances
Note - AMI: Some official AMIs already come with the AWS SSM Agent installed, for example the Amazon Linux 2 AMI.
Note - IAM Policy: You can use the existing AWS managed policy AmazonSSMManagedInstanceCore, which has all the permissions needed. Attach it to your IAM Role, or create an Instance Profile / IAM Role and attach it there.
Note - The First Time: The first time, the instance may take several minutes to show up in AWS SSM Managed Instances.
How to use
Connecting to the EC2 instance is straightforward.
You can see the active sessions and the session history. You can also terminate an active session.
As you can see, you don’t need an inbound rule in the Security Group (you only need outbound rules, because the instance needs an internet connection).
Tips and Tricks
It’s not Halloween, but it’s always a good time for some Tips and Tricks.
This trick is handy when managing many instances. Instead of going to the AWS console, checking the Instance Id, going to the terminal and then accessing the node, you can just use the second example. This can save a lot of time, which may be critical during a crisis.
You can set this up on your local machine/client by adding it to the file ~/.ssh/config.
Note: To use this trick, “The EC2 instance needs to have an SSH Key Pair configured”.
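As an added example (not the post's own config), here is a small POSIX sh script that installs into ~/.ssh/config a ProxyCommand entry routing every i-* host through Session Manager with the AWS-StartSSHSession document, following the pattern AWS documents. The marker comment, the optional file argument and the helper names are this example's own; it assumes the AWS CLI and the session-manager-plugin are installed and the instance has the key pair from the optional prerequisite.

```shell
#!/bin/sh
# Added example, not the post's own config: installs the ~/.ssh/config stanza
# that makes "ssh i-<instance-id>" tunnel through Session Manager using the
# AWS-StartSSHSession document, the ProxyCommand pattern AWS documents.
# Assumes the AWS CLI and session-manager-plugin are on PATH.
set -eu

# Marker line (this example's own) used to keep the install idempotent.
SSM_STANZA_MARKER='# ssm-ssh-proxy (managed stanza)'

# Emit the stanza. ssh substitutes %h (the host, i.e. the instance id) and %p
# (the port) before running the ProxyCommand, so one entry covers all instances.
ssm_ssh_stanza() {
    cat <<EOF
$SSM_STANZA_MARKER
Host i-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# Append the stanza to the config file ($1, default ~/.ssh/config) exactly once.
# Returns 0 when it was added, 1 when it was already present.
install_ssm_ssh_stanza() {
    cfg="${1:-$HOME/.ssh/config}"
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg"
    chmod 600 "$cfg"   # ssh refuses a config file that others can write to
    if grep -qF "$SSM_STANZA_MARKER" "$cfg"; then
        return 1
    fi
    ssm_ssh_stanza >> "$cfg"
}

# Both binaries must be on PATH, otherwise the ProxyCommand fails opaquely
# and ssh reports only "Connection closed".
check_ssm_prereqs() {
    for bin in aws session-manager-plugin; do
        command -v "$bin" >/dev/null 2>&1 || { echo "missing: $bin" >&2; return 1; }
    done
}
```

After running install_ssm_ssh_stanza, the first command from the intro (ssh i-0a1b2c3d4e5f6g7h8i9) works with the key pair and user you would normally use, while port 22 stays closed in the Security Group.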