AWS SSM for Bastion host

Many IT companies are already using cloud providers (such as Amazon AWS, Google GCP or Microsoft Azure). A lot of those running on AWS rely on SSH keys to connect to a bastion host, and managing SSH keys is a headache. Imagine we have a hundred accounts and each has its own bastion host. To follow security best practice we need to rotate keys, and in many scenarios we have to add or remove them: when a new person joins the team we have to add their key to grant access, and when someone leaves the team we have to remove it. Sometimes developers also want to access the dev and stage databases from their local machine.

Can we access a bastion host from a computer/laptop without SSH keys?

Yes, we can access a bastion host, or any other server, without SSH keys by using AWS SSM (Session Manager). You can set up AWS SSM using the following guide.

Prerequisites

1. AWS CLI: Ensure that the AWS CLI is installed and configured on your local machine.

2. IAM Role: Your EC2 instance must have an IAM role attached with the following policies:

- AmazonSSMManagedInstanceCore

- Optional: AmazonEC2RoleforSSM (if you are managing EC2 instances)

3. SSM Agent: The SSM Agent must be installed and running on your EC2 instances. Most Amazon Machine Images (AMIs) have this agent pre-installed; you can find the list of AMIs here.

Steps to Set Up SSM for Bastion Host

1. Attach IAM Role to EC2 Instance:

- Create or identify an IAM role with the required policies.

- Attach this IAM role to your bastion host instance.

2. Ensure SSM Agent is Running:

- For Amazon Linux 2 or Ubuntu:

    sudo systemctl status amazon-ssm-agent

- If it's not running, start it:

    sudo systemctl start amazon-ssm-agent
    sudo systemctl enable amazon-ssm-agent

3. Configure Security Groups:

- Ensure the security group associated with your instance allows outbound internet access to communicate with the SSM service.

4. Session Manager Plugin for AWS CLI:

- Install the Session Manager plugin if it's not already installed. Follow the installation instructions from https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html

5. Connecting to the Bastion Host:

- Use the AWS CLI to start a session with the bastion host:

    aws ssm start-session --target instance-id

Replace instance-id with your EC2 instance ID.

Example: Using SSM Session Manager

1. Start a Session:

    aws ssm start-session --target i-0abcdef1234560782

This command will open an interactive shell session on the specified instance.

2. Port Forwarding with Session Manager:

If you need to forward a port from your local machine through the bastion host to a remote host (for example an RDS database):

    aws ssm start-session \
        --target instance-id \
        --document-name AWS-StartPortForwardingSessionToRemoteHost \
        --parameters '{"host":["mydb.example.us-east-2.rds.amazonaws.com"],"portNumber":["3306"],"localPortNumber":["3306"]}'

This forwards your local port 3306 through the bastion host to port 3306 on the remote host given in the host parameter (here the RDS endpoint), allowing you to access the database from your local machine.

Best Practices

- Disable SSH Access: After configuring SSM, disable SSH access to your bastion host for improved security.

- Logging and Auditing: Enable logging for your SSM sessions to monitor activity. You can configure CloudWatch Logs for this purpose.

- Security Groups: Tighten security groups to only allow necessary outbound traffic since inbound traffic through SSH is no longer needed.
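To check the last two practices above, here is a small audit script added to this article (not part of the original post). It parses the JSON that `aws ec2 describe-security-groups` returns, reports every inbound rule that still reaches TCP/22, and confirms outbound 443 is open for the SSM Agent; the group ID, CIDRs and rules in the sample are constructed.

```python
import json
from typing import Dict, List

# Constructed sample in the shape returned by
# `aws ec2 describe-security-groups --group-ids sg-...` (all values are made up).
SAMPLE_SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0bastion000000001", "GroupName": "bastion-sg",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}
   ],
   "IpPermissionsEgress": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}
   ]}
]}
""")

def covers_port(rule: Dict, port: int) -> bool:
    """True if an EC2 rule applies to TCP `port` (protocol -1 means all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def ssh_inbound_findings(sg_json: Dict) -> List[str]:
    """List every inbound source that can still reach TCP/22; after SSM adoption this should be empty."""
    findings = []
    for sg in sg_json["SecurityGroups"]:
        for rule in sg["IpPermissions"]:
            if not covers_port(rule, 22):
                continue
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            sources += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
            for src in sources:
                findings.append(f"{sg['GroupId']} allows TCP/22 from {src}")
    return findings

def egress_allows_https(sg_json: Dict) -> bool:
    """The SSM Agent reaches the SSM endpoints over HTTPS; check some egress rule permits TCP/443."""
    return any(covers_port(r, 443)
               for sg in sg_json["SecurityGroups"] for r in sg["IpPermissionsEgress"])

if __name__ == "__main__":
    for finding in ssh_inbound_findings(SAMPLE_SECURITY_GROUPS):
        print("REMOVE:", finding)
    print("outbound 443 available for SSM:", egress_allows_https(SAMPLE_SECURITY_GROUPS))
```

To run it against a real account, pipe the CLI output into `json.load` in place of the constructed sample.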
