AWS SSM for Bastion host
Kashif Mehmood
Terraform Certified | Kubernetes Certified Administrator | Kubernetes Application Developer | AWS Solution Architect | Cloud Infrastructure (AWS, GCP) and on-premises
Many IT companies already use cloud providers such as Amazon AWS, Google GCP or Microsoft Azure, and a lot of those on AWS rely on SSH keys to connect to a bastion host. Managing SSH keys is a headache. Imagine we have hundreds of accounts, each with its own bastion host. To follow security best practice we need to rotate the keys, and in many scenarios we have to add or remove SSH keys: when a new person joins the team we have to add their key to give them access, and when someone leaves the team we have to remove it. Sometimes developers also want to reach the dev and stage environment databases from their local machines.
Can we access the bastion host from a computer/laptop without SSH keys?
Yes, we can access the bastion host, or any other server, without SSH keys by using AWS SSM (Session Manager). You can set up AWS SSM using the following guide.
Prerequisites
1. AWS CLI: Ensure that the AWS CLI is installed and configured on your local machine.
2. IAM Role: Your EC2 instance must have an IAM role attached with the following policies:
- AmazonSSMManagedInstanceCore
- Optional: AmazonEC2RoleforSSM (if you are managing EC2 instances)
3. SSM Agent: The SSM Agent must be installed and running on your EC2 instances. Most Amazon Machine Images (AMIs) have this agent pre-installed; you can find the list of AMIs that ship with the agent in the AWS documentation.
Steps to Set Up SSM for Bastion Host
1. Attach IAM Role to EC2 Instance:
- Create or identify an IAM role with the required policies.
- Attach this IAM role to your bastion host instance.
2. Ensure SSM Agent is Running:
- For Amazon Linux 2 or Ubuntu:
sudo systemctl status amazon-ssm-agent
- If it's not running, start it:
sudo systemctl start amazon-ssm-agent
sudo systemctl enable amazon-ssm-agent
3. Configure Security Groups:
- Ensure the security group associated with your instance allows outbound internet access to communicate with the SSM service.
4. Session Manager Plugin for AWS CLI:
- Install the Session Manager plugin if it's not already installed. Follow the installation instructions from https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
5. Connecting to the Bastion Host:
- Use the AWS CLI to start a session with the bastion host:
aws ssm start-session --target instance-id
Replace instance-id with the ID of your EC2 instance.
Example: Using SSM Session Manager
1. Start a Session:
aws ssm start-session --target i-0abcdef1234560782
This command will open an interactive shell session on the specified instance.
2. Port Forwarding with Session Manager:
If you need to forward a port from your local machine to the bastion host:
aws ssm start-session \
--target instance-id \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters '{"host":["mydb.example.us-east-2.rds.amazonaws.com"],"portNumber":["3306"], "localPortNumber":["3306"]}'
This will forward your local port 3306 through the bastion host to port 3306 on the remote host named in the host parameter (here the RDS endpoint), so you can reach the database from your local machine without exposing it or the bastion over SSH.
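As an added example (not part of the original post), the shell wrapper below puts the steps above together: it validates the instance ID and ports, asks SSM whether the agent on the bastion has checked in before opening a session, and builds the port-forwarding parameters for the same document and RDS endpoint used above. The script name, the function names and the shell/forward modes are my assumptions; the aws commands it calls are the real ones.

```shell
#!/bin/sh
# Hypothetical wrapper (not from the post): SSM pre-flight checks, then a shell
# session or a port-forward through the bastion, both without SSH.
#   ./ssm-connect.sh shell i-0abcdef1234560782
#   ./ssm-connect.sh forward i-0abcdef1234560782 mydb.example.us-east-2.rds.amazonaws.com 3306 3306
set -eu

# EC2 instance IDs are "i-" followed by 8 or 17 lowercase hex characters.
valid_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# A port is a plain integer in 1..65535 (rejects "", letters, 0 and 70000).
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# --parameters JSON for the AWS-StartPortForwardingSessionToRemoteHost document.
forward_params() {
  printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' "$1" "$2" "$3"
}

# Ask SSM whether the agent on the instance has checked in. "Online" means the
# IAM role, the agent and the outbound access are all in place; anything else
# explains the otherwise opaque TargetNotConnected error from start-session.
ssm_ping_status() {
  aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$1" \
    --query 'InstanceInformationList[0].PingStatus' --output text
}

main() {
  mode=${1:-}; target=${2:-}
  valid_instance_id "$target" || { echo "bad instance id: $target" >&2; exit 2; }
  status=$(ssm_ping_status "$target")
  [ "$status" = "Online" ] || { echo "$target is not Online in SSM ($status)" >&2; exit 3; }
  case "$mode" in
    shell) aws ssm start-session --target "$target" ;;
    forward)
      host=${3:-}; rport=${4:-}; lport=${5:-$rport}
      valid_port "$rport" && valid_port "$lport" || { echo "bad port" >&2; exit 2; }
      aws ssm start-session --target "$target" \
        --document-name AWS-StartPortForwardingSessionToRemoteHost \
        --parameters "$(forward_params "$host" "$rport" "$lport")" ;;
    *) echo "usage: $0 shell|forward <instance-id> [host remote-port [local-port]]" >&2; exit 1 ;;
  esac
}
# Run only when arguments are given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```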
Best Practices
- Disable SSH Access: After configuring SSM, disable SSH access to your bastion host for improved security.
- Logging and Auditing: Enable logging for your SSM sessions to monitor activity. You can configure CloudWatch Logs for this purpose.
- Security Groups: Tighten security groups to only allow necessary outbound traffic since inbound traffic through SSH is no longer needed.