Secure your access to bastion host using SSM, Windows CLI access, RDP, port forwarding and lots more....

Amazon Elastic Compute Cloud (EC2) instances are widely used for hosting web servers, application servers, and other workloads in the cloud. To manage these instances, Amazon offers several options, including Secure Shell (SSH), Remote Desktop Protocol (RDP), and other remote access tools. However, these methods require open inbound ports and public IP addresses, which can pose security risks. AWS Systems Manager Session Manager offers a secure and convenient alternative to these traditional methods for accessing EC2 instances.

In this blog post, we will discuss how to connect to EC2 instances via Session Manager, the benefits of Session Manager, why it is secure, and other features.

Benefits of Session Manager

AWS Systems Manager Session Manager offers several benefits over traditional remote access methods:

  1. Security: Session Manager uses SSL encryption to protect communications between the client and server. You do not need to expose inbound ports or assign public IP addresses to your EC2 instances, which reduces the attack surface of your infrastructure.
  2. Access control: Session Manager integrates with AWS Identity and Access Management (IAM), allowing you to control who has access to your EC2 instances. You can set granular permissions for users and groups, and audit access using AWS CloudTrail.
  3. Convenience: Session Manager provides a browser-based interface for accessing your EC2 instances, eliminating the need for separate remote access tools. You can connect to your instances from anywhere with an internet connection, without requiring a VPN connection.
  4. Cost: Session Manager is a free service, and you only pay for the underlying EC2 instances and other resources used.

Why is Session Manager secure?

AWS Systems Manager Session Manager is a secure alternative to traditional remote access methods, such as SSH or RDP, for several reasons:

  1. Encrypted communication: Session Manager uses SSL encryption to protect communication between the client and server, ensuring that all data transmitted over the network is secure.
  2. No open inbound ports: With Session Manager, you do not need to expose inbound ports or assign public IP addresses to your EC2 instances, reducing the attack surface of your infrastructure.
  3. Access control: Session Manager integrates with AWS Identity and Access Management (IAM), allowing you to control who has access to your EC2 instances. You can set granular permissions for users and groups, and audit access using AWS CloudTrail.

Other features of Session Manager

AWS Systems Manager Session Manager offers several additional features to simplify the management of your EC2 instances:

  1. Support for multiple operating systems: Session Manager supports Windows and Linux instances, allowing you to manage a wide range of workloads.
  2. Integrated troubleshooting: Session Manager provides integrated tools for troubleshooting common issues, such as network connectivity or performance.
  3. Session recording: Session Manager can record all sessions, allowing you to review activity and troubleshoot issues.

Connecting to EC2 instances via Session Manager

In this blog, we are going to focus on:

  • Connecting from your Windows desktop/laptop to a Linux EC2 instance using the SSM plugin and the AWS CLI
  • RDP onto a Windows server using port forwarding from your Windows laptop.

The best part about this solution is that you do not need any security group (SG) inbound rules, yes you heard it right :), which makes it more secure.

CLI access to Linux EC2 instance from Windows PowerShell

  • First, we need to have the Session Manager plugin installed on our workstation. The plugin can be downloaded from: link
  • Check that the plugin is installed by running the following command:

session-manager-plugin

  • Authenticate to your AWS account using SSO temporary credentials or an AWS profile.
  • Run the following command to initiate the session:

aws ssm start-session --target <instance_id> --region <region>

  • Once you are logged in, you will see a console similar to this:


As you can see, I can log in to a Linux-based instance from my Windows workstation.

RDP access to Windows based EC2 instance using port forwarding

  • Authenticate to your AWS account using SSO temporary credentials or an AWS profile.
  • Run the following command:

aws ssm start-session --target <instance-id> --document-name AWS-StartPortForwardingSession --parameters "portNumber=3389","localPortNumber=<local_port_number>" --region ap-southeast-2

  • When the command succeeds, you will see the following notification:


  • This means that the session is ready to be used.
  • Retrieve the password of "Administrator" from the EC2 console.
  • Go to the EC2 console, select the EC2 instance and select "Connect".
  • Go to the second tab ("RDP client") and select "Get Password".


  • The next window will ask you for your private key; paste the key and click "Decrypt password".


  • Note down the password, as we will need it to RDP onto the EC2 instance.
  • Run mstsc.exe on your Windows workstation; this opens the RDP prompt.
  • Click "Show Options" in the RDP prompt.
  • For the computer name, enter "localhost:<local_port_number>". local_port_number has to be the same value you used when you ran the command. For example, in my case I am using 56789.


  • It will prompt you for the password. Paste the password you retrieved earlier.
  • If everything goes according to plan, we should be logged in by now.

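The two-step RDP procedure above (open the port-forwarding session, then point mstsc at localhost:<local_port_number>) wrapped into one PowerShell function, as an added example that is not part of the original post. It assumes the AWS CLI v2 and session-manager-plugin are installed and that credentials are already configured; the function name Connect-RdpOverSsm is my own, and the instance id at the bottom is a placeholder.

```powershell
# Added example, not from the original post. Assumes AWS CLI v2 and
# session-manager-plugin are installed and credentials are already configured.
function Connect-RdpOverSsm {
    param(
        [Parameter(Mandatory)] [string] $InstanceId,
        [string] $Region = 'ap-southeast-2',
        [int]    $LocalPort = 56789,       # must match the port given to mstsc
        [string] $AwsProfile               # optional named profile
    )
    # Fail fast if the plugin is missing; otherwise the CLI only errors after talking to SSM.
    if (-not (Get-Command session-manager-plugin -ErrorAction SilentlyContinue)) {
        throw 'session-manager-plugin is not on PATH'
    }
    $common = @('--region', $Region)
    if ($AwsProfile) { $common += @('--profile', $AwsProfile) }
    # Confirm the SSM agent on the target is reporting in before opening a tunnel.
    $ping = aws ssm describe-instance-information @common `
        --filters "Key=InstanceIds,Values=$InstanceId" `
        --query 'InstanceInformationList[0].PingStatus' --output text
    if ($ping -ne 'Online') { throw "$InstanceId is not Online in SSM (status: $ping)" }
    # Refuse a local port that something else already listens on.
    if (Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue) {
        throw "Local port $LocalPort is already in use"
    }
    # Open the port-forwarding session in the background (same command as the post).
    $tunnel = Start-Process aws -PassThru -NoNewWindow -ArgumentList (
        @('ssm', 'start-session', '--target', $InstanceId,
          '--document-name', 'AWS-StartPortForwardingSession',
          '--parameters', "portNumber=3389,localPortNumber=$LocalPort") + $common)
    try {
        # Wait up to 30 s for the plugin to bind the local port, then launch mstsc.
        $deadline = (Get-Date).AddSeconds(30)
        while (-not (Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue)) {
            if ($tunnel.HasExited -or (Get-Date) -gt $deadline) { throw 'port-forwarding session did not start' }
            Start-Sleep -Milliseconds 500
        }
        # mstsc returns when the RDP window closes; -Wait keeps the tunnel up that long.
        Start-Process mstsc.exe -ArgumentList "/v:localhost:$LocalPort" -Wait
    }
    finally {
        # Tear down the plugin (child of aws.exe) and aws.exe so no forwarded port stays open.
        Get-CimInstance Win32_Process -Filter "ParentProcessId = $($tunnel.Id)" |
            ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
        if (-not $tunnel.HasExited) { Stop-Process -Id $tunnel.Id -Force }
    }
}

Connect-RdpOverSsm -InstanceId 'i-0123456789abcdef0'   # placeholder instance id
```

The Administrator password is still retrieved from the EC2 console as described above; the function only manages the tunnel's lifetime so the forwarded port is closed as soon as the RDP window is.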


AWS Systems Manager Session Manager provides a secure and convenient way to manage your EC2 instances. With its browser-based and CLI interfaces, SSL encryption, and integration with IAM, you can control who has access to your instances and reduce potential threats.
