Connect to EC2 via AWS Session Manager and without SSH inbound rule
The AWS EC2 and SSH connection always go hand in hand. As a DevOps engineer, you would always want to connect to your EC2 instance via SSH and perform various tasks.
To connect EC2 via SSH, we must add an inbound rule for port 22 and specify range address. Many times, engineers leave port open to “0.0.0.0/0” even though AWS console warns about it. (Who takes warning seriously unless there is an error, right?). The open SSH port could lead to an attack from outside and thus its very important to secure it.
The AWS System Manager service has introduced new feature called “Session Manager” which allow users to connect to their EC2 without enabling SSH port. Yes, no open port for SSH i.e. port 22 and still we can connect to EC2 instance with SSH terminal!
In this post, we will setup Session manager and connect to EC2 via AWS Console.
Assign IAM policy to EC2 instance
The EC2 instance should have a IAM role attached so that Session Manager can access it. We can setup the role as below:
- Login to AWS Console
- Open EC2 Dashboard
- Select target EC2 instance in list
- Right click on EC2 instance and select “Instance Settings -> Attach/Replace IAM Role” as shown in figure.
- Click on “Create new IAM Role” which will open IAM console in separate window
- In IAM console, click on “Create Role”
- In next step, select “AWS Service” for type of trusted entity and “EC2” for Choose use case.
- Click on “Next:Permissions” button in bottom right of page
- In Filter Policies search box, enter “AmazonSSMManagedInstanceCore” and select the policy by ticking CheckBox.
- Follow the wizard and on last page enter the Role name (e.g. SessionManager-Test) and save the changes.
- Now, go back to “Instance settings -> Attach/Replace IAM Role” page and refresh the dropdown
- We should see our new role listed as shown in below Figure
- Select the new role we created — in this example “SessionManager-Test’ and click on “Apply” to save the changes.
- Now go to “System Manager” service from “Services” search bar in AWS Console
- On left side pane, select “Session Manager”, it will show list of open sessions if any
- Click on “Start Session” to start new session
- The page shall display all EC2 instance with valid IAM roles applied. Note that it might take few minutes to apply IAM role we did in last step so keep refreshing this window.
- Once EC2 is listed, select it and click on “Start Session”
- A new SSH session will be started in new window with user “ssm-user”
- You can switch to other user via command
sudo su <username>.
- You can terminate current session by clicking on “Terminate” button
- The “Session History” provides audit details about who started session and at what time which is not possible with SSH inbound rule. Thus giving more security and authorisation details.
In next post, we will see how to connect to EC2 via AWS CLI.