
AWS Session Manager: less infrastructure, more features - jon918
https://github.com/symopsio/terraform-okta-ssm-modules/blob/master/docs/AWSSessionManagerLessInfrastructureMoreFeatures.md
======
derefr
Are they basically trying to emulate GCP’s OS Login
([https://cloud.google.com/compute/docs/instances/managing-instance-access](https://cloud.google.com/compute/docs/instances/managing-instance-access))
feature here? We’ve been using that for a while, and it’s been a big
relief.

~~~
idunno246
OS Login is probably a little closer to EC2 Instance Connect because you still
need SSH inbound access, right? Whereas AWS provides a bastion here.

~~~
WaxProlix
You're right in a sense, but there's no aws-managed bastion. Session manager
communicates with your instance via an outbound-created websocket connection.
Inputs and outputs are piped through it.

~~~
idunno246
Yea, I was trying to keep things simplified, but it has to proxy through
something behind the VPC endpoint. Could also say it's not technically SSH.

~~~
zokier
Though you can actually get SSH through SSM:
[https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html)

------
jon918
I'd love to learn how you're using Session Manager or what other
features/integrations you'd like to see us explore. Also if the terraform
module packaging is useful. There are additional Session Manager features like
port forwarding that I plan to write about soon.

~~~
skb4
Can you write one about port forwarding? Specifically, I would like to
understand how various web interfaces on EMR cluster can be accessed through
Sessions Manager. (Ganglia, Spark history server, etc.)

~~~
mullingitover
We'd love to use Session Manager, but we're running into the same issue
mentioned here:

"Tunnel created using SSM only allows single connection to destination port"
- [https://forums.aws.amazon.com/thread.jspa?threadID=314882&tstart=0](https://forums.aws.amazon.com/thread.jspa?threadID=314882&tstart=0)

This has been sitting open in the support forums unanswered for over two
months :/

------
gregmac
I never see mention of Windows with Session Manager. I have a mixed
infrastructure with a number of Windows (IIS) app servers running various
things.

We currently connect via SSH to a bastion host, then tunnel from there to
various systems, which allows connecting to SSH (linux instances), RDP
(Windows), or basically any other network services like Redis or a database. I
ended up writing some scripts to automate all this, so as long as you have the
right certificates and IAM permissions, you can connect with a single command
-- for Windows instances, it even retrieves the randomized password from the
EC2 API. The end result is for any EC2 instances you're instantly popped into
a shell/RDP session without having to enter credentials.

I'd love to replace this with something better (eg Session Manager), but I've
not seen how to do this for RDP, and haven't had the time to go experimenting
on my own to see if it's even possible. If I can't 100% replace the
bastion hosts, having two entirely different connection methods doesn't solve
anything (and in fact makes it worse, because it's harder to use).

~~~
gregoryl
Have a google; I was using SSM for remote access to Windows instances,
specifically headless instances.

------
mishappen
Be careful with SSM in general. The documentation suggests adding the
AmazonEC2RoleforSSM policy to the role of the EC2 instances you want to access
via Session Manager. This role grants read/write to all S3 buckets in your
account (amongst other things). See this article for better steps and
unavoidable risky things:
[https://cloudonaut.io/aws-ssm-is-a-trojan-horse-fix-it-now/](https://cloudonaut.io/aws-ssm-is-a-trojan-horse-fix-it-now/)
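The concern in this comment is an instance-profile policy that quietly grants S3 access on every bucket in the account. The script below is an added example (not from the linked post or the terraform-okta-ssm-modules project) that scans an IAM policy document for Allow statements giving sensitive S3 actions on a wildcard resource, the kind of check worth running against every instance role before the SSM agent is rolled out. Both policy documents are constructed to mimic the shape of the managed policies discussed in the thread; they are not the real `AmazonEC2RoleforSSM` or `AmazonSSMManagedInstanceCore` documents, and the bucket name is a placeholder.

```python
"""Flag IAM policy statements that grant broad S3 access on all resources.

Added example, not code from the post or the project. The policy documents
below are constructed to resemble the managed policies discussed in the
thread; they are not the real AmazonEC2RoleforSSM / AmazonSSMManagedInstanceCore
documents.
"""
import fnmatch
import json

# Constructed: an over-broad instance-profile policy in the style the thread warns about.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:UpdateInstanceInformation", "ssmmessages:*", "ec2messages:*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": "*"},
    ],
})

# Constructed: the same agent permissions, with S3 scoped to a single log bucket.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:UpdateInstanceInformation", "ssmmessages:*", "ec2messages:*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-session-logs/*"},  # placeholder bucket name
    ],
})

# S3 actions that let an instance read, write or enumerate data in other buckets.
SENSITIVE_S3_ACTIONS = ("s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteObject")

# Resource values that mean "every bucket / every object" for S3.
ALL_S3_RESOURCES = ("*", "arn:aws:s3:::*", "arn:aws:s3:::*/*")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_broad_s3_grants(policy_json):
    """Return (action, resource) pairs where an Allow statement lets a sensitive
    S3 action reach every bucket. Wildcard actions such as s3:* or * are expanded
    against SENSITIVE_S3_ACTIONS so they are not missed."""
    findings = []
    doc = json.loads(policy_json)
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny statements and NotAction-only statements are out of scope here
        for action in _as_list(stmt["Action"]):
            matched = [s for s in SENSITIVE_S3_ACTIONS if fnmatch.fnmatchcase(s, action)]
            if not matched:
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                if resource in ALL_S3_RESOURCES:
                    findings.extend((m, resource) for m in matched)
    return findings


if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_broad_s3_grants(policy))
```

Run it against the JSON you get back from `aws iam get-policy-version` for each policy attached to an instance role; an empty list for the SSM role means S3 access is either absent or scoped to named buckets, which is the outcome the linked article argues for.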

~~~
jcrites
> The documentation suggests adding the AmazonEC2RoleforSSM policy to the role
> of the EC2 instances

Which documentation do you mean? The article mentions the policy
AmazonSSMManagedInstanceCore, which is the same as what's mentioned in the SSM
setup guide:

[https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html)

~~~
mishappen
Thanks for clarifying, I didn’t recheck since we rolled out SSM in mid-2019
and then scrambled when we realised we’d granted account wide S3 permissions.
The article I linked to also has a recommended minimal IAM policy for Run
Command and SSM. I’ll update my comment to mention this.

~~~
mishappen
It looks like the docs were updated in June 2019
([https://github.com/awsdocs/aws-systems-manager-user-guide/commit/cad52f970cb1e00e8127fcc417dac196d5d402d5#diff-38461af5d055b906d0f68f62eb38e62a](https://github.com/awsdocs/aws-systems-manager-user-guide/commit/cad52f970cb1e00e8127fcc417dac196d5d402d5#diff-38461af5d055b906d0f68f62eb38e62a))

------
jon918
I wrote a follow up post to this on SSH tunneling:
[https://news.ycombinator.com/item?id=22665037](https://news.ycombinator.com/item?id=22665037)

------
jadell
Does anyone know how this works with other utils that use SSH protocol, like
rsync? What about tunneling other services to or from a local host? I'd love
to have fewer hosts to maintain and a smaller network/attack surface, but we
use SSH for more than just gaining commandline access to our instances.

~~~
WaxProlix
It does.

[https://aws.amazon.com/about-aws/whats-new/2019/07/session-manager-launches-tunneling-support-for-ssh-and-scp/](https://aws.amazon.com/about-aws/whats-new/2019/07/session-manager-launches-tunneling-support-for-ssh-and-scp/)

------
bogomipz
The author states:

>"No more bastion hosts required! Session Manager uses AWS APIs to communicate
with your instances, so you can remove the administrative burden of
maintaining bastion hosts."

Does this presume the EC2 instances have a public IP or is there a way this
would also work with EC2 instances on private subnets?

~~~
jhinds
We've been using the Session Manager with instances in private subnets without
issue, works like a charm.

~~~
bogomipz
Is there anything special that needs to be configured to get this to work on
private subnets?

Currently I have an EKS cluster accessible only on private subnets. It would
be wonderful to be able to access this without OpenVPN in the mix.

~~~
exidy
The instances establish an _outbound_ connection to the SSM API, so as
long as they can hit that, Session Manager will work.

Connectivity from a private subnet to the AWS API could be (a) NAT gateway (b)
HTTP proxy (c) PrivateLink VPC endpoint.
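For option (c), the agent needs interface endpoints for the `ssm`, `ssmmessages` and `ec2messages` services in the VPC, with private DNS enabled so the agent's calls to the public service hostnames resolve to the endpoint rather than to public IPs. The audit function below is an added example (not from the post or the terraform-okta-ssm-modules project) that checks a list of endpoints for exactly that; the endpoint records are constructed to match the shape of an EC2 `DescribeVpcEndpoints` response so the script runs offline, and the region and VPC ids are placeholders. It does not apply to options (a) or (b), where no endpoints are needed.

```python
"""Audit a VPC for the interface endpoints Session Manager needs on a private subnet.

Added example, not code from the post or the project. SAMPLE_ENDPOINTS is a
constructed stand-in for the 'VpcEndpoints' list returned by EC2
DescribeVpcEndpoints; the VPC ids and region are placeholders.
"""

# Services the SSM agent talks to; the endpoint service names are com.amazonaws.<region>.<svc>.
REQUIRED_SERVICES = ("ssm", "ssmmessages", "ec2messages")

# Constructed sample: ssm is fine, ssmmessages has private DNS off (agent would
# still resolve the public hostname to a public IP), and ec2messages exists only
# in a different VPC, so it does not count for vpc-0example.
SAMPLE_ENDPOINTS = [
    {"VpcId": "vpc-0example", "ServiceName": "com.amazonaws.us-east-1.ssm",
     "VpcEndpointType": "Interface", "PrivateDnsEnabled": True, "State": "available"},
    {"VpcId": "vpc-0example", "ServiceName": "com.amazonaws.us-east-1.ssmmessages",
     "VpcEndpointType": "Interface", "PrivateDnsEnabled": False, "State": "available"},
    {"VpcId": "vpc-0other", "ServiceName": "com.amazonaws.us-east-1.ec2messages",
     "VpcEndpointType": "Interface", "PrivateDnsEnabled": True, "State": "available"},
]


def audit_ssm_endpoints(endpoints, vpc_id, region):
    """Return {'missing': [...], 'no_private_dns': [...]} for the given VPC.

    Only available Interface endpoints in that VPC count; a service is 'missing'
    if no such endpoint exists and 'no_private_dns' if one exists but private DNS
    is disabled (the agent would bypass it)."""
    wanted = {f"com.amazonaws.{region}.{svc}": svc for svc in REQUIRED_SERVICES}
    present = {}
    for ep in endpoints:
        if ep.get("VpcId") != vpc_id or ep.get("VpcEndpointType") != "Interface":
            continue
        if ep.get("State") != "available":
            continue
        svc = wanted.get(ep.get("ServiceName"))
        if svc:
            present[svc] = ep
    missing = [svc for svc in REQUIRED_SERVICES if svc not in present]
    no_private_dns = [svc for svc in REQUIRED_SERVICES
                      if svc in present and not present[svc].get("PrivateDnsEnabled")]
    return {"missing": missing, "no_private_dns": no_private_dns}


if __name__ == "__main__":
    print(audit_ssm_endpoints(SAMPLE_ENDPOINTS, "vpc-0example", "us-east-1"))
```

Feed it the `VpcEndpoints` list from a real `describe-vpc-endpoints` call and the two lists tell you which endpoints to create or fix; the endpoints' security group must also allow inbound 443 from the instances, which this check does not cover.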

------
peterwwillis
It's great for managing active SSH sessions, but not so much for the other
purpose for bastions: fine-grained network access control+routing. It would be
cool if they made a more specific version of this just for network traffic
without the SSH component.

~~~
mdaniel
FWIW, the project is open source, so you could build a modified agent for your
purposes and inject it via cloud-init or your favorite config management tool:
[https://github.com/aws/amazon-ssm-agent](https://github.com/aws/amazon-ssm-agent)

------
shurco
Hey, what about the Werbot solution - werbot.com? Now it is very relevant.

------
jcims
IAM is easy to mess up.

Would be interesting to lock down the session manager agent (if possible) so
that the only way to privileged access is through sudo-like priv esc that uses
2fa.

~~~
NikolaeVarius
It's fairly trivial to lock down AWS via a require-MFA policy.

~~~
jcims
I'm talking about on the host, so if you mess up your IAM policy there is
still an authorization layer on the host to get privileged access.

~~~
jbergknoff
As far as I know, SSH over SSM doesn't do anything regarding user management.
It just establishes an SSH connection. Management of users on the host,
authorized SSH keys, etc. is totally out of scope for SSM.

So if you already have access control set up on your host, then SSM doesn't do
anything to undermine it. If you don't have it, you'll still need to add it.

------
feydaykyn
Does anyone know if it works with Ansible? Thanks!

------
yasyfm
This is awesome! How can I install the agent if I'm not using Amazon
Linux?

~~~
gamache
Amazon installs it on some other AMIs (notably, Ubuntu 16.04 and 18.04), but
for other OSes, install instructions are here:
[https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html)

