In 2012 Bill Baker said, "treat your servers like cattle, not pets," a mantra we generally subscribe to when we deploy a new application.
But there are still times where you have to log into EC2 instances. If a critical production issue needs debugging, sometimes getting a shell on an EC2 instance is the best way to get to the bottom of an issue. Obviously, it has to be an exception to the rule, not an everyday use case.
Following AWS best practices, you put critical infrastructure in a private subnet and allow SSH only from a VPN source IP. That works well, but one problem remains.
We still share key pairs to give developers access to EC2 instances and, by doing so, lose control over who can open a shell session and when.
So, is there a way to retake control over this access problem?
The short answer: YES, there is. In 2018, AWS introduced a new service called AWS Systems Manager Session Manager, an interactive shell and CLI that provides secure, access-controlled, and audited management of Windows and Linux EC2 instances.
Amazing! So how do you set up this service to get the best level of security and manage access on the cloud side?
AWS Systems Manager allows you to:
- manage EC2 instance access through IAM policies. That's the turning point: you can stop managing key pairs to access your servers.
- log every session to CloudWatch Logs.
- reach instances in private subnets through VPC endpoints to Systems Manager.
- keep public instances without any inbound security group rule.
- as a big bonus, run SSH over a Session Manager session!
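The audit point above (every session logged to CloudWatch Logs) is a regional preference you have to turn on, not a default. Here is an added example, not from the original post, that does it with the AWS CLI through the Session Manager preferences document (SSM-SessionManagerRunShell). It assumes the AWS CLI is configured and that LOG_GROUP is a constructed log group name you own; the instance role from Step 1 also needs CloudWatch Logs write permissions, which AmazonSSMManagedInstanceCore does not grant.

```shell
# Added example (not from the original post): enable CloudWatch Logs streaming
# for every Session Manager session in the current region. Assumes the AWS CLI
# and credentials with ssm:CreateDocument / logs:CreateLogGroup rights.
set -eu

LOG_GROUP="${LOG_GROUP:-/ssm/sessions}"   # constructed name; use any log group you own

# Preferences document: stream each session to CloudWatch, encrypted in transit
# to the log group, and close idle shells after 20 minutes.
session_preferences() {
  cat <<EOF
{
  "schemaVersion": "1.0",
  "description": "Session Manager preferences with CloudWatch logging",
  "sessionType": "Standard_Stream",
  "inputs": {
    "cloudWatchLogGroupName": "$LOG_GROUP",
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "idleSessionTimeout": "20",
    "runAsEnabled": false
  }
}
EOF
}

# Apply the preferences. The document name is fixed by AWS; if it already
# exists (e.g. Quick Setup created it) use update-document with
# --document-version '$LATEST' instead of create-document.
apply_session_logging() {
  aws logs create-log-group --log-group-name "$LOG_GROUP"
  aws ssm create-document \
    --name SSM-SessionManagerRunShell \
    --document-type Session \
    --content "$(session_preferences)"
}

# Verify after a few sessions: who opened what, when, and where the log went.
audit_recent_sessions() {
  aws ssm describe-sessions --state History \
    --query 'Sessions[].[SessionId,Target,Owner,StartDate,OutputUrl.CloudWatchOutputUrl]' \
    --output table
}

# Usage: apply_session_logging; audit_recent_sessions
```

The instance role must also allow logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups and logs:DescribeLogStreams on that log group, otherwise the agent silently fails to stream and the session runs unlogged.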
So, what would you think if I told you that I can safely, securely, and quickly get access to almost any of my EC2 instances in a click with the power of an open-source project and AWS Session Manager?
How to set up Session Manager?
Step 1: Create AWS IAM Role
Navigate to AWS IAM and create a new role. Choose the EC2 service as the trusted entity, attach the AmazonSSMManagedInstanceCore policy, choose a proper name and create the role.
Step 2: Launch Amazon EC2 Instance
Attach the previously created role as the Instance Profile for the EC2 instance.
Note: If you launch the instance in a private subnet, you need VPC endpoints to Systems Manager in the VPC.
Proceed without an SSH key pair.
Step 3: Set up Systems Manager
In the same region as the previously created EC2 instance, navigate to the AWS Systems Manager service, click on the Quick Setup section, and click on the Enable button at the bottom of the page.
Then go to the Managed Instances section, where you will see the created instance. After selecting the instance, click on the Actions menu and select Start Session. You have successfully started a session to your instance in your browser.
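Steps 1 to 3 above are console clicks; the same sequence scripted with the AWS CLI, as an added example that is not from the original post, makes the security choices explicit: a role trusted only by EC2 with only AmazonSSMManagedInstanceCore attached, an instance launched without a key pair and without a public IP, and a wait until SSM reports it Online. It assumes configured credentials with IAM and EC2 rights; ROLE_NAME, AMI_ID and SUBNET_ID are placeholders you must replace.

```shell
# Added example (not from the original post): Steps 1 to 3 scripted with the
# AWS CLI instead of the console. ROLE_NAME, AMI_ID and SUBNET_ID are placeholders.
set -eu

ROLE_NAME="${ROLE_NAME:-EC2SSMInstanceRole}"      # assumption: any role name you like
AMI_ID="${AMI_ID:-ami-PLACEHOLDER}"                # placeholder: an AMI with the SSM agent preinstalled
SUBNET_ID="${SUBNET_ID:-subnet-PLACEHOLDER}"      # placeholder: private subnet with SSM VPC endpoints

# Step 1, part one: trust policy that lets EC2 instances (and nothing else) assume the role.
ssm_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Step 1, part two: create the role with only AmazonSSMManagedInstanceCore
# attached and wrap it in an instance profile (the console does that for you).
create_ssm_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ssm_trust_policy)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
    --role-name "$ROLE_NAME"
  # IAM is eventually consistent; EC2 may still need a few more seconds after this.
  aws iam wait instance-profile-exists --instance-profile-name "$ROLE_NAME"
}

# Step 2: launch with the profile, no --key-name (so there is nothing to share)
# and no public IP or inbound rule: the SSM agent dials out, nothing dials in.
launch_instance() {
  aws ec2 run-instances \
    --image-id "$AMI_ID" --instance-type t3.micro --subnet-id "$SUBNET_ID" \
    --iam-instance-profile "Name=$ROLE_NAME" \
    --no-associate-public-ip-address \
    --query 'Instances[0].InstanceId' --output text
}

# Step 3: the instance appears under Managed Instances once the agent has
# registered; poll until SSM reports it Online, after which a session can start.
wait_until_managed() {
  status=""
  until [ "$status" = "Online" ]; do
    sleep 10
    status=$(aws ssm describe-instance-information \
      --filters "Key=InstanceIds,Values=$1" \
      --query 'InstanceInformationList[0].PingStatus' --output text)
  done
  echo "$1 is managed; open a shell with: aws ssm start-session --target $1"
}

# Usage: create_ssm_role; id=$(launch_instance); wait_until_managed "$id"
```

Nothing in this script opens port 22 or creates a key pair; if the instance never reaches Online, the usual causes are a private subnet without the ssm, ssmmessages and ec2messages VPC endpoints, or an AMI without the SSM agent.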
Step 4: Set up Leapp to create a remote session in your terminal
First of all, let’s go back to the command line.
The AWS CLI can interact with the Systems Manager APIs, with a bit of help from the Session Manager Plugin for the AWS CLI.
The AWS Session Manager Plugin needs to be installed to execute the following commands.
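What Leapp does in Step 4 (list the instances SSM can reach in a region, then open a shell on one) maps onto two CLI calls. The following added example, not from the original post or from the Leapp project, shows them with a plugin check up front; it assumes the AWS CLI, the Session Manager plugin and credentials for the account and role you want to use (for instance the ones Leapp exports), and uses constructed region and instance-id values in the usage lines.

```shell
# Added example (not from the original post): CLI equivalent of Leapp's
# "list instances in a region, then connect". Region and instance ids in the
# usage comments are constructed values.
set -eu

# The plugin is a separate binary the CLI shells out to; fail early if it is missing.
check_plugin() {
  command -v session-manager-plugin >/dev/null 2>&1 || {
    echo "session-manager-plugin not found: install it before start-session" >&2
    return 1
  }
}

# Emit "InstanceId PingStatus ComputerName" for every managed instance in a region.
managed_instances() {
  aws ssm describe-instance-information --region "$1" \
    --query 'InstanceInformationList[].[InstanceId,PingStatus,ComputerName]' \
    --output text
}

# Keep only the instances SSM can reach right now. Reads the text output on
# stdin, so it works on a saved file or a constructed sample as well as on aws.
online_only() {
  awk '$2 == "Online" { print $1, $3 }'
}

# Open an interactive shell; the CLI hands the stream to the plugin. Access is
# decided by the caller's IAM policy on ssm:StartSession, not by any key pair.
open_shell() {
  check_plugin
  aws ssm start-session --region "$1" --target "$2"
}

# Usage:
#   managed_instances eu-west-1 | online_only
#   open_shell eu-west-1 i-0123456789abcdef0
```

Filtering on PingStatus matters in practice: an instance that is registered but ConnectionLost (agent stopped, endpoints broken) is listed by describe-instance-information yet start-session will fail against it.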
Leapp is an open-source DevTool that aims to help developers with the cloud access problem. The app lets you manage your cloud accounts and choose which AWS account, user, and role to use on your local system.
For each Leapp session, you can also manage SSM sessions if the plugin is installed and the feature has been enabled correctly.
To start an SSM session, activate the session that holds the EC2 instance you need to access, click on the SSM Session button and choose the right region for the instance.
Then, the App will automatically list all the instances available to connect in the given region.
By clicking Connect, a terminal will appear with the Session established with the EC2 Instance.
Historically, more often than not, robust security came at the expense of usability. And usability came at the expense of security. With AWS System Manager, this myth is busted.
We are giving back security by managing EC2 access via IAM (we will cover this aspect in another article of this series) and by not sharing key pairs across the team.
Moreover, we no longer have to remember instance IDs or how to access each instance: we just start a session from Leapp. What's next? I want to cover all the main features of AWS Systems Manager in the next episodes, like:
- How to manage IAM Policies to give access to the right user via SSM
- How to access via SSH over SSM to an EC2 instance
- How to copy your files with SCP over SSM on an EC2 instance
So, what is the next article you wanna see? Comment below! Thanks for reading and, if you are interested in Cloud Access articles, follow our Medium publication!