This page describes the tools and steps needed to configure Session Manager so that you can connect to AWS EC2 instances (and the database behind them) from a local machine.
Client Side
- Install the AWS CLI
- Configure the AWS CLI with your IAM user credentials
- Create multiple profiles for different regions if necessary
- Install the Session Manager plugin for AWS CLI
- Download the SSH over SSM script
- Make the script executable and move it to a directory on your PATH

    sudo chmod +x ssh-ssm.sh
    sudo mv ssh-ssm.sh /usr/local/bin
- Update SSH config (~/.ssh/config)
    ### Server
    Host server1
        HostName i-abc
        User ubuntu
        ProxyCommand bash -c "/usr/local/bin/ssh-ssm.sh %h %r"

    ### DB
    Host pgpool
        HostName i-xyz
        User ubuntu
        ProxyCommand bash -c "/usr/local/bin/ssh-ssm.sh %h %r"
        LocalForward 10001 localhost:5432
        ServerAliveInterval 60

    ### Needed for SSH forwarding over SSM
    Match Host i-*
        IdentityFile ~/.ssh/ssm-ssh-tmp
        StrictHostKeyChecking no
        BatchMode yes
- Test the connection
MFA Authentication for CLI
https://levelup.gitconnected.com/aws-cli-automation-for-temporary-mfa-credentials-31853b1a8692
https://github.com/asagage/aws-mfa-script
Server Side Configuration
- Ensure that the SSM agent is installed on the EC2 instance. The SSM agent is installed by default on the AWS Ubuntu AMI and the Amazon Linux AMI
- Ensure that the EC2 servers have the GenericServerRoleForEC2 IAM role attached, which allows the servers to connect to the Systems Manager services
IAM configuration
Reference
To allow or restrict who can connect to the EC2 instances via Session Manager, create IAM policies.
Example policy that allows connecting to a set of servers. The instance list needs to be updated whenever new servers are added
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ssm:StartSession",
          "Resource": [
            "arn:aws:ec2:*:*:instance/i-abc",
            "arn:aws:ec2:*:*:instance/i-def",
            "arn:aws:ec2:*:*:instance/i-xyz",
            "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ssm:SendCommand"
          ],
          "Resource": [
            "arn:aws:ec2:*:*:instance/i-abc",
            "arn:aws:ec2:*:*:instance/i-def",
            "arn:aws:ec2:*:*:instance/i-xyz",
            "arn:aws:ssm:*:*:document/AWS-RunShellScript"
          ]
        },
        {
          "Effect": "Allow",
          "Action": "ssm:GetCommandInvocation",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ssm:ResumeSession",
            "ssm:TerminateSession"
          ],
          "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
        }
      ]
    }
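Because the instance list in this policy is maintained by hand, it drifts as servers come and go. The following is an added example (not part of this page's setup or any AWS tool) that diffs the ssm:StartSession instance ARNs in a policy against a list of running instance IDs and also checks that ResumeSession/TerminateSession stay scoped to the caller's own sessions; POLICY is a copy of the policy above with placeholder IDs and RUNNING_INSTANCES is constructed sample data standing in for an EC2 inventory.

```python
import re

# Constructed copy of the page's example policy (instance IDs are placeholders).
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": ["arn:aws:ec2:*:*:instance/i-abc", "arn:aws:ec2:*:*:instance/i-def",
                  "arn:aws:ec2:*:*:instance/i-xyz", "arn:aws:ssm:*:*:document/AWS-StartSSHSession"]},
    {"Effect": "Allow", "Action": ["ssm:ResumeSession", "ssm:TerminateSession"],
     "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"},
]}
# Constructed inventory standing in for what `aws ec2 describe-instances` would return.
RUNNING_INSTANCES = {"i-abc", "i-xyz", "i-new"}

INSTANCE_ARN = re.compile(r"^arn:aws:ec2:[^:]*:[^:]*:instance/(i-[A-Za-z0-9]+|\*)$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def instances_allowed(policy, action="ssm:StartSession"):
    """Instance IDs named in Allow statements for `action` ('*' if a wildcard appears)."""
    ids = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        for arn in _as_list(stmt["Resource"]):
            match = INSTANCE_ARN.match(arn)
            if match:
                ids.add(match.group(1))
    return ids

def session_scope_is_per_user(policy):
    """True if Resume/TerminateSession are limited to the caller's own sessions."""
    for stmt in policy["Statement"]:
        if {"ssm:ResumeSession", "ssm:TerminateSession"} & set(_as_list(stmt["Action"])):
            for arn in _as_list(stmt["Resource"]):
                if not arn.endswith(":session/${aws:username}-*"):
                    return False
    return True

def check_policy(policy, running):
    allowed = instances_allowed(policy)
    return {
        "wildcard": "*" in allowed,                  # any instance reachable: too broad
        "missing": sorted(running - allowed),        # running but not reachable over SSM
        "stale": sorted(allowed - running - {"*"}),  # still listed but no longer running
        "per_user_sessions": session_scope_is_per_user(policy),
    }
```

Running `check_policy(POLICY, RUNNING_INSTANCES)` on the constructed data reports `i-new` as missing from the policy and `i-def` as a stale entry; feed it the real policy document and the output of `aws ec2 describe-instances` to audit a live account.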