Best Practices for SSH Access with AWS Session Manager on EC2 – 2024

Best Practices for SSH Access with AWS Session Manager on EC2 – 2024

Simplifying EC2 Host Management with AWS Session Manager

Managing EC2 instances can sometimes be complex, especially when handling multiple servers, securing access, and troubleshooting. With AWS Session Manager, you can simplify host management, improve security, and reduce costs by eliminating traditional SSH or RDP setups. In this blog, we’ll explore how you can use AWS Session Manager to securely manage EC2 instances and enhance host control.

What is AWS Session Manager?

AWS Session Manager is a feature within AWS Systems Manager that allows you to securely access and manage your EC2 instances without needing SSH or bastion hosts. With IAM-based access, you can manage your hosts through a browser-based console or the AWS CLI, making it easier to perform host-related tasks securely.

Why Use AWS Session Manager for Host Management?

  1. Eliminates SSH/RDP Ports: You no longer need to open inbound ports like 22 (SSH) or 3389 (RDP) to access your instances. This reduces the risk of attacks and helps secure your infrastructure.
  2. IAM-based Access Control: Instead of managing SSH keys or passwords, Session Manager uses AWS IAM to control who can access your instances, ensuring fine-grained, centralized access management.
  3. Centralized Auditing and Logging: Session Manager logs all commands executed during a session, allowing you to monitor activity and meet compliance requirements.
  4. No Bastion Host Required: If you have instances in a private subnet, you don’t need a bastion host or VPN to manage them. Session Manager provides direct, secure access from the AWS Console.
  5. Multi-Platform Support: Whether you’re managing Linux or Windows EC2 instances, Session Manager supports both operating systems, providing flexibility in your cloud infrastructure.

How to Set Up AWS Session Manager for EC2 Host Management

Setting up AWS Session Manager is straightforward. Here’s a step-by-step guide:

Step 1: Create Host Management in AWS Systems Manager
Create Host Management in AWS Systems Manager
Step 2: Config the Host Management (optional)

If you want the software up-to-date with AWS, select this option

Config the Host Management
Config the Host Management2
Step 3: Wait and double-check the results
double-check the results
Step 4: Start a EC2 Session

You can start a session using the AWS Console:

  1. Navigate to AWS Systems Manager > Session Manager.
  2. Select the EC2 instance you want to manage.
  3. Click on Start session to open a browser-based terminal, or use the AWS CLI to initiate a session programmatically.

OR you can go directly to your EC2 instance and start new session with Session manager

Start Session manager

Check the role:

Check role

Check the in Session manager:

check session manager

Host Management Tasks with Session Manager

AWS Session Manager simplifies host management in several ways:

  • Run Commands Remotely: You can run commands on EC2 instances without logging in.
  • Automating Host Tasks
  • Monitor and Troubleshoot Hosts: Access instances securely for troubleshooting, view logs, or diagnose issues without opening SSH or RDP ports.

Session Manager vs. Traditional SSH/RDP Access

AspectSession ManagerTraditional SSH/RDP
SecurityEliminates open ports (SSH/RDP), reducing the attack surface. Leverages IAM policies for secure, controlled access.Requires open ports (SSH/RDP), increasing the potential attack surface. Uses key pairs or passwords for access control.
SimplicityNo need to manage SSH keys, passwords, or bastion hosts. All access is centrally managed via the AWS Console or CLI.Requires managing key pairs, passwords, and possibly a bastion host for accessing instances in private subnets.
Cost SavingsNo need for a bastion host to manage instances in private subnets, reducing infrastructure complexity and associated costs.Typically requires a bastion host to securely access private subnet instances, increasing costs and complexity.

Best Practices for Managing Hosts with Session Manager

  • Keep the SSM Agent Updated: Ensure that the SSM agent is up to date on all instances to avoid security vulnerabilities or compatibility issues.
  • Use IAM Policies for Access Control Only grant the necessary permissions required for the tasks at hand.
  • Automate Common Host Tasks: Leverage AWS Systems Manager’s Run Command to automate routine tasks like updates, patches, and software configurations across your EC2 fleet.
  • Enable Logging for Compliance: Set up session logging to CloudWatch or Amazon S3 to track activity for auditing and compliance purposes.

Conclusion

AWS Session Manager is a powerful tool for simplifying host management on EC2 instances. It enhances security by removing the need for open ports, eliminates the hassle of managing SSH keys, and offers auditing capabilities to track all access and activities on your instances.