AWS Session Manager: less infrastructure, more features (opens in new tab)

(github.com)

199 pointsjon9186y ago48 comments

48 comments

40 comments · 12 top-level

mishappen6y ago· 7 in thread

Be careful with SSM in general. The documentation suggests adding the AmazonEC2RoleforSSM policy to the role of the EC2 instances you want to access via Session Manager. This role grants read/write to all S3 buckets in your account (amongst other things). See this article for better steps and unavoidable risky things: https://cloudonaut.io/aws-ssm-is-a-trojan-horse-fix-it-now/

WatchDog6y ago

There are so many AWS managed policies that provide access far beyond what one might suspect given the policy name and description. Implementing least privilege with IAM can be really difficult in any moderately complex environment.

LilBytes6y ago

And close to impossible in highly complex environments. We're looking to adopt using AWS accounts to achieve a few objectives but one being reducing the blast radius of potential breaches and outages.

jon918OP6y ago

Good call to watch out for this stuff. The examples in the repo we set up use the AmazonSSMManagedInstanceCore managed policy, which does not grant any S3 permissions, just various ssm, ssmmessages, and ec2messages permissions.

jcrites6y ago

> The documentation suggests adding the AmazonEC2RoleforSSM policy to the role of the EC2 instances

Which documentation do you mean? The article mentions the policy AmazonSSMManagedInstanceCore, which is the same as what's mentioned in the SSM setup guide:

https://docs.aws.amazon.com/systems-manager/latest/userguide...

mishappen6y ago

Thanks for clarifying, I didn’t recheck since we rolled out SSM in mid-2019 and then scrambled when we realised we’d granted account wide S3 permissions. The article I linked to also has a recommended minimal IAM policy for Run Command and SSM. I’ll update my comment to mention this.

1 more reply

x3n0ph3n36y ago

AmazonSSMManagedInstanceCore is still too much access, it has unscoped ssm:GetParameter! I hope you weren't trying to protect any secrets in ParameterStore!

1 more reply

NikolaeVarius6y ago

This has not been true for a while. The IAM policy also indicates it is deprecated in the description.

Though I always suggest to read what managed profiles are doing. Many of them are very permissive

jon918OP6y ago· 6 in thread

I'd love to learn how you're using Session Manager or what other features/integrations you'd like to see us explore. Also if the terraform module packaging is useful. There are additional Session Manager features like port forwarding that I plan to write about soon.

skb46y ago

Can you write one about port forwarding? Specifically, I would like to understand how various web interfaces on EMR cluster can be accessed through Sessions Manager. (Ganglia, Spark history server, etc.)

mullingitover6y ago

We'd love to use Session Manager, but we're running into the same issue mentioned here:

"Tunnel created using SSM only allows single connection to destination port" - https://forums.aws.amazon.com/thread.jspa?threadID=314882&ts...

This has been sitting open in the support forums unanswered for over two months :/

jon918OP6y ago

Cool, will do!

klohto6y ago

I have bunch of questions that stop me from deploying SSM into real world production scenarios.

1) Is logging for access from CLI finally supported?

2) Can I setup which shell is used?

3) Are logs readable when I switch to something else than sh?

4) Is U2F supported (awscli question)

Once all of these are fixed, then it can be possible to claim that SSM solves these issues. Otherwise it’s nothing more than for adhoc usage.

sandGorgon6y ago

1. does it work with hardware tokens ?

we have some regulatory requirements that require us to use hardware tokens for 2FA access to servers.

2. what about SSH tunnels ?

jon918OP6y ago

It does work with hardware tokens, IF you get your AWS IAM credentials using a hardware token. If you're using AWS IAM users then here are instructions: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...

If you're doing a federated login with Okta or another provider, you need to set up the hardware MFA there.

There is SSH tunneling support as well, will add an update on that soon.

1 more reply

derefr6y ago· 5 in thread

Are they basically trying to emulate GCP’s OS Login (https://cloud.google.com/compute/docs/instances/managing-ins...) feature here? We’ve been using that for a while, and it’s been a big relief.

hexadec6y ago

It seems like a re-implementation of cloud shell for Azure (https://docs.microsoft.com/en-us/azure/cloud-shell/overview). It also uses the browser and native IAM, but you can use the native AD integration and JIT permissions.

But it seems no one like Azure these days, but they have some nifty features.

idunno2466y ago

os login is probably a little closer to ec2 instance connect because you still need ssh inbound access right? whereas aws provides a bastion here

aPoCoMiLogin6y ago

There is a proxy called IAP [1] which is used to create SSH tunnel over HTTPS to instances without public IP.

[1] https://cloud.google.com/compute/docs/instances/connecting-a...

WaxProlix6y ago

You're right in a sense, but there's no aws-managed bastion. Session manager communicates with your instance via an outbound-created websocket connection. Inputs and outputs are piped through it.

1 more reply

jon918OP6y ago

Yeah, this is the same deal. Session Manager will log your sessions which is pretty cool.

jcims6y ago· 3 in thread

IAM is easy to mess up.

Would be interesting to lock down the session manager agent (if possible) so that the only way to privileged access is through sudo-like priv esc that uses 2fa.

jon918OP6y ago

You can do this but it depends on your setup as to how. If you have AWS IAM users (not federated), then you can use MFA conditions in your policies as documented here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...

For federation you need to rely on the config in whatever your identity provider is, like Okta.

NikolaeVarius6y ago

Its fairly trivial to lock down AWS via a require MFA policy

jcims6y ago

I'm talking about on the host, so if you mess up your IAM policy there is still an authorization layer on the host to get privileged access.

1 more reply

bogomipz6y ago· 2 in thread

The author states:

>"No more bastion hosts required! Session Manager uses AWS APIs to communicate with your instances, so you can remove the administrative burden of maintaining bastion hosts."

Does this presume the EC2 instances have a public IP or is there a way this would also work with EC2 instances on private subnets?

jhinds6y ago

We've been using the Session Manager with instances in private subnets without issue, works like a charm.

bogomipz6y ago

Is there anything special that needs to be configured to get this to work on private subnets?

Currently I have an EKS cluster accessible only on private subnets. It would be wonderful to to be able to access this without OpenVPN in the mix.

1 more reply

yasyfm6y ago· 2 in thread

This is awesome! How can I install the the agent if I'm not using Amazon Linux?

gamache6y ago

Amazon installs it on some other AMIs (notably, Ubuntu 16.04 and 18.04), but for other OSes, install instructions are here: https://docs.aws.amazon.com/systems-manager/latest/userguide...

WaxProlix6y ago

Note that you won't get this feature at the free tier for non-EC2 instances.

gregmac6y ago· 1 in thread

I never see mention of Windows with Session Manager. I have a mixed infrastructure with a number of Windows (IIS) app servers running various things.

We currently connect via SSH to a bastionhost, then tunnel from there to various systems, which allows connecting to SSH (linux instances), RDP (Windows), or basically any other network services like Redis or a database. I ended up writing some scripts to automate all this, so as long as you have the right certificates and IAM permissions, you can connect with a single command -- for Windows instances, it even retrieves the randomized password from the EC2 API. The end result is for any EC2 instances you're instantly popped into a shell/RDP session without having to enter credentials.

I'd love to replace this with something better (eg Session Manager), but I've not seen how to do this for RDP, and haven't had the time to go experimenting on my own to see if it's even possible. If I can't 100% replace the bastionhosts, having two entirely different connection methods doesn't solve anything (and in fact makes it worse, because it's harder to use).

gregoryl6y ago

Have a google, I was using SSM for remote access to Windows instances, specifically headless instances.

jadell6y ago· 1 in thread

Does anyone know how this works with other utils that use SSH protocol, like rsync? What about tunneling other services to or from a local host? I'd love to have fewer hosts to maintain and a smaller network/attack surface, but we use SSH for more than just gaining commandline access to our instances.

WaxProlix6y ago

It does.

https://aws.amazon.com/about-aws/whats-new/2019/07/session-m...

peterwwillis6y ago· 1 in thread

It's great for managing active SSH sessions, but not so much for the other purpose for bastions: fine-grained network access control+routing. It would be cool if they made a more specific version of this just for network traffic without the SSH component.

mdaniel6y ago

FWIW, the project is open source, so you could build a modified agent for your purposes and inject it via cloud-init or your favorite config management tool: https://github.com/aws/amazon-ssm-agent

jon918OP6y ago

I wrote a follow up post to this on SSH tunneling: https://news.ycombinator.com/item?id=22665037

shurco6y ago

Hey, what about the Werbot solution - werbot.com? Now it is very relevant.

feydaykyn6y ago

Does anyone know of it works with Ansible ? Thanks!

j / k navigate · click thread line to collapse

48 comments

40 comments · 12 top-level

mishappen6y ago· 7 in thread

WatchDog6y ago

LilBytes6y ago

jon918OP6y ago

jcrites6y ago

> The documentation suggests adding the AmazonEC2RoleforSSM policy to the role of the EC2 instances

Which documentation do you mean? The article mentions the policy AmazonSSMManagedInstanceCore, which is the same as what's mentioned in the SSM setup guide:

https://docs.aws.amazon.com/systems-manager/latest/userguide...

mishappen6y ago

1 more reply

x3n0ph3n36y ago

AmazonSSMManagedInstanceCore is still too much access, it has unscoped ssm:GetParameter! I hope you weren't trying to protect any secrets in ParameterStore!

1 more reply

NikolaeVarius6y ago

This has not been true for a while. The IAM policy also indicates it is deprecated in the description.

Though I always suggest to read what managed profiles are doing. Many of them are very permissive

jon918OP6y ago· 6 in thread

skb46y ago

mullingitover6y ago

We'd love to use Session Manager, but we're running into the same issue mentioned here:

"Tunnel created using SSM only allows single connection to destination port" - https://forums.aws.amazon.com/thread.jspa?threadID=314882&ts...

This has been sitting open in the support forums unanswered for over two months :/

jon918OP6y ago

Cool, will do!

klohto6y ago

I have bunch of questions that stop me from deploying SSM into real world production scenarios.

1) Is logging for access from CLI finally supported?

2) Can I setup which shell is used?

3) Are logs readable when I switch to something else than sh?

4) Is U2F supported (awscli question)

Once all of these are fixed, then it can be possible to claim that SSM solves these issues. Otherwise it’s nothing more than for adhoc usage.

sandGorgon6y ago

1. does it work with hardware tokens ?

we have some regulatory requirements that require us to use hardware tokens for 2FA access to servers.

2. what about SSH tunnels ?

jon918OP6y ago

If you're doing a federated login with Okta or another provider, you need to set up the hardware MFA there.

There is SSH tunneling support as well, will add an update on that soon.

1 more reply

derefr6y ago· 5 in thread

hexadec6y ago

But it seems no one like Azure these days, but they have some nifty features.

idunno2466y ago

os login is probably a little closer to ec2 instance connect because you still need ssh inbound access right? whereas aws provides a bastion here

aPoCoMiLogin6y ago

There is a proxy called IAP [1] which is used to create SSH tunnel over HTTPS to instances without public IP.

[1] https://cloud.google.com/compute/docs/instances/connecting-a...

WaxProlix6y ago

You're right in a sense, but there's no aws-managed bastion. Session manager communicates with your instance via an outbound-created websocket connection. Inputs and outputs are piped through it.

1 more reply

jon918OP6y ago

Yeah, this is the same deal. Session Manager will log your sessions which is pretty cool.

jcims6y ago· 3 in thread

IAM is easy to mess up.

Would be interesting to lock down the session manager agent (if possible) so that the only way to privileged access is through sudo-like priv esc that uses 2fa.

jon918OP6y ago

For federation you need to rely on the config in whatever your identity provider is, like Okta.

NikolaeVarius6y ago

Its fairly trivial to lock down AWS via a require MFA policy

jcims6y ago

I'm talking about on the host, so if you mess up your IAM policy there is still an authorization layer on the host to get privileged access.

1 more reply

bogomipz6y ago· 2 in thread

The author states:

>"No more bastion hosts required! Session Manager uses AWS APIs to communicate with your instances, so you can remove the administrative burden of maintaining bastion hosts."

Does this presume the EC2 instances have a public IP or is there a way this would also work with EC2 instances on private subnets?

jhinds6y ago

We've been using the Session Manager with instances in private subnets without issue, works like a charm.

bogomipz6y ago

Is there anything special that needs to be configured to get this to work on private subnets?

Currently I have an EKS cluster accessible only on private subnets. It would be wonderful to to be able to access this without OpenVPN in the mix.

1 more reply

yasyfm6y ago· 2 in thread

This is awesome! How can I install the the agent if I'm not using Amazon Linux?

gamache6y ago

Amazon installs it on some other AMIs (notably, Ubuntu 16.04 and 18.04), but for other OSes, install instructions are here: https://docs.aws.amazon.com/systems-manager/latest/userguide...

WaxProlix6y ago

Note that you won't get this feature at the free tier for non-EC2 instances.

gregmac6y ago· 1 in thread

I never see mention of Windows with Session Manager. I have a mixed infrastructure with a number of Windows (IIS) app servers running various things.

gregoryl6y ago

Have a google, I was using SSM for remote access to Windows instances, specifically headless instances.

jadell6y ago· 1 in thread

WaxProlix6y ago

It does.

https://aws.amazon.com/about-aws/whats-new/2019/07/session-m...

peterwwillis6y ago· 1 in thread

mdaniel6y ago

FWIW, the project is open source, so you could build a modified agent for your purposes and inject it via cloud-init or your favorite config management tool: https://github.com/aws/amazon-ssm-agent

jon918OP6y ago

I wrote a follow up post to this on SSH tunneling: https://news.ycombinator.com/item?id=22665037

shurco6y ago

Hey, what about the Werbot solution - werbot.com? Now it is very relevant.

feydaykyn6y ago

Does anyone know of it works with Ansible ? Thanks!

j / k navigate · click thread line to collapse