undefined | Better HN

0 pointstyingq4y ago0 comments

>I also wouldn't call this a loophole, you have to explicitly have permissions to use SSM.

Perhaps not the best wording on my part. I was aware of SSM, but not aware of the SSH tunneling features. I'm wondering if that's common. Is the SSH tunneling controlled separately, or on by default if SSM is on?

0 comments

awsthro009454y ago

It is "on" by default, but the user still has to have the 'ssm:StartSession' permission (and probably others) to open the SSM session, and for some(?) operations you also still need to have the appropriate credentials (ssh keypair or a password) to login via SSH.

SSM Session Manager is one of the (if not the) preferred way to manage SSH access to instances in AWS. It's kinda hairy to set up, but it removes the need for bastion hosts/jump boxes for most use cases. From my experience I would say it is quite common.

j / k navigate · click thread line to collapse

0 pointstyingq4y ago0 comments

>I also wouldn't call this a loophole, you have to explicitly have permissions to use SSM.

0 comments

awsthro009454y ago

j / k navigate · click thread line to collapse