AWS Session Manager

October 1, 2018 By Eric Shanks

Amazon has released yet another Simple Systems Manager service to improve the management of EC2 instances. This time, it’s AWS Session Manager. Session Manager is a nifty little service that lets you assign permissions to users to access an instance’s shell. Now, you might be thinking, “Why would I need this? I can already add SSH keys to my instances at boot time to access them.” You’d be right of course, but think about how you might use Session Manager. Instead of having to add SSH keys and manage access to and distribution of the private keys, we can manage access through AWS Identity and Access Management (IAM) permissions.

Setup Session Manager

As with the other System Manager services, you’ll need the instances to have the correct permissions by assigning a Systems Manager instance profile role.

If you’ve been following along with the rest of this series, you may need to add the following policy to your EC2SystemsManagerRole. Session Manager came out much later than some of the other services we’ve already covered, so add these additional permissions to the role before attaching the instance profile to the instance. I’d also mention that my user has full administrator permissions; if yours doesn’t, you’ll need to grant your user additional permissions to use the Session Manager service on your EC2 instances.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": "*"
        }
    ]
}

Once you’ve set up the appropriate instance profile permissions, you’ll need to spin up an instance. I’ve spun up one of my Linux instances that has the SSM Agent installed, with my EC2SystemsManagerRole attached.

You can also see that my security group that I’ve attached to my instance only has port 80 open. SSH is not required with this Session Manager service which is another benefit to your security profile.

Test A Shell Session

Once your instance has been spun up, you can look in the Systems Manager Service. Many of the EC2 Simple Systems Manager services are available from the EC2 console, but this one is not. To access it you’ll need to go to the Systems Manager service directly.


On the Session Manager screen, click the “Start a Session” button. You’ll notice from my screenshot that the version of my SSM Agent is not current. You need version 2.3.68.0 or later for it to work with Session Manager. Luckily, my instance profile grants enough permissions that I can use the Run Command service to update the agent, and Session Manager lets you do this directly from its own interface. Click the “Update SSM Agent” button if you see this screen.
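As an added example (not part of the original post and not AWS code), here is a small Python preflight check that covers the two prerequisites this post sets up before a session will open: the instance-profile policy above must grant the ssmmessages channel actions (plus s3:GetEncryptionConfiguration), and the SSM Agent on each instance must be at least version 2.3.68.0 and reporting Online. The policy document and the instance records are constructed inline to mirror the shape of `aws iam get-role-policy` and `aws ssm describe-instance-information` output; nothing here calls AWS, and the instance IDs are made up.

```python
"""Preflight check for AWS Session Manager readiness (added example, not from the post)."""
import fnmatch
import json

# Minimum SSM Agent version the post names for Session Manager support.
MIN_AGENT_VERSION = "2.3.68.0"

# Actions the post's instance-profile policy must grant.
REQUIRED_ACTIONS = [
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
    "s3:GetEncryptionConfiguration",
]


def parse_version(version):
    """Turn '2.3.68.0' into (2, 3, 68, 0) so versions compare numerically,
    not as strings ('2.3.101.0' is newer than '2.3.68.0')."""
    return tuple(int(part) for part in version.split("."))


def agent_supported(version, minimum=MIN_AGENT_VERSION):
    """True when the agent version is at least the minimum."""
    return parse_version(version) >= parse_version(minimum)


def allowed_actions(policy):
    """Collect actions from Allow statements (Action may be a string or a list).
    Explicit Deny statements are not evaluated here; this is a coarse check."""
    actions = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        actions.extend([action] if isinstance(action, str) else action)
    return actions


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions not covered by any Allow action.
    IAM action names are case-insensitive and may use '*' wildcards."""
    granted = [a.lower() for a in allowed_actions(policy)]
    return [
        need for need in required
        if not any(fnmatch.fnmatchcase(need.lower(), pattern) for pattern in granted)
    ]


def classify_instances(records):
    """Split describe-instance-information records into
    (ready, needs_agent_update, offline) lists of instance IDs."""
    ready, needs_update, offline = [], [], []
    for rec in records:
        iid = rec["InstanceId"]
        if rec.get("PingStatus") != "Online":
            offline.append(iid)
        elif not agent_supported(rec["AgentVersion"]):
            needs_update.append(iid)
        else:
            ready.append(iid)
    return ready, needs_update, offline


# Constructed sample: the post's instance-profile policy additions.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetEncryptionConfiguration"], "Resource": "*"}
  ]
}""")

# Constructed sample records shaped like describe-instance-information output
# (instance IDs are placeholders, not real instances).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa111", "PingStatus": "Online", "AgentVersion": "2.3.68.0"},
    {"InstanceId": "i-0bbb222", "PingStatus": "Online", "AgentVersion": "2.3.50.0"},
    {"InstanceId": "i-0ccc333", "PingStatus": "ConnectionLost", "AgentVersion": "2.3.68.0"},
    {"InstanceId": "i-0ddd444", "PingStatus": "Online", "AgentVersion": "2.3.101.0"},
]

if __name__ == "__main__":
    print("missing policy actions:", missing_actions(SAMPLE_POLICY))
    ready, update, offline = classify_instances(SAMPLE_INSTANCES)
    print("ready:", ready, "need agent update:", update, "offline:", offline)
```

To use it against a real account, feed `missing_actions` the `PolicyDocument` from `aws iam get-role-policy` for the instance-profile role, and `classify_instances` the `InstanceInformationList` from `aws ssm describe-instance-information`; instances that land in the "needs update" list are the ones the console's “Update SSM Agent” button is for.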

You’ll be asked if you’re sure that you want to complete this operation. Click the “update SSM Agent” button again.

Now we can go back to Session Manager and click “Start session”. You’ll see a shell open in a new web browser window. From there, I ran a pair of commands just to show it working. First, notice that the user you log in as on your EC2 instance is “ssm-user” and not ec2-user or root.

When you’re done with your configurations, click the “Terminate” button on the top right hand corner. NOTE: it means terminate the session and not the instance.

Just to show that the solution also works with Windows, you’ll get a PowerShell session open if using Windows.

Summary

Simple Systems Manager has a bunch of great tools to manage your EC2 instance fleet. Adding Session Manager can make your instances dramatically easier to manage by removing the need for SSH key management, and can improve your security posture by removing the need to open port 22. Try it out in your environment.