In previous posts, we showed you how to deploy a private key pair to allow you to log in to an EC2 instance. Since September 2018, AWS Session Manager supports logging into any instance directly from the command line, without SSH. In this blog we will show you how to configure this using CloudFormation.
To log in to an EC2 instance using AWS Session Manager, you need to do three things:
* Install the AWS SSM agent
* Grant session manager permissions
* Enable audit logging
Install the AWS SSM agent
We are lazy and use an Amazon Linux based instance, which has the agent already installed. For other AMIs, please consult the documentation.
In CloudFormation, we add the instance:
Parameters:
  AmiId:
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2'
Resources:
  Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: !Ref 'AmiId'
      IamInstanceProfile: !Ref 'IamInstanceProfile'
Grant session manager permissions
The agent needs the following permissions to enable the session manager:
- Effect: Allow
  Action:
    - ssmmessages:CreateControlChannel
    - ssmmessages:CreateDataChannel
    - ssmmessages:OpenControlChannel
    - ssmmessages:OpenDataChannel
  Resource: '*'
- Effect: Allow
  Action:
    - s3:GetEncryptionConfiguration
  Resource: '*'
To keep things small and simple, we attach the AmazonEC2RoleforSSM managed policy to the instance role, which includes the above permissions:
InstanceRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ec2.amazonaws.com
          Action:
            - sts:AssumeRole
    Path: /
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
Enable audit logging
AWS Session Manager allows you to store the session logs in S3, CloudWatch Logs, or both.
To enable audit logging you need to create an SSM Document named SSM-SessionManagerRunShell:
SessionManagerPreferences:
  Type: Custom::SSMDocument
  Properties:
    Name: SSM-SessionManagerRunShell
    DocumentType: Session
    Content: !Sub >
      { "schemaVersion": "1.0",
        "content": "Session Manager Preferences",
        "sessionType": "Standard_Stream",
        "inputs": {
          "s3BucketName": "${SessionLogBucket}",
          "s3KeyPrefix": "",
          "s3EncryptionEnabled": false,
          "cloudWatchLogGroupName": "${SessionLogGroup}",
          "cloudWatchEncryptionEnabled": false
        }
      }
Note that we had to create a custom CloudFormation provider (Custom::SSMDocument) to create the document, as the standard CloudFormation resource does not allow you to specify the document name.
Starting a session
Once deployed, you can log in to your instance by typing:
$ aws ssm start-session --target <instance-id>
Demo
The complete CloudFormation template can be found on GitHub. To test, type:
$ git clone https://github.com/binxio/blog-login-to-ec2-instances-without-ssh
$ cd blog-login-to-ec2-instances-without-ssh
$ make
create demo in default VPC vpc-12313137, subnets subnet-privatea,subnet-privateb,subnet-privatec using security group sg-default.
{
"StackId": "arn:aws:cloudformation:eu-central-1:111111111111:stack/ec2-session-manager/207b6890-26dc-11e9-b214-021298c8e4cc"
}
[
"aws ssm start-session --target i-0c25d8bf100a5d1da",
"aws logs get-log-events --log-group-name ec2-session-manager-SessionLogGroup-L9G8VSLL6XCK --log-stream-name $SESSION_ID",
"aws s3 cp s3://ec2-session-manager-sessionlogbucket-q8c1pz8q6u6g/$SESSION_ID.log -"
]
Copy the start-session command from the output:
$ aws ssm start-session --target i-12311231123132
Starting session with SessionId: mvanholsteijn-0d9ce5dd2172522f7
sh-4.2$ sudo tail /var/log/amazon/ssm/*.log
You can explicitly grant or deny users permission to start a session through the action ssm:StartSession.
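As an added example (not part of the original post or its GitHub template), the snippet below shows a least-privilege version of both sides: an instance role scoped to the stack's own SessionLogBucket and SessionLogGroup instead of the broad AmazonEC2RoleforSSM managed policy, and an operator policy that allows ssm:StartSession only on tagged instances and only through the logged SSM-SessionManagerRunShell document, so the audit preferences cannot be sidestepped with another document. The Environment=demo tag, the policy names and the assumption that SessionLogBucket and SessionLogGroup are defined elsewhere in the template are mine.

```yaml
Resources:
  # Instance role: only what the agent needs for Session Manager plus writing
  # session logs to the stack's SessionLogBucket and SessionLogGroup (assumed defined elsewhere).
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal: { Service: [ec2.amazonaws.com] }
            Action: [sts:AssumeRole]
      Policies:
        - PolicyName: session-manager-minimal
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action: [ssm:UpdateInstanceInformation, ssmmessages:CreateControlChannel,
                         ssmmessages:CreateDataChannel, ssmmessages:OpenControlChannel,
                         ssmmessages:OpenDataChannel, s3:GetEncryptionConfiguration,
                         logs:DescribeLogGroups]
                Resource: '*'
              - Effect: Allow
                Action: s3:PutObject
                Resource: !Sub '${SessionLogBucket.Arn}/*'
              - Effect: Allow
                Action: [logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogStreams]
                Resource: !GetAtt SessionLogGroup.Arn
  # Operator policy: StartSession only on instances tagged Environment=demo (assumed tag) and only
  # with the audited SSM-SessionManagerRunShell document; users may only resume or end their own sessions.
  SessionOperatorPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action: ssm:StartSession
            Resource: !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*'
            Condition:
              StringEquals:
                ssm:resourceTag/Environment: demo
          - Effect: Allow
            Action: ssm:StartSession
            Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:document/SSM-SessionManagerRunShell'
            Condition:
              BoolIfExists:
                ssm:SessionDocumentAccessCheck: 'true'
          - Effect: Allow
            Action: [ssm:TerminateSession, ssm:ResumeSession]
            Resource: 'arn:aws:ssm:*:*:session/${aws:username}-*'
```

The last statement relies on session IDs being prefixed with the IAM user name, as seen in the demo output; for federated identities the prefix differs and the resource pattern needs adjusting.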
View the session log
To view the session log from S3, type:
SESSION_ID=mvanholsteijn-0d9ce5dd2172522f7
aws s3 cp s3://ec2-session-manager-sessionlogbucket-q8c1pz8q6u6g/$SESSION_ID.log -
It will take a few minutes after closing the session for the log to appear.
Conclusion
AWS Session Manager simplifies logging in to any of your EC2 instances that have the SSM agent installed, without SSH. It saves you from complicating your infrastructure with user and SSH key management. Once support for tunneling is available, we can say goodbye to the concept of a bastion host.
If you still want to log in using SSH, we recommend the blog on how to deploy a private key pair.