Digital Age Experts, LLC

Bastion Without the Host, Jump Without the Box

Written by: Gabriel Alix

The addition of Session Manager (SM) to the AWS Systems Manager (SSM) service seemed insignificant at first. My initial reaction was like “meh”, seemed to be a minor update,  nothing interesting. But looking at it further, it is much like Cloud 9; it provides a web-based CLI for instances.  That got me thinking – could you not use this to manage and maintain all your hosts without the need of a bastion? A bastion without a host, if you will. TL;DR the answer is yes, yes it can, and it opens up possibilities to increased security, ease maintenance and provide some minor cost savings.

SSM’s Session Manager allows you to directly access and manage Windows and Linux based EC2 instances (via their terminals/CLI) without the need of SSH keys, an internet-facing EC2 instance acting as your bastion or jump box or needing to expose any of your instances directly to the Internet. Getting setup with SM is straightforward. Session Manager depends on the 2.3.X SSM agent – the latest as of this writing was 2.3.68.0.  As well, your instances will need an instance profile with the correct IAM permission to access SM features. Attaching the AmazonEC2RoleforSSM to your instances existing policy will do the trick.

To configure an existing instance to support Session Manager (once it has the correct IAM permissions), you will need to update SSM agent to > = 2.3.50.0. The easiest way to do this is using SSM itself. Go to AWS System Manager > Run Command > Run a Command > Launch the AWS-UpdateSSMAgent on the instances you want to connect to. Once the update has been completed, go to SSM > Session Manager > Start Session >  Select your instance >  Start Session. A web-based terminal will appear. You now have full root access to the instance. For Linux, you’ll get a Bash shell. For Windows, it will be a PowerShell terminal.  All without a separate EC2 instance(s) running which can provide some minor cost savings. And since the use of SSM (and its associated features) is at no charge – it’s the best of both worlds.

Figure 1 – Bash shell via Session Manager

Session Manager offers integrated options that may make life and security easier. It offers the ability to record all terminal activity, which it can stream to CloudWatch (CW) or store in S3 – data encryption is on option for both. CW Streams from Session Manager gives you options to launch an event that could trigger actions via Lambda. For example, you could configure a CW Event to launch a Lambda that alerts when a critical system file has been changed and revert it or quarantine the EC2 for forensics while blocking the user from the AWS Session Manager Console at the same time. It could alert on unallowed commands being executed or when a particular string is entered into the terminal.

Via SSM, you’ll be able to utilize IAM policies to control which instances a user will be allowed to connect to. A user can be restricted by tags, resource type and a variety of other attributes.

All in all, SSM’s Session Manager reduces your environment’s attack surfaces and improves logging and tracking of CLI activity. You no longer need to worry about rotating SSH keys or what happens if one gets accidentally checked into GitHub. It provides triggering of events and extends those to the rest of the AWS eco-system, giving you a number of options for further enhancing your system’s capabilities. Finally, it introduces a world without bastion hosts.

 

 

 

Leave a Reply

Close Menu