Security and IAM

Delete your SSH Keys and use AWS SSM

Storing and sharing SSH keys is a constant source of problems; this is an elegant solution.
Pawel Sulik | Aug 27 2019

As your AWS environment grows, your organization inevitably starts facing the challenge of managing SSH keys. With such an important part of security relying on these keys, resorting to sharing them or to other ad-hoc solutions is both tricky and a bit scary.

AWS offers a solution for this type of problem: the SSM service (AWS Systems Manager). This tool has several important features that allow us to perform operations on Linux or Windows instances:

  • Task automation
  • Patching
  • Run Command
  • Inventory
  • Session Manager

How to start using SSM Remote Session Manager

AWS, through SSM, provides us with Session Manager. This feature is available in SSM Agent version 2.3 and above. Session Manager allows us to connect to an instance and get a shell session over HTTPS (TLS 1.2 on port 443), without having to use SSH keys. It’s important to understand that this is NOT an SSH connection but rather an HTTPS connection.

Requirements to start using the session manager

SSM agent in version 2.3 and above

SSM Agent is preinstalled, by default, on the following Amazon Machine Images (AMIs):

  • Windows Server 2003-2012 R2 AMIs published in November 2016 or later
  • Windows Server 2016 and 2019
  • Amazon Linux
  • Amazon Linux 2
  • Ubuntu Server 16.04
  • Ubuntu Server 18.04

If the agent is not installed, it can be set up manually according to the documentation.

However, if the agent is already installed (for example because you used it for other purposes such as patching) but is at version 2.2 or lower, we can upgrade it from the AWS console.

The EC2 instance requires an IAM Instance Profile — you can follow these instructions to create a role.

It is worth remembering to also create appropriate policies that allow you to save logs to S3 or Cloudwatch.

Set up proper permissions for the IAM profile. We recommend creating your own custom policy, following the recommendations available at this link, because best practice dictates that SSM should not have any redundant permissions.
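As an added example (not part of the original post), here is what a least-privilege instance-profile policy for Session Manager with S3 and CloudWatch session logging looks like next to the tempting `ssm:*` shortcut, plus two checks you can run over any policy document before attaching it. Assumptions: the core action list follows the instance-side permissions in the AWS SSM documentation (verify against the current docs), and the bucket name is a placeholder.

```python
# Instance-side actions Session Manager needs (assumption: taken from the AWS
# SSM docs for the instance profile) plus session-log delivery permissions.
REQUIRED_INSTANCE_ACTIONS = {
    "ssm:UpdateInstanceInformation",
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
}
LOG_BUCKET = "example-session-logs"  # placeholder bucket name, not a real one

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SessionManagerCore", "Effect": "Allow",
         "Action": sorted(REQUIRED_INSTANCE_ACTIONS), "Resource": "*"},
        {"Sid": "SessionLogsToS3", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetEncryptionConfiguration"],
         "Resource": [f"arn:aws:s3:::{LOG_BUCKET}/*", f"arn:aws:s3:::{LOG_BUCKET}"]},
        {"Sid": "SessionLogsToCloudWatch", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents",
                    "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
         "Resource": "*"},
    ],
}

# The tempting shortcut: one wildcard that also grants Run Command, Parameter
# Store reads and every other SSM action the instance will never need.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ssm:*", "Resource": "*"}],
}


def allowed_actions(policy):
    """Flatten every Allow action string in an IAM policy document."""
    out = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            act = stmt["Action"]
            out.extend([act] if isinstance(act, str) else act)
    return out


def wildcard_actions(policy):
    """Actions that are '*' or 'service:*', i.e. redundant permissions."""
    return [a for a in allowed_actions(policy) if a == "*" or a.endswith(":*")]


def missing_core_actions(policy):
    """Required Session Manager actions not explicitly granted (wildcards ignored)."""
    return sorted(REQUIRED_INSTANCE_ACTIONS - set(allowed_actions(policy)))
```

`missing_core_actions` deliberately ignores wildcards, so a policy only passes both checks when it names exactly what the agent needs.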

If everything above checks out, let’s use Session Manager.

If the configuration was successful, we should have access to our server through the browser!

Thanks to this, we can easily manage servers without having to store any SSH keys!
