Last updated on March 20, 2023
As more workloads are migrated to the cloud, security should always be a top priority. Some organizations fail to consider security and pay the price of having their workloads compromised. A common example is an EC2 instance with its SSH inbound port open to the world, which gives attackers anywhere on the Internet unrestricted access to that port.
Luckily, AWS has a service that lets you connect to your EC2 instances without opening any inbound port, eliminating this particular risk: AWS Systems Manager Session Manager.
Session Manager is a fully managed AWS Systems Manager capability. You can use an interactive one-click browser-based shell or the AWS Command Line Interface (AWS CLI). Session Manager provides secure and auditable node management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.
Session Manager also allows you to comply with corporate policies that require controlled access to managed nodes, strict security practices, and fully auditable logs with node access details while providing end users with simple one-click cross-platform access to your managed nodes.
Let’s do a hands-on exercise to understand Session Manager better. For this hands-on, we will create:
- an IAM Role that has the necessary managed policy to allow Session Manager access to the EC2 instance.
- an EC2 instance without any inbound rule.
Step 1. Creating the IAM Role
- In the AWS Management Console, go to IAM > Roles > Create Role. Under Trusted entity type, choose AWS service; under Use case, choose EC2. Hit Next to proceed to the next step.
- Under Permission policies, search for AmazonSSMManagedInstanceCore; this managed policy contains the permissions Session Manager needs in order to work. Tick its checkbox and hit Next.
- Enter a Role name. For this example, let’s name it ec2-session-manager-role. Scroll down to the bottom and hit Create role.
This creates the IAM Role that we will attach to the EC2 instance that will use Session Manager.
Step 2. Creating the EC2 instance that will use Session Manager
- Go to the EC2 dashboard and click Launch instance.
- Under Launch an instance, fill in Name and tags. For this instance, let’s name it TD-labs-session-manager.
- Under Application and OS Images (Amazon Machine Image), to keep things simple, choose Amazon Linux. This ensures that the SSM Agent, which Session Manager requires, is already installed.
- Under Instance type, choose t2.micro to stay within the free tier. Under Key pair name, choose Proceed without a key pair for simplicity.
- In Network settings, click Edit. Choose a subnet that has internet access and enable Auto-assign public IP. Choose Create security group and type a Security group name; for this example, SG-without-inbound-rule. Add a Description. Under Inbound security group rules, make sure that no rules are included, as Session Manager does not require inbound rules to connect to the instance.
- In Advanced details, under IAM instance profile, choose the IAM Role created in Step 1 (ec2-session-manager-role in this example).
- Under Summary, click Launch instance to start provisioning the EC2 instance.
- Wait for the Instance state to change from Pending to Running, and make sure the Status check shows 2/2 checks passed.
- Under the instance Details, take note of the Private IP DNS name.
- Now let’s try to connect via Session Manager. Right-click on the instance and choose Connect.
- Under Connect to instance, navigate to the Session Manager tab and click Connect.
We have successfully connected to the EC2 instance via Session Manager, even without any inbound rules. We can verify that this is the same instance by typing hostname; it displays the same Private IP DNS name that we noted earlier.
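The two things the walkthrough above sets up (a role with AmazonSSMManagedInstanceCore attached, and a security group with no inbound rules) are also the two things worth checking across an account afterwards, since the exposure described in the introduction is an SSH rule open to 0.0.0.0/0. The following Python audit is an added example, not code from the original article or from AWS. It runs offline over constructed sample data shaped like the JSON that `aws ec2 describe-security-groups` and `aws iam list-attached-role-policies` return; the group names and rules in the sample are constructed for this example, and the policy ARN is the real ARN of the AWS managed policy.

```python
"""Offline audit of the Session Manager posture described in the walkthrough.

Takes data shaped like the JSON returned by
`aws ec2 describe-security-groups` and `aws iam list-attached-role-policies`
and reports, per security group, how many inbound rules it has and whether any
of them exposes SSH (TCP/22) to the whole Internet; and, per role, whether the
AmazonSSMManagedInstanceCore policy that Session Manager needs is attached.
All sample data below is constructed for this example.
"""
from __future__ import annotations

# Real ARN of the AWS managed policy used in Step 1.
SSM_CORE_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_ssh(perm: dict) -> bool:
    """True if an IpPermissions entry includes TCP port 22 (or all protocols)."""
    proto = str(perm.get("IpProtocol", ""))
    if proto == "-1":  # -1 means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 0)


def rule_is_world_open(perm: dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is the whole Internet."""
    v4 = any(r.get("CidrIp") in WORLD_CIDRS for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") in WORLD_CIDRS for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def audit_security_group(sg: dict) -> dict:
    """Summarise the inbound posture of one security group."""
    inbound = sg.get("IpPermissions", [])
    ssh_world = any(rule_covers_ssh(p) and rule_is_world_open(p) for p in inbound)
    return {
        "GroupName": sg.get("GroupName"),
        "InboundRuleCount": len(inbound),
        "SshOpenToWorld": ssh_world,
    }


def role_has_ssm_core(attached_policies: list[dict]) -> bool:
    """True if the instance role carries the managed policy Session Manager needs."""
    return any(p.get("PolicyArn") == SSM_CORE_POLICY_ARN for p in attached_policies)


# Constructed sample: one group like the article's opening example (SSH open to
# the world) and one like the group built in Step 2 (no inbound rules at all).
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupName": "ssh-open-to-world",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {"GroupName": "SG-without-inbound-rule", "IpPermissions": []},
]

# Constructed sample: the policies attached to the role created in Step 1.
SAMPLE_ROLE_POLICIES = [
    {"PolicyName": "AmazonSSMManagedInstanceCore", "PolicyArn": SSM_CORE_POLICY_ARN},
]


def run_audit(groups=SAMPLE_SECURITY_GROUPS, policies=SAMPLE_ROLE_POLICIES) -> dict:
    """Run both checks and return a report dict."""
    return {
        "groups": [audit_security_group(g) for g in groups],
        "role_ready_for_session_manager": role_has_ssm_core(policies),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_audit(), indent=2))
```

To run it against a real account, pass the `SecurityGroups` list from `aws ec2 describe-security-groups --output json` as `groups` and the `AttachedPolicies` list from `aws iam list-attached-role-policies --role-name ec2-session-manager-role --output json` as `policies`. A group reported with `SshOpenToWorld` true is the exposure the introduction warns about; a group with `InboundRuleCount` of 0 together with a role that has the core policy attached is the posture this walkthrough produces.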
By leveraging Session Manager, organizations gain the following benefits:
- Centralized access control to managed nodes using IAM policies
- No open inbound ports and no need to manage bastion hosts or SSH keys
- One-click access to managed nodes from the console and CLI
- Connectivity to both Amazon EC2 instances and managed nodes in hybrid environments and the cloud
- Port forwarding
- Cross-platform support for Windows, Linux, and macOS
- Logging and auditing of session activity