DEV Community

David Krohn for AWS Community Builders

Originally published at globaldatanet.com

SSH and SCP with AWS SSM

Using AWS Session Manager with enhanced SSH and SCP capability to connect to your EC2 without using firewalls and bastion hosts

Amazon Web Services recently announced new capabilities in the AWS Systems Manager Session Manager. Users are now capable of tunneling SSH (Secure Shell) and SCP (Secure Copy) connections directly from a local client without the need for the AWS management console.

For years, users have relied on firewalls and bastion hosts in order to securely access cloud assets, but these options have security and management overhead tradeoffs. The Session Manager allows for secure, audited console access to cloud resources without the need for additional ingress points.


Local Prerequisites

In order to perform SCP and SSH operations from your local host to the remote cloud asset, you will need to perform the following setup steps on your client.

Install the latest AWS CLI

Update to the latest AWS CLI – an up-to-date command line interface is required on your local host in order to use these new Session Manager features. The AWS CLI version must be at least 1.16.213.

Check the installed version with: aws --version

Install the Session Manager Plugin

Install the Session Manager Plugin – this plugin allows the AWS CLI to launch Session Manager sessions from your local SSH client. The plugin version must be at least 1.1.26.0.

Check the installed version with: session-manager-plugin --version

Update local host SSH config

The tricky part of this setup is altering your local SSH configuration so that connections to any AWS EC2 instance ID are proxied through Session Manager.

  1. Download the AWS SSM SSH ProxyCommand script
  2. Move this script to ~/.ssh/aws-ssm-ec2-proxy-command.sh
  3. Make it executable: chmod +x ~/.ssh/aws-ssm-ec2-proxy-command.sh
  4. Add the following entry to your ~/.ssh/config:

host i-* mi-*
  ProxyCommand ~/.ssh/aws-ssm-ec2-proxy-command.sh %h %r %p

EC2 Prerequisites

You will need to perform the following setup steps on your target EC2 instance.

Instance Profile

By default, AWS Systems Manager doesn't have permission to perform actions on your instances. You must grant access by using an AWS Identity and Access Management (IAM) instance profile. An instance profile is a container that passes IAM role information to an Amazon Elastic Compute Cloud (Amazon EC2) instance at launch. You need to add the SSM permissions to your instance profile.

SSM Agent

Ensure the latest SSM Agent is installed and running on the target instance:

yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
service amazon-ssm-agent restart

Firewall Configuration

Ensure the security group allows outbound traffic to Systems Manager. No inbound SSH port is required.
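As an added example (not part of the original post), the EC2 prerequisites above as a script: it creates an instance profile carrying only the managed policy the SSM Agent needs, attaches it to a running instance, and checks that the instance has registered with Systems Manager. The role name ssm-session-role is a placeholder, and the instance ID is passed as the script's only argument.

```shell
#!/bin/sh
# Added example, not from the original post: least-privilege instance profile
# for Session Manager plus a registration check. Assumes a configured AWS CLI;
# ROLE_NAME is a placeholder you can override from the environment.
set -eu

ROLE_NAME="${ROLE_NAME:-ssm-session-role}"   # hypothetical name

# Trust policy: only the EC2 service may assume this role.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# AmazonSSMManagedInstanceCore grants just what the agent needs to register
# and receive sessions; the older AmazonEC2RoleforSSM is considerably broader.
SSM_CORE_POLICY_ARN="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

create_instance_profile() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn "$SSM_CORE_POLICY_ARN"
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
}

# Attach the profile to a running instance and print the agent's PingStatus.
# ssh over SSM only works once this reports Online; if it does not, restart
# the agent on the instance so it picks up the new role credentials.
attach_and_verify() {
  aws ec2 associate-iam-instance-profile --instance-id "$1" \
    --iam-instance-profile "Name=$ROLE_NAME"
  aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$1" \
    --query 'InstanceInformationList[0].PingStatus' --output text
}

# Run only when an instance ID is given; otherwise just define the functions.
if [ "$#" -eq 1 ]; then
  create_instance_profile
  attach_and_verify "$1"
fi
```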

Usage

Once these steps are complete, you will be ready to initiate SSH and SCP connections to your cloud assets directly from your local machine.

Obtain the instance ID of the cloud asset. This can be done via the AWS management console or with the AWS CLI command aws ec2 describe-instances, and it will have a format similar to i-0ba3d05e2b6c0fb36.

SSH can be used as normal with the instance ID as the hostname. Most SSH command-line switches, such as those for specifying a key, work as usual. For example:

export AWS_PROFILE='default'
ssh ec2-user@i-0ba3d05e2b6c0fb36

These connections are secured by IAM access control and generate CloudTrail events for logging and monitoring.

While immutable infrastructure is a desired goal for multiple reasons, many will find themselves with a need to access or alter systems running live. The AWS Systems Manager Session Manager allows this capability without the need for additional firewall ingress or bastion hosts.

Update: Use SSO with AWS CLI v2 to connect to EC2 over SSH using SSM

Prerequisites

Log in via SSO - AWS CLI v2 - to connect to an EC2 instance over SSH using SSM

Update local host SSH config

  • Add the following entry to your ~/.ssh/config:

# SSH over Session Manager
host i-* mi-*
  IdentityFile ~/.ssh/id_rsa
  ProxyCommand ~/.ssh/aws-ssm-ec2-proxy-command.sh %h %r %p ~/.ssh/id_rsa.pub
  StrictHostKeyChecking no

Usage

  1. Log in to AWS SSO: aws2 sso login --profile default

  2. Export AWS_PROFILE: export AWS_PROFILE='default'

  3. SSH into your instance with the following command:

ssh -i /path/my-key-pair.pem ec2-user@instance-id
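The ProxyCommand script is downloaded in both setups above, not shown. As an added example (not the script the post links to), here is a minimal proxy that works with either ~/.ssh/config entry: it validates the instance ID, optionally installs the public key passed as the fourth argument for 60 seconds via Run Command, and then proxies ssh through the AWS-StartSSHSession document. It assumes the AWS CLI, the Session Manager plugin and an exported AWS_PROFILE (after aws sso login for CLI v2) on the local host.

```shell
#!/bin/sh
# Added example, not the post's ProxyCommand script. ssh invokes it as:
#   aws-ssm-ec2-proxy-command.sh %h %r %p [path/to/key.pub]
# Assumes AWS CLI >= 1.16.213, the Session Manager plugin, and AWS_PROFILE.
set -eu

# Accept only EC2 (i-) and hybrid managed-instance (mi-) IDs of 8 or 17 hex
# characters, so an ordinary hostname is never handed to start-session.
validate_instance_id() {
  expr "$1" : 'm\{0,1\}i-[0-9a-f]\{8,17\}$' >/dev/null
}

# Remote script: install a public key (passed base64-encoded so the command
# needs no quoting) for 60 seconds, then strip it from authorized_keys again.
# $1 = remote user, $2 = base64 of the .pub line
remote_key_script() {
  s="mkdir -p ~$1/.ssh && cd ~$1/.ssh && echo $2 | base64 -d > .ssm_key"
  s="$s && (echo; cat .ssm_key) >> authorized_keys && sleep 60"
  s="$s; grep -v -F -f .ssm_key authorized_keys > .ak; mv .ak authorized_keys; rm -f .ssm_key"
  printf '%s' "$s"
}

# The key push is an SSM Run Command, so unlike the SSH bytes inside the
# tunnel it leaves a CloudTrail record of who granted access to which host.
push_temporary_key() {
  b64="$(base64 < "$3" | tr -d '\n')"
  aws ssm send-command --instance-ids "$1" \
    --document-name AWS-RunShellScript \
    --comment "temporary ssh key for $2 (60s)" \
    --parameters "{\"commands\":[\"$(remote_key_script "$2" "$b64")\"]}" \
    --output text >/dev/null
}

main() {
  host="$1"; user="$2"; port="$3"
  validate_instance_id "$host" || { echo "not an instance id: $host" >&2; exit 1; }
  [ "$#" -ge 4 ] && push_temporary_key "$host" "$user" "$4"
  # AWS-StartSSHSession proxies the ssh byte stream over the SSM channel; the
  # instance is selected by ID and authorised by IAM, not by an inbound port.
  exec aws ssm start-session --target "$host" \
    --document-name AWS-StartSSHSession --parameters "portNumber=$port"
}

# Without ssh's arguments (e.g. when sourced), only define the functions.
if [ "$#" -ge 3 ]; then main "$@"; fi
```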

Top comments (2)

Gert Leenders

Hi David, great article. The method you describe here is definitely the easiest and the one that feels the most familiar. The downside of both using SCP and SSH with Session Manager is this note from AWS:

Logging is not available for Session Manager sessions that connect through port forwarding or SSH. This is because SSH encrypts all session data, and Session Manager only serves as a tunnel for SSH connections.

Personally, that's not functionality I want to lose using Session Manager; the tradeoff is indeed some extra complexity. It's a personal choice of course. I just wanted to mention it. I've written my opinion down in my own blog post on this platform (although I'm not going to add a shameless plug 😄)

Ari Kalfus

Ooh, thanks for calling that out