Stop opening port 22 for SSH (or any other inbound port). AWS SSM Session Manager can broker SSH connections to your instances from your CLI, including instances on private subnets with no public IP, with access controlled by IAM policies instead of open ports.
You can "ssh" to your instances through Session Manager from your CLI and also open tunnels, which lets you use features like VSCode remote development (example included).
Prerequisites:
- the AWS CLI
- the Session Manager plugin for the AWS CLI
- Session Manager enabled in your account using the linked Terraform (this is a fork; feel free to use the original)
- an instance launched with the instance profile created by the above Terraform
Basic SSH connection:

```
aws ssm start-session --target i-<your instance id>
```
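An added example of the IAM side of this setup (this policy is not part of the original post or its Terraform): a least-privilege policy for the user or role running `aws ssm start-session`. It allows sessions only on instances carrying a constructed `SSMAccess=true` tag, only with the default shell document or the `AWS-StartSSHSession` document the VSCode tunnel uses, and lets callers terminate or resume only their own sessions. `<region>`, `<account-id>` and the tag name are placeholders to replace.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnTaggedInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:<region>:<account-id>:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/SSMAccess": "true" }
      }
    },
    {
      "Sid": "AllowOnlyShellAndSshDocuments",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ssm:<region>:<account-id>:document/SSM-SessionManagerRunShell",
        "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
      ],
      "Condition": {
        "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" }
      }
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    },
    {
      "Sid": "ReadOnlyLookups",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus",
        "ssm:DescribeInstanceInformation",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
```

Instances without the tag are denied at `StartSession` time even if their SSM agent is registered, and the `ssm:SessionDocumentAccessCheck` condition prevents callers from bypassing the document restriction. Pair this with CloudTrail and Session Manager session logging so each connection is attributable to the IAM principal that opened it.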
VSCode via tunnel:
1. Enable the VSCode remote plugin
2. Copy your public SSH key to the instance (unless you already added it via user data)
3. Add your connection to VSCode
4. Update your local ssh config (`vim ~/.ssh/config`) with:

```
Host i-<your instance id>
    ProxyCommand sh -c "aws ssm start-session --profile <your aws profile name> --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
```

5. Connect with VSCode
Bonus! Use the Terraform above to deploy VPC endpoints so no traffic between SSM and your instance goes over the internet:

```
vpc_endpoints_enabled = true
```
Troubleshooting:
- Does your user have IAM permissions to access SSM (in particular `ssm:StartSession` on the instance and on the session document)?
- Did I miss something? Please let me know in the comments and I'll update!