AWS Session Manager: A Secure Alternative to SSH/RDP
Managing secure access to AWS instances, especially those in private subnets, is essential. Traditionally, organizations use jump servers or bastion hosts to reach these resources. However, this method introduces security risks and administrative challenges. AWS Session Manager provides a more secure, efficient, and cross-platform alternative to SSH and RDP.
In this article, we’ll explain how AWS Session Manager works, highlight its advantages over SSH/RDP, and guide you through the setup process on EC2 instances.

How the Traditional Jump Server Method Works
Organizations typically use jump servers (or bastion hosts) to access private AWS resources. Here’s how the traditional SSH/RDP method works:
- SSH or RDP Access: The user first connects to the jump server using SSH (Port 22) for Linux or RDP (Port 3389) for Windows.
- Key Pair Requirement: The user must have the correct key pair linked to the instance to access the jump server.
- Connecting to Private Resources: After accessing the jump server, the user establishes a second SSH or RDP connection to reach the private EC2 instance or other resources.
While this method can secure access, it requires managing public IPs, configuring security groups, and maintaining access rules. These tasks can increase the administrative load and security risks.
Why Switch to AWS Session Manager?
AWS Session Manager allows you to securely and easily access EC2 instances without the need for jump servers. This approach simplifies access, improves security, and supports a cross-platform experience. Here are the key benefits:
1. Cross-Platform Access
AWS Session Manager removes the need for separate tools for SSH or RDP. Whether you use Linux, Windows, or macOS, you can access EC2 instances securely, without worrying about platform-specific tools.
2. Quick, Secure Access
With AWS Session Manager, you don’t need to open SSH or RDP ports or manage complex security groups. Instead, you can access your EC2 instances quickly via the AWS Management Console or AWS CLI.
3. Centralized Security Management
You can control permissions through IAM (Identity and Access Management). This centralized system allows you to grant or deny access based on user roles and instance policies, giving you better control over your infrastructure.
4. Integrated Logging and Auditing
AWS Session Manager integrates with AWS services like CloudTrail, CloudWatch, and Amazon S3 to track user activity. This integration enables you to monitor session history, set up alerts, and ensure compliance.
5. No Open Ports Required
By using AWS Session Manager, you avoid exposing SSH or RDP ports to the internet. This significantly reduces your attack surface and enhances your security posture.
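A check that supports the "no open ports" benefit above when migrating off bastion hosts: the Python below is an added example, not code from the original article, and it scans output shaped like `aws ec2 describe-security-groups` for SSH or RDP rules still open to the whole internet. The sample data and group IDs are constructed for illustration.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY = "0.0.0.0/0"

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# Group IDs are made up for this example.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-example-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY}]}]},
    {"GroupId": "sg-example-ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY}]}]},
]}


def is_anywhere(cidr):
    """True for 0.0.0.0/0 and ::/0. Wider-than-needed ranges such as /1 are
    not flagged; that is a deliberate simplification."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_admin_rules(response):
    """Return (group_id, service, cidr) for each internet-open SSH/RDP rule."""
    findings = []
    for group in response.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            public = [c for c in cidrs if is_anywhere(c)]
            # Protocol "-1" means all traffic and carries no port fields.
            low = 0 if proto == "-1" else perm.get("FromPort", 0)
            high = 65535 if proto == "-1" else perm.get("ToPort", 65535)
            for port, service in ADMIN_PORTS.items():
                if low <= port <= high:
                    findings += [(group["GroupId"], service, c) for c in public]
    return findings
```

Port ranges and "all traffic" rules are covered because a rule for 3000-4000 or protocol `-1` exposes RDP just as a rule for port 3389 does.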
Setting Up AWS Session Manager on EC2 Instances
Before using AWS Session Manager, ensure your EC2 instances meet the necessary prerequisites.
Prerequisites for Linux Instances
SSM Agent comes preinstalled on Amazon Linux 2, Amazon Linux 2 ECS-Optimized AMIs, and most modern Ubuntu versions (16.04, 18.04, and 20.04). If you use a custom Linux AMI, check whether SSM Agent is installed. If not, follow this guide to install it.
Prerequisites for Windows Instances
For Windows Server 2008-2012 R2 (AMIs published after November 2016) and newer versions (Windows Server 2016 and 2019), SSM Agent is preinstalled. For other versions, refer to the AWS documentation for installation instructions.
Prerequisites for macOS Instances
SSM Agent is preinstalled on EC2 instances running macOS 10.14.x (Mojave), 10.15.x (Catalina), and 11.x (Big Sur). If you remove the agent, follow this guide to reinstall it.
After installing the agent, attach the necessary IAM role to your instance.
How to Enable AWS Session Manager
- Create an IAM Role: First, create an IAM role that grants Systems Manager the necessary permissions to access the EC2 instance. Then, attach this role to your EC2 instance via Actions > Security > Modify IAM role in the AWS console.
- Access via AWS Management Console: Navigate to the AWS Systems Manager console, and click on Session Manager under Node Management. If your instance is configured correctly, it will appear in the Target Instances list.
- Start a Session: Once the instance appears, click on it to start the session directly from the browser. No need for additional ports or external access tools.
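When an instance does not show up in the Target Instances list after these steps, comparing two API responses usually locates the cause. The Python below is an added example, not code from the original article; it works on constructed data shaped like `aws ec2 describe-instances` and `aws ssm describe-instance-information` output, and the state names and hints are this example's own labels.

```python
# Constructed samples shaped like `aws ec2 describe-instances` and
# `aws ssm describe-instance-information` output. IDs and ARN are made up.
PROFILE = {"Arn": "arn:aws:iam::111122223333:instance-profile/example-ssm"}
INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-example-a", "IamInstanceProfile": PROFILE},
    {"InstanceId": "i-example-b"},
    {"InstanceId": "i-example-c", "IamInstanceProfile": PROFILE},
    {"InstanceId": "i-example-d", "IamInstanceProfile": PROFILE},
]}]}
MANAGED = {"InstanceInformationList": [
    {"InstanceId": "i-example-a", "PingStatus": "Online"},
    {"InstanceId": "i-example-d", "PingStatus": "ConnectionLost"},
]}

# Hypothetical state labels used by this example, with a next step for each.
HINTS = {
    "ready": "should appear as a Session Manager target",
    "no-instance-profile": "attach the IAM role to the instance",
    "not-registered": "check role permissions, that SSM Agent is running, "
                      "and that the instance can reach Systems Manager",
    "agent-offline": "agent registered earlier but is not reporting now",
}


def diagnose(instances, managed):
    """Map each instance ID to one of the HINTS keys."""
    ping = {m["InstanceId"]: m.get("PingStatus")
            for m in managed.get("InstanceInformationList", [])}
    report = {}
    for reservation in instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            if "IamInstanceProfile" not in inst:
                report[iid] = "no-instance-profile"
            elif iid not in ping:
                report[iid] = "not-registered"
            elif ping[iid] != "Online":
                report[iid] = "agent-offline"
            else:
                report[iid] = "ready"
    return report


if __name__ == "__main__":
    for iid, state in diagnose(INSTANCES, MANAGED).items():
        print(f"{iid}: {state} ({HINTS[state]})")
```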
Optimize Your AWS Infrastructure with ZippyOPS
At ZippyOPS, we specialize in DevOps, DevSecOps, and Cloud solutions to enhance your AWS infrastructure’s security and efficiency. Our team offers consulting, implementation, and managed services to integrate tools like AWS Session Manager into your workflow.
We also help optimize processes in Automated Ops, Microservices, and Security, making your cloud environment more robust and efficient.
For further details or a consultation, contact us at sales@zippyops.com.
Conclusion
Switching to AWS Session Manager improves both security and operational efficiency. By removing the need for open SSH and RDP ports, simplifying access management, and integrating with IAM for centralized control, you can significantly enhance your EC2 access security.
If you want to optimize your AWS infrastructure and leverage secure access methods like AWS Session Manager, ZippyOPS can help guide your implementation.



