AWS SSM Session Manager Overview
- Introduction to SSM Session Manager:
  - SSM Session Manager is a tool for initiating a secure shell environment on EC2 instances and on-premises servers.
  - Accessible through the AWS Management Console, the AWS CLI, or the Session Manager SDK.
  - Eliminates the need for direct SSH access, bastion hosts, or SSH keys.
- How SSM Session Manager Works:
  - Requires EC2 instances to run the SSM Agent with the appropriate permissions to register with the SSM service.
  - Users connect to the Session Manager service with the correct IAM permissions.
  - Session Manager then executes commands on the EC2 instance through the agent, similar to the Run Command feature.

- Features and Benefits:
  - Supports Linux, macOS, and Windows.
  - All connections and executed commands are logged for security and compliance.
  - Logs can be sent to Amazon S3 or CloudWatch Logs.
  - CloudTrail records StartSession API events, which can drive automation, compliance checks, and alerting.
- IAM Permissions and Access Control:
  - IAM permissions control which users or groups can use Session Manager and which instances they can reach.
  - Access can be restricted to specific EC2 instances using tags.
  - The example IAM policy below allows connecting to instances tagged environment: dev.
  - Access to SSM, plus write permissions to S3 and CloudWatch Logs, is necessary for logging.
  - Optionally, command restrictions can be applied for enhanced security.
- Security Advantages Over SSH:
  - No need to open security group inbound rules.
  - Users with the correct IAM permissions can use Session Manager without exposing instance ports.
  - All session data can be logged to Amazon S3 or CloudWatch Logs for auditability.

- Conclusion:
  - Session Manager is a secure and controlled method for accessing and managing EC2 instances.
  - The next lecture will include hands-on activities to reinforce the concepts learned.
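The notes above say CloudTrail records StartSession events and that those events can feed alerting. The script below is an added example (not part of the lecture, not AWS code) of what that alerting logic can look like: it reads a CloudTrail log body, keeps only the Session Manager StartSession records, and flags sessions whose target is outside the expected dev inventory, whose session document is not a plain shell (for example port forwarding), or that start outside business hours. The CloudTrail records, the account id 123456789012, the instance ids, user names and IP addresses are all constructed sample data; the inventory DEV_INSTANCES and the business-hours window are assumptions you would replace with your own.

```python
"""
Added example (not from the lecture): scan CloudTrail records for Session Manager
StartSession events and raise findings. Every record below is constructed sample
data; the account id, instance ids, user names and IP addresses are placeholders.
"""
import json
from datetime import datetime, timezone

# Constructed CloudTrail records in the shape CloudTrail uses for Systems Manager
# API calls (eventSource "ssm.amazonaws.com", eventName "StartSession").
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {
        "eventVersion": "1.08",
        "eventTime": "2024-05-06T09:12:44Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"target": "i-0aaaa1111bbbb2222",
                              "documentName": "SSM-SessionManagerRunShell"},
        "responseElements": {"sessionId": "alice-0f1e2d3c4b5a6978"},
    },
    {
        "eventVersion": "1.08",
        "eventTime": "2024-05-06T02:41:03Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"target": "i-0cccc3333dddd4444",
                              "documentName": "AWS-StartPortForwardingSession"},
        "responseElements": {"sessionId": "bob-0a9b8c7d6e5f4321"},
    },
    {   # unrelated SSM call; the filter must ignore it
        "eventTime": "2024-05-06T09:15:00Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "DescribeInstanceInformation",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {},
    },
]})

# Assumed inventory: the instances the environment: dev policy is meant to reach.
DEV_INSTANCES = {"i-0aaaa1111bbbb2222"}
# Session documents that are plain interactive shells; anything else (port
# forwarding, SSH tunnelling) deserves a closer look.
SHELL_DOCUMENTS = {"SSM-SessionManagerRunShell"}
BUSINESS_HOURS = range(8, 19)  # assumed 08:00-18:59 UTC


def start_session_events(cloudtrail_json):
    """Return only the StartSession records from a CloudTrail log file body."""
    records = json.loads(cloudtrail_json)["Records"]
    return [r for r in records
            if r.get("eventSource") == "ssm.amazonaws.com"
            and r.get("eventName") == "StartSession"]


def analyse_session(record, allowed_targets=DEV_INSTANCES):
    """Build a finding for one StartSession record: who, from where, to which
    instance, and every reason it deserves attention (empty list = benign)."""
    params = record.get("requestParameters") or {}
    target = params.get("target", "")
    document = params.get("documentName", "SSM-SessionManagerRunShell")
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    when = when.replace(tzinfo=timezone.utc)
    reasons = []
    if target not in allowed_targets:
        reasons.append("target outside the dev instance inventory")
    if document not in SHELL_DOCUMENTS:
        reasons.append(f"non-shell session document {document}")
    if when.hour not in BUSINESS_HOURS:
        reasons.append("started outside business hours")
    identity = record["userIdentity"]
    return {
        "user": identity.get("userName", identity.get("arn")),
        "source_ip": record.get("sourceIPAddress"),
        "target": target,
        "session_id": (record.get("responseElements") or {}).get("sessionId"),
        "time": when.isoformat(),
        "reasons": reasons,
    }


def findings(cloudtrail_json):
    """Findings for every StartSession in the log, most suspicious first."""
    results = [analyse_session(r) for r in start_session_events(cloudtrail_json)]
    return sorted(results, key=lambda f: len(f["reasons"]), reverse=True)


if __name__ == "__main__":
    for f in findings(SAMPLE_CLOUDTRAIL):
        flag = "ALERT" if f["reasons"] else "ok   "
        print(f"{flag} {f['time']} {f['user']}@{f['source_ip']} -> {f['target']} "
              f"session={f['session_id']} {'; '.join(f['reasons'])}")
```

Run against the sample, alice's daytime shell session to a dev instance comes out clean, while bob's 02:41 port-forwarding session to a non-dev instance collects three reasons. The same functions apply unchanged to a real CloudTrail file body delivered to S3 (after gunzip), or to individual records forwarded by an EventBridge rule.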
Example IAM Policy for SSM Session Manager Access
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/environment": "dev"
        }
      }
    }
  ]
}
This policy allows a user to start a session with any EC2 instance tagged environment: dev (the condition key is ssm:resourceTag/<key>, which is the key ssm:StartSession evaluates against instance tags; ec2:ResourceTag is only evaluated by EC2 actions). It grants no logging permissions: session logs are uploaded by the SSM Agent on the instance, so the write permissions to the S3 bucket and to CloudWatch Logs belong on the instance profile role, not on the user's policy.
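To make the tag condition concrete, here is an added example (not from the lecture, not AWS's evaluation engine) of a deliberately simplified policy evaluator: it supports only what this policy uses (Allow/Deny effects, wildcard matching on Action and Resource, and StringEquals on ssm:resourceTag/<key>), and it shows why an instance tagged environment: prod and an untagged instance are both unreachable under the policy. The policy is embedded with the condition key ssm:resourceTag/environment, the key ssm:StartSession evaluates against instance tags. The instance inventory, instance ids, region and account id are constructed placeholders. Real IAM evaluation has many more rules (other operators, policy types, session policies, resource policies), so treat this as an illustration of the condition logic, not as a substitute for testing in AWS.

```python
"""
Added example (not from the lecture): a simplified evaluator for the tag-scoped
ssm:StartSession policy. Only the features the policy uses are implemented.
"""
import fnmatch
import json

POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/environment": "dev"
        }
      }
    }
  ]
}
""")

# Constructed inventory of instances and their tags (ids are placeholders).
INSTANCES = {
    "i-0aaaa1111bbbb2222": {"environment": "dev", "team": "payments"},
    "i-0cccc3333dddd4444": {"environment": "prod", "team": "payments"},
    "i-0eeee5555ffff6666": {},  # untagged instance
}


def instance_arn(region, account, instance_id):
    """ARN form that ssm:StartSession uses for EC2 instance targets."""
    return f"arn:aws:ec2:{region}:{account}:instance/{instance_id}"


def _as_list(value):
    """IAM allows a single string or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def condition_matches(condition, tags):
    """Evaluate a Condition block that uses only StringEquals on ssm:resourceTag/<key>.
    A tag key missing from the instance makes StringEquals false, which is why an
    untagged instance is not reachable under the policy."""
    prefix = "ssm:resourceTag/"
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not supported in this example")
        for key, expected in pairs.items():
            if not key.startswith(prefix):
                raise NotImplementedError(f"condition key {key} not supported in this example")
            actual = tags.get(key[len(prefix):])
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource_arn, tags):
    """Explicit Deny wins; otherwise any matching Allow grants; otherwise implicit deny."""
    decision = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def can_start_session(instance_id, policy=POLICY, region="us-east-1", account="123456789012"):
    """Decide whether the policy lets a caller run ssm:StartSession on the instance."""
    arn = instance_arn(region, account, instance_id)
    return is_allowed(policy, "ssm:StartSession", arn, INSTANCES[instance_id])


if __name__ == "__main__":
    for iid, tags in INSTANCES.items():
        print(f"{iid} tags={tags or '{}'} -> {'allowed' if can_start_session(iid) else 'denied'}")
```

Only the dev-tagged instance is allowed; the prod-tagged and untagged instances fall through to the implicit deny. When checking a real policy, the authoritative equivalent of this evaluator is the IAM policy simulator (aws iam simulate-principal-policy or simulate-custom-policy), which applies the full evaluation rules.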