Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.1.5. Systems Manager Session Manager for Secure Access

💡 First Principle: Systems Manager Session Manager enables secure, auditable, and browser-based shell access to EC2 instances and on-premises servers, eliminating the need for open SSH ports or bastion hosts.

Scenario: You need to troubleshoot an application issue on a production EC2 instance that is located in a private subnet and has no open SSH ports for direct access. You need a secure and auditable way to access its shell.

For SysOps Administrators, securely accessing and managing remote servers is a fundamental task. Traditional methods like SSH or RDP often require opening inbound ports, managing SSH keys, or setting up bastion hosts, which can introduce security risks and operational complexity.

Systems Manager Session Manager is a capability of AWS Systems Manager that provides secure and auditable shell access to your instances without the need for inbound ports, SSH keys, or bastion hosts.

Key Features of Session Manager:

⚠️ Common Pitfall: Not configuring the necessary IAM permissions for users or instance profiles to allow Session Manager access.
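The pitfall above cuts both ways: a user policy can be too thin (no ssm:TerminateSession, so sessions cannot be ended cleanly) or too broad (ssm:StartSession on every instance with no condition). The following added example, which is not part of the original lesson, is a small offline audit of a Session Manager user policy; the sample policy is constructed here and follows the tag-scoped shape AWS documents, with the tag key "Environment" and the value "production" being assumptions.

```python
import json

# Constructed sample policy (not from the lesson): StartSession only on instances
# tagged Environment=production, and users may end/resume only their own sessions.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringLike": {"ssm:resourceTag/Environment": "production"}}},
    {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
     "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"}
  ]
}""")

# The three actions a user needs for a normal start/work/end session lifecycle.
SESSION_ACTIONS = {"ssm:StartSession", "ssm:TerminateSession", "ssm:ResumeSession"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_session_policy(policy):
    """Return human-readable findings for a Session Manager user policy."""
    findings, granted = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard = any(a in ("*", "ssm:*") for a in actions)
        if wildcard:
            findings.append("wildcard action grants every SSM operation, not just sessions")
            granted |= SESSION_ACTIONS
        granted |= SESSION_ACTIONS & set(actions)
        # Too broad: StartSession on any resource with nothing narrowing the target set.
        if (wildcard or "ssm:StartSession" in actions) and "*" in resources \
                and "Condition" not in stmt:
            findings.append("ssm:StartSession on Resource '*' with no Condition: "
                            "every managed instance is reachable")
    # Too thin: the plugin calls TerminateSession/ResumeSession on the user's behalf.
    for missing in sorted(SESSION_ACTIONS - granted):
        findings.append(f"missing {missing}: sessions cannot be started/ended cleanly")
    return findings


if __name__ == "__main__":
    print(audit_session_policy(SAMPLE_POLICY) or "no findings")
```

The instance side still needs its own profile with the managed-instance permissions (for example the AmazonSSMManagedInstanceCore managed policy); this script only checks the user-facing policy.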

Key Trade-Offs: Enhanced security and auditability (Session Manager) versus traditional SSH/RDP (simpler for small scale, but higher security risk).

Reflection Question: How does Systems Manager Session Manager, by enabling secure, auditable, and browser-based shell access without opening SSH ports or using bastion hosts, fundamentally simplify and enhance the security of remote management for EC2 instances?