Go Bastionless – Access private EC2 instances using SSM Session Manager

You might already know that private instances can't be accessed directly unless you have a VPN, Direct Connect or some other sort of network connectivity to your VPC.

We need some sort of intermediary instance, often called a Bastion Host, residing in your public subnet to connect to your private instances.

Using SSM Session Manager, we can now connect to our private instances directly without Bastion Hosts.

You don’t need to open any ports, not even the SSH port, in your security groups to IPs or CIDR blocks. This adds an additional layer of security to your EC2 instances.

Pre-requisites

Local Machine

  1. AWS CLI – Version 1.16.12 or higher

  2. Session Manager Plugin

EC2 Instance

  1. SSM Agent: Version 2.3.68.0 or later

  2. IAM role with the managed policy arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore attached to the EC2 instance

Session Manager Plugin Binaries

  1. https://s3.amazonaws.com/session-manager-downloads/plugin/latest/windows/SessionManagerPluginSetup.exe

  2. https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac/sessionmanager-bundle.zip

  3. https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm

  4. https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb

Session Manager plugin installation

unzip sessionmanager-bundle.zip
sudo python3 sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin    

Terraform templates

https://github.com/kheriox-technologies/go-bastionless    

SSH Config

# File: ~/.ssh/config
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"    

Start session

# using AWS CLI
aws ssm start-session --target i-1234567

# using SSH
ssh -i keypair ec2-user@i-123456778            
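
Once sessions go through Session Manager, the "no open ports" point above can be verified. The following is an added example (not from the original post or its Terraform repository) that scans output in the shape of `aws ec2 describe-security-groups` for ingress rules that still reach port 22; the sample JSON, group IDs and function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "private-app", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0bbb", "GroupName": "legacy", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0ccc", "GroupName": "ssm-only", "IpPermissions": []}
]}
""")

def covers_ssh(perm, port=22):
    """True if an ingress rule admits TCP traffic to the SSH port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                 # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):     # "6" is TCP given as a protocol number
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi

def ssh_ingress_findings(doc):
    """List (group_id, source) for every ingress rule that still reaches port 22."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not covers_ssh(perm):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            sources += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
            findings += [(sg["GroupId"], s) for s in sources]
    return findings

if __name__ == "__main__":
    for group_id, source in ssh_ingress_findings(SAMPLE):
        print(f"{group_id}: port 22 still reachable from {source}")
```

Any group it reports is a candidate for having its SSH ingress rule removed, since neither `aws ssm start-session` nor the SSH ProxyCommand path needs an inbound port.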
