[HN Gopher] AWS Session Manager: less infrastructure, more features
___________________________________________________________________
AWS Session Manager: less infrastructure, more features
Author : jon918
Score : 169 points
Date : 2020-03-16 14:16 UTC (8 hours ago)
web link (github.com)
| peterwwillis wrote:
| It's great for managing active SSH sessions, but not so much for the other purpose for bastions: fine-grained network access control+routing. It would be cool if they made a more specific version of this just for network traffic without the SSH component.
| mdaniel wrote:
| FWIW, the project is open source, so you could build a modified agent for your purposes and inject it via cloud-init or your favorite config management tool: https://github.com/aws/amazon-ssm-agent
| mishappen wrote:
| Be careful with SSM in general. The documentation suggests adding the AmazonEC2RoleforSSM policy to the role of the EC2 instances you want to access via Session Manager. This role grants read/write to all S3 buckets in your account (amongst other things). See this article for better steps and unavoidable risky things: https://cloudonaut.io/aws-ssm-is-a-trojan-horse-fix-it-now/
| jcrites wrote:
| > The documentation suggests adding the AmazonEC2RoleforSSM policy to the role of the EC2 instances
|
| Which documentation do you mean? The article mentions the policy AmazonSSMManagedInstanceCore, which is the same as what's mentioned in the SSM setup guide:
|
| https://docs.aws.amazon.com/systems-manager/latest/userguide...
| mishappen wrote:
| Thanks for clarifying, I didn't recheck since we rolled out SSM in mid-2019 and then scrambled when we realised we'd granted account-wide S3 permissions. The article I linked to also has a recommended minimal IAM policy for Run Command and SSM. I'll update my comment to mention this.
| jon918 wrote:
| Good call to watch out for this stuff.
| The examples in the repo we set up use the AmazonSSMManagedInstanceCore managed policy, which does not grant any S3 permissions, just various ssm, ssmmessages, and ec2messages permissions.
| WatchDog wrote:
| There are so many AWS managed policies that provide access far beyond what one might suspect given the policy name and description. Implementing least privilege with IAM can be really difficult in any moderately complex environment.
| NikolaeVarius wrote:
| This has not been true for a while. The IAM policy also indicates it is deprecated in the description.
|
| Though I always suggest reading what managed profiles are doing. Many of them are very permissive.
| jadell wrote:
| Does anyone know how this works with other utils that use the SSH protocol, like rsync? What about tunneling other services to or from a local host? I'd love to have fewer hosts to maintain and a smaller network/attack surface, but we use SSH for more than just gaining command-line access to our instances.
| WaxProlix wrote:
| It does.
|
| https://aws.amazon.com/about-aws/whats-new/2019/07/session-m...
| derefr wrote:
| Are they basically trying to emulate GCP's OS Login (https://cloud.google.com/compute/docs/instances/managing-ins...) feature here? We've been using that for a while, and it's been a big relief.
| idunno246 wrote:
| OS Login is probably a little closer to EC2 Instance Connect because you still need SSH inbound access, right? Whereas AWS provides a bastion here.
| aPoCoMiLogin wrote:
| There is a proxy called IAP [1] which is used to create an SSH tunnel over HTTPS to instances without a public IP.
|
| [1] https://cloud.google.com/compute/docs/instances/connecting-a...
| WaxProlix wrote:
| You're right in a sense, but there's no AWS-managed bastion. Session Manager communicates with your instance via an outbound-created websocket connection. Inputs and outputs are piped through it.
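Editor's added example for the instance-role subthread above (mishappen, jcrites, jon918) and WatchDog's point about managed policies. This is not code from jon918's repo, the cloudonaut article or AWS. The two policy documents inside it are constructed approximations of the two shapes under discussion: a broad grant of S3 and CloudWatch Logs actions on Resource "*" (the problem mishappen describes with AmazonEC2RoleforSSM) and a core-only grant in the style of AmazonSSMManagedInstanceCore plus session logging to one hypothetical bucket named example-session-logs. Fetch the real managed policy documents with `aws iam get-policy-version` before drawing conclusions about your own account.

```python
"""
Least-privilege check for an SSM instance-profile policy.

Added example, not code from the linked repo or from AWS. PERMISSIVE and
SCOPED are CONSTRUCTED approximations of the two policy shapes discussed
in the thread; the bucket name example-session-logs is hypothetical.
"""
import fnmatch
import json

# Service prefixes the SSM agent itself needs to register and exchange messages.
AGENT_SERVICES = {"ssm", "ssmmessages", "ec2messages"}

PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:DescribeAssociation", "ssm:GetDocument", "ssm:GetParameters",
                    "ssm:UpdateInstanceInformation", "ssmmessages:*", "ec2messages:*"],
         "Resource": "*"},
        # Every bucket in the account becomes readable and writable from every instance.
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:AbortMultipartUpload"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:DescribeInstanceStatus", "Resource": "*"},
    ],
}

SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:DescribeAssociation", "ssm:GetDocument", "ssm:GetManifest",
                    "ssm:GetParameter", "ssm:GetParameters", "ssm:ListAssociations",
                    "ssm:ListInstanceAssociations", "ssm:PutInventory",
                    "ssm:UpdateAssociationStatus", "ssm:UpdateInstanceInformation"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
                    "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2messages:AcknowledgeMessage", "ec2messages:DeleteMessage",
                    "ec2messages:FailMessage", "ec2messages:GetEndpoint",
                    "ec2messages:GetMessages", "ec2messages:SendReply"],
         "Resource": "*"},
        # Session transcripts go to ONE bucket (hypothetical name), nothing else in S3.
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-session-logs/*"},
        {"Effect": "Allow", "Action": "s3:GetEncryptionConfiguration",
         "Resource": "arn:aws:s3:::example-session-logs"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def overbroad_grants(policy):
    """Return (action, resource) pairs an instance role should not have: any
    Allow outside the agent's own services on Resource "*", any wildcard
    action, and any inverted (NotAction/NotResource) grant."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(("NotAction/NotResource", "*"))
            continue
        for action in _as_list(stmt.get("Action")):
            service = action.split(":", 1)[0].lower()
            for resource in _as_list(stmt.get("Resource")):
                if action == "*":
                    findings.append((action, resource))
                elif service not in AGENT_SERVICES and (resource == "*" or action.endswith(":*")):
                    findings.append((action, resource))
    return findings


def reads_all_parameters(policy):
    """True if the role may call ssm:GetParameter(s) on Resource "*": the
    instance can then read every Parameter Store value whose KMS key it can
    use. The real AmazonSSMManagedInstanceCore grants this as well."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        for pattern in _as_list(stmt.get("Action")):
            if any(fnmatch.fnmatchcase(a, pattern.lower())
                   for a in ("ssm:getparameter", "ssm:getparameters")):
                return True
    return False


if __name__ == "__main__":
    for name, doc in (("PERMISSIVE", PERMISSIVE), ("SCOPED", SCOPED)):
        print(name, json.dumps(overbroad_grants(doc)),
              "reads all parameters:", reads_all_parameters(doc))
```

To run it against a real role, dump each attached policy document to JSON (`aws iam get-policy-version`, or `get-role-policy` for inline policies) and pass it to overbroad_grants(). The second function is the caveat the core policy does not remove: ssm:GetParameter(s) on Resource "*" means any managed instance can read any Parameter Store value it has KMS access to, so sensitive parameters need a tighter resource scope or an explicit Deny on the instance role.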
| idunno246 wrote:
| Yeah, I was trying to keep things simplified, but it has to proxy through something behind the VPC endpoint. Could also say it's not technically SSH.
| zokier wrote:
| Though you can actually get SSH through SSM: https://docs.aws.amazon.com/systems-manager/latest/userguide...
| hexadec wrote:
| It seems like a re-implementation of Cloud Shell for Azure (https://docs.microsoft.com/en-us/azure/cloud-shell/overview). It also uses the browser and native IAM, but you can use the native AD integration and JIT permissions.
|
| But it seems no one likes Azure these days, but they have some nifty features.
| jon918 wrote:
| Yeah, this is the same deal. Session Manager will log your sessions, which is pretty cool.
| yasyfm wrote:
| This is awesome! How can I install the agent if I'm not using Amazon Linux?
| WaxProlix wrote:
| Note that you won't get this feature at the free tier for non-EC2 instances.
| gamache wrote:
| Amazon installs it on some other AMIs (notably, Ubuntu 16.04 and 18.04), but for other OSes, install instructions are here: https://docs.aws.amazon.com/systems-manager/latest/userguide...
| jon918 wrote:
| I'd love to learn how you're using Session Manager or what other features/integrations you'd like to see us explore. Also if the Terraform module packaging is useful. There are additional Session Manager features like port forwarding that I plan to write about soon.
| klohto wrote:
| I have a bunch of questions that stop me from deploying SSM into real-world production scenarios.
|
| 1) Is logging for access from the CLI finally supported?
|
| 2) Can I set up which shell is used?
|
| 3) Are logs readable when I switch to something other than sh?
|
| 4) Is U2F supported (awscli question)?
|
| Once all of these are fixed, it will be possible to claim that SSM solves these issues. Otherwise it's nothing more than for ad hoc usage.
| sandGorgon wrote:
| 1. Does it work with hardware tokens?
|
| We have some regulatory requirements that require us to use hardware tokens for 2FA access to servers.
|
| 2. What about SSH tunnels?
| jon918 wrote:
| It does work with hardware tokens, IF you get your AWS IAM credentials using a hardware token. If you're using AWS IAM users then here are instructions: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...
|
| If you're doing a federated login with Okta or another provider, you need to set up the hardware MFA there.
|
| There is SSH tunneling support as well, will add an update on that soon.
| nubs wrote:
| Our organization recently looked into AWS Session Manager for tunneling but couldn't find documentation on how to make it work for our use case. We were trying to tunnel into our VPC in order to be able to connect to an Amazon DocumentDB cluster. We don't have any EC2 instances, which seems to be the only thing Session Manager has support for. Despite the callouts that Session Manager replaces bastion servers, that didn't seem to be the case for us. Did we miss something in our research?
| russellendicott wrote:
| Last I checked, the "tunneling" only works to redirect traffic to a different port on the same SSM-managed instance. The tunnel cannot be established with another box in the same VPC. So I don't think you can call it tunneling until they add that feature. Here's the GitHub issue where they discuss the limitation and a workaround: https://github.com/aws/amazon-ssm-agent/issues/208
| skb4 wrote:
| Can you write one about port forwarding? Specifically, I would like to understand how various web interfaces on an EMR cluster can be accessed through Session Manager. (Ganglia, Spark history server, etc.)
| jon918 wrote:
| Cool, will do!
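Editor's added example for the hardware-token exchange above (sandGorgon's question, jon918's answer that it works "IF you get your AWS IAM credentials using a hardware token"): an operator-side IAM policy that only allows ssm:StartSession when the caller's credentials were obtained with MFA and only on instances opted in by tag, plus a minimal evaluator that shows which requests get through. This is not code from jon918's repo or from AWS. Everything concrete in it is hypothetical: the tag key SessionManagerAccess, account 123456789012, users alice and bob, and the instance and session ids. The evaluator implements only the IAM semantics this one policy needs (implicit deny, explicit deny wins, Action/Resource globbing, ${aws:username} substitution, Bool and StringEquals conditions).

```python
"""
Operator-side Session Manager policy with an MFA condition, and a tiny
evaluator for it. Added example, not code from the linked repo or from AWS.
Tag key, account id, user names and resource ids are hypothetical.
"""
import fnmatch
import re

OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StartSessionOnTaggedInstancesWithMfa",
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                # Absent for plain long-term access keys, so those are denied.
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                # Only instances explicitly opted in by tag (hypothetical key).
                "StringEquals": {"ssm:resourceTag/SessionManagerAccess": "true"},
            },
        },
        {
            "Sid": "ManageOwnSessionsOnly",
            "Effect": "Allow",
            "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
            # Session ids start with the IAM user name, so this scopes to one's own.
            "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _expand(pattern, ctx):
    """Substitute policy variables such as ${aws:username} from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), "")), pattern)


def _matches(pattern, value):
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())  # IAM globs are case-insensitive


def _conditions_hold(condition, ctx):
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False  # a missing key fails (no ...IfExists operators here)
            if operator == "Bool":
                if str(actual).lower() != str(wanted).lower():
                    return False
            elif operator == "StringEquals":
                if str(actual) not in [str(w) for w in _as_list(wanted)]:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policy, action, resource, ctx):
    """Return "allow" or "deny" for one request against one identity policy."""
    decision = "deny"  # implicit deny
    for stmt in _as_list(policy["Statement"]):
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(_expand(r, ctx), resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # explicit deny always wins
        decision = "allow"
    return decision


# Constructed request contexts: an MFA-backed session versus a bare access key.
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
MFA_CTX = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true",
           "ssm:resourceTag/SessionManagerAccess": "true"}
KEY_ONLY_CTX = {"aws:username": "alice", "ssm:resourceTag/SessionManagerAccess": "true"}


def own_session(user):
    return f"arn:aws:ssm:us-east-1:123456789012:session/{user}-0a1b2c3d4e5f6a7b8"


if __name__ == "__main__":
    print("start with MFA:", evaluate(OPERATOR_POLICY, "ssm:StartSession", INSTANCE, MFA_CTX))
    print("start with access key only:",
          evaluate(OPERATOR_POLICY, "ssm:StartSession", INSTANCE, KEY_ONLY_CTX))
    print("terminate bob's session as alice:",
          evaluate(OPERATOR_POLICY, "ssm:TerminateSession", own_session("bob"), MFA_CTX))
```

The Bool condition is what turns jon918's "IF" into policy: aws:MultiFactorAuthPresent is only set when the session credentials came from an MFA-authenticated GetSessionToken or AssumeRole call, and it is absent (not false) for long-term access keys, so the Bool test fails and the request is denied. It is also absent for sessions obtained through AssumeRoleWithSAML or AssumeRoleWithWebIdentity, which is why federated setups have to enforce the hardware token at the identity provider as jon918 says; the ${aws:username} variable is likewise only populated for IAM users, so the ManageOwnSessionsOnly statement matches nothing for a federated principal.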
| mullingitover wrote:
| We'd love to use Session Manager, but we're running into the same issue mentioned here:
|
| "Tunnel created using SSM only allows single connection to destination port" - https://forums.aws.amazon.com/thread.jspa?threadID=314882&ts...
|
| This has been sitting open in the support forums unanswered for over two months :/
| jcims wrote:
| IAM is easy to mess up.
|
| Would be interesting to lock down the Session Manager agent (if possible) so that the only way to get privileged access is through sudo-like priv esc that uses 2FA.
| NikolaeVarius wrote:
| It's fairly trivial to lock down AWS via a require-MFA policy.
| jcims wrote:
| I'm talking about on the host, so if you mess up your IAM policy there is still an authorization layer on the host to get privileged access.
| jbergknoff wrote:
| As far as I know, SSH over SSM doesn't do anything regarding user management. It just establishes an SSH connection. Management of users on the host, authorized SSH keys, etc. is totally out of scope for SSM.
|
| So if you already have access control set up on your host, then SSM doesn't do anything to undermine it. If you don't have it, you'll still need to add it.
| jon918 wrote:
| You can do this, but it depends on your setup as to how. If you have AWS IAM users (not federated), then you can use MFA conditions in your policies as documented here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...
|
| For federation you need to rely on the config in whatever your identity provider is, like Okta.
| feydaykyn wrote:
| Does anyone know if it works with Ansible? Thanks!
| gregmac wrote:
| I never see mention of Windows with Session Manager. I have a mixed infrastructure with a number of Windows (IIS) app servers running various things.
|
| We currently connect via SSH to a bastion host, then tunnel from there to various systems, which allows connecting to SSH (Linux instances), RDP (Windows), or basically any other network services like Redis or a database. I ended up writing some scripts to automate all this, so as long as you have the right certificates and IAM permissions, you can connect with a single command -- for Windows instances, it even retrieves the randomized password from the EC2 API. The end result is that for any EC2 instance you're instantly popped into a shell/RDP session without having to enter credentials.
|
| I'd love to replace this with something better (e.g. Session Manager), but I've not seen how to do this for RDP, and haven't had the time to go experimenting on my own to see if it's even possible. If I can't 100% replace the bastion hosts, having two entirely different connection methods doesn't solve anything (and in fact makes it worse, because it's harder to use).
| gregoryl wrote:
| Have a Google; I was using SSM for remote access to Windows instances, specifically headless instances.
___________________________________________________________________
(page generated 2020-03-16 23:00 UTC)
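Editor's added example tying together the tunnelling questions in this thread (jadell on rsync, zokier's SSH-over-SSM link, the nubs/russellendicott exchange about reaching a DocumentDB cluster, and gregmac's bastion-then-tunnel workflow for RDP, Redis and databases): a small Python helper that builds the ssh_config stanza and the AWS CLI invocations for three access patterns. It is not code from jon918's repo or from AWS. The instance id, host names, ports and ssh user are placeholders; the AWS-StartSSHSession and AWS-StartPortForwardingSession document names and the portNumber/localPortNumber parameters are the ones the Session Manager documentation uses. The third function shows the way round the limitation russellendicott describes: AWS-StartPortForwardingSession only reaches the managed instance itself, but the SSH-over-SSM session is a real SSH session with the instance's sshd, so a plain `ssh -L` through it can forward to any host that instance can route to.

```python
"""
Build the commands for three Session Manager access patterns. Added
example, not code from the linked repo or from AWS. Instance id, host
names, ports and ssh user are placeholders. Running the commands for real
needs the AWS CLI plus the Session Manager plugin, an identity allowed to
call ssm:StartSession on the target and, for the ssh paths, a user and
key that sshd on the instance accepts.
"""
import json
import re
import shlex
import subprocess

# EC2 instance ids (i-...) and hybrid managed instance ids (mi-...).
TARGET_RE = re.compile(r"^(i|mi)-[0-9a-f]{8,17}$")


def _target(target):
    if not TARGET_RE.match(target):
        raise ValueError(f"not an SSM managed instance id: {target!r}")
    return target


def ssh_config_stanza(user="ec2-user", profile="default"):
    """ssh_config block that carries every `ssh i-...` over Session Manager with
    the AWS-StartSSHSession document. No inbound port 22 is needed; sshd on the
    instance still authenticates the user, so host-side access control stays
    in force (jbergknoff's point above)."""
    proxy = (f"aws ssm start-session --profile {profile} --target %h "
             "--document-name AWS-StartSSHSession --parameters 'portNumber=%p'")
    return "\n".join(["Host i-* mi-*", f"    User {user}",
                      f'    ProxyCommand sh -c "{proxy}"'])


def port_forward_argv(target, remote_port, local_port, profile="default"):
    """Forward local_port to remote_port ON THE MANAGED INSTANCE ITSELF
    (AWS-StartPortForwardingSession). This document cannot target another
    host in the VPC, only the instance running the agent."""
    params = {"portNumber": [str(remote_port)], "localPortNumber": [str(local_port)]}
    return ["aws", "ssm", "start-session", "--profile", profile,
            "--target", _target(target),
            "--document-name", "AWS-StartPortForwardingSession",
            "--parameters", json.dumps(params)]


def vpc_tunnel_argv(target, dest_host, dest_port, local_port):
    """Reach a host the instance can route to (a DocumentDB endpoint, an RDP
    box, Redis) with ordinary `ssh -L` over the SSM-backed SSH session from
    ssh_config_stanza(). sshd on the instance does the forwarding, so it must
    permit TCP forwarding (AllowTcpForwarding) and reach dest_host:dest_port."""
    return ["ssh", "-N", "-L", f"{local_port}:{dest_host}:{dest_port}", _target(target)]


def run(argv, dry_run=True):
    """Return the shell-quoted command; pass dry_run=False to actually start it."""
    line = " ".join(shlex.quote(a) for a in argv)
    if not dry_run:
        subprocess.run(argv, check=True)
    return line


if __name__ == "__main__":
    print(ssh_config_stanza())
    print(run(port_forward_argv("i-0123456789abcdef0", 8080, 18080)))
    print(run(vpc_tunnel_argv("i-0123456789abcdef0", "docdb.example.internal", 27017, 27017)))
```

Put the stanza in ~/.ssh/config and `ssh i-0123456789abcdef0`, `rsync -e ssh`, and `ssh -L` all work unchanged, which answers jadell's question. The vpc_tunnel_argv path still needs one managed instance inside the VPC to hop through, because the forward is performed by that instance's sshd; it does not cover nubs' case of a VPC with no EC2 instances at all. For gregmac's RDP case the same `ssh -L 3389:windows-host:3389` hop applies, with mstsc pointed at localhost.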