You might already know that we can't reach private instances directly unless we have a VPN, Direct Connect, or some other form of network connectivity into the VPC.
The usual workaround is an intermediary instance, often called a Bastion Host, sitting in a public subnet and used as a hop to the private instances.
Using SSM Session Manager, we can now connect to private instances directly, without a Bastion Host.
You don't need to open any inbound ports in your security groups, not even the SSH port, to any IP or CIDR block. This removes an exposed listener and adds an additional layer of security to your EC2 instances.
Pre-requisites
Local Machine
- AWS CLI – Version 1.16.12 or higher
- Session Manager Plugin
EC2 Instance
- SSM Agent: Version 2.3.68.0 or later
- IAM Role with the managed policy arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore attached to the EC2 instance
Session Manager Plugin Binaries
- https://s3.amazonaws.com/session-manager-downloads/plugin/latest/windows/SessionManagerPluginSetup.exe
- https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac/sessionmanager-bundle.zip
- https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm
- https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb
Session Manager plugin installation
unzip sessionmanager-bundle.zip
sudo python3 sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin
Terraform templates
https://github.com/kheriox-technologies/go-bastionless
SSH Config
# File: ~/.ssh/config
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
Start session
# using AWS CLI
aws ssm start-session --target i-1234567
# using SSH
ssh -i keypair ec2-user@i-123456778
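The steps above only work when every prerequisite is actually in place: the plugin on PATH, an AWS CLI at or above 1.16.12, and an SSM Agent (2.3.68.0 or later) that has registered the instance and reports it Online. The script below is an added example, not code from the post or from the go-bastionless repository; it runs those checks before calling start-session. The function names, the MIN_* variables and the sample aws-cli version string are assumptions made up for this example; the version thresholds and the instance-id patterns (i-*, mi-*) come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks before
# `aws ssm start-session`. Thresholds are the ones the post lists.

MIN_AWS_CLI="1.16.12"    # AWS CLI minimum from the post
MIN_SSM_AGENT="2.3.68.0" # SSM Agent minimum from the post

# Extract "1.16.12" from `aws --version` output such as
# "aws-cli/1.16.12 Python/3.6.8 Linux/4.15 botocore/1.12.2".
aws_cli_version_from() {
  v=${1#aws-cli/}
  printf '%s\n' "${v%% *}"
}

# version_ge A B: succeed (0) when dotted version A >= B, comparing
# numeric components left to right; a missing component counts as 0.
version_ge() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ -z "$x" ] && x=0
    [ -z "$y" ] && y=0
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    case $a in *.*) a=${a#*.};; *) a="";; esac
    case $b in *.*) b=${b#*.};; *) b="";; esac
  done
  return 0
}

# The ssh_config above only proxies hosts named i-* or mi-*; enforce the
# same shape here so a stray IP or hostname fails early.
is_ssm_target() {
  case $1 in
    i-*|mi-*) return 0 ;;
    *)        return 1 ;;
  esac
}

# preflight TARGET: verify local tooling and the target's SSM registration,
# then open the session. Needs AWS credentials in the environment.
preflight() {
  target=$1
  is_ssm_target "$target" || { echo "target must be an i-* or mi-* id" >&2; return 1; }
  command -v session-manager-plugin >/dev/null 2>&1 \
    || { echo "session-manager-plugin not found on PATH" >&2; return 1; }
  cli=$(aws_cli_version_from "$(aws --version 2>&1)")
  version_ge "$cli" "$MIN_AWS_CLI" \
    || { echo "aws-cli $cli is older than $MIN_AWS_CLI" >&2; return 1; }

  # An instance that has not registered with SSM, or whose agent is
  # Offline, makes start-session fail; check PingStatus before trying.
  info=$(aws ssm describe-instance-information \
           --filters "Key=InstanceIds,Values=$target" \
           --query 'InstanceInformationList[0].[PingStatus,AgentVersion]' \
           --output text)
  ping=${info%%[[:space:]]*}
  agent=${info##*[[:space:]]}
  [ "$ping" = "Online" ] \
    || { echo "$target is not Online in SSM (status: ${ping:-unregistered})" >&2; return 1; }
  version_ge "$agent" "$MIN_SSM_AGENT" \
    || { echo "SSM Agent $agent on $target is older than $MIN_SSM_AGENT" >&2; return 1; }

  aws ssm start-session --target "$target"
}

# Usage: ./preflight.sh i-1234567
if [ "$#" -gt 0 ]; then
  preflight "$1"
fi
```

The describe-instance-information call is the one check you cannot do from the SSH side: a ProxyCommand failure only tells you the session did not open, while PingStatus tells you whether the agent ever registered, which is the usual cause (missing instance role, agent too old, or no route to the SSM endpoints).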