Say no more to SSH keys, SSM is THE tool
The remote access login is the barrier that intruders must break in order to steal information. Several options have tried to help us in the prevention of intrusions. However, there is a reality: our physical device, while providing availability, is vulnerable to possible attacks due to its permanent connection to the net. Even the preservation and administration of private keys bring inconveniences related to physical devices or human errors.
AWS brings the evolution, with Session Manager you have :
Identity and Access Management (IAM) for authentication and authorization.
A safe remote login through the group's policies, granting access only to the right users, validated by MFA.
The ability to run commands on instances without opening any TCP port,
No needs to know which IP has your EC2, you can use EC2 tags,
PrivateLink solution, perfect for instances without direct internet access.
Simpler networking infrastructure and, at the same time, less security risk
An inventory and a store of the parameters you need to periodically check.
The ability to restrict which commands users can run.
The tracking of every command executed in the instances and its store at CloudWatch or S3 Logs
A record of the actions taken over your resources: almost ready material to document your processes before auditories.
To access Session Manager, you must take in care the following pre-requisites:
SSM Agent, version 220.127.116.11 or later, must be installed on the instances you want to connect to, Ubuntu and Amazon Linux 2 AMIs already have it installed.
Create an IAM Instance Profile with Session Manager Permissions: Create an instance profile for Systems Manager by attaching AmazonEC2RoleforSSM policy to a new role or to a role you have already created.
In the AWS Console, you must:
Go to Services and select Systems Manager in the Management & Governance section
In the left side pane, select Session Manager
Then, select the Start session and a list of the instances that fulfill the pre-requisites will be displayed.
Select the desired instance you want to connect to and click Start session
A new tab will open with the virtual shell
And voila! you are ready to work remotely in a safe environment. Now you can create groups of resources, ordering them logically, by application, environment or by layer. You can define policies with the actions or commands you want to run, like patching or updating, saving the time of manual configurations. And finally, you have the certainty that the policy you wanted to implement has been followed with a record of the actions taken and who take it. In case something goes wrong or you have to face an auditory, all the information requested is just there.