How to protect your SSH and SCP Connections with AWS Sessions Manager in 4 simple steps

In certain scenarios, establishing secure SSH or SCP connections with EC2 instances within our protocol becomes necessary. AWS Sessions Manager offers a robust solution to accomplish this, allowing us to avoid the exposure of critical ports and enhance overall security.

Step# 1: Install the latest version of the AWS CLI and the AWS Sessions Manager plugin

To begin, install the latest versions of the AWS CLI and the Sessions Manager plugin. The following links provide detailed instructions for installation:

• https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

• https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html

Step# 2: Modify ssh config file

Locate your SSH config file, which can be found at "~/.ssh" for Linux and Mac distributions, or "C:\Users<username>.ssh" for Windows.

Add the following line to the config file:

host i-* mi-*

ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

Step# 3: Configure the SSM instance and the EC2 instance profile of your instances

Follow the SSM agent installation instructions provided in the documentation:

https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html

In my case, I’m installing it on an Ubuntu machine with the following commands:

sudo snap install amazon-ssm-agent --classic

sudo snap list amazon-ssm-agent

Additionally, attach the AmazonSSMManagedInstanceCore policy to the EC2 instances you wish to access, ensuring the necessary permissions for AWS Systems Manager service core functionality.

Step# 4: Start SSH/SCP session in your local environment

Before initiating SSH/SCP sessions with your EC2 instances, specify your AWS Profile or the region of the EC2 instances if you are using temporal credentials using the following command:

export AWS_REGION=<region-name>

export AWS_PROFILE=<profile-name>

# ssh command

ssh -i id_rsa ubuntu@i-xxxxxxxxx

# scp command

scp -i id-rsa ubuntu@i-xxxxxxxxx:/<dir-or-file-path> <local-file-path>

By following these steps, you can confidently protect your SSH and SCP connections using AWS Sessions Manager. This comprehensive guide empowers you to establish secure access while minimizing potential security risks.

Happy coding and see you next time, in the Cloud!

Juan Bermudez

Cloud Engineer

Teracloud

If you want to know more about Cloud Security, we suggest going check Best Security Practices, Well-Architected Framework

If you are interested in learning more about our #TeraTips or our blog's content, we invite you to see all the content entries that we have created for you and your needs. And subscribe to be aware of any news! 👇