AWS Session Manager: Securing Access to Cloud Resources

Limited security exposure, session auditing and logging, and ease of node management — sign me up!

Getting Started with Session Manager

Session Manager, like every other tool in the Systems Manager suite, can't reach an instance out of the box. The SSM Agent has to be installed and running on the endpoint, an IAM role with the Systems Manager permissions has to exist, that role has to be attached to the instance through an instance profile, and only then can you start sessions on your instances.

Creating an IAM Role

By default nothing on an instance is allowed to talk to Systems Manager. The SSM Agent calls the service with the credentials of the instance's role, so AWS requires you to grant those permissions explicitly to the instance that is to be managed. You can either create an entirely new role or add the Systems Manager permissions to an existing role, and later assign it to your EC2 instance via an instance profile.

Role Creation via IAM

  • ssm (together with ssmmessages and ec2messages) is what the agent needs to register the instance and carry session traffic; the AWS managed policy AmazonSSMManagedInstanceCore covers exactly that
  • kms is used for encryption of session data (optional but recommended); scope it to the session key rather than to kms:*, e.g. the key arn:aws:kms:us-east-1:{ID}:key/6ad11c3c-ec08-403c-82d5-97c1d8b8a764 in the screenshot
  • s3 is used for logging session data from a session to the specific S3 bucket (more on this soon)

Creating or Assigning an Instance Profile

An instance profile is the container through which a role is handed to an EC2 instance: the SSM Agent picks up the role's temporary credentials from the instance metadata service and uses them to register with, and talk to, Systems Manager. Let's assign our newly created role to an instance.

Assignment of Instance Profile

Starting Sessions

All done? Let's spin up a few sessions. You can do so in several ways (documented here). I'll simply head over to my EC2 console, press Connect, and select Session Manager. Press Connect and that should be it! The same works from a terminal with aws ssm start-session --target followed by the instance ID, provided the Session Manager plugin for the AWS CLI is installed locally.

Starting Sessions via the Session Manager
A Sample Session from the Session Manager
Session Started via the AWS CLI

Configuring Session Manager

Well, that's everything out of the box, with little to no extra configuration. The flip side: if you've worked with SSM before, you know that anyone who can call ssm:StartSession against an instance has a shell on it. By default a session runs as ssm-user, an account the agent creates with sudo rights, so unrestricted Session Manager access is as good as handing out root. That's why you need to configure and restrict access to the service. This could include modifying permissions or settings like:

  • Encrypting sessions with a KMS key
  • Denying users permissions they don't need, in particular GetDocument, UpdateDocument and DeleteDocument on the SSM-SessionManagerRunShell document: that document is where Session Manager stores its preferences (logging, encryption, run-as user), so anyone allowed to update it can switch your session logging off
SSM-SessionManagerRunShell Default SSM Document
IAM Policy to Restrict SSM Usage
Configuring the SSM Service
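To see what a restrictive policy like the one in the screenshot actually decides, here is a small evaluator for the subset of IAM that Session Manager relies on. This is an added example, not code from the original post or from AWS: it models Allow/Deny, Action and Resource wildcards, and the StringEquals/StringLike/Bool condition operators (with their IfExists variants), and the ssm:resourceTag/<key> and ssm:SessionDocumentAccessCheck keys that StartSession is evaluated with. The account ID, region, tag values and the OPERATOR_POLICY document are constructed for the example.

```python
"""Minimal evaluator for IAM policies that restrict ssm:StartSession.

Added example, not code from the original post or from AWS. It models only
the subset of IAM needed here; real IAM also has NotAction, policy variables,
SCPs and more. Account id, region, tags and the policy are constructed.
"""
import fnmatch

ACCOUNT = "123456789012"   # placeholder account id
REGION = "us-east-1"

# Operator policy: sessions only on instances tagged Environment=dev, only with
# the default shell document, and no edits to the document that stores the
# Session Manager preferences (logging, encryption, run-as user).
OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
            "Condition": {"StringEquals": {"ssm:resourceTag/Environment": "dev"}},
        },
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/SSM-SessionManagerRunShell",
            "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}},
        },
        {
            "Effect": "Deny",
            "Action": ["ssm:UpdateDocument", "ssm:DeleteDocument"],
            "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/SSM-SessionManagerRunShell",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    """IAM-style wildcard match: '*' and '?' only."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate a Condition block against the request context keys.
    A missing key fails the clause unless the operator ends in IfExists."""
    for operator, clauses in condition.items():
        base, if_exists = operator, False
        if operator.endswith("IfExists"):
            base, if_exists = operator[: -len("IfExists")], True
        for key, expected in clauses.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            actual = str(context[key])
            expected = [str(v) for v in _as_list(expected)]
            if base == "StringEquals":
                ok = actual in expected
            elif base == "StringLike":
                ok = _match_any(expected, actual)
            elif base == "Bool":
                ok = actual.lower() == expected[0].lower()
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action on one resource.
    As in IAM, an explicit Deny wins over any Allow."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _match_any(stmt["Action"], action):
            continue
        if not _match_any(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def can_start_session(policy, instance_id, instance_tags, document_name):
    """StartSession is authorised against two resources: the target instance,
    where ssm:resourceTag/<key> carries the instance's tags, and the session
    document, where the service sets ssm:SessionDocumentAccessCheck=true.
    AWS-owned documents (AWS-*) carry no account id in their ARN."""
    instance_arn = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{instance_id}"
    doc_account = "" if document_name.startswith("AWS-") else ACCOUNT
    document_arn = f"arn:aws:ssm:{REGION}:{doc_account}:document/{document_name}"
    instance_ctx = {f"ssm:resourceTag/{k}": v for k, v in instance_tags.items()}
    document_ctx = {"ssm:SessionDocumentAccessCheck": "true"}
    return (
        evaluate(policy, "ssm:StartSession", instance_arn, instance_ctx) == "Allow"
        and evaluate(policy, "ssm:StartSession", document_arn, document_ctx) == "Allow"
    )
```

The two-resource check in can_start_session is the part people get wrong: without the second Allow on the document ARN (and the SessionDocumentAccessCheck condition), a user who may start sessions on an instance can pick any session document, including a port-forwarding one, so the tag restriction alone is not a complete control.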

Restricting Commands

Custom session documents can also be used to permit only a fixed set of commands in an interactive session. With a document of session type InteractiveCommands, the session runs exactly the command line written in the document (ping here) and nothing else. Mind the parameters, though: their values are substituted into that command line, so every parameter a user can supply needs an allowedPattern in the document; otherwise a "host" such as 8.8.8.8; id can turn the ping-only document back into a shell.

InteractiveCommands Session Type Document
Launching an Interactive Session with Custom Documents
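The following is an added example, not the document from the original post: a ping-only InteractiveCommands document whose parameters are constrained with allowedPattern, plus a local stand-in for the validation SSM performs server-side so the rejection cases can be exercised offline. The document shape (schemaVersion 1.0, sessionType, parameters, properties.linux.commands) follows the AWS session-document format; the description, the patterns and the sample inputs are my own choices.

```python
"""Ping-only InteractiveCommands session document with constrained parameters.

Added example, not from the original post. validate_parameters() and
render_command() imitate what Systems Manager does when a session is started
with this document (parameter checking, then substitution into the command
line); they are for demonstration, not the service's own code.
"""
import json
import re

PING_ONLY_DOCUMENT = {
    "schemaVersion": "1.0",
    "description": "Allow an operator to ping a host from the instance, nothing else",
    "sessionType": "InteractiveCommands",
    "parameters": {
        "target": {
            "type": "String",
            "description": "Hostname or IPv4 address to ping",
            # Without allowedPattern the value is substituted verbatim, so
            # '8.8.8.8; id' would run a second command in the session.
            "allowedPattern": r"^[A-Za-z0-9.-]{1,253}$",
        },
        "count": {
            "type": "String",
            "description": "Number of echo requests (1-10)",
            "default": "4",
            "allowedPattern": r"^(10|[1-9])$",
        },
    },
    "properties": {
        "linux": {
            "commands": "ping -c {{ count }} {{ target }}",
            "runAsElevated": False,
        },
    },
}


def validate_parameters(document, supplied):
    """Reject undeclared parameters and values that fail allowedPattern,
    fill in defaults, and return the final parameter set. The allow-list
    only means something because this check happens before substitution."""
    declared = document["parameters"]
    unknown = set(supplied) - set(declared)
    if unknown:
        raise ValueError(f"undeclared parameters: {sorted(unknown)}")
    values = {}
    for name, spec in declared.items():
        if name in supplied:
            value = supplied[name]
        elif "default" in spec:
            value = spec["default"]
        else:
            raise ValueError(f"missing required parameter {name!r}")
        pattern = spec.get("allowedPattern")
        if pattern and not re.fullmatch(pattern, value):
            raise ValueError(f"parameter {name!r} rejected by allowedPattern")
        values[name] = value
    return values


def render_command(document, supplied, platform="linux"):
    """Return the command line that would run on the instance after the
    parameters have been validated and substituted."""
    values = validate_parameters(document, supplied)
    command = document["properties"][platform]["commands"]
    for name, value in values.items():
        command = command.replace("{{ " + name + " }}", value)
    return command


def document_json(document):
    """Content to register with: aws ssm create-document --document-type Session"""
    return json.dumps(document, indent=2)
```

Register the output of document_json() with aws ssm create-document --document-type Session, then point the operator's ssm:StartSession permission at that document's ARN instead of SSM-SessionManagerRunShell so they cannot fall back to the full shell.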

Auditing and Logging Sessions

Session activity can be audited through CloudTrail. Every API call between a user, an instance and the Systems Manager service is recorded: StartSession, ResumeSession and TerminateSession, document changes such as UpdateDocument and DeleteDocument, and so on. Note that CloudTrail records the API call (who started a session, on which instance, from which IP), not what was typed inside the session; for that you need session logging (next section). Depending on your use case, there's a lot of potential in automating anomaly detection and monitoring of suspicious API calls.

Sessions and Session History
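As an added example of the kind of automation the paragraph above has in mind (not code from the original post or from AWS), here are three detection rules run over constructed CloudTrail records: a session opened by a principal outside an allow-list, a write to the SSM-SessionManagerRunShell preferences document (the way session logging and encryption get switched off), and a denied StartSession attempt. The records follow the CloudTrail log-file shape ({"Records": [...]} with eventSource, eventName, userIdentity, requestParameters, errorCode) but are made up; the allow-listed role, account ID, instance IDs and addresses are assumptions.

```python
"""Spot suspicious Session Manager activity in CloudTrail records.

Added example, not from the original post or from AWS. SAMPLE_LOG is a
constructed CloudTrail log-file object, not real data; the allow-listed
role, account id and instance ids are assumptions.
"""
import json

ALLOWED_SESSION_PRINCIPALS = {"arn:aws:iam::123456789012:role/OpsOnCall"}  # assumed
PREFERENCES_DOCUMENT = "SSM-SessionManagerRunShell"
SESSION_EVENTS = {"StartSession", "ResumeSession"}
PREFERENCES_EVENTS = {"UpdateDocument", "UpdateDocumentDefaultVersion", "DeleteDocument"}

SAMPLE_LOG = json.dumps({"Records": [
    {   # expected: the on-call role opening a session
        "eventTime": "2021-03-01T10:00:00Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/OpsOnCall/alice",
                         "sessionContext": {"sessionIssuer": {
                             "arn": "arn:aws:iam::123456789012:role/OpsOnCall"}}},
        "requestParameters": {"target": "i-0123456789abcdef0"},
        "responseElements": {"sessionId": "alice-0a1b2c3d4e5f6a7b8"},
    },
    {   # unexpected: an IAM user, not the on-call role, opens a session
        "eventTime": "2021-03-01T10:05:00Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/contractor"},
        "requestParameters": {"target": "i-0123456789abcdef0"},
    },
    {   # preferences document rewritten: logging may have been disabled
        "eventTime": "2021-03-01T10:06:00Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "UpdateDocument", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/contractor"},
        "requestParameters": {"name": "SSM-SessionManagerRunShell",
                              "documentVersion": "$LATEST"},
    },
    {   # probing: a session attempt on another instance was refused by IAM
        "eventTime": "2021-03-01T10:07:00Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession", "sourceIPAddress": "198.51.100.7",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/contractor"},
        "requestParameters": {"target": "i-0fedcba9876543210"},
    },
    {   # call to another service, ignored by these rules
        "eventTime": "2021-03-01T10:08:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/contractor"},
        "requestParameters": None,
    },
]})


def load_records(text):
    """Parse one CloudTrail log-file object (already gunzipped)."""
    return json.loads(text)["Records"]


def principal_of(event):
    """Stable principal for a record: the issuing role for assumed-role
    credentials (the sts ARN changes with every session name), else the
    caller's own ARN."""
    identity = event.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "unknown")


def analyse(records):
    """Return one finding per rule hit, in record order."""
    findings = []
    for event in records:
        if event.get("eventSource") != "ssm.amazonaws.com":
            continue
        name = event.get("eventName")
        params = event.get("requestParameters") or {}
        who = principal_of(event)
        base = {"eventTime": event.get("eventTime"), "principal": who,
                "sourceIP": event.get("sourceIPAddress")}
        if name in SESSION_EVENTS and event.get("errorCode"):
            findings.append({**base, "rule": "session-start-denied",
                             "target": params.get("target")})
        elif name in SESSION_EVENTS and who not in ALLOWED_SESSION_PRINCIPALS:
            findings.append({**base, "rule": "session-from-unexpected-principal",
                             "target": params.get("target")})
        if name in PREFERENCES_EVENTS and params.get("name") == PREFERENCES_DOCUMENT:
            findings.append({**base, "rule": "session-preferences-modified"})
    return findings
```

In a real deployment the same rules fit naturally into an EventBridge rule or a CloudWatch Logs metric filter on the trail; the second rule is the one worth alerting on loudly, since a rewrite of the preferences document is how an attacker with ssm:UpdateDocument makes the session logs described next go quiet.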

Logging Sessions

Sessions can also be logged to Amazon S3 or CloudWatch Logs. There are two modes. Uploading the session data as a single log object when the session ends works for both S3 and CloudWatch Logs and is the right fit for archiving. Continuous streaming of session data while the session is still running is available for CloudWatch Logs only (S3 is always end-of-session), which is what you want if you intend to alert on session content in near real time. Either way, the instance profile needs permission to write to the bucket or log group, and to use the KMS key if the destination is encrypted with one. To enable S3 logging:

  1. Head to Session Manager
  2. Open up Preferences
  3. Select either of the two: CloudWatch logging or S3 logging
  4. Enable S3 logging and configure the bucket name and prefix (optional)
Configuring S3 logging for SSM
S3 Bucket with Session Log file
Contents of the Session Log file

Mind you: session data includes both the input and the output. A password or token pasted into a session ends up in the log object in plaintext, so treat the bucket or log group as sensitive, restrict who can read it, and encrypt it.

What’s Next?

Session Manager can save security teams countless hours otherwise spent limiting the exposure of sensitive login ports. Review your environment: is Session Manager what you need right now? Will it serve a purpose? Can auditing and logging be enabled (if you already use it) without introducing new risks? Get to work! 🚀
