AWS Session Manager: Securing Access to Cloud Resources

Limited security exposure, session auditing and logging, and ease of node management — sign me up!

Getting Started with Session Manager

Creating an IAM Role

  • arn:aws:s3:::myssmauditingbucket/prod-account/*
  • arn:aws:kms:us-east-1:{ID}:key/6ad11c3c-ec08–403c-82d5–97c1d8b8a764
Role Creation via IAM
  • ssmmessages refers to the Session Manager Message Gateway Service which is primarily tasked with the creation and management of data/control channels which connect an instance to the Systems Manager service
  • kms is used for encryption of session data (which is optional but recommended)
  • s3 is used for logging session data from a session to the specific S3 bucket (more on this soon)

Creating or Assigning an Instance Profile

Assignment of Instance Profile

Starting Sessions

Starting Sessions via the Session Manager
A Sample Session from the Session Manager
Session Started via the AWS CLI

Configuring Session Manager

  • Session timeouts and maximum duration
  • Encrypting sessions
  • Denying permission to certain users
  • CreateDocument
  • GetDocument
  • UpdateDocument
  • DeleteDocument
SSM-SessionManagerRunShell Default SSM Document
IAM Policy to Restrict SSM Usage
Configuring the SSM Service

Restricting Commands

InteractiveCommands Session Type Document
Launching an Interactive Session with Custom Documents

Auditing and Logging Sessions

Sessions and Session History

Logging Sessions

  • Streaming allows you to continuously receive commands from all active sessions in a JSON format — for forwarding to EventBridge, monitoring, or generating alarms based on custom needs. It is currently only possible via CloudWatch
  • Session data can only be logged or uploaded at the very end of the session. There’s no continuous stream of messages. This is better suited for archiving. It is possible via both CloudWatch and S3.
  1. Open up Systems Manager
  2. Head to Session Manager
  3. Open up Preferences
  4. Select either of the two — CloudWatch logging or S3 logging
  5. Enable S3 logging and configure the bucket name and prefix (optional)
Configuring S3 logging for SSM
S3 Bucket with Session Log file
Contents of the Session Log file

Mind you — session data includes both the input and output. Sensitive data, if input with these configurations, will be logged in the session data!

What’s Next?

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Syed Hasan

Syed Hasan

Hi, I’m Syed. Explore my articles as I embark on this journey of learning more about Forensics and Cloud! 🚀