Session Manager

Eliminate bastion hosts with AWS Systems Manager Session Manager

AWS Systems Manager Session Manager improves a customer’s security posture for instance access with a browser-based and CLI interactive shell experience that requires no open inbound ports or access/jump servers, and enables customer key encryption using AWS KMS. With IAM access control, sessions audited using AWS CloudTrail, and session output logged to Amazon S3 or Amazon CloudWatch Logs, Session Manager makes it easy to control and secure access to instances in operational scenarios while complying with corporate policies and security best practices. Dive deep with the Session Manager team to see how it works for Linux or Windows instances, in the cloud, or on premises.

Scenario

You have been tasked with replacing the legacy bastion infrastructure at your organization with an alternative interactive shell-level access solution. You have been given a few key requirements and must develop a proof of concept that demonstrates the ability of Session Manager to address each:

  • Secure Access: The solution must communicate over a secure encrypted channel for all control and session data. The solution must not require inbound ports to be authorized (e.g. TCP 22 or TCP 3389).
  • Access Control: Users must be able to authenticate using IAM security principals (e.g. users and roles) and must not be required to leverage host-level authentication methods (e.g. public-key, password, etc.).
  • Auditing: All session activity must be tracked and logged to include all command input and output.
  • Cross-Platform Interactivity: The solution should provide synchronous execution of commands across both Windows and Linux platforms.

Install Session Manager CLI plugin (Optional)

If you want to use the AWS CLI to start your sessions (instead of using the AWS Systems Manager console), version 1.16.12 or later of the CLI must be installed on your local machine.

You can call aws --version from the CLI to check the version installed on your machine. If you need to install or upgrade the CLI, see Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.

In addition, to use the CLI to manage your instances with Session Manager, you must first install the Session Manager plugin on your local machine. For information, see (Optional) Install the Session Manager Plugin for the AWS CLI.

8.1 Deploy Environment

The first thing we need for our proof of concept is a standardized VPC environment where we can launch EC2 instances. The CloudFormation template below creates a standardized VPC environment, network components, S3 buckets, two Windows Server 2019 EC2 instances, two Amazon Linux 2 EC2 instances and IAM security principals. Note: This step will deploy resources in the Ohio region.

Click here to deploy POC environment and resources into your account

Note: This CloudFormation template contains IAM resources. You will be required to acknowledge this to authorize the AWS::IAM::InstanceProfile and AWS::IAM::Role capabilities.

Once the stack deployment is complete, browse to the CloudFormation console, locate the session-manager-demo stack and browse to the Outputs tab. Take note of the S3 bucket and VPC details provided.

8.2 Evaluate Default Session Manager Configuration

To begin our evaluation, we need to examine the default configuration and behavior of Session Manager and determine what is needed to meet the requirements given to us for this project.

Evaluate cross-platform behavior, security context and default privilege levels

  1. Browse to the Systems Manager Managed Instances console.
  2. Select the session-manager-linux-prod instance, click Actions, click Start Session.
  3. Now that we have established an interactive shell to the instance, let’s determine our user context on the instance and evaluate our privilege level.
    • Execute whoami to determine what user context we’re running under
    • Execute sudo su and cat /etc/sudoers.d/ssm-agent-users to evaluate the privilege level assigned to the user ssm-user.
  4. We have been told the AWS Systems Manager agent establishes the Session Manager channel by initiating outbound communications to the service.
    • Execute netstat -nputw | grep -i ssm to validate this behavior and verify communications are actually being sent over a secure channel.
  5. Click Terminate to terminate the session.
  6. Select the session-manager-windows-prod instance, click Actions, click Start Session.
  7. Since this is a Windows instance, notice we’ve established an interactive PowerShell session.
    • Execute whoami to determine what user context we’re running under
    • Execute net user ssm-user to determine the local group memberships assigned to the local user ssm-user.
  8. Click Terminate to terminate the session.

8.3 Evaluate the default auditing and logging configuration for Session Manager

  1. Browse to the Session Manager console.
  2. Select the Session history tab and review the session history details available.

Note: Currently there is no information presented under the Output location field.

8.4 Evaluate the port requirements and default permissions of managed IAM policies

  1. Browse to the EC2 Instances console.
  2. Review the inbound and outbound rules in the session-manager-demo security group associated with the instances. Note: No inbound ports have been authorized and all outbound traffic is authorized.
  3. Review the permissions granted by the managed IAM policy. Click on AmazonSSMManagedInstanceCore. This managed policy is attached to the session-manager-demo-default IAM role currently associated with our managed instances.

8.5 Configure Session Logging

As we observed during our initial evaluation, our activity within a session is not yet being logged. In this step, we are going to configure Session Manager to store session log data in a specified Amazon S3 bucket for auditing purposes. The default option is for logs to be sent to an encrypted S3 bucket. Encryption is performed using the key specified for the bucket.

Create a Custom Policy for Amazon S3 Bucket Access

Creating a custom policy for Amazon S3 access is required only if you are using a VPC endpoint or using an S3 bucket of your own in your Systems Manager operations.

  1. Open the IAM console.
  2. In the navigation pane, choose Policies, and then choose Create policy.
  3. Choose the JSON tab, and replace the default text with the following:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:PutObjectAcl",
                    "s3:GetEncryptionConfiguration"
                ],
                "Resource": [
                    "arn:aws:s3:::my-bucket-name/*",
                    "arn:aws:s3:::my-bucket-name"
                ]
            }
        ]
    }


    Note: Replace my-bucket-name with the appropriate bucket name.

  4. Choose Review policy.

  5. For Name, enter a name to identify this policy, such as SSMInstanceProfileS3Policy or another name that you prefer.

  6. Choose Create policy.

Attaching Policy to Instance Profile Role

  1. After the policy has been created, open the IAM console and select the session-manager-demo-default role, the instance profile role attached to our managed instances.
  2. Click on Attach policies.
  3. In the Filter, enter SSMInstanceProfileS3Policy as the policy to select.
  4. Select the policy and click on Attach policy.

Enable Session Logging for Session Manager

Once the policy has been created and associated with our Instance Profile, we will configure session logging to the S3 bucket we created using CloudFormation.

  1. Browse to the preferences tab on the Session Manager console.
  2. Click Edit, under the Write session output to an Amazon S3 bucket heading, select S3 bucket.
  3. Leave Encrypt log data selected. In the S3 bucket name field, select the bucket created for you in step 8.1. This bucket will follow the naming convention session-manager-demo-[ACCOUNT_NUMBER]-us-west-2. In the S3 key prefix field, enter Session-Manager/. Click Save.
  4. Browse to the Session Manager console, select a Linux instance and click Start session.
  5. Execute some basic commands to demonstrate session logging is working as expected:
    • ps -ef | grep -i ssm
    • sudo ls -l /etc
    • whoami
    • exit to terminate the session.
  6. Browse to the Session History tab and locate our last session. Wait for session Status to change from Terminating to Terminated. In the Output location column, click Amazon S3 to view the session log.
  7. Observe the data captured in the session log includes all input and output of the commands we entered.

Note: The S3 bucket created for you is configured to use S3 Default Encryption with AWS S3-managed keys (SSE-S3). All session log data will be encrypted by default but you can also choose to use your own KMS Customer Master Key (SSE-KMS).
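The settings saved in the preferences tab are stored by Session Manager in the SSM document SSM-SessionManagerRunShell. The following added example (not part of the lab) checks such a document against the Scenario's Auditing and encryption requirements; the two documents it contains are constructed samples of the state before and after step 8.5, and the account number in the bucket name is a placeholder.

```python
"""Audit Session Manager preferences against the lab's requirements.

Added example, not part of the lab. The live document can be retrieved with
    aws ssm get-document --name SSM-SessionManagerRunShell --query Content --output text
and passed to audit_preferences(). Both documents below are constructed samples.
"""
import json

# Constructed: preferences as they look after logging is enabled in step 8.5.
AFTER_LAB = json.dumps({
    "schemaVersion": "1.0",
    "description": "Document to hold regional settings for Session Manager",
    "sessionType": "Standard_Stream",
    "inputs": {
        "s3BucketName": "session-manager-demo-123456789012-us-west-2",  # placeholder account
        "s3KeyPrefix": "Session-Manager/",
        "s3EncryptionEnabled": True,
        "cloudWatchLogGroupName": "",
        "cloudWatchEncryptionEnabled": True,
        "kmsKeyId": "",
        "runAsEnabled": False,
        "runAsDefaultUser": "",
    },
})

# Constructed: the default state observed in step 8.3 (no output location).
BEFORE_LAB = json.dumps({"schemaVersion": "1.0", "sessionType": "Standard_Stream",
                        "inputs": {"s3BucketName": "", "cloudWatchLogGroupName": ""}})


def audit_preferences(content: str) -> list[str]:
    """Return findings as strings; an empty list means every check passed."""
    inputs = json.loads(content).get("inputs", {})
    bucket = inputs.get("s3BucketName", "")
    group = inputs.get("cloudWatchLogGroupName", "")
    findings = []
    # Auditing requirement: session input and output must be written somewhere.
    if not bucket and not group:
        findings.append("NO_OUTPUT_LOCATION: session logging is disabled")
    # Encryption at rest for whichever log destination is in use.
    if bucket and not inputs.get("s3EncryptionEnabled", False):
        findings.append(f"S3_UNENCRYPTED: logs to {bucket} without encryption")
    if group and not inputs.get("cloudWatchEncryptionEnabled", False):
        findings.append(f"CW_UNENCRYPTED: logs to {group} without encryption")
    # Informational: without a customer KMS key, session data is protected by TLS only.
    if not inputs.get("kmsKeyId"):
        findings.append("NO_KMS_KEY: KMS encryption of session data not enabled")
    return findings


if __name__ == "__main__":
    for name, doc in (("before", BEFORE_LAB), ("after", AFTER_LAB)):
        print(name, audit_preferences(doc) or ["OK"])
```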

Optional Labs

Additional labs have been published to the following location. These labs include:

End of Lab Exercises

Thank you for using this lab.