Using AWS SSM Session Manager to Achieve Secure Login to EC2 Without Public IP and Keys

cloud 2026-05-29 13 reads

In traditional cloud server operations, the standard setup for logging in to a Linux EC2 instance is: bind a public IP to the server (or route through a NAT gateway), open TCP port 22 in the security group, configure the SSH private key (.pem file) locally, and then connect from the terminal.

However, this standard process, which has been in use for more than ten years, faces serious challenges under modern enterprise security standards:

Exposure on the public network: as long as the SSH port is open, whether you keep 22 or move it elsewhere, thousands of automated scanning and brute-force scripts will hammer it every day.

Key management disaster: once the key file has been handed out to several developers or operators, it is very easy to end up with a serious security incident, such as an employee leaving without the key being revoked, or the key being accidentally pushed to a public GitHub repository.

High cost: to avoid assigning public IPs to servers, many teams have to pay for bastion hosts (jump boxes) or set up complex VPN tunnels, adding to the daily budget.

Within AWS there is a free, advanced feature that can be called an overwhelming advantage: it addresses every one of the pain points above. It is called AWS Systems Manager Session Manager (Session Manager).

This article skips the complicated security theory and walks you step by step through the whole process: the server needs no public IP, the security group opens no ports, and there is no .pem key file on your machine, yet you can still log in to the EC2 terminal.

Stage 1: Deep Dive into Session Manager's "Reverse Connection" Technique

Why can we connect to the server remotely without a public IP or port 22?

Traditional SSH login is a forward connection: your computer, as the client, actively crosses the public network and knocks on port 22 of the EC2 server. This requires the server to have a public entry point, and that door must be open.

Session Manager uses reverse connection logic:

Inside your EC2 server runs a small official daemon called SSM Agent.

This process needs no inbound traffic. It actively establishes a secure, persistent, two-way connection from inside to outside (outbound) over HTTPS (port 443) to the AWS SSM service endpoints.

When you log in to the AWS console or connect through the local AWS CLI, your request first goes to the AWS SSM service, which then passes your instructions to the Agent inside EC2 for execution over the channel that has already been established.

Core security conclusion: because all traffic is outbound, your EC2 security group's inbound rules can be left completely empty (all inbound ports closed). Attackers cannot even discover the server with port scanners, and security is maxed out.

Stage 2: Hands-on Part I: Giving EC2 the Right to Speak (IAM Role Configuration)

If EC2 is to actively connect to AWS's SSM service, it must be authorized by you. In AWS, the only pass that authorizes a resource is called an IAM Role (Identity and Access Management role).

Log in to the AWS console, search for and open the IAM service.

In the left menu, click Roles -> Create role.

For the trusted entity type choose AWS service, and for the service or use case choose EC2. Click Next.

Add a permission policy (key step): enter AmazonSSMManagedInstanceCore in the search box (this is the official AWS minimum core permission policy built specifically for Session Manager) and check it.

Click Next, give the role a name such as EC2-SSM-Access-Role, and click Create.

Stage 3: Hands-on Part II: Launching a "Fully Closed" Private EC2

With the foundation in place, let's launch a server for a real test.

Go to the EC2 console and click Launch Instance.

System image (AMI): it is strongly recommended to choose the latest Amazon Linux 2023 or Amazon Linux 2. Tip to avoid pitfalls: on these two systems SSM Agent is installed and started by default, so you do not need to install it by hand. If you choose stock Ubuntu or CentOS, you need to install the SSM Agent package manually with apt or yum after boot.

Instance type: select the free-tier t3.micro.

Key pair: choose "Continue without a key pair" directly in the drop-down menu (to truly experience the fun of keyless login).

Network settings (cost and security hygiene): Auto-assign public IP: select Disable; we do not need a public IP. Security group inbound rules: delete the default "Allow SSH, port 22" rule and keep the inbound rules empty.

Advanced details (the crucial part): scroll down to IAM instance profile and, in the drop-down menu, select the EC2-SSM-Access-Role created in Stage 2.

Click Launch Instance.

Stage 4: The Moment of Truth: Three Powerful Login Methods

After the server has been running for 2 to 3 minutes, so that the underlying SSM Agent has had time to connect to the cloud, let's see how to get into the system.

Method 1: One-click access from the console (for the lazy)

In the EC2 instance list, select the server you just created with no public IP and no open ports.

Click Connect at the top.

Switch to the Session Manager tab (you will find that the previously greyed-out Connect button is now enabled thanks to the correct configuration).

Click Connect. The browser instantly opens a plain black native terminal. You are already logged in as ssm-user; run sudo su - to switch to root and take full control.

Method 2: Connecting from a local terminal (the professional ops way)

Many senior operators dislike working in a browser and prefer a local terminal (Mac Terminal, iTerm2 or Windows PowerShell). No problem, Session Manager supports that just as well.

Make sure the AWS CLI is installed on your local computer and your personal IAM access keys are configured via aws configure.

Your local computer also needs a free small plugin called Session Manager Plugin (download the installer for your operating system from the AWS website and install it in one step).

Open your local terminal and type this command (replace the instance ID with your own):

aws ssm start-session --target i-0123456789abcdef0

There is no key prompt and no password to enter. A second later your local terminal is connected to the cloud server that has no public IP at all.

Stage 5: Enterprise Advanced Audit: Who Did What on My Server?

If you think Session Manager is just a convenience, you underestimate AWS's enterprise-grade standards. The core reason it is favored by companies with high compliance requirements, such as finance and securities, is that it comes with a complete, gap-free audit pipeline.

With traditional SSH logins, it is hard to trace which files were deleted and which configurations were changed unless you go to great lengths to set up log collection inside the system.

In the AWS Systems Manager settings, you can enable delivery of session logs directly:

Delivery to an S3 bucket: every command the user types in the terminal and every character printed on screen (including backspaces and error output) is recorded in real time as an encrypted text file and uploaded to S3 for permanent storage.

Delivery to CloudWatch Logs: enables real-time log alerting.

Even if an operator with the highest privileges runs rm -rf on the server, they cannot delete the hard evidence that has already been shipped to the S3 audit bucket. Who did what and when can be answered with a single query, meeting the strictest compliance audit requirements.
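As an added example (not code from the original post), here is a small Python scan a defender could run over session transcripts delivered to S3 or CloudWatch Logs to flag destructive commands. The transcript below is constructed and its layout is an assumption, not the exact Session Manager log format; real logs also carry terminal escape sequences, which the code strips before matching.

```python
import re

# Constructed sample transcript; its layout is an assumption and not the exact
# Session Manager log format. Real logs carry terminal escape sequences, which
# strip_ansi() removes before any matching is done.
SAMPLE_TRANSCRIPT = """\
Script started on 2026-05-29 10:00:01
sh-5.2$ sudo su -
\x1b[0m[root@ip-10-0-1-23 ~]# cat /etc/hostname
ip-10-0-1-23
[root@ip-10-0-1-23 ~]# rm -rf /var/log/secure
[root@ip-10-0-1-23 ~]# exit
"""

ANSI_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")
# A shell prompt line: either "[user@host dir]# cmd" or "sh-5.2$ cmd".
PROMPT_RE = re.compile(r"^(?:\[[^\]]*\]|\S+)[#$]\s+(?P<cmd>.+)$")

# Destructive or trace-removing commands worth an alert.
RISKY_PATTERNS = {
    "privilege_escalation": re.compile(r"\bsudo\s+(?:su\b|-i\b)"),
    "recursive_delete": re.compile(r"\brm\s+-[a-zA-Z]*(?:rf|fr)\b"),
    "history_tampering": re.compile(r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b"),
}

def strip_ansi(text: str) -> str:
    """Remove terminal escape sequences so the command text is matchable."""
    return ANSI_RE.sub("", text)

def extract_commands(transcript: str) -> list:
    """Return (line_number, command) for every prompt line in the transcript."""
    commands = []
    for lineno, raw in enumerate(strip_ansi(transcript).splitlines(), start=1):
        m = PROMPT_RE.match(raw.strip())
        if m:
            commands.append((lineno, m.group("cmd").strip()))
    return commands

def find_risky_commands(transcript: str) -> list:
    """Flag commands matching RISKY_PATTERNS. The copy in S3 survives even if
    the operator later wipes local logs on the instance."""
    findings = []
    for lineno, cmd in extract_commands(transcript):
        for name, pattern in RISKY_PATTERNS.items():
            if pattern.search(cmd):
                findings.append({"line": lineno, "rule": name, "command": cmd})
    return findings

if __name__ == "__main__":
    for f in find_risky_commands(SAMPLE_TRANSCRIPT):
        print(f"line {f['line']}: [{f['rule']}] {f['command']}")
```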

Stage 6: Pitfalls and Lessons Learned in Daily Operations

The connection prompt says "the instance is not registered or online": if the console Connect button is greyed out after a new server comes up, 99% of the time it is because your private subnet is completely cut off from the outside. Although SSM Agent sends its requests from inside to outside, if the private subnet has neither a NAT gateway nor VPC endpoints, the Agent cannot even send HTTPS traffic to the AWS service domain names, and it is simply lost. Make sure the private network can at least reach the public domain names of the AWS service, or create three VPC endpoints in the VPC: ssm, ssmmessages and ec2messages.

Permissions too tight for team collaboration: Session Manager no longer recognizes .pem files; it recognizes the permissions of individual AWS IAM users. If you want the new developer Xiao Zhang to log in to this machine, add a policy to his IAM user that allows ssm:StartSession on this EC2 instance. Replacing the distribution of physical keys entirely with IAM is the modern cloud-native way.
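The two IAM documents behind Stage 2 (the role EC2 assumes) and this Stage 6 case (a per-user policy scoped to one instance), as an added example in Python rather than the console steps the post uses; this is not code from the original post. The account id is a constructed placeholder, the instance id is the one the post uses, and the ${aws:username} session variable and the SSM-SessionManagerRunShell document follow the pattern AWS documents for end-user Session Manager policies.

```python
import json
import re

# Constructed placeholder account id for the demo; the instance id is the one
# used in the post. Neither is a real account of the author.
ACCOUNT_ID = "123456789012"
INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8,17}$")

def ec2_trust_policy() -> dict:
    """Trust policy behind the Stage 2 role: only the EC2 service may assume
    it, which is what lets the instance profile feed credentials to SSM Agent."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}

def start_session_policy(account_id: str, region: str, instance_id: str) -> dict:
    """Per-user policy for the Stage 6 case: ssm:StartSession on exactly one
    instance (plus the default session document), and the right to resume or
    terminate only the caller's own sessions via the ${aws:username} variable."""
    if not INSTANCE_ID_RE.match(instance_id):
        raise ValueError(f"not an EC2 instance id: {instance_id!r}")
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ssm:StartSession", "Resource": [
            f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}",
            f"arn:aws:ssm:{region}:{account_id}:document/SSM-SessionManagerRunShell"]},
        {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
         "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"}]}

def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])

def wildcard_start_session(policy: dict) -> bool:
    """Policy-review check: True if any Allow statement grants StartSession on
    Resource '*', i.e. on every instance in the account rather than one."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if any(a in ("ssm:StartSession", "ssm:*", "*") for a in actions) \
                and "*" in _as_list(stmt.get("Resource")):
            return True
    return False

if __name__ == "__main__":
    print(json.dumps(ec2_trust_policy(), indent=2))
    print(json.dumps(start_session_policy(ACCOUNT_ID, "us-east-1", "i-0123456789abcdef0"), indent=2))
```

The trust policy is what you pass when creating the role in Stage 2; the per-user policy is attached to Xiao Zhang's IAM user, and wildcard_start_session() is the review check that catches a policy that quietly grants access to every instance.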

Summary

Logging in to EC2 with AWS SSM Session Manager essentially replaces ancient network-level authentication (port 22 plus a physical key) with modern identity authentication (IAM). Used well, this free feature not only lets you cut unnecessary bastion hosts and public IP budgets, but also makes your cloud infrastructure "instantly invisible" on the public network. Security and convenience together is the elegant, standard posture for cloud operations.
