内容简介:Hey I'mAWS Systems ManagerYou can use Session Manager to access instances via the AWS Console, or if you install the
AWS Session Manager: less infrastructure, more features
Hey I'm Jon , CTO at Sym, and I've been building support for AWS Session Manager into our access management products. We're finding that many people still don't know about the features of Session Manager and how it can help them simplify their infrastructure, so I thought I'd share a bit of what we've learned.
Less infrastructure
AWS Systems Manager Session Manager enables SSH access that is managed solely with IAM permissions. This approach has major benefits for infrastructure owners:
- No more bastion hosts required! Session Manager uses AWS APIs to communicate with your instances, so you can remove the administrative burden of maintaining bastion hosts.
- Fewer SSH ingress rules! Since your team is getting SSH access through Session Manager, you can remove ingress from your firewall and reduce your attack surface.
Log in via the console or command line
You can use Session Manager to access instances via the AWS Console, or if you install the AWS CLI Plugin , then you can also start sessions from your local workstation.
Console access
Command-line access
More features
Beyond simplifying your infrastructure, Session Manager comes with a bunch of additional helpful features. I'll highlight two of those here.
Managing access with tags
You can take advantage of conditional IAM policies to partition access to your instances in interesting ways. This statement, for example, only grants session access to instances that are tagged as part of the Analytics department:
{
"Effect": "Allow",
"Action": "ssm:StartSession",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringLike": {
"ssm:resourceTag/Deparment": "Analytics"
}
}
}
Logging your session activity
You can enable logging of what people are actually doing on instances when they SSH in. Logs can got to S3 or, if you've got CloudWatch logs set up on your instances, to CloudWatch logs.
In either case, each user's session gets logged with a Session ID that includes the user's name, such as foo@example.com-0391fd059b5290de2 . From the Session ID you can get other metadata about the session, such as the EC2 instance, Start Time, and End Time:
You can dig in to the details of a session and see what commands someone ran like so:
Required setup
The AWS Systems Manager Agent needs to be installed on your instances. The agent comes by default on Amazon Linux or can be installed on most other OSes.
You also need to ensure your instances have permission to talk to Session Manager. You can use the AWS-provided AmazonSSMManagedInstanceCore Managed Policy for this, or craft your own policy.
Kicking the tires
If you want a quick way to try Session Manager out, the terraform-okta-ssm-modules repo has examples to get you started.
Further reading
Disney Streaming released SSM Helpers , which includes a command-line wrapper for SSH access with lots of extra features.
Hope you learned something! I'd love to learn how you're using Session Manager or what other features/integrations you'd like to see us explore. There are additional Session Manager features like port forwarding that I plan to write about soon. Please send me a Twitter DM ( @firstmorecoffee ) or email ( jon@symops.io ) with your feedback.
以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网
猜你喜欢:
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
