Amazon Web Services (AWS) just recently announced support for running terminal sessions on your Amazon EC2 instances directly inside of your web browser. This feature works with both Bash on Linux and PowerShell sessions on EC2 instances running Windows Server. AWS Systems Manager is the service that introduced this new functionality, by way of a sub-feature called AWS Systems Manager – Session Manager. Here’s a link to the official announcement about Session Manager.
Although there are obvious workflow benefits to using a browser-based terminal session, there are additional security benefits as well. You can limit access to SSH port (TCP 22), Remote Desktop Protocol (RDP / TCP 3389) and the Windows Remote Management (WinRM) port (TCP 5985 / 5986) for PowerShell Remoting, to reduce the chances of malicious attacks at the network layer. Furthermore, instead of controlling access to EC2 instances with SSH keys and Windows user credentials, you can control access using the AWS Identity and Access Management (IAM) service.
Because Session Manager uses EC2 instance IDs in the URL to the AWS Management Console, you can use your browser’s bookmarking feature to save URLs to access specific virtual machines that are important to you. This makes navigating back to those EC2 instances much easier, in future sessions.
In order to utilize the AWS Systems Manager “Session Manager” feature, you must consider the following:
- The AWS Systems Manager agent version 220.127.116.11 or higher must be installed on your EC2 instance running Linux or Windows.
- Your Amazon EC2 instance must be able to route traffic to the public AWS Systems Manager API, or you must use the VPC Endpoint feature.
- You must have, or create, an IAM Role (EC2 Instance Profile) that has the appropriate policies attached to it, to allow your EC2 instances access to the AWS Systems Manager APIs. There is an AWS managed policy named AmazonEC2RoleforSSM for this purpose.
As you consider the above requirements, keep in mind that:
- Ubuntu 16 / 18, Amazon Linux, and Microsoft Windows Server AMIs provided by Amazon already have the AWS Systems Manager agent installed.
- On Linux, you can install or upgrade the amazon-ssm-agent package from apt or yum package managers.
- You can update the AWS Systems Manager agent to the latest version using the AWS-UpdateSSMAgent document via the Run Command or State Manager services in AWS Systems Manager.
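To check the requirements above across a fleet, and to confirm that the interactive ports mentioned earlier are actually closed, here is an added example (not from the original post or from AWS) that evaluates the JSON shapes returned by `aws ssm describe-instance-information` and `aws ec2 describe-security-groups`. The sample data is constructed inline, and the minimum agent version is a placeholder assumption to be replaced with the version AWS documents for Session Manager.

```python
import json

# Assumed placeholder: set to the SSM Agent version AWS documents for Session Manager.
MIN_AGENT_VERSION = "2.3.12.0"
INTERACTIVE_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM HTTP/HTTPS

# Constructed sample shaped like `aws ssm describe-instance-information` output.
SSM_INVENTORY = json.loads("""{"InstanceInformationList": [
 {"InstanceId": "i-0aaa111", "PingStatus": "Online", "AgentVersion": "2.3.68.0", "PlatformType": "Linux"},
 {"InstanceId": "i-0bbb222", "PingStatus": "Online", "AgentVersion": "2.2.800.0", "PlatformType": "Windows"},
 {"InstanceId": "i-0ccc333", "PingStatus": "ConnectionLost", "AgentVersion": "2.3.68.0", "PlatformType": "Linux"}
]}""")

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SECURITY_GROUPS = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0111", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-0222", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3385, "ToPort": 3390, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
 {"GroupId": "sg-0333", "IpPermissions": []}
]}""")


def version_tuple(v):
    """Compare dotted agent versions numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def session_manager_ready(inventory, min_version=MIN_AGENT_VERSION):
    """Map each instance ID to a list of blockers; an empty list means ready."""
    report = {}
    for info in inventory["InstanceInformationList"]:
        problems = []
        if info["PingStatus"] != "Online":
            problems.append("agent not reporting (%s)" % info["PingStatus"])
        if version_tuple(info["AgentVersion"]) < version_tuple(min_version):
            problems.append("agent %s older than %s" % (info["AgentVersion"], min_version))
        report[info["InstanceId"]] = problems
    return report


def exposed_interactive_ports(groups):
    """Security groups still allowing inbound SSH/RDP/WinRM, with the ports they expose."""
    findings = {}
    for sg in groups["SecurityGroups"]:
        ports = set()
        for perm in sg["IpPermissions"]:
            if perm["IpProtocol"] not in ("tcp", "-1"):  # "-1" means all traffic
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            ports.update(p for p in INTERACTIVE_PORTS if lo <= p <= hi)
        if ports:
            findings[sg["GroupId"]] = sorted(ports)
    return findings
```

Run both functions against the real CLI output (`--output json`) once each instance profile carries the AmazonEC2RoleforSSM policy; an instance with no blockers and no exposed interactive ports is the target state the post describes.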
Once you’ve met the requirements shown above, to start using the Session Manager feature, simply log into the AWS Management Console, and navigate to the AWS Systems Manager service.
Select the Session Manager feature from the Actions section on the left-hand navigation area.
Click the Start Session button. On the next screen, select your EC2 instance, then click the Start Session button.
A terminal session will open up to your EC2 instance in a new browser tab. If you’re creating a remote terminal on an EC2 instance running Windows Server, you’ll receive a PowerShell prompt. However, an EC2 instance running Linux will present you with a sh prompt.
In closing, I would encourage you to improve the overall security posture of your cloud infrastructure by closing off access to unnecessary network ports using VPC Security Groups and/or Network Access Control Lists (NACLs). Use the new Session Manager feature in the AWS Systems Manager service to manage infrastructure interactively, when required. You can also leverage other services within AWS Systems Manager, such as Run Command and State Manager, to perform automated healing processes, minimizing your need to manually manage individual virtual machines.