Accessing private instances or resources in the AWS Cloud Infrastructure
Prerequisites
- Fundamentals of networking
- VPN concepts
- AWS services such as VPC, EC2 and CloudWatch
Accessing private EC2 instances inside a VPC (Virtual Private Cloud) has always been a complex and tedious task. In the traditional approach, people either keep the EC2 instance public (which exposes it directly to the internet and is not a recommended design for a well-secured infrastructure) or keep it in a private subnet and reach it through one of the methods listed below:
- Via bastion host with ssh tunnelling
- Via establishing a VPN connection
Problems with the traditional approaches
Accessing private instances via bastion host with ssh tunnelling
Accessing an instance in a private subnet through a bastion host is shown in the example diagram above.
The flow is as follows:
- The private key for the bastion host is shared with every user who needs SSH access
- The user connects to the bastion host over SSH, since it is publicly exposed on the network
- As shown in the diagram, the bastion host sits in the same VPC (the same network) as the private instances, so it can reach them over their private IPs
- From the bastion host, the user opens a second SSH connection to the private instance using its private IP
Advantages
- Easy to implement
- Easy to use
- More secure than making the EC2 instance public and connecting to it directly over SSH from a local machine
Drawbacks
- SSH itself keeps no record of user-level activity: with a shared key, logins on the bastion cannot be attributed to an individual and the commands they run are not logged
- It is only as safe as the private key: if the shared key is compromised, the attacker gets the same access as every legitimate user, and rotating it means redistributing a new key to everyone
Accessing private instances via VPN
Accessing private instances over a VPN is shown in the example diagram above.
In this case the flow is as follows:
- Create the VPN configuration file and share it with the user
- The user configures the VPN client on their local machine
- The user activates the VPN session
- The user connects to the private instance over SSH using its private IP or private DNS name
Advantages
- More secure than the bastion approach: the instance is never exposed publicly
- Logs are kept for each active VPN session (connection logs)
- VPN access can be revoked easily
Drawbacks
- Only connection logs are captured in this setup; the commands run inside the EC2 instance are not logged
- Complex to implement
- Comparatively slow
- No granular access control: once connected, the user can reach whatever the network allows, not just a specific instance
Solution with AWS Session Manager
Session Manager is a fully managed AWS Systems Manager capability. With Session Manager, you can manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and virtual machines (VMs). You can use an interactive one-click browser-based shell or the AWS Command Line Interface (AWS CLI). Session Manager provides secure and auditable node management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also allows you to comply with corporate policies that require controlled access to managed nodes, strict security practices, and fully auditable logs with node access details while providing end users with simple one-click cross-platform access to your managed nodes.
Advantages of using Session Manager
- Centralized access control to managed nodes using IAM policies
- No open inbound ports and no need to manage bastion hosts or SSH keys
- One-click access to managed nodes from the console and CLI
- Logging and auditing session activity
Who should use Session Manager
- Any AWS customer who wants to improve their security and audit posture, reduce operational overhead by centralising access control on managed nodes, and reduce inbound node access.
- Information security teams who want to monitor and track managed node access and activity, close inbound ports on managed nodes, or allow connections to managed nodes that don't have a public IP address.
- Administrators who want to grant and revoke access from a single location, and who want to provide one solution to users for Linux, macOS, and Windows Server managed nodes.
- Users who want to connect to a managed node with one click from the browser or the AWS CLI without having to provide SSH keys.
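The "centralized access control using IAM policies" bullet above is where the granular access that the bastion and VPN approaches lack comes from. The following is an added example (not code from the original post) of a least-privilege Session Manager policy: StartSession is allowed only on instances carrying a given tag and only through the regional preferences document, and users may terminate only their own sessions. Beside it is a check for the over-broad `ssm:*` on `*` shape. The account ID, region and `Environment=dev` tag are placeholders; the condition keys `ssm:resourceTag/<tag>` and `ssm:SessionDocumentAccessCheck` are the ones AWS documents for StartSession.

```python
"""Least-privilege Session Manager IAM policy, with a check for the
over-broad variant. Added example; not code from the original post.
Placeholders: account 111111111111, region us-east-1, tag Environment=dev."""
import json

SESSION_DOC = "SSM-SessionManagerRunShell"   # the regional preferences document


def session_policy(account, region, tag_key, tag_value):
    """Allow StartSession only on instances tagged tag_key=tag_value, only
    through the preferences document (so its logging settings cannot be
    bypassed with another Session document), and only let users end or
    resume the sessions they opened themselves."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartSessionOnTaggedInstances",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": f"arn:aws:ec2:{region}:{account}:instance/*",
                "Condition": {
                    "StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value},
                    # Forces IAM to also check permission on the session document.
                    "BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"},
                },
            },
            {
                "Sid": "OnlyTheDefaultSessionDocument",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": f"arn:aws:ssm:{region}:{account}:document/{SESSION_DOC}",
            },
            {
                "Sid": "ManageOwnSessionsOnly",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                # Session IDs are prefixed with the IAM user name.
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
            {
                "Sid": "ReadOnlyForTheConsole",
                "Effect": "Allow",
                "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                           "ssm:DescribeInstanceInformation", "ec2:DescribeInstances"],
                "Resource": "*",
            },
        ],
    }


# The shape that usually appears in a first draft: anyone holding it can
# open a shell on every managed node in the account.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ssm:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def unscoped_start_session(policy):
    """Return the Sids (or statement indexes) of Allow statements that grant
    StartSession on every instance without a tag restriction."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if not any(a in ("ssm:StartSession", "ssm:*", "*") for a in actions):
            continue
        resources = _as_list(st.get("Resource", []))
        wildcard = any(r == "*" or r.endswith(":instance/*") for r in resources)
        conds = st.get("Condition", {})
        tag_scoped = any(k.startswith("ssm:resourceTag/")
                         for keys in conds.values() for k in keys)
        if wildcard and not tag_scoped:
            findings.append(st.get("Sid", f"statement[{i}]"))
    return findings


if __name__ == "__main__":
    policy = session_policy("111111111111", "us-east-1", "Environment", "dev")
    print(json.dumps(policy, indent=2))
    print("over-broad statements:", unscoped_start_session(OVERLY_BROAD_POLICY))
```

Attach the generated policy to the IAM user or role that should get shell access; the check function is the kind of thing to run in CI over every policy in the account so that an `ssm:*` on `*` never ships unnoticed.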
Setup Session Manager Logs
To stream session data to Amazon CloudWatch Logs using the console, follow these steps:
- Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/
- In the navigation pane, choose Session Manager.
- Choose the Preferences tab, and then choose Edit.
- Select the check box next to Enable under CloudWatch logging.
- Choose the Stream session logs option.
- Select the check box next to Allow only encrypted CloudWatch log groups. With this option turned on, log data is encrypted using the server-side encryption key specified for the log group. If you don't want to encrypt the log data sent to CloudWatch Logs, clear the check box. You must also deselect the check box if encryption isn't allowed on the log group.
- For CloudWatch logs, specify the existing CloudWatch Logs log group in your AWS account that session logs should be sent to, in one of the following ways:
a. Enter the name of a log group that has already been created in your account to store session log data.
b. Browse log groups: select a log group that has already been created in your account to store session log data.
- Choose Save.
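The console steps above edit a Session-type SSM document named SSM-SessionManagerRunShell, which holds the regional preferences. The following added example (not code from the original post) builds that document with the same settings and checks a preferences document for the weaknesses a review would flag: no log destination, streaming or encryption turned off, sessions running as the default ssm-user (which has sudo on Linux), and a long idle timeout. The log group name `/ssm/sessions` and the `ops` run-as user are placeholders; the document fields are the ones AWS uses for SSM-SessionManagerRunShell.

```python
"""Session Manager preferences as a Session-type SSM document, plus a
check for settings a security review would flag. Added example, not code
from the original post. Log group and run-as user names are placeholders."""
import json

PREFERENCES_DOC = "SSM-SessionManagerRunShell"


def session_preferences(log_group, kms_key_id="", run_as_user="", idle_minutes=10):
    """Build the regional preferences document: stream every session to an
    encrypted CloudWatch log group and, if run_as_user is given, start the
    shell as that OS user instead of the default ssm-user."""
    return {
        "schemaVersion": "1.0",
        "description": "Document to hold regional settings for Session Manager",
        "sessionType": "Standard_Stream",
        "inputs": {
            "s3BucketName": "",
            "s3KeyPrefix": "",
            "s3EncryptionEnabled": True,
            "cloudWatchLogGroupName": log_group,
            "cloudWatchEncryptionEnabled": True,  # "Allow only encrypted CloudWatch log groups"
            "cloudWatchStreamingEnabled": True,   # "Stream session logs"
            "kmsKeyId": kms_key_id,               # KMS encryption of the session data when set
            "runAsEnabled": bool(run_as_user),
            "runAsDefaultUser": run_as_user,
            "idleSessionTimeout": str(idle_minutes),
            "maxSessionDuration": "",
            "shellProfile": {"windows": "", "linux": ""},
        },
    }


def audit_preferences(doc):
    """Return a list of weaknesses found in a preferences document."""
    inp = doc["inputs"]
    findings = []
    if not (inp.get("cloudWatchLogGroupName") or inp.get("s3BucketName")):
        findings.append("no log destination: sessions are not recorded")
    if inp.get("cloudWatchLogGroupName") and not inp.get("cloudWatchStreamingEnabled"):
        findings.append("logs are only uploaded when a session ends, so an open session is invisible")
    if inp.get("cloudWatchLogGroupName") and not inp.get("cloudWatchEncryptionEnabled"):
        findings.append("unencrypted CloudWatch log group allowed")
    if not inp.get("runAsEnabled"):
        findings.append("sessions run as ssm-user, which has sudo on Linux")
    if int(inp.get("idleSessionTimeout") or 20) > 20:
        findings.append("idle timeout above the 20-minute default")
    return findings


if __name__ == "__main__":
    hardened = session_preferences("/ssm/sessions", run_as_user="ops")
    with open("prefs.json", "w") as fh:
        json.dump(hardened, fh, indent=2)
    print("findings:", audit_preferences(hardened))
```

Create the document once with `aws ssm create-document --name SSM-SessionManagerRunShell --document-type Session --content file://prefs.json`, and afterwards change it with `aws ssm update-document --name SSM-SessionManagerRunShell --content file://prefs.json --document-version '$LATEST'`. Streaming only works if the instance profile role can call `logs:CreateLogStream`, `logs:DescribeLogGroups`, `logs:DescribeLogStreams` and `logs:PutLogEvents` on the log group (plus `kms:Decrypt` and `kms:GenerateDataKey` on the key when the group is encrypted), and the run-as user must already exist on every target instance or the session will fail to start.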
Accessing an EC2 node in a private subnet of the VPC
- Make sure the target is a managed node: SSM Agent is running, the instance profile grants the AmazonSSMManagedInstanceCore permissions, and the instance can reach the ssm, ssmmessages and ec2messages endpoints (through a NAT gateway or VPC interface endpoints, since it has no public IP). The local machine needs the Session Manager plugin for the AWS CLI installed.
- Open the AWS CLI
- Run the following command with the instance ID of the private EC2 node:
aws ssm start-session --target <instance-id>
- Once the user is connected, everything typed and returned in the session is streamed to the CloudWatch log group configured above
How does Session Manager work?
The architecture diagram below shows how it works end to end (from running the command in the AWS CLI to execution on the instance).
The steps are:
- The user runs the start-session command from the AWS CLI (or clicks Connect in the console)
- This calls the Systems Manager StartSession API, which authorizes the request against the caller's IAM policy
- If the call is allowed, Systems Manager creates the session. SSM Agent on the private instance already holds an outbound connection to the Systems Manager endpoints, so it picks up the session without any inbound port being opened; this is the same mechanism used for on-premises managed nodes
- Systems Manager returns a stream URL and token to the AWS CLI, whose session-manager-plugin connects to that stream, and from then on keystrokes and output flow between the CLI and the agent over it
Note: all session data exchanged between the AWS CLI and the instance over this channel is logged (in our case to CloudWatch).
In this way AWS Systems Manager Session Manager lets us securely access private nodes inside the VPC while keeping a full record of every session.
It also shows how easily user-level permissions can be managed through IAM policies, which is not possible with plain SSH.
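The session transcript in CloudWatch answers what was typed; who opened a session on which instance, through which session document, and for how long is answered by CloudTrail, which records every StartSession and TerminateSession call. The following added example (not code from the original post) reconstructs that audit trail and flags sessions worth a look. The records are constructed to mirror the shape of CloudTrail events for ssm.amazonaws.com; the user names, instance IDs and session IDs are made up, and `alice` being the only approved user is an assumption of the example.

```python
"""Reconstruct who opened a Session Manager shell on which instance, and
for how long, from CloudTrail records. Added example, not code from the
original post. SAMPLE_EVENTS is constructed; the users, instance IDs and
session IDs are made up."""
from datetime import datetime, timezone

TRUSTED_DOC = "SSM-SessionManagerRunShell"   # the document that carries the logging preferences

# Constructed sample: alice opens and closes a session, bob opens one through a
# different Session document that is never terminated, and an unrelated EC2
# call shows that non-SSM noise is ignored.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T09:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "StartSession",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"target": "i-0a1b2c3d4e5f60001", "documentName": TRUSTED_DOC},
     "responseElements": {"sessionId": "alice-0123456789abcdef0"}},
    {"eventTime": "2024-03-01T09:12:30Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "TerminateSession",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"sessionId": "alice-0123456789abcdef0"},
     "responseElements": {"sessionId": "alice-0123456789abcdef0"}},
    {"eventTime": "2024-03-01T09:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": None, "responseElements": None},
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "StartSession",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"target": "i-0a1b2c3d4e5f60002",
                           "documentName": "AWS-StartPortForwardingSession"},
     "responseElements": {"sessionId": "bob-0fedcba9876543210"}},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def session_audit(events):
    """Pair StartSession with TerminateSession by session ID. Returns a dict
    keyed by session ID with user, target, document, start, end (None when no
    TerminateSession was seen) and duration in seconds."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "ssm.amazonaws.com":
            continue
        if ev["eventName"] == "StartSession":
            sid = ev["responseElements"]["sessionId"]
            sessions[sid] = {
                "user": ev["userIdentity"]["arn"].rsplit("/", 1)[-1],
                "target": ev["requestParameters"]["target"],
                "document": ev["requestParameters"].get("documentName", TRUSTED_DOC),
                "start": _ts(ev["eventTime"]), "end": None, "seconds": None,
            }
        elif ev["eventName"] == "TerminateSession":
            sid = ev["requestParameters"]["sessionId"]
            if sid in sessions:
                sessions[sid]["end"] = _ts(ev["eventTime"])
                delta = sessions[sid]["end"] - sessions[sid]["start"]
                sessions[sid]["seconds"] = int(delta.total_seconds())
    return sessions


def findings(sessions, allowed_users):
    """Flag sessions opened by principals outside the access list, sessions
    started through a Session document other than the preferences document
    (a custom document carries its own logging settings), and sessions with
    no TerminateSession (still open, or ended by timeout rather than the user)."""
    out = []
    for sid, s in sessions.items():
        if s["user"] not in allowed_users:
            out.append((sid, "user not on the access list"))
        if s["document"] != TRUSTED_DOC:
            out.append((sid, f"non-default session document {s['document']}"))
        if s["end"] is None:
            out.append((sid, "no TerminateSession seen"))
    return out


if __name__ == "__main__":
    sessions = session_audit(SAMPLE_EVENTS)
    for sid, s in sessions.items():
        print(sid, s["user"], s["target"], s["seconds"])
    for sid, reason in findings(sessions, allowed_users={"alice"}):
        print("FLAG", sid, reason)
```

In practice the events come from a CloudTrail lookup or from the trail's S3 bucket; the same pairing logic applies. Cross-check the session IDs it produces against the log streams in the CloudWatch group configured earlier: a StartSession in CloudTrail with no matching transcript means logging was bypassed or the instance role could not write to the log group.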