A D Vishnu Prasad

Director of Cloud Engineering @ Team8Solutions, Freelancer

SSH Into EC2 Instances Without Opening Port 22

Introduction

The easy way to access an EC2 instance from your terminal is by running the ssh command. But for that you need to open port 22 for your IP, and most of the time developers tend to open it to the public instead. This results in a big security hole.

So how do we access the EC2 instance without opening port 22 at all? There is a way! You can make use of AWS SSM to access the instance, and you don’t have to open port 22 at all. This is a best practice and looks good on your compliance security reports.

AWS Session Manager

A bastion host, sometimes called a jump box, is a server that provides a single point of access from an external network to the resources located in a private network. A server exposed to an external public network, such as the internet, poses a potential security risk for unauthorized access. It’s important to secure and control access to these servers.

This pattern describes how you can use Session Manager (Reference) and Amazon EC2 Instance Connect to securely connect to an Amazon Elastic Compute Cloud (Amazon EC2) bastion host deployed in your AWS account. Session Manager is a capability of AWS Systems Manager. The benefits of this pattern include:

  • The deployed bastion host doesn’t have any open, inbound ports exposed to the public internet. This reduces the potential attack surface.

  • You don’t need to store and maintain long-term Secure Shell (SSH) keys in your AWS account. Instead, each user generates a new SSH key pair each time they connect to the bastion host. AWS Identity and Access Management (IAM) policies that are attached to the user’s AWS credentials control access to the bastion host.

Setup Guide

Prerequisites

  1. AWS CLI: Ensure you have the AWS Command Line Interface (CLI) installed on your macOS. If not installed, you can download and install it from the AWS CLI official website.
  2. Configure AWS CLI: If you haven’t configured your AWS CLI yet, you need to do it by running the following command and providing your AWS Access Key ID, Secret Access Key, and default region:

    aws configure
    

    This step is required to ensure the AWS CLI can authenticate and access your AWS account.

  3. The AWS user must have the AmazonSSMManagedInstanceCore role attached to their user policy.

Install the Session Manager plugin on macOS

For other operating systems, follow this link.

  1. Download the bundled installer.

    curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac/sessionmanager-bundle.zip" -o "sessionmanager-bundle.zip"
    
  2. Unzip the package.

    unzip sessionmanager-bundle.zip
    
  3. Run the install command.

    sudo ./sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin
    
  4. Remove the bundled installer.

    rm sessionmanager-bundle.zip
    rm -rf sessionmanager-bundle
    

Connect to an EC2 Instance using Session Manager

  aws ssm start-session --target <Instance ID> --region ap-southeast-2

That’s it. Now you should be able to access the EC2 instance without worrying about port 22.
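As an added example (not code from the original post), here is a small pre-flight script that wraps the connect step above: it validates the target ID, checks that the CLI and plugin are installed, asks SSM whether the agent on the instance is actually online, and only then starts the session. It assumes the AWS CLI and session-manager-plugin are installed as described and that credentials are already configured; the `ssh` mode using the AWS-StartSSHSession document is an extra on top of the plain shell session the post uses.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight checks before
# `aws ssm start-session`, so a failure is reported clearly instead of a
# hanging session. Assumes the AWS CLI and session-manager-plugin are
# installed as in the steps above and credentials are configured.
set -eu

# Session Manager targets are EC2 instance IDs (i-...) or hybrid managed
# nodes (mi-...); AWS uses 8- or 17-character hex suffixes.
validate_target() {
  printf '%s\n' "$1" | grep -Eq '^(i|mi)-[0-9a-f]{8}([0-9a-f]{9})?$' \
    || { echo "not a Session Manager target id: $1" >&2; return 1; }
}

# PingStatus from `aws ssm describe-instance-information`: only "Online"
# means the SSM Agent is checking in. "ConnectionLost", "Inactive" or
# "None" (not registered, e.g. no instance profile) all mean the session
# would fail no matter what the security group allows.
ssm_reachable() {
  [ "$1" = "Online" ]
}

# Plain mode opens a shell through the SSM Agent. Mode "ssh" uses the
# AWS-StartSSHSession document, which tunnels a local ssh client to sshd
# on the instance over SSM; port 22 still needs no inbound rule.
session_command() {
  target=$1; region=$2; mode=${3:-shell}
  cmd="aws ssm start-session --target $target --region $region"
  if [ "$mode" = "ssh" ]; then
    cmd="$cmd --document-name AWS-StartSSHSession --parameters portNumber=22"
  fi
  printf '%s' "$cmd"
}

# Validate the id, confirm tooling, ask SSM whether the agent is online,
# then start the session.
preflight() {
  target=$1; region=$2
  validate_target "$target"
  command -v aws >/dev/null || { echo "aws CLI not installed" >&2; return 1; }
  command -v session-manager-plugin >/dev/null \
    || { echo "session-manager-plugin not installed" >&2; return 1; }
  status=$(aws ssm describe-instance-information --region "$region" \
    --filters "Key=InstanceIds,Values=$target" \
    --query 'InstanceInformationList[0].PingStatus' --output text)
  ssm_reachable "$status" \
    || { echo "$target not reachable via SSM (PingStatus: $status)" >&2; return 1; }
  eval "$(session_command "$target" "$region")"
}
```

Run it as `preflight <Instance ID> ap-southeast-2` after sourcing the file; a "None" PingStatus is the usual sign that the instance profile is missing the SSM permissions, not a networking problem.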
