AWS has been expanding their Systems Manager tool over the last year, adding a number of important features. Session Manager is the latest piece of the puzzle. It’s a seriously handy addition to the tool. In a nutshell, it allows anyone with the specific rights to access an EC2 instance without the private keys. Wait? What? Surely that’s insecure? Or is it? Let’s step back and talk about Systems Manager before we focus on Session Manager.
Should I care about Systems Manager?
That’s a great question. Do you have a server fleet or do you run serverless? Do you treat your server fleet as pets or cattle? Are you running both AWS Cloud based and on-premises environment? If you care about your running server fleet then you need to think about how you manage it. Traditionally, this has involved third party tools or custom scripts or – shock! – a manual process.
AWS introduced Systems Manager as a sub-component of EC2 a few years ago. A year ago, they split it off into a service of its own. As a result, there has been some serious enhancements in that time. Systems Manager now offers a whole bunch of features included:
- Health dashboard;
- Security & compliance posture;
- Remote command execution;
- Desired state;
- Patch management;
- Secrets management;
- Management of on-premises and in Cloud server instances.
It’s a pretty rich feature set. All these actions can be scheduled and managed through maintenance windows.
Of course, if you need to access the server instances, you still need the keys. This means that you need a way to manage the keys and keep them safe.
Enter Session Manager
What if you could control access to your server instances centrally? Would you like to be able to provide granular access to instances and control the timing of that access? Do you have to worry about distribution of keys today? What happens if you loose your keys?
Session Manager solves all these problems with access control integrated into IAM. It provides you the ability to access both Linux and Windows hosts without the private key. IAM permissions are used to control access. This means that access can be programmatically assigned easily and quickly. Afterwards, you can cleanup just as easily. That means no more copying of keys at 3am to a temporary device and then forgetting to delete it afterwards. You also don’t need to expose SSH or RDP ports to your networks. Now you have visibility of potential access through IAM policies. With SSH keys, you only find out about access when they are used i.e. after the event! On top of that, you can audit the access, down to the commands that were run in the session (either bash for Linux or Powershell for Windows).
We have setup Session Manager to log to a write only S3 bucket (in another account). The audit logs are ingested into SumoLogic. Finally, we alert on any anomalous behaviour using the power of SumoLogic.
It doesn’t do everything, of course. If you still need UI access to point and click, then you will need to enable RDP access in the traditional way.
Overall, we think that it’s a fantastic new feature that just kind of appeared with little fanfare! If you want to try it out, Jeff Barr has written this great post on getting started. We think that the addition of Session Manager to Systems Manager has really elevated Systems Manager into an enterprise grade tool. It can really help you to manage your hybrid cloud environment through a single tool.
If you want to know more or would like to see what AWS can do for you, please get in touch.