As we all know AWS is provides great solutions to a vast number of common technical problems. One such solutions excited me as a Security focused AWS Architect recently, and I wanted to share this finding aka Session Manager. This feature is available via Systems Manager. It communicates over a system agent called SSM Agent on AWS EC2 instances.
Advantages Over Traditional SSH:
- Tracks connectivity on a per IAM user & per session basis.
- Eliminates the need for shared private keys between staff/teams.
- Removes SSH from attack service as there's no need to route traffic.
- Eliminates the need for Public IP based Bastions/Jump/VPN solutions.
- Encrypts connection traffic using new/existing KMS keys to/from your instances.
- Encrypts Session & Command Logs via KMS by leveraging CloudWatch.
- Allows for log retention and automated deletion via CloudWatch.
- Allows for automatic rotation of the assigned key via KMS.
In order to utilize Session Manager, endpoints require both the AWS CLI and Session Manager plugin. It's important to note that although this does imply a more secure operational environment, it does communicate using IAM programmatic keys. It's only as safe as your weakest user or laziest admin.