Are security groups enforced when using ssm start-session with port forwarding

0

Can you tell me if security groups are still enforced when we connect to an instance via the ssm start-session CLI command using the port forwarding option?

Or are security groups bypassed when connecting to instances using the ssm CLI?

1 answer
1

The security groups are not bypassed; however, the SSM agent on the instance initiates the connection to the SSM service, so the outbound rules of the security group on the instance are the ones in play. Most likely, the outbound is wide open. Minimally, the outbound rule needs to allow outbound 443 to the SSM endpoints. See: Systems Manager prerequisites.

(Recommended) Create a VPC endpoint in Amazon Virtual Private Cloud (Amazon VPC) to use with Systems Manager.
If you don't use a VPC endpoint, configure your managed instances to allow HTTPS (port 443) outbound traffic to the Systems Manager endpoints. For information, see (Optional) Create a VPC endpoint.
AWS
EXPERT
kentrad
answered 2 years ago
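A way to verify the point above from a security group's own egress rules, as an added example that is not part of kentrad's answer: it evaluates the IpPermissionsEgress structure in the shape returned by `aws ec2 describe-security-groups` (or boto3) and reports whether TCP 443 outbound is allowed and whether egress is simply wide open. The sample groups are constructed and the sg- ids are placeholders.

```python
"""Evaluate a security group's egress rules for SSM Agent reachability.

Added example: walks IpPermissionsEgress as returned by describe-security-groups
and reports whether outbound TCP 443 (SSM Agent -> Systems Manager endpoints)
is permitted, and whether the group still has the default allow-all egress.
"""
SSM_PORT = 443  # HTTPS to the ssm, ssmmessages and ec2messages endpoints

def rule_covers_port(rule, port):
    """True if an egress rule permits TCP `port` (IpProtocol -1 = all)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):   # "6" is the numeric protocol form
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def rule_destinations(rule):
    """Destinations a rule allows: CIDRs, prefix lists, security groups."""
    dests = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    dests += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    dests += [p["PrefixListId"] for p in rule.get("PrefixListIds", [])]
    dests += [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])]
    return dests

def assess_ssm_egress(sg):
    """Return {'ssm_reachable', 'destinations', 'wide_open_egress'}."""
    dests_443, wide_open = [], False
    for rule in sg.get("IpPermissionsEgress", []):
        if not rule_covers_port(rule, SSM_PORT):
            continue
        dests = rule_destinations(rule)
        dests_443 += dests
        if rule["IpProtocol"] == "-1" and "0.0.0.0/0" in dests:
            wide_open = True  # the default "allow all outbound" rule
    return {"ssm_reachable": bool(dests_443),
            "destinations": dests_443, "wide_open_egress": wide_open}

# Constructed samples (placeholder ids), not real account data.
DEFAULT_SG = {"GroupId": "sg-default-placeholder", "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
TIGHT_SG = {"GroupId": "sg-tight-placeholder", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "UserIdGroupPairs": [{"GroupId": "sg-ssm-endpoints-placeholder"}]}]}
NO_443_SG = {"GroupId": "sg-no443-placeholder", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}

if __name__ == "__main__":
    for sg in (DEFAULT_SG, TIGHT_SG, NO_443_SG):
        print(sg["GroupId"], assess_ssm_egress(sg))
```

TIGHT_SG shows the least-privilege shape the answer points at: 443 only, to the security group attached to the Systems Manager VPC endpoints, so Session Manager keeps working without allow-all egress.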
