Are security groups enforced when using ssm start-session with port forwarding
Can you tell me if security groups are still enforced when we connect to an instance via the ssm start-session CLI command using the port forwarding option
Or are security groups bypassed when connecting to instances using the ssm CLI ?
The security groups are not bypassed, however, the SSM agent on the instance initiates the connection to the SSM service so the outbound rules of the security group on the instance are the ones in play. Most likely, the outbound is wide open. Minimally, the outbound rule needs to allow outbound 443 to the SSM endpoints. See: Systems Manager prerequisites.
(Recommended) Create a VPC endpoint in Amazon Virtual Private Cloud (Amazon VPC) to use with Systems Manager. If you don't use a VPC endpoint, configure your managed instances to allow HTTPS (port 443) outbound traffic to the Systems Manager endpoints. For information, see (Optional) Create a VPC endpoint.
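A small offline check of the point made in the answer above, added here as an example and not part of the original question or answer: given a security group in the shape returned by `aws ec2 describe-security-groups`, it reports whether the egress rules let the SSM agent open TCP 443 to either a Systems Manager endpoint address or the security group attached to an interface VPC endpoint. The sample groups, the group IDs and the endpoint address (a TEST-NET-3 address) are constructed for illustration; the instance's inbound rules are deliberately ignored because the agent, not the operator, initiates the connection.

```python
"""Egress check for SSM Session Manager connectivity (added example, not AWS code).

The SSM agent on the instance dials out to the Systems Manager endpoints
(or to an interface VPC endpoint) over HTTPS. Inbound security-group rules
never see that connection, so the only thing to verify is egress on TCP 443.
Rule dictionaries below follow the IpPermissionsEgress element of
`aws ec2 describe-security-groups`; group IDs and IPs are hypothetical.
"""
import ipaddress


def _port_allowed(rule, port):
    """True if the rule covers TCP `port`. IpProtocol "-1" means all traffic
    and such rules carry no FromPort/ToPort keys."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def egress_allows(sg, port=443, dest_ip=None, dest_sg_id=None):
    """Return the first egress rule of `sg` that allows TCP `port` to the
    destination, or None. The destination is either an IP address (a public
    SSM endpoint or the ENI of an interface VPC endpoint) or the ID of the
    security group attached to an interface VPC endpoint."""
    for rule in sg.get("IpPermissionsEgress", []):
        if not _port_allowed(rule, port):
            continue
        if dest_ip is not None:
            ip = ipaddress.ip_address(dest_ip)
            ranges, cidr = ("IpRanges", "CidrIp") if ip.version == 4 else ("Ipv6Ranges", "CidrIpv6")
            for r in rule.get(ranges, []):
                if ip in ipaddress.ip_network(r[cidr], strict=False):
                    return rule
        if dest_sg_id is not None:
            for pair in rule.get("UserIdGroupPairs", []):
                if pair.get("GroupId") == dest_sg_id:
                    return rule
    return None


def ssm_reachable(sg, dest_ip=None, dest_sg_id=None):
    """Convenience wrapper: can the agent in this group reach SSM on 443?"""
    return egress_allows(sg, 443, dest_ip=dest_ip, dest_sg_id=dest_sg_id) is not None


# Constructed sample groups (hypothetical IDs). Note that none of them has
# an inbound rule for 22, 443 or the forwarded port; that is irrelevant here.
WIDE_OPEN = {  # the usual default: allow all outbound
    "GroupId": "sg-0example0wideopen",
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}
VPCE_SG_ID = "sg-0example0vpcendpt"  # group attached to the ssm/ssmmessages/ec2messages endpoints
LOCKED_DOWN = {  # only HTTPS, and only to the VPC endpoint's security group
    "GroupId": "sg-0example0lockdown",
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": VPCE_SG_ID}]},
    ],
}
BROKEN = {  # egress exists but only for HTTP: the agent can never register
    "GroupId": "sg-0example0broken",
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}
PUBLIC_SSM_IP = "203.0.113.10"  # stand-in for a resolved ssm.<region>.amazonaws.com address


if __name__ == "__main__":
    for name, sg in (("wide open", WIDE_OPEN), ("locked down", LOCKED_DOWN), ("broken", BROKEN)):
        via_internet = ssm_reachable(sg, dest_ip=PUBLIC_SSM_IP)
        via_vpce = ssm_reachable(sg, dest_sg_id=VPCE_SG_ID)
        print(f"{name:12s} public endpoint: {via_internet}  VPC endpoint: {via_vpce}")
```

The locked-down group is the configuration the answer recommends: no inbound rules at all, and egress restricted to the VPC endpoint's security group, which is enough for `start-session` including the `AWS-StartPortForwardingSession` document, because the forwarded traffic rides the agent's own outbound tunnel rather than a new inbound connection to the instance. A group that only allows egress on port 80 fails both checks, which is what you would expect to see as an instance that never shows up as a managed node.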