Are security groups enforced when using ssm start-session with port forwarding
0
Can you tell me if security groups are still enforced when we connect to an instance via the ssm start-session CLI command using the port forwarding option?
Or are security groups bypassed when connecting to instances using the ssm CLI?
asked a month ago, 34 views
1 Answer
1
The security groups are not bypassed, however, the SSM agent on the instance initiates the connection to the SSM service so the outbound rules of the security group on the instance are the ones in play. Most likely, the outbound is wide open. Minimally, the outbound rule needs to allow outbound 443 to the SSM endpoints. See: Systems Manager prerequisites.
(Recommended) Create a VPC endpoint in Amazon Virtual Private Cloud (Amazon VPC) to use with Systems Manager.
If you don't use a VPC endpoint, configure your managed instances to allow HTTPS (port 443) outbound traffic to the Systems Manager endpoints. For information, see (Optional) Create a VPC endpoint.
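An added example (not part of the answer above) that turns the answer's point into a check: since the agent dials out to Systems Manager, the only security-group rules that matter for a port-forwarding session are the instance's egress rules, and specifically whether TCP 443 is allowed to the SSM endpoints (public or VPC interface endpoints). The function below reads a security group in the JSON shape returned by `aws ec2 describe-security-groups` and reports whether any egress rule admits TCP 443. The three sample groups are constructed for illustration, the `sg-example-*` ids are placeholders, and the live-lookup helper assumes the AWS CLI is installed with working credentials.

```python
"""Does this security group let the SSM agent reach Systems Manager on TCP 443?

Context: a port-forwarding session is started with
    aws ssm start-session --target i-0123456789abcdef0 \
        --document-name AWS-StartPortForwardingSession \
        --parameters '{"portNumber":["80"],"localPortNumber":["8080"]}'
The session rides the agent's own outbound HTTPS connection, so inbound rules
never come into play; egress to port 443 must be allowed.
"""
import json
import subprocess

SSM_PORT = 443


def rule_covers_port(rule: dict, port: int, proto: str = "tcp") -> bool:
    """True if one IpPermissionsEgress entry admits proto/port to at least one destination.

    IpProtocol "-1" means all protocols and all ports (no FromPort/ToPort keys).
    """
    ip_proto = rule.get("IpProtocol")
    if ip_proto != "-1":
        if ip_proto != proto:
            return False
        if not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
            return False
    # A rule with no destination (CIDR, IPv6 CIDR, prefix list, or referenced
    # security group such as the one on a VPC interface endpoint) allows nothing.
    destinations = (
        rule.get("IpRanges", [])
        + rule.get("Ipv6Ranges", [])
        + rule.get("PrefixListIds", [])
        + rule.get("UserIdGroupPairs", [])
    )
    return bool(destinations)


def allows_ssm_egress(security_group: dict) -> bool:
    """True if any egress rule of the group covers TCP 443."""
    return any(
        rule_covers_port(rule, SSM_PORT)
        for rule in security_group.get("IpPermissionsEgress", [])
    )


def fetch_security_group(group_id: str) -> dict:
    """Pull the live rules with the AWS CLI (needs credentials; not used in the samples)."""
    out = subprocess.run(
        ["aws", "ec2", "describe-security-groups", "--group-ids", group_id, "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)["SecurityGroups"][0]


# Constructed samples in describe-security-groups shape (ids are placeholders).
DEFAULT_EGRESS = {  # the usual "wide open" default: all traffic to anywhere
    "GroupId": "sg-example-open",
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
LOCKED_DOWN = {  # only HTTP out: the agent cannot register, start-session fails
    "GroupId": "sg-example-locked",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
    ],
}
ENDPOINT_ONLY = {  # least privilege: 443 only to the VPC endpoint's security group
    "GroupId": "sg-example-endpoint",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": "sg-example-vpce"}]}
    ],
}

if __name__ == "__main__":
    for sg in (DEFAULT_EGRESS, LOCKED_DOWN, ENDPOINT_ONLY):
        verdict = "ok" if allows_ssm_egress(sg) else "BLOCKED: no TCP 443 egress"
        print(f"{sg['GroupId']}: {verdict}")
```

The `ENDPOINT_ONLY` sample is the shape that matches the "(Recommended)" path quoted above: with a Systems Manager VPC interface endpoint, the instance's egress rule can reference the endpoint's security group instead of `0.0.0.0/0`, which keeps the session working while removing the wide-open outbound rule.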