ssh proxy to connect to EC2 instance using SSM


Hi,

I have an EC2 instance and an IAM user; my IAM user has a policy attached that states that I can connect to EC2 instances only from some specific IP. I have SSH access to the machine that has the right IP, from which I should be accessing AWS resources. I want to access the EC2 instance using AWS SSM from my local machine via a second machine. The plan: my-local-machine (1) --AWS SSM request--> my-external-machine (2) ---> AWS EC2 instance (3) --EC2 shell--> my-local-machine

I googled a bit, and https://docs.aws.amazon.com/systems-manager/latest/userguide/configure-proxy-ssm-agent.html seems to be outdated; https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-proxy.html#cli-configure-proxy-using did not help. What I have tried:

ssh -D 2022 <user_name>@<host>
export HTTP_PROXY=http://localhost:2022
export HTTPS_PROXY=http://localhost:2022
aws ssm start-session --target <instance_id> --region us-east-2 --document-name AWS-StartSSHSession

but it does not work, I get this error: Failed to connect to proxy URL: "http://localhost:2022"

If I try this approach (non-SOCKS way?) (taken from https://serverfault.com/questions/78351/can-i-create-ssh-to-tunnel-http-through-server-like-it-was-proxy)

nslookup ssm.us-east-2.amazonaws.com
ssh -L 2022:99.78.176.198:433 <user_name>@<host>
export HTTP_PROXY=http://localhost:2022
export HTTPS_PROXY=http://localhost:2022
export AWS_REGION=us-east-2
aws ssm start-session --target <instance_id> --region us-east-2 --document-name AWS-StartSSHSession

still getting the same error message: Failed to connect to proxy URL: "http://localhost:2022"

Any help appreciated.

Thanks

2 Answers

I assume your EC2 is in a public subnet.

You do not need to set a proxy to use SSM Session Manager. Your AWS CLI needs to be configured with the necessary permissions.

To establish SSM sessions with the AWS CLI, you must install the Session Manager plugin on your local machine. Once installed, try establishing an SSM session using the AWS CLI:

aws ssm start-session --target <instance_id> --region us-east-2

After which, you can configure your SSH to use Session Manager according to the instructions at Allow and control permissions for SSH connections through Session Manager, including IAM permissions. Connect using SSH: Starting a session (SSH)

Edit: It seems that you want to start an SSM session from an external machine with the output in your local machine. Something like this?

Local machine --ssh?--> External machine -- SSM session --> EC2  

You will need to log in to the external machine to establish the SSM session and map the output back. With SSH, you can probably do it this way:

ssh user@external-machine-ip 'aws ssm start-session --target <ec2-instance_id> --region us-east-2'

Mike_L (AWS EXPERT), answered 12 days ago
  • Thanks for your answer. Your proposal is kinda the same as in the first answer; maybe I have not explained the situation I'm in well enough. The problem is that I have an IAM policy which forbids access to the EC2 instance if the request from AWS SSM does not contain the right IP, and even though AWS SSM does not require the EC2 instance to be open to the internet, I face this issue simply because of my company requirements (which, no, cannot be changed).

  • Thanks for the clarification. I have updated the post.
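One concrete way to wire up the route Mike_L sketches, added here as an example and not taken from the thread: the AWS CLI, the Session Manager plugin and the IAM user's credentials live on the external machine, so both the SSM API call and the session WebSocket leave from the permitted IP, while the local ssh only relays the byte stream. The jump host `external-machine-ip`, its login `user`, the instance login `ec2-user` and the `us-east-2` region from the question are assumed placeholders.

```sshconfig
# ~/.ssh/config on the LOCAL machine (added example; placeholders assumed).
# The jump host needs: aws CLI, session-manager-plugin, and the IAM user's
# credentials configured. The instance needs sshd and a registered SSM agent.

Host jump
    HostName external-machine-ip
    User user
    # Reuse one authenticated connection so every ProxyCommand hop does not
    # re-authenticate against the jump host.
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m

# Use the instance id (i-...) or managed-instance id (mi-...) as the ssh host.
# %h/%p are expanded locally, then the command runs on the jump host, whose
# source IP is what the IAM aws:SourceIp condition evaluates.
# -q keeps banners and warnings out of the tunnelled SSH stream.
Host i-* mi-*
    User ec2-user
    ProxyCommand ssh -q jump aws ssm start-session --target %h --region us-east-2 --document-name AWS-StartSSHSession --parameters portNumber=%p
```

After that, `ssh i-0123456789abcdef0` behaves like any SSH login (scp, sftp and port forwarding included), with no HTTP_PROXY or SOCKS settings on the local side. For a plain SSM shell on an instance without sshd, `ssh -t jump aws ssm start-session --target <instance_id> --region us-east-2` runs the session on the jump host; the `-t` allocates the terminal the plugin expects.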


Hi Joann, what problem are you actually trying to solve here - why do you need to go via this 'second' proxy machine to access the actual EC2 - what is that adding?

If your EC2 is not reachable from the internet (which is generally good practice) you can still use SSM directly to connect to it - essentially you just need:

  1. ssm agent installed
  2. instance role with ssm permissions in place
  3. EC2 needs to be able to reach the SSM endpoints - either via IGW/NGW/service endpoints

As long as that is in place you can then get connectivity using SSM either via the console directly or by using the AWS CLI to create a kind of proxy connection that you can ssh to (using something like PuTTY) - is this maybe what you want to be able to do? This doesn't need a server in the middle though to make it work.

Cheers, Rich

AWS EXPERT, answered 13 days ago; reviewed 13 days ago
  • Hi, thanks for your answer. The problem is that, because of the requirements, only an IP range that covers only some network is allowed by the IAM policy attached to my IAM user to SSM into the EC2 instance. So, in order to get into the EC2 instance, I need to be inside the "secure network"; I can get "inside" the compliant network by SSH-ing into one of the machines. So I thought, is it possible to "proxy" AWS SSM requests from my local machine to the external machine and on into the AWS SSM endpoint, to get terminal access to my EC2 instance?
