Why Use Session Manager Over EC2 Instance Connect?
Both AWS Session Manager and EC2 Instance Connect provide methods for accessing your EC2 instances, but they serve different purposes and have distinct advantages:
Security and Compliance:
Session Manager: Provides end-to-end encryption, detailed session logging, and auditing capabilities, which are beneficial for compliance and security purposes. You can also enforce MFA (Multi-Factor Authentication) and control access through IAM policies.
EC2 Instance Connect: While it provides SSH access without the need to manage SSH keys, it doesn't offer the same level of integrated logging, auditing, and security controls as Session Manager.
No Need for SSH Keys or Bastion Hosts:
Session Manager: Eliminates the need for SSH keys and bastion hosts. This simplifies key management and reduces the attack surface since no open SSH ports are required.
EC2 Instance Connect: Requires an open SSH port (typically port 22), which could be a potential security risk.
Network Requirements:
Session Manager: Allows you to connect to instances that don't have public IP addresses or even internet access. This is particularly useful for instances within private subnets in a VPC.
EC2 Instance Connect: Requires the instance to have a public IP or an Elastic IP and the necessary network access to port 22.
Advanced Capabilities:
Session Manager: Offers advanced capabilities like port forwarding, interactive commands, and the ability to run automation documents.
EC2 Instance Connect: Primarily focuses on providing SSH access.
Securely Connecting to an EC2 Instance from the Mac Terminal Using Session Manager
To securely connect to your EC2 instance using Session Manager from your Mac Terminal, you can follow these steps:
Install AWS CLI and Session Manager Plugin:
Ensure you have the AWS CLI and the Session Manager plugin installed on your Mac.
brew install awscli
aws --version
Install the Session Manager plugin:
curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac/sessionmanager-bundle.zip" -o "sessionmanager-bundle.zip"
unzip sessionmanager-bundle.zip
sudo ./sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin
session-manager-plugin --version
IAM Role and Permissions:
Ensure your EC2 instance has an IAM role attached with the necessary permissions. The policy should include ssm:StartSession, ssm:SendCommand, and other relevant actions. Example IAM policy for the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession",
        "ssm:SendCommand",
        "ssm:DescribeInstanceInformation"
      ],
      "Resource": "*"
    }
  ]
}
AWS CLI Configuration on Mac:
Configure the AWS CLI with your IAM user credentials that have permissions to start a session. It's best practice to use temporary credentials via AWS STS (Security Token Service).
aws configure
Alternatively, you can use IAM roles assigned to your EC2 instances if you are running from another EC2 instance, or use AWS SSO or IAM Identity Center for more secure access.
Connecting via Session Manager:
Use the following command to start a session:
aws ssm start-session --target instance-id
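A preflight wrapper around the start-session step above, added here as an example (not code from the original answer): it validates the instance ID, confirms the Session Manager plugin is installed, and checks with describe-instance-information that the SSM agent reports Online before opening the session, so a failed connection is explained rather than silent. It assumes the AWS CLI and session-manager-plugin are on PATH and credentials are already configured.

```shell
#!/usr/bin/env bash
# Added example: guard rails before `aws ssm start-session`.
set -eu

# Instance IDs are "i-" followed by 8 or 17 hex characters.
is_instance_id() {
  printf '%s\n' "$1" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# Interpret the PingStatus printed by
#   aws ssm describe-instance-information --filters Key=InstanceIds,Values=<id> \
#     --query 'InstanceInformationList[0].PingStatus' --output text
# Only "Online" means the agent is reachable; "ConnectionLost", "Inactive" and
# "None" (printed when the list is empty, i.e. the instance is not SSM-managed)
# all mean start-session will fail.
ssm_reachable() {
  case "$1" in
    Online) return 0 ;;
    *)      return 1 ;;
  esac
}

# Run the checks, then open the session. Distinct exit codes make the reason
# for refusal scriptable.
start_ssm_session() {
  target="$1"
  is_instance_id "$target" || { echo "not an instance id: $target" >&2; return 2; }
  command -v session-manager-plugin >/dev/null 2>&1 \
    || { echo "session-manager-plugin is not installed" >&2; return 3; }
  status=$(aws ssm describe-instance-information \
             --filters "Key=InstanceIds,Values=$target" \
             --query 'InstanceInformationList[0].PingStatus' --output text)
  ssm_reachable "$status" \
    || { echo "$target is not reachable via SSM (PingStatus=$status)" >&2; return 4; }
  aws ssm start-session --target "$target"
}

# Usage: start_ssm_session i-0123456789abcdef0
```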
Thank you so much for your helpful answer. I have a question. Even if I use temporary credentials, I still have to configure the AWS CLI with my IAM user credentials (access key and secret key) that have permissions to assume a role or start a session. This is the same as storing a key pair on my local machine. If someone gained access to my Mac, they can use my access key and secret key to assume a role or start a session. How is it different from using SSH keys?
You raise a valid concern about storing credentials on your local machine. While using temporary credentials reduces the risk of long-term credential exposure, the initial access keys used to obtain these temporary credentials still pose a security risk if compromised. Here are some strategies to further secure your access:
Minimizing Risk with Temporary Credentials
Environment Variables:
Avoid storing credentials in configuration files. Instead, use environment variables that are set for the duration of a session and cleared afterwards.
export AWS_ACCESS_KEY_ID=your_access_key_id
export AWS_SECRET_ACCESS_KEY=your_secret_access_key
export AWS_SESSION_TOKEN=your_session_token
Clear these variables when done:
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
Use AWS SSO or IAM Identity Center:
AWS Single Sign-On (SSO) or IAM Identity Center allows you to use your organization's identity provider for authentication, avoiding the need for access keys stored on your machine. You log in via a web browser and get temporary credentials.
Configure AWS SSO:
aws configure sso
Then log in:
aws sso login
MFA-Enabled Sessions:
Use Multi-Factor Authentication (MFA) to add an extra layer of security. This requires entering a code from a device in addition to your access keys.
Assume a role with MFA:
aws sts assume-role --role-arn arn:aws:iam::account-id:role/role-name --role-session-name session-name --serial-number arn:aws:iam::account-id:mfa/your-mfa-device --token-code
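The MFA assume-role and environment-variable steps from the answer above, combined into one flow as an added example (not the answer's own code): the MFA code is read from the terminal rather than typed on the command line, the temporary credentials are emitted as export lines for eval, and a helper wipes them afterwards. ROLE_ARN and MFA_ARN are assumed placeholders for your role and MFA device ARNs.

```shell
#!/usr/bin/env bash
# Added example: MFA-gated short-lived credentials kept only in the environment.
set -eu

# Convert the tab-separated text that
#   aws sts assume-role ... \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
#     --output text
# prints into export lines. Pure function, so it can be exercised offline;
# returns 1 if any of the four fields is missing.
render_exports() {
  IFS="$(printf '\t')" read -r key secret token expiry <<EOF
$1
EOF
  [ -n "${key:-}" ] && [ -n "${secret:-}" ] && [ -n "${token:-}" ] && [ -n "${expiry:-}" ] \
    || return 1
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$key"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$token"
  printf '# credentials expire at %s\n' "$expiry"
}

# Prompt for the MFA code on stderr (stdout is captured by eval) so the code
# does not end up in shell history. Credentials are limited to one hour.
assume_with_mfa() {
  printf 'MFA code: ' >&2
  read -r code
  out=$(aws sts assume-role \
          --role-arn "${ROLE_ARN:?set ROLE_ARN}" \
          --role-session-name "$(whoami)-ssm" \
          --serial-number "${MFA_ARN:?set MFA_ARN}" \
          --token-code "$code" \
          --duration-seconds 3600 \
          --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
          --output text)
  render_exports "$out"
}

# The answer's "unset" step: drop the credentials once the session is over.
clear_aws_env() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Usage: eval "$(assume_with_mfa)"
#        aws ssm start-session --target i-0123456789abcdef0
#        clear_aws_env
```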
Thank you so much for your answer. I'll be using IAM Identity Center as it doesn't require me to store long-term credentials on my Mac.
Another question: currently, I use an IAM user for my admin account. Is it a good practice to use an IAM Identity Center user instead of an IAM user for the admin account? Or what is the best way to grant human access, including admins, solution architects, and developers?