Questions tagged with Session Management

Hi, I was able to configure AWS session manager to use SSH keys over session manager tunnel as it is described here -> https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html. But now i need to force user to provide SSH keys, because now, even tho i can use SSH keys to authenticate into the EC2 instance, im still able to to it without providing SSH keys, just by using `aws ssm start-session` command. As i suppose i can add some kind of policy for that, something like: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::095555408369:user/test-user" }, "Action": [ "ssm:TerminateSession", "ssm:ResumeSession" ], "Condition": { "StringEquals": { "ssm:StartSession/RequireSSH": "True" ( parameters made up, by me ) } } } ] } ``` But im not sure what should be in the place of `"ssm:StartSession/RequireSSH": "True"`, Any help will be appreciated Joann

Hi, I need to assign ssh key pairs to the EC2 instances for multiple IAM users. So what i want to have: IAM users `[user1,user2,user3]`, out of them `[user1,user2]` should have separate (each IAM user should have its own user in VM) SSH access to the `[VM-1,VM-2]` EC2 instances, and the `[user3]` should have access **only** to the `[VM-3]` instance. Do i need to generate ssh key pairs, create users inside the EC2 instance, assign permissions for those users - manually, and then also manually add those SSH pub keys in the EC2 instances? Or AWS has service that can do it automatically for me? Joann

Hi, I want to forbid IAM user (for example: support-IAM ) to authenticate to the EC2 instance user ( for example : root-EC2 ), but still be able to authenticate as other EC2 instance user ( for example: support-EC2 ) , for that, as i understood i need to forbid this user to set `--tags` with value `root-EC2` (or in my case, everything **except** `support-EC2`) while using command `aws sts assume-role`, but how can i do it? P.S im using `AWS session manager` Joann

Hi, My first question - https://repost.aws/questions/QUS8M4w0jkS8iV6EzPmaRmag/ssh-key-managment-for-multiple-accounts Im trying to use "AWS system manager" - "session manager". As i was advised in my previous question, to be able to login into the EC2 instances located in multiple accounts, i will need to do something similar to https://aws.amazon.com/blogs/mt/vr-beneficios-session-manager/ But the problem is that i need to have for each IAM user their own user in EC2 instance, as i found out, i need to pass tag "SSMSessionRunAs" with the value of the username to witch im login in. But if i will use "group" roles (roles assigned for multiple users), they will be authenticating with the same user in EC2 instance, which will not work for me. Does that mean, that in my case i will need to create a role for each IAM user? or i can change tag of the role depending on the user assuming this role? Thank you very much. Joann

Hi, We need to achieve: 1) Possibility to create/delete ssh key pairs for instances hosted in multiple accounts, in one place (centralization) 2) Possibility to assign permissions for the user we are ssh'ing into inside the instance, for example : IAM - admin user, should have admin ssh key, which will give full read/write permissions in virtual machine in which user is ssh'ing, and the IAM - support user, should have support ssh key, which will give less permissions. Any suggestions, in what we can look into, are welcome. As i googled a bit, the "AWS system manager" - "session manager" looks like it would work for us, but does it work for instances hosted in multiple accounts? Joann

Hi, How do you copy/paste content between local computer and the RDP session opened with Fleet Manager ? Thanks for your help

I want to connect the instance with windows-server 2019 datacenter as OS. But the SSM agent service cannot be started either by Power Shell or windows service manage panel. In Powershell, it prompt like below. ``` Start-Service : Failed to start service 'Amazon SSM Agent (AmazonSSMAgent)'. At line:1 char:1 + Start-Service AmazonSSMAgent + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service], ServiceCommandException + FullyQualifiedErrorId : StartServiceFailed,Microsoft.PowerShell.Commands.StartServiceCommand ``` Meanwhile, I have created ssm-user and added it to Admin group. But it is not helpful towards issue. I believe it is SSM configuration issue. But having no idea on how to troubleshoot. This issue only appears in Tokyo region, while the SSM Quick Start website layout is different from what we see in HongKong region.

I have a Fargate service with exec command enabled. When I ran "/bin/sh" into the container, there's this error from the docker container > seelog internal error: mkdir /usr/local/sessionmanagerplugin/logs/: permission denied /usr/local/ folder doesn't have sessionmanagerplugin folder.

Hello, I have an RDS instance placed in a Private Isolated Subnet, and I'm trying to create a Bastion that would allow me to gain access to this RDS instance. I can connect to the Bastion using SSM, I do not need SSH. The question is, since I assume that the Bastion needs to access the internet to download and update packages internally, would it "work" if I created it in the same subnet as the RDS instance, or else do I have to create a separate Private (only) subnet for it?