How to login to EC2 instances without SSH

In previous posts, we showed you how to deploy a private key pair that lets you log in to an EC2 instance. Since September 2018, AWS Session Manager supports logging in to any instance directly from the command line, without SSH. In this blog we show you how to configure this using CloudFormation. To log in to an EC2 instance using AWS Session Manager, you need to do three things:

  • Install the AWS SSM agent
  • Grant session manager permissions
  • Enable audit logging

Install the AWS SSM agent

We are lazy and use an Amazon Linux based instance, which has the agent already installed. For other AMIs, please consult the documentation. In CloudFormation, we add the instance:

Parameters:
  AmiId:
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2'

Resources:
  Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: !Ref 'AmiId'
      IamInstanceProfile: !Ref 'IamInstanceProfile'

Grant session manager permissions

The agent needs the following permissions to enable the session manager:

- Effect: Allow
  Action:
    - ssmmessages:CreateControlChannel
    - ssmmessages:CreateDataChannel
    - ssmmessages:OpenControlChannel
    - ssmmessages:OpenDataChannel
  Resource: '*'
- Effect: Allow
  Action:
    - s3:GetEncryptionConfiguration
  Resource: '*'

To keep things small and simple, we attach the AmazonEC2RoleforSSM managed policy to the instance role, which includes the above permissions:

InstanceRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ec2.amazonaws.com
          Action:
            - sts:AssumeRole
    Path: /
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM

Enable audit logging

AWS Session Manager allows you to store the session logs in S3, in CloudWatch Logs, or in both. To enable audit logging you need to create an SSM Document named SSM-SessionManagerRunShell:

  SessionManagerPreferences:
    Type: Custom::SSMDocument
    Properties:
      Name: SSM-SessionManagerRunShell
      DocumentType: Session
      Content: !Sub >
        { "schemaVersion": "1.0",
          "description": "Session Manager Preferences",
          "sessionType": "Standard_Stream",
          "inputs": {
            "s3BucketName": "${SessionLogBucket}",
            "s3KeyPrefix": "",
            "s3EncryptionEnabled": false,
            "cloudWatchLogGroupName": "${SessionLogGroup}",
            "cloudWatchEncryptionEnabled": false
          }
        }

Note that we had to create a custom CloudFormation provider to create the document, as the standard CloudFormation resource does not allow you to specify the document name.
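As an added example (not part of the original post or the template it describes), the following Python check reads a session preferences document of the shape shown above and reports whether audit logging is configured and whether the document requires the log destinations to be encrypted; the sample document is constructed here, with the ${SessionLogBucket} and ${SessionLogGroup} substitutions replaced by placeholder names, and the harden() function is a hypothetical helper that turns the encryption flags on.

```python
import json

# Constructed sample: the SSM-SessionManagerRunShell body from the template,
# with the CloudFormation ${...} substitutions replaced by placeholder names.
SAMPLE_PREFERENCES = """{ "schemaVersion": "1.0",
  "description": "Session Manager Preferences",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "example-session-log-bucket",
    "s3KeyPrefix": "",
    "s3EncryptionEnabled": false,
    "cloudWatchLogGroupName": "example-session-log-group",
    "cloudWatchEncryptionEnabled": false
  }
}"""


def audit_session_preferences(content: str) -> list:
    """Return a list of findings for a Session Manager preferences document.

    An empty list means every check passed. Only the fields used by the
    document above are inspected; unknown fields are ignored.
    """
    doc = json.loads(content)
    findings = []
    if doc.get("sessionType") != "Standard_Stream":
        findings.append("sessionType is not Standard_Stream; session logging is not configured")
    inputs = doc.get("inputs", {})
    bucket = inputs.get("s3BucketName", "")
    group = inputs.get("cloudWatchLogGroupName", "")
    if not bucket and not group:
        findings.append("no audit destination: neither s3BucketName nor cloudWatchLogGroupName is set")
    # The *EncryptionEnabled flags make Session Manager require an encrypted
    # destination; with them off, an unencrypted bucket or log group is accepted.
    if bucket and not inputs.get("s3EncryptionEnabled", False):
        findings.append("s3EncryptionEnabled is false: the log bucket is not required to be encrypted")
    if group and not inputs.get("cloudWatchEncryptionEnabled", False):
        findings.append("cloudWatchEncryptionEnabled is false: the log group is not required to be encrypted")
    return findings


def harden(content: str) -> str:
    """Hypothetical helper: require encryption for every configured log destination."""
    doc = json.loads(content)
    inputs = doc.setdefault("inputs", {})
    if inputs.get("s3BucketName"):
        inputs["s3EncryptionEnabled"] = True
    if inputs.get("cloudWatchLogGroupName"):
        inputs["cloudWatchEncryptionEnabled"] = True
    return json.dumps(doc, indent=2)
```

Run audit_session_preferences() over the document as deployed and again over harden()'s output to see the two encryption findings disappear.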

Starting a session

Once deployed, you can log in to your instance by typing:

$ aws ssm start-session --target <instance-id>

Demo

The complete CloudFormation template can be found on GitHub. To test, type:

$ git clone https://github.com/binxio/blog-login-to-ec2-instances-without-ssh
$ cd blog-login-to-ec2-instances-without-ssh
$ make
create demo in default VPC vpc-12313137, subnets subnet-privatea,subnet-privateb,subnet-privatec using security group sg-default.
{
    "StackId": "arn:aws:cloudformation:eu-central-1:111111111111:stack/ec2-session-manager/207b6890-26dc-11e9-b214-021298c8e4cc"
}

[
    "aws ssm start-session --target i-0c25d8bf100a5d1da", 
    "aws logs get-log-events --log-group-name ec2-session-manager-SessionLogGroup-L9G8VSLL6XCK --log-stream-name $SESSION_ID", 
    "aws s3 cp s3://ec2-session-manager-sessionlogbucket-q8c1pz8q6u6g/$SESSION_ID.log -"
]

Copy the start-session command from the output:

$ aws ssm start-session --target i-12311231123132

Starting session with SessionId: mvanholsteijn-0d9ce5dd2172522f7

sh-4.2$  sudo tail /var/log/amazon/ssm/*.log

You can explicitly grant or deny users permission to start a session through the action ssm:StartSession.

View session log

To view the session log from S3, type:

SESSION_ID=mvanholsteijn-0d9ce5dd2172522f7
aws s3 cp s3://ec2-session-manager-sessionlogbucket-q8c1pz8q6u6g/$SESSION_ID.log -

It will take a few minutes after closing the session for the log to appear.

Conclusion

AWS Session Manager simplifies logging in to any of your EC2 instances that have the SSM agent installed, without SSH. It saves you from complicating your infrastructure with user and SSH key management. Once support for tunneling is available, we can say goodbye to the concept of a bastion host.

If you still want to log in using SSH, we recommend the blog on how to deploy a private key pair.

Mark van Holsteijn
CTO