AWS SSM in Action, the next generation of SSH

Over the last year AWS has introduced a lot of new capabilities that extend the functionality of EC2 Systems Manager. These features include:

  • Parameter Store
  • Automation
  • Patching
  • Run Command
  • State Manager / Inventory

At re:Invent 2017, further features were introduced, such as SSM PrivateLink and PCI compliance. I decided to investigate SSM SendCommand to understand its capabilities in the real world.

Why use AWS SSM SendCommand?

In the first article on this topic on the AWS blog, AWS proposed a very interesting use case: "Replacing a Bastion Host with Amazon EC2 Systems Manager".

Benefits of using AWS SSM?

By using AWS SSM you immediately have the following benefits:

  • Audit by default: every command is recorded in CloudTrail
  • Ability to run commands on instances without opening any TCP ports
  • Users and authorisation are managed via IAM
  • Commands can target multiple instances
  • Natural integration with AWS SSM Parameter Store
  • Scheduled commands with Lambda (e.g. backup of a folder to S3)
  • PrivateLink support, perfect for instances without direct internet access
  • You don't need to know the IP of your EC2 instance; you can target instances with an EC2 tag filter

Other benefits are inherited automatically from IAM, including:

  • If your IAM is federated through ADFS, all users and permissions are controlled by your AD
  • If your IAM uses STS you can enforce MFA on every SendCommand for an additional layer of security
  • An advanced IAM policy lets you limit which EC2 instances you can SendCommand to, based on tags
  • An advanced IAM policy lets you limit which commands can be run inside an EC2 instance, by creating multiple SSM Documents and allowing only some of them

With AD federation or STS, all credentials rotate automatically based on your configuration, which means users don't have to remember a separate password for every system.
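The tag-based and MFA-based restrictions above, as an added example (this is not code from the original post or from Cloudreach's helper): an IAM policy that scopes `ssm:SendCommand` to instances carrying an approved tag value, requires MFA on the session and allows only named SSM documents, plus a deliberately simplified evaluator showing which requests the policy admits. `ssm:resourceTag/<key>` and `aws:MultiFactorAuthPresent` are real IAM condition keys; the account id, region, tag key, tag values and document names are constructed placeholders, and the evaluator handles only Allow statements with the two condition operators the policy uses (no Deny, no other operators).

```python
"""Added example (not from the original post or the Cloudreach helper):
an IAM policy that scopes ssm:SendCommand to tagged instances, requires
MFA and allows only approved documents, plus a simplified evaluator.
Account id, region, tag and document names are constructed placeholders."""
import fnmatch
import json

ACCOUNT = "123456789012"   # constructed placeholder
REGION = "eu-west-1"       # constructed placeholder


def document_arn(name):
    """AWS-managed documents (AWS-*) carry no account id in their ARN; custom ones do."""
    owner = "" if name.startswith("AWS-") else ACCOUNT
    return f"arn:aws:ssm:{REGION}:{owner}:document/{name}"


def instance_arn(instance_id):
    return f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{instance_id}"


def build_send_command_policy(tag_key, allowed_values, document_names):
    """Two Allow statements: SendCommand needs both the instance and the document resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TaggedInstancesWithMfaOnly",
                "Effect": "Allow",
                "Action": "ssm:SendCommand",
                "Resource": instance_arn("*"),
                "Condition": {
                    # instance must carry tag_key with one of the allowed values
                    "StringEquals": {f"ssm:resourceTag/{tag_key}": list(allowed_values)},
                    # the calling session must have been authenticated with MFA
                    "Bool": {"aws:MultiFactorAuthPresent": "true"},
                },
            },
            {
                "Sid": "ApprovedDocumentsOnly",
                "Effect": "Allow",
                "Action": "ssm:SendCommand",
                "Resource": [document_arn(n) for n in document_names],
            },
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _conditions_hold(condition, ctx):
    """Evaluate only StringEquals and Bool; a key missing from the context never matches."""
    for key, wanted in condition.get("StringEquals", {}).items():
        if ctx.get(key) not in _as_list(wanted):
            return False
    for key, wanted in condition.get("Bool", {}).items():
        if str(ctx.get(key, "false")).lower() != wanted:
            return False
    return True


def is_send_command_allowed(policy, ctx, instance_id, document_name):
    """Simplified IAM evaluation: every resource in the request must be covered by an Allow.

    ctx maps condition keys to the values the request carries, e.g.
    {"ssm:resourceTag/Environment": "dev", "aws:MultiFactorAuthPresent": "true"}.
    """
    for arn in (instance_arn(instance_id), document_arn(document_name)):
        covered = any(
            st["Effect"] == "Allow"
            and "ssm:SendCommand" in _as_list(st["Action"])
            and any(fnmatch.fnmatchcase(arn, pat) for pat in _as_list(st["Resource"]))
            and _conditions_hold(st.get("Condition", {}), ctx)
            for st in policy["Statement"]
        )
        if not covered:
            return False
    return True


if __name__ == "__main__":
    policy = build_send_command_policy("Environment", ["dev", "staging"], ["AWS-RunShellScript"])
    print(json.dumps(policy, indent=2))
    mfa_dev = {"ssm:resourceTag/Environment": "dev", "aws:MultiFactorAuthPresent": "true"}
    no_mfa_dev = {"ssm:resourceTag/Environment": "dev", "aws:MultiFactorAuthPresent": "false"}
    print("dev + MFA, managed doc:", is_send_command_allowed(policy, mfa_dev, "i-0abc", "AWS-RunShellScript"))
    print("dev, no MFA:", is_send_command_allowed(policy, no_mfa_dev, "i-0abc", "AWS-RunShellScript"))
```

The point to notice is that SendCommand is authorised against two resources at once, the target instances and the document, so the tag condition lives on the instance statement while the document allow-list is simply a resource list; leaving either statement out denies every call.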

Architectural benefits:

  • No longer requires a bastion host
  • Every command's output can be saved to an S3 bucket
  • Easy integration with additional security tools like AWS Inspector (the agent can be installed in one click)
  • Using a CloudWatch Events rule you can invoke specific commands in response to any AWS event
  • The AWS SSM agent can be installed on premises as well as at other cloud providers, in order to unify your access control strategy
  • AWS SSM is PCI compliant and lets you reach the PCI standard with low effort (historically this task required a lot of work to maintain both a high level of security and the agility of the cloud)

This sounds fantastic, but it can't be perfect...
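To make the "audit by default" benefit concrete, here is an added example (not code from the original post or from Cloudreach's helper) that reads a batch of CloudTrail records, keeps the `SendCommand` events from `ssm.amazonaws.com`, and flags the calls a reviewer would want to look at: a session without MFA, or a document outside an approved list. The records are constructed for this example; they follow CloudTrail's general record layout (`userIdentity`, `requestParameters`, `responseElements`) but every value, identity, instance id and document name is made up.

```python
"""Added example (not part of the original post or the Cloudreach helper):
reduce a CloudTrail batch to one audit row per ssm:SendCommand call and
flag calls made without MFA or with an unapproved document. All records
and names below are constructed; only the field layout mirrors CloudTrail."""
import json

APPROVED_DOCUMENTS = {"AWS-RunShellScript", "Company-BackupToS3"}  # constructed names

CONSTRUCTED_RECORDS = {
    "Records": [
        {   # an operator with MFA, targeting instances by tag
            "eventTime": "2017-12-05T10:15:00Z",
            "eventSource": "ssm.amazonaws.com",
            "eventName": "SendCommand",
            "userIdentity": {
                "type": "AssumedRole",
                "arn": "arn:aws:sts::123456789012:assumed-role/OpsRole/alice",
                "sessionContext": {"attributes": {"mfaAuthenticated": "true"}},
            },
            "requestParameters": {
                "documentName": "AWS-RunShellScript",
                "targets": [{"key": "tag:Environment", "values": ["dev"]}],
            },
            "responseElements": {"command": {"commandId": "11111111-aaaa-4bbb-8ccc-000000000001"}},
        },
        {   # a user without MFA, running an unapproved document by instance id
            "eventTime": "2017-12-05T10:20:00Z",
            "eventSource": "ssm.amazonaws.com",
            "eventName": "SendCommand",
            "userIdentity": {
                "type": "IAMUser",
                "arn": "arn:aws:iam::123456789012:user/bob",
                "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
            },
            "requestParameters": {
                "documentName": "Custom-AdHocShell",
                "instanceIds": ["i-0deadbeef0000001"],
            },
            "responseElements": {"command": {"commandId": "11111111-aaaa-4bbb-8ccc-000000000002"}},
        },
        {   # a read-only call that the summary must ignore
            "eventTime": "2017-12-05T10:21:00Z",
            "eventSource": "ssm.amazonaws.com",
            "eventName": "ListCommands",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
            "requestParameters": None,
        },
    ]
}


def describe_targets(params):
    """Render the instance selection of a SendCommand call as one string."""
    if "instanceIds" in params:
        return "instances " + ",".join(params["instanceIds"])
    return " AND ".join(f"{t['key']}={'|'.join(t['values'])}" for t in params.get("targets", []))


def summarise_send_commands(trail):
    """Return one audit row per SendCommand call in the batch, in record order."""
    rows = []
    for rec in trail["Records"]:
        if rec.get("eventSource") != "ssm.amazonaws.com" or rec.get("eventName") != "SendCommand":
            continue
        identity = rec["userIdentity"]
        mfa = identity.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated") == "true"
        params = rec.get("requestParameters") or {}
        rows.append({
            "time": rec["eventTime"],
            "who": identity.get("arn"),
            "mfa": mfa,
            "document": params.get("documentName"),
            "targets": describe_targets(params),
            "command_id": rec.get("responseElements", {}).get("command", {}).get("commandId"),
        })
    return rows


def review_rows(rows, approved=APPROVED_DOCUMENTS):
    """Return (command_id, reason) pairs for calls that deserve a second look."""
    findings = []
    for row in rows:
        if not row["mfa"]:
            findings.append((row["command_id"], "no MFA on session"))
        if row["document"] not in approved:
            findings.append((row["command_id"], f"unapproved document {row['document']}"))
    return findings


if __name__ == "__main__":
    rows = summarise_send_commands(CONSTRUCTED_RECORDS)
    for row in rows:
        print(json.dumps(row))
    for command_id, reason in review_rows(rows):
        print(f"FINDING {command_id}: {reason}")
```

In practice the same functions can be pointed at the gzip-compressed JSON objects CloudTrail delivers to S3, or at the output of a CloudWatch Logs subscription; the `commandId` in each row is what you would then use to fetch the stored command output.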

You'd be correct in thinking this. There is a downside to this solution when it comes to installing the SSM agent inside your OS. The agent requires root permissions, which means every command sent with the SendCommand action is executed as root; in some cases this is a risk.

Another limitation concerns the kind of commands you can execute: you cannot run interactive commands such as vim, nano or tail -f, or scripts that require user input.

The solution

Cloudreach designed a dedicated CLI helper to simulate the usage of a normal CLI as closely as possible and to easily manage your fleet of EC2 instances.

Figure: SSHLess lab in action

Output example

Similar projects

Many other projects try to solve this problem (e.g. Netflix/Bless, python-kmsauth, curse), but few of them can be considered "production ready" and as fully integrated into the AWS ecosystem as AWS SSM. Furthermore, with SSM you also benefit from all the other SSM services, like patching and automation.

External resources

Github repository []
