We have been running experiments with AWS Session Manager and seeing some positive results.
Session Manager (SSM) is part of the broader Systems Manager offering in AWS. It is a tool that can be used to grant remote access to virtual machines like EC2 instances and even on-premises virtual instances. It is basically SSH access, at least for Linux systems, that is integrated with AWS’ IAM. This means you can easily grant or remove user permissions via IAM policies, and instantly disable remote access without having to manage individual SSH keys.
We have successfully tested this capability with our EC2 instances using both the web console and through the AWS CLI. When using the CLI, you end up with an SSH session just like you would see if you were using SSH keys. We are able to access both public and private instances with this tool without the aid of a bastion host. I like this quite a bit as it means we won’t need to publicly expose an SSH port in order to get to our EC2 instances.
The final part of our testing is to try out the Ansible SSM module. If we can get that working properly with our automation, we will no longer need to manage SSH keys. This is pretty exciting to me as managing SSH keys is a bit of a pain point right now.
At this point I do not have a plan for the coming week, so we will just have to wait and see what happens.