WKLD.06 – Use Systems Manager instead of SSH or RDP - AWS Prescriptive Guidance

WKLD.06 – Use Systems Manager instead of SSH or RDP

Public subnets, which have a default route pointing to an internet gateway, are inherently a greater security risk than private subnets, those with no route to the internet. You can run EC2 instances in private subnets and use the Session Manager capability of AWS Systems Manager to remotely access the instances through either the AWS Command Line Interface (AWS CLI) or AWS Management Console. You can then use the AWS CLI or console to start a session that connects into the instance through a secure tunnel, preventing the need to manage additional credentials used for Secure Shell (SSH) or Windows remote desktop protocol (RDP).

Use Session Manager instead of running EC2 instances in public subnets, running jump boxes, or running bastion hosts.

To set up Session Manager
  1. Make sure the EC2 instance is using the latest operating system Amazon Machine Images (AMIs), such as Amazon Linux or Ubuntu. The AWS Systems Manager Agent (SSM Agent) is pre-installed on the AMI.

  2. Make sure the instance has connectivity, either through an internet gateway or through VPC endpoints, to these addresses (replacing <Region> with the appropriate AWS Region):

    1. ec2messages.<Region>.amazonaws.com

    2. ssm.<Region>.amazonaws.com

    3. ssmmessages.<Region>.amazonaws.com

  3. Attach the AWS managed policy AmazonSSMManagedInstanceCore to the IAM role that is associated to your instances.

For more information, see Setting up Session Manager (Systems Manager documentation).

To start a session