WKLD.06 – Use Systems Manager instead of SSH or RDP - AWS Prescriptive Guidance

Public subnets, which have a default route pointing to an internet gateway, are inherently a greater security risk than private subnets, which have no route to the internet. You can run EC2 instances in private subnets and use the Session Manager capability of AWS Systems Manager to access them remotely through either the AWS Command Line Interface (AWS CLI) or the AWS Management Console. From the AWS CLI or the console you start a session that connects to the instance through a secure tunnel, which removes the need to manage the additional credentials (keys or passwords) that Secure Shell (SSH) or Remote Desktop Protocol (RDP) would require.

Use Session Manager instead of running EC2 instances in public subnets, running jump boxes, or running bastion hosts.

To set up Session Manager
  1. Make sure the EC2 instance uses a current operating system Amazon Machine Image (AMI), such as Amazon Linux 2 or Ubuntu. The AWS Systems Manager Agent (SSM Agent) is pre-installed on these AMIs.

  2. Make sure the instance has connectivity, either through an internet gateway or through VPC endpoints, to these addresses (replacing <region> with the appropriate AWS Region):

    1. ec2messages.<region>.amazonaws.com

    2. ssm.<region>.amazonaws.com

    3. ssmmessages.<region>.amazonaws.com

  3. Attach the AWS managed policy AmazonSSMManagedInstanceCore to the IAM role that is associated with your instances.

For more information, see Setting up Session Manager (Systems Manager documentation).
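The following script, added here and not part of the AWS page, checks the three prerequisites above for a single instance with the AWS CLI (agent registration, interface VPC endpoints for the three service hostnames, and the AmazonSSMManagedInstanceCore policy on the instance role) before starting a session. It assumes AWS CLI v2, the Session Manager plugin and working credentials; INSTANCE_ID and REGION are placeholder variables the caller exports.

```shell
#!/bin/sh
# Added example, not from the AWS page: check the Session Manager prerequisites for
# one instance with the AWS CLI, then open a session. Assumes AWS CLI v2, the Session
# Manager plugin and credentials; INSTANCE_ID and REGION are caller-supplied placeholders.
set -eu
# The three hostnames SSM Agent must reach (the list on the page).
ssm_endpoints() {
  printf '%s\n' "ec2messages.$1.amazonaws.com" "ssm.$1.amazonaws.com" \
                "ssmmessages.$1.amazonaws.com"
}
# Interface VPC endpoint service name for one hostname: ssm.<region>... -> com.amazonaws.<region>.ssm
vpce_service_name() { echo "com.amazonaws.$2.${1%%.*}"; }
# One attribute of the instance (VpcId, IamInstanceProfile.Arn, ...).
instance_attr() {
  aws ec2 describe-instances --region "$REGION" --instance-ids "$INSTANCE_ID" \
    --query "Reservations[0].Instances[0].$1" --output text
}

# Step 1: PingStatus Online means the agent is running and registered.
ping_status() {
  aws ssm describe-instance-information --region "$REGION" \
    --filters "Key=InstanceIds,Values=$INSTANCE_ID" \
    --query 'InstanceInformationList[0].PingStatus' --output text
}

# Step 2: in a private subnet each service needs an interface endpoint in the
# instance's VPC; a state of "None" means that endpoint is missing.
vpc_endpoint_states() {
  vpc_id=$(instance_attr VpcId)
  for host in $(ssm_endpoints "$REGION"); do
    svc=$(vpce_service_name "$host" "$REGION")
    echo "$svc: $(aws ec2 describe-vpc-endpoints --region "$REGION" \
      --filters "Name=vpc-id,Values=$vpc_id" "Name=service-name,Values=$svc" \
      --query 'VpcEndpoints[0].State' --output text)"
  done
}

# Step 3: the role behind the instance profile must carry AmazonSSMManagedInstanceCore
# (exit status 0 when it is attached).
role_has_ssm_core() {
  profile=$(instance_attr IamInstanceProfile.Arn)
  role=$(aws iam get-instance-profile --instance-profile-name "${profile##*/}" \
    --query 'InstanceProfile.Roles[0].RoleName' --output text)
  aws iam list-attached-role-policies --role-name "$role" --output text \
    --query "AttachedPolicies[?PolicyName=='AmazonSSMManagedInstanceCore'].PolicyName" |
    grep -q AmazonSSMManagedInstanceCore
}
# With both placeholders exported, run the checks and open the session.
if [ -n "${INSTANCE_ID:-}" ] && [ -n "${REGION:-}" ]; then
  echo "PingStatus: $(ping_status)"; vpc_endpoint_states
  role_has_ssm_core && aws ssm start-session --region "$REGION" --target "$INSTANCE_ID"
fi
```

Without INSTANCE_ID and REGION exported the script only defines its functions; a non-zero exit at the end means the policy check failed and no session was started.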

To start a session