Using a Bastion Host or Session Manager to Limit Access to Port 22
Managing Administrative Access in Session Manager
There are two ways to limit access to port 22: through a bastion host or Session Manager. With the release of Session Manager under the Systems Manager suite, using a bastion host has become slightly outdated. We recommend using Session Manager to ensure no more than 1 host per account is allowed external access to port 22.
- From the AWS Management Console, navigate to Systems Manager and then Session Manager.
- Click Start Session, which brings you to the list of your instances.
- Starting a session on a specific instance logs you into that instance through Session Manager.
By completing these steps, you don’t have to open a port on any security group. You don’t have to allow external access to port 22, which keeps a strong perimeter around your environment. All your administrative access is managed through Session Manager.
Today, we’re going to be talking about external administrative access into private EC2 instances, the idea of having a strong perimeter, and the idea of having least access. With an EC2 instance, you’re running a virtualized instance that you will still be managing through things like SSH. Protecting those specific protocols, such as SSH, and minimizing the attack surface so that only specifically authorized instances can be reached from outside over SSH, is important.
We’re going to be talking about two concepts. One is the idea of a bastion host and the other is the use of something called Session Manager, which is an AWS-specific tool. Let’s start with what a bastion host does. A bastion host is a hardened host used for gaining administrative access to EC2 instances that are in a private subnet. Basically, you have that one host that you access and use as a bastion, or jump host, to get into the other hosts in the private subnet. Because the bastion host is hardened, it limits the attack surface and is specifically prepared for access from the external world into your environment. What’s going to be important is making sure that you’re limiting external administrative access to only that bastion host. None of the other instances should be reachable directly from the internet on port 22 using SSH or anything like that. Only the bastion host is accessed from outside, and from there you get to the other hosts. That’s an important key concept: you have a specific system that is designed and hardened to allow administrative access into your other systems.
Within AWS, they’ve developed a new tool called Session Manager. What Session Manager allows for is blocking all external SSH access into your environment. Instead of having a bastion host, you have nothing that allows external access, and you access your EC2 instances for administrative purposes via the AWS Management Console. What we’re going to do today is walk through Session Manager, how it works, and what you can do.
When you log into your AWS Management Console, go to “Systems Manager”, because Session Manager is part of the Systems Manager suite. Then go down to “Session Manager.” Session Manager uses IAM policies and a couple of other pieces to allow administrative access from the AWS Management Console. The IAM policies are what control access, and you can also define which users can access Session Manager; you can do all of that through IAM. Session Manager can do logging, so you can log all the actions that are done to your EC2 instance via the CLI.
Let’s just show what it would look like. If you start a session, we are going to log into this. As you can see, Session Manager allows you to log in to your EC2 instance via the AWS Management Console. What this means is that you don’t have to open a port on any security group. You don’t have to allow external access to port 22, which makes sure you have a strong perimeter around your environment. All your administrative access is managed through Session Manager, which opens the command prompt so you can do the specific administrative tasks you need.
So, the conclusion to this is that you want to limit the ability for people to connect to the administrative port. Even if you want to use a bastion host, make sure that the bastion host is the only thing people can connect to externally to get to the other hosts in your environment, or use Session Manager, or whatever the case may be. You just want to make sure that you don’t have multiple hosts out there with external access on administrative ports like port 22, and that you’re using the idea of least privilege and a strong perimeter to control how people get into your environment.
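As an added example (not code from the original post), here is a small Python audit that takes the SecurityGroups list in the JSON shape returned by `aws ec2 describe-security-groups` and reports which groups allow port 22 from anywhere, so you can enforce the rule above: at most one bastion group, or zero once Session Manager is in use. The group ids and CIDRs in SAMPLE_GROUPS are constructed for the example.

```python
"""Audit AWS security groups for external access to port 22 (SSH).
Input is the SecurityGroups list in the shape returned by
`aws ec2 describe-security-groups`; SAMPLE_GROUPS is constructed."""

ANYWHERE = {"0.0.0.0/0", "::/0"}  # sources meaning "the whole internet"

def _covers_port(perm, port=22):
    """True if an IpPermissions entry includes `port` over TCP (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols; FromPort/ToPort are absent in this case
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def _public_sources(perm):
    """CIDR sources in this rule that are open to the whole internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]

def groups_exposing_ssh(security_groups):
    """Return {GroupId: [open CIDRs]} for groups allowing port 22 from anywhere."""
    exposed = {}
    for sg in security_groups:
        open_cidrs = []
        for perm in sg.get("IpPermissions", []):
            if _covers_port(perm):
                open_cidrs.extend(_public_sources(perm))
        if open_cidrs:
            exposed[sg["GroupId"]] = sorted(set(open_cidrs))
    return exposed

def check_bastion_only(security_groups, max_exposed=1):
    """True if at most `max_exposed` groups expose SSH externally;
    use max_exposed=0 once Session Manager replaces the bastion host."""
    return len(groups_exposing_ssh(security_groups)) <= max_exposed

SAMPLE_GROUPS = [  # constructed sample; group ids are hypothetical
    {"GroupId": "sg-bastion", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
     "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-app", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
     "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy", "IpPermissions": [{"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    print("exposed:", groups_exposing_ssh(SAMPLE_GROUPS))
    print("bastion-only rule satisfied:", check_bastion_only(SAMPLE_GROUPS))
```

Note that an all-traffic rule (`IpProtocol` of `-1`) counts as exposing port 22 even though no port range appears in it, which is the case a port-only grep would miss.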