@alwynpan
Last active February 17, 2022 09:02
[AWS] Replace SSH with Session Manager


Create a KMS key for Session Manager

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
  3. In the navigation pane, choose Customer managed keys.
  4. Choose Create key.
  5. Create a symmetric KMS key by choosing Symmetric in Key type.
  6. Click Next.
  7. Type an alias for the KMS key, e.g. SessionManagerKey.
  8. Click Next.
  9. (Optional) Type a tag key and an optional tag value. To add more than one tag to the KMS key, choose Add tag.
  10. Click Next.
  11. Select the IAM users and roles that can administer the KMS key.
  12. (Optional) To prevent the selected IAM users and roles from deleting this KMS key, in the Key deletion section at the bottom of the page, clear the Allow key administrators to delete this key check box.
  13. Click Next.
  14. Select the IAM users and roles that can use the key in cryptographic operations.
  15. (Optional) You can allow other AWS accounts to use this KMS key for cryptographic operations. To do so, in the Other AWS accounts section at the bottom of the page, choose Add another AWS account and enter the AWS account identification number of an external account. To add multiple external accounts, repeat this step.
  16. Click Next.
  17. Review the key settings that you chose. You can still go back and change all settings.
  18. Choose Finish to create the KMS key.
  19. Choose the key from the Customer-managed keys list and note down the ARN.

Grant KMS key access to CloudWatch Log Group

  1. In the Customer managed keys list, choose the key created in the Create a KMS key for Session Manager step.
  2. On the Key policy tab, choose Switch to policy view in the Key policy section.
  3. Choose Edit and paste the following statement in the Statement section:
    {
         "Effect": "Allow",
         "Principal": {
             "Service": "logs.<region>.amazonaws.com"
         },
         "Action": [
             "kms:Encrypt*",
             "kms:Decrypt*",
             "kms:ReEncrypt*",
             "kms:GenerateDataKey*",
             "kms:Describe*"
         ],
         "Resource": "*",
         "Condition": {
             "ArnEquals": {
                 "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:<region>:<account number>:log-group:<log group name>"
             }
         }
     }

    Note: update the region, account number, and log group name in the statement with real values.

Create a CloudWatch Log Group for Session Manager Logs

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
  2. In the navigation pane, choose Log groups under Logs.
  3. Choose Create log group.
  4. Enter a name for the log group, e.g. SessionManagerLogs. Set the retention period in Retention setting, and enter the ARN from the Create a KMS key for Session Manager step in the KMS key ARN input box.

    Note: The log group name must match the log group name used in the statement in the Grant KMS key access to CloudWatch Log Group step, or the condition in that statement will not match and log encryption will fail.

  5. Choose Create log group.

Create an IAM Role for Session Manager

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane of the IAM console, choose Roles, and then choose Create role.
  3. For Select trusted entity, choose AWS service.
  4. Choose EC2 as the use case for your service. Use cases are defined by the service to include the trust policy required by the service. Then, click Next.
  5. Click Next on the Permissions policies page.
  6. For Role name, enter a name that helps you identify the purpose of this role. For the EC2 use case the full name is editable; some other services fix the name or a prefix and only let you add a suffix. Role names must be unique within your AWS account and are not case-sensitive, so you cannot create both PRODROLE and prodrole. Because other AWS resources might reference the role, the name cannot be changed after the role has been created.
  7. (Optional) For Description, enter a description for the new role.
  8. (Optional) Add metadata to the role by attaching tags as key–value pairs.
  9. Review the role and then choose Create role.
  10. On the Roles page, select the role created. Click Add permissions then Create inline policy in the Permissions policies section.
  11. Choose the JSON tab on the Create policy page, and paste the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeAssociation",
                "ssm:GetDeployablePatchSnapshotForInstance",
                "ssm:GetDocument",
                "ssm:DescribeDocument",
                "ssm:GetManifest",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:ListAssociations",
                "ssm:ListInstanceAssociations",
                "ssm:PutInventory",
                "ssm:PutComplianceItems",
                "ssm:PutConfigurePackageResult",
                "ssm:UpdateAssociationStatus",
                "ssm:UpdateInstanceAssociationStatus",
                "ssm:UpdateInstanceInformation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2messages:AcknowledgeMessage",
                "ec2messages:DeleteMessage",
                "ec2messages:FailMessage",
                "ec2messages:GetEndpoint",
                "ec2messages:GetMessages",
                "ec2messages:SendReply"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "<KMS Key ARN>"
        }
    ]
}

Note: update the KMS Key ARN in the statement with the real value, i.e. the ARN from the Create a KMS key for Session Manager step.

  12. Click Review policy and name the new policy (e.g. SessionManagerPermissions). Click Create policy.
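Before attaching the policy it is worth checking it mechanically: a missing ssmmessages grant is the most common reason a session never opens, and kms:Decrypt on "*" is wider than the policy above, which scopes it to one key ARN. The following audit is an added example, not code from the gist; it applies IAM's action wildcard matching (* and ?, case-insensitive), treats an explicit Deny as overriding, and ignores statement conditions. REQUIRED_ACTIONS is a subset of the policy above chosen for the check, and the two sample policies are constructed here.

```python
"""Audit an EC2 instance-role policy for what Session Manager needs.

Added example, not part of the original gist. It checks a policy document
such as the inline policy above: every action in REQUIRED_ACTIONS must be
granted by an Allow statement (with IAM's * and ? wildcard semantics), must
not be revoked by a Deny statement, and kms:Decrypt should be scoped to a
single key ARN rather than "*". Statement conditions are not evaluated.
"""
import fnmatch
import json

# Subset of the actions in the gist's policy that a session cannot work without:
# the agent must register the instance and open control/data channels.
REQUIRED_ACTIONS = [
    "ssm:UpdateInstanceInformation",
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
    "ec2messages:GetMessages",
    "s3:GetEncryptionConfiguration",
    "kms:Decrypt",
]


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(action, pattern):
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def collect(policy, effect):
    """Map each Action pattern in statements with the given Effect to its Resources."""
    out = {}
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != effect or "Action" not in stmt:
            continue
        for pattern in _as_list(stmt["Action"]):
            out.setdefault(pattern, []).extend(_as_list(stmt.get("Resource", [])))
    return out


def audit(policy_json):
    """Return which required actions are missing and whether kms:Decrypt is unscoped."""
    policy = json.loads(policy_json)
    allows, denies = collect(policy, "Allow"), collect(policy, "Deny")
    missing = []
    for action in REQUIRED_ACTIONS:
        allowed = any(_matches(action, p) for p in allows)
        denied = any(_matches(action, p) for p in denies)  # explicit deny wins
        if not allowed or denied:
            missing.append(action)
    # kms:Decrypt on "*" lets the instance use any key whose key policy admits
    # the role; the gist scopes it to the Session Manager key ARN instead.
    kms_resources = [r for p, res in allows.items() if _matches("kms:Decrypt", p) for r in res]
    return {"missing": missing, "kms_decrypt_unscoped": "*" in kms_resources}


# Constructed sample: the gist's policy shape, with kms:Decrypt scoped to a
# placeholder key ARN (account id and key id are made up).
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:UpdateInstanceInformation", "ssm:GetParameter"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ssmmessages:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2messages:GetMessages", "ec2messages:SendReply"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetEncryptionConfiguration", "Resource": "*"},
        {"Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    ],
})

# Constructed sample of a policy that looks close but is not right: no
# ssmmessages grant at all, and kms:Decrypt on every key.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2messages:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetEncryptionConfiguration", "kms:Decrypt"], "Resource": "*"},
    ],
})

if __name__ == "__main__":
    print(audit(GOOD_POLICY))
    print(audit(BAD_POLICY))
```

Run it against the policy you are about to paste (saved as JSON) by calling audit() on the file contents; an empty "missing" list and kms_decrypt_unscoped == False is the state the policy above produces.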

Grant KMS key access to IAM Role

  1. Open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms. In the Customer managed keys list, choose the key created in the Create a KMS key for Session Manager step.
  2. On the Key policy tab, choose Switch to policy view in the Key policy section.
  3. Choose Edit and paste the following statement in the Statement section:
    {
       "Effect": "Allow",
       "Principal": {
           "AWS": "arn:aws:iam::<account number>:role/<IAM role name>"
       },
       "Action": [
           "kms:Encrypt*",
           "kms:Decrypt*",
           "kms:ReEncrypt*",
           "kms:GenerateDataKey*",
           "kms:Describe*"
       ],
       "Resource": "*"
    }

    Note: update the account number and IAM role name in the statement with real values.
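The two key-policy statements above (the CloudWatch Logs service principal in Grant KMS key access to CloudWatch Log Group, and the IAM role principal here) are pasted by hand, and the usual failures are a placeholder left in, a region in the service principal that does not match the log group ARN in the condition, or a log group name that differs from the one created. The following is an added example, not the gist's code: it builds both statements from the gist's placeholders, appends them to an existing key policy without dropping what is already there, and lints the result. The account id, role name and base policy are constructed values; the base policy mirrors the default administrator statement a new key starts with.

```python
"""Build the two key-policy statements the gist adds and lint them.

Added example, not the gist's own code. The placeholders (<region>,
<account number>, <log group name>, <IAM role name>) are the gist's; the
sample account id, role name and base policy below are constructed.
"""
import json
import re

ACCOUNT_RE = re.compile(r"^\d{12}$")
PLACEHOLDER_RE = re.compile(r"<[^>]+>")
LOGS_PRINCIPAL_RE = re.compile(r"^logs\.([a-z0-9-]+)\.amazonaws\.com$")

KMS_ACTIONS = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:Describe*"]


def logs_statement(region, account, log_group):
    """Statement from "Grant KMS key access to CloudWatch Log Group"; the
    encryption-context condition pins the grant to one log group."""
    return {
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{region}.amazonaws.com"},
        "Action": KMS_ACTIONS,
        "Resource": "*",
        "Condition": {"ArnEquals": {
            "kms:EncryptionContext:aws:logs:arn":
                f"arn:aws:logs:{region}:{account}:log-group:{log_group}"}},
    }


def role_statement(account, role_name):
    """Statement from "Grant KMS key access to IAM Role"."""
    return {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account}:role/{role_name}"},
        "Action": KMS_ACTIONS,
        "Resource": "*",
    }


def add_statements(existing_policy_json, *statements):
    """Append statements to a key policy, keeping the existing ones: replacing
    the whole policy can remove the administrators' own access to the key."""
    policy = json.loads(existing_policy_json)
    policy.setdefault("Statement", []).extend(statements)
    return policy


def lint(policy):
    """Return problems found: unreplaced <placeholders>, account ids that are not
    12 digits, a logs principal without a condition, or a region mismatch
    between the logs principal and the log-group ARN in its condition."""
    problems = [f"placeholder not replaced: {ph}"
                for ph in sorted(set(PLACEHOLDER_RE.findall(json.dumps(policy))))]
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue
        if "Service" in principal:
            m = LOGS_PRINCIPAL_RE.match(principal["Service"])
            if not m:
                continue
            ctx = stmt.get("Condition", {}).get("ArnEquals", {}).get(
                "kms:EncryptionContext:aws:logs:arn")
            if ctx is None:
                problems.append("logs principal without an encryption-context "
                                "condition: any log group could use this key")
                continue
            parts = ctx.split(":")  # arn:aws:logs:<region>:<account>:log-group:<name>
            if len(parts) < 7 or parts[3] != m.group(1):
                problems.append(f"region mismatch: {principal['Service']} vs {ctx}")
            if len(parts) < 5 or not ACCOUNT_RE.match(parts[4]):
                problems.append(f"account id is not 12 digits in {ctx}")
        elif "AWS" in principal:
            parts = principal["AWS"].split(":")  # arn:aws:iam::<account>:...
            if len(parts) < 6 or not ACCOUNT_RE.match(parts[4]):
                problems.append(f"account id is not 12 digits in {principal['AWS']}")
    return problems


# Constructed: the administrator statement a freshly created key policy carries.
BASE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    policy = add_statements(
        BASE_POLICY,
        logs_statement("ap-southeast-2", "111122223333", "SessionManagerLogs"),
        role_statement("111122223333", "SessionManagerRole"))
    print(json.dumps(policy, indent=4))
    print(lint(policy))
```

Paste the printed policy into the policy view, then run lint() on the saved policy before choosing Save; the log group name passed to logs_statement() must be the one used in Create a CloudWatch Log Group for Session Manager Logs.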
