Getting into your instances
Updated: Apr 18, 2024
Did the previous article get you excited? Let's have a look at how this works on a less theoretical level.
OK, so you have created an AWS instance, say i-fafafafafafafa, in your private subnet, but for some reason you need an SSH-like connection to it, hopefully not too often.
In the old days, having a bastion host used to be an acceptable choice. These days, not so much, basically because of the exposed ports. Even if you don't use port 22, it is still a risk. Even an elementary school kid knows how to scan ports these days! Actually, my son does.
So today's post is about the SSM tool (AWS Systems Manager Session Manager) that Amazon developed for us. You only need the SSM agent running in your instance and the AmazonSSMManagedInstanceCore policy attached to the role applied to the instance. With that, you will see a nice orange Connect button in your web console.
something I like to call the CTRL+W reflex: cutting (or removing) the last word you wrote in bash. If you do that in Firefox, you will close your tab every time you press it, raising that facepalm feeling and the "not again" internal thought. Therefore you need a real console.
Recalling the previous article, you would have the AWS CLI v2 installed in your box, configured with an access key ID, secret access key, and region. So a simple aws ssm start-session --target i-fafafafafafafa would get you connected.
A nice trick for tryhards is to set a bash alias like
alias CONN='aws ssm start-session --target '
in your ~/.bash_aliases (note the trailing space), so that typing only CONN i-fafafafafafafa gets you into your instance.
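The alias above hands whatever you type straight to the AWS CLI. The following script is an added example, not code from the original post: a small wrapper that only passes a well-formed instance id to aws ssm start-session, checks that the CLI and the Session Manager plugin are installed, and asks Systems Manager whether the instance has actually checked in before trying to open a session. The script name ssm-connect.sh and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: a wrapper around
# `aws ssm start-session` that validates its input and explains why a
# session cannot start instead of leaving you with a bare CLI error.
set -eu

# Return 0 if $1 looks like an EC2 instance id (i- followed by 8 to 17
# lowercase hex characters), 1 otherwise. Keeps arbitrary strings out of
# the AWS CLI call.
is_instance_id() {
    case "$1" in i-*) ;; *) return 1 ;; esac
    hex=${1#i-}
    case "$hex" in ""|*[!0-9a-f]*) return 1 ;; esac
    [ "${#hex}" -ge 8 ] && [ "${#hex}" -le 17 ]
}

# Return 0 if both the AWS CLI and the Session Manager plugin are on PATH.
# start-session needs the plugin; without it the CLI refuses to connect.
have_ssm_tools() {
    command -v aws >/dev/null 2>&1 && command -v session-manager-plugin >/dev/null 2>&1
}

# Ask Systems Manager whether the instance has registered. Prints the
# PingStatus (Online, ConnectionLost, Inactive) or "None" if the instance
# has never checked in, which usually means the agent is not running or the
# instance role lacks AmazonSSMManagedInstanceCore.
ssm_ping_status() {
    aws ssm describe-instance-information \
        --filters "Key=InstanceIds,Values=$1" \
        --query 'InstanceInformationList[0].PingStatus' --output text
}

# Validate, check prerequisites, then open the session (replaces the CONN alias).
ssm_connect() {
    target=$1
    if ! is_instance_id "$target"; then
        echo "refusing to connect: '$target' is not an instance id" >&2
        return 2
    fi
    if ! have_ssm_tools; then
        echo "aws CLI and session-manager-plugin must both be installed" >&2
        return 3
    fi
    status=$(ssm_ping_status "$target")
    if [ "$status" != "Online" ]; then
        echo "$target is not Online in SSM (status: $status); check the agent and the instance role" >&2
        return 4
    fi
    exec aws ssm start-session --target "$target"
}

# Usage: ./ssm-connect.sh i-fafafafafafafa
if [ "$#" -gt 0 ]; then
    ssm_connect "$1"
fi
```

The describe-instance-information call needs ssm:DescribeInstanceInformation on your own credentials; if you only have ssm:StartSession, drop that check and keep the id validation.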
Now, what if you need to transfer files between your Linux box and the instance? In that case you need an extra step. You will need not only your AWS credentials as mentioned before, but also the PEM (RSA) key pair used when the instance was created, properly installed. Also, you need to configure SSH to use SSM as a proxy by adding the following text somewhere in your ~/.ssh/config file, probably at the end of it:
host i-*
    ProxyCommand bash -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
Once you have that, SSH and SCP will work against your instance without exposing any port.
You can type commands like
ssh ec2-user@i-fafafafafafafa to get inside,
scp ec2-user@i-fafafafafafafa:/home/hello_world.py . to bring a file,
scp hello_world.py ec2-user@i-fafafafafafafa:~/ to send a file (ec2-user cannot write to /, so give it a directory it owns), etc.
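Pasting the Host block into ~/.ssh/config by hand works once, but it is easy to end up with two copies after a second tutorial, and ssh silently ignores a config file with loose permissions. The script below is an added example, not code from the original post: it installs the same Host block idempotently into whatever config file you name, so you can try it on a scratch file first, and it shows how to confirm what ssh actually resolves for an instance-id host. The script name ssm-ssh-config.sh, the marker comment and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): install the Session Manager
# ProxyCommand block into an SSH config file idempotently, then resolve what
# ssh would use for an instance-id host. The config path is a parameter so
# the function can be exercised on a scratch file instead of ~/.ssh/config.
set -eu

# Marker comment used to detect an earlier install; must match the heredoc below.
SSM_MARKER='# SSH over AWS Systems Manager Session Manager'

# Append the Host block to config file $1 unless the marker is already present.
install_ssm_proxy() {
    cfg=$1
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg"
    # ssh refuses to read a user config file that other users can write to.
    chmod 600 "$cfg"
    if grep -qF "$SSM_MARKER" "$cfg"; then
        return 0
    fi
    cat >> "$cfg" <<'EOF'

# SSH over AWS Systems Manager Session Manager
Host i-*
    ProxyCommand bash -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# Print how many times the block is present in $1 (exactly 1 after install).
ssm_block_count() {
    grep -cF "$SSM_MARKER" "$1" || true
}

# Print the ProxyCommand that ssh resolves for host $2 using config file $1.
# Needs OpenSSH 6.8 or newer for -G; not exercised by the self-test.
resolved_proxy() {
    ssh -G -F "$1" "$2" | grep -i '^proxycommand'
}

# Usage: ./ssm-ssh-config.sh ~/.ssh/config
if [ "$#" -gt 0 ]; then
    install_ssm_proxy "$1"
    echo "blocks in $1: $(ssm_block_count "$1")"
fi
```

After installing into the real ~/.ssh/config, resolved_proxy ~/.ssh/config i-fafafafafafafa should print the ProxyCommand line, and the ssh and scp commands above work as written; the instance key still has to be supplied the usual way, for example with -i or an IdentityFile line in the same Host block.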
Nice, isn't it?
Just one more trick
Let's imagine you do not need any file transfer feature, so the aws ssm start-session method is enough. But you get into your console and realize that some special keys don't work: hitting the arrows shows ^[[A, ^[[B, ^[[C and ^[[D; the Home key shows ^[[H, the End key shows ^[[F, etc., when you try to move the cursor. The shell the session drops you into has no line editing, so the key escape sequences are echoed as-is. Of course, you'd want your old console with its magic tricks enabled! There is a very simple solution for that: type bash (Enter), and you get a shell with line editing back.
You are welcome! :)
All right! Now it is time to have fun and try it.
Stay around to learn more DevOps tricks like this one.