How to protect your SSH and SCP connections with AWS Session Manager in 4 simple steps
Updated: Jul 10
In certain scenarios it becomes necessary to open SSH or SCP connections to EC2 instances in our infrastructure. AWS Systems Manager Session Manager offers a robust way to do this: the connection is tunneled through the SSM agent's outbound connection to the Systems Manager service, so port 22 never has to be exposed to the internet and overall security improves.
Step #1: Install the latest version of the AWS CLI and the Session Manager plugin
To begin, install the latest versions of the AWS CLI and the Session Manager plugin. The AWS documentation provides detailed installation instructions for both.
Step #2: Modify the SSH config file
Locate your SSH config file: it is "~/.ssh/config" on Linux and macOS, or "C:\Users\<username>\.ssh\config" on Windows.
Add the following stanza to the config file. It tells SSH to route every host name that looks like an EC2 instance ID (i-*) or a hybrid managed instance ID (mi-*) through a Session Manager session instead of a direct TCP connection; %h expands to the host name and %p to the port:
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
Step #3: Install the SSM agent and configure the instance profile of your instances
Follow the SSM agent installation instructions provided in the AWS documentation.
In my case, I’m installing it on an Ubuntu machine with the following commands:
# install the agent from the snap store (classic confinement is required)
sudo snap install amazon-ssm-agent --classic
# verify that the snap is installed and see which version is running
sudo snap list amazon-ssm-agent
Additionally, attach the AmazonSSMManagedInstanceCore managed policy to the IAM role used as the instance profile of the EC2 instances you wish to access. This grants the agent the permissions it needs for the core Systems Manager functionality, including registering the instance and accepting sessions.
Step #4: Start an SSH/SCP session from your local environment
Before initiating SSH/SCP sessions with your EC2 instances, select the AWS profile to use, or, if you are using temporary credentials, set the region of the EC2 instances, with the following commands. The credentials you use locally must be allowed to call ssm:StartSession on the target instance with the AWS-StartSSHSession document.
export AWS_REGION=<region-name>
export AWS_PROFILE=<profile-name>
# ssh command: the instance ID is the host name, so the ProxyCommand from Step 2 applies
ssh -i id_rsa ubuntu@i-xxxxxxxxx
# scp command: copy a file or directory from the instance to the local machine
scp -i id_rsa ubuntu@i-xxxxxxxxx:/<dir-or-file-path> <local-file-path>
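The two commands above only work when the host name matches the Step 2 stanza and the SSM agent on the instance is actually reachable; otherwise ssh either bypasses the ProxyCommand or hangs while start-session fails. The following preflight script is an added example, not code from the original post or from AWS: it checks both conditions before connecting, using the real aws ssm describe-instance-information call, and assumes the ssh config from Step 2 is in place and that the local credentials can call ssm:DescribeInstanceInformation. The JSON samples embedded in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks for SSH over SSM.

# Returns 0 when the host name matches the "Host i-* mi-*" stanza from Step 2,
# i.e. when ssh would route the connection through the SSM ProxyCommand.
is_ssm_target() {
  case "$1" in
    i-[0-9a-f]*|mi-[0-9a-f]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Extracts PingStatus from the JSON returned by
# `aws ssm describe-instance-information`. Prints "None" when the instance is
# not registered with Systems Manager at all (empty InstanceInformationList).
ping_status_from_json() {
  status=$(printf '%s' "$1" | sed -n 's/.*"PingStatus": *"\([A-Za-z]*\)".*/\1/p' | head -n 1)
  printf '%s' "${status:-None}"
}

# Returns 0 only when the target is SSM-routed and its agent is Online;
# otherwise explains on stderr why ssh would fail and returns 1.
preflight() {
  target=$1
  json=$2
  if ! is_ssm_target "$target"; then
    echo "preflight: '$target' does not match 'Host i-* mi-*'; ssh would bypass the SSM ProxyCommand" >&2
    return 1
  fi
  status=$(ping_status_from_json "$json")
  if [ "$status" != "Online" ]; then
    echo "preflight: $target PingStatus is '$status'; the SSM agent is not reachable, not attempting ssh" >&2
    return 1
  fi
  return 0
}

# Live helper: queries Systems Manager for the instance, runs the preflight and
# then opens the same ssh command as Step 4. Requires the aws CLI and the
# session-manager-plugin binary on PATH.
connect() {
  for tool in aws session-manager-plugin; do
    command -v "$tool" >/dev/null 2>&1 || { echo "connect: $tool not found on PATH" >&2; return 1; }
  done
  json=$(aws ssm describe-instance-information \
           --filters "Key=InstanceIds,Values=$1" --output json) || return 1
  preflight "$1" "$json" || return 1
  ssh -i id_rsa "ubuntu@$1"
}

# Constructed sample responses (shape of describe-instance-information output).
SAMPLE_ONLINE='{
  "InstanceInformationList": [
    { "InstanceId": "i-0123456789abcdef0", "PingStatus": "Online", "PlatformName": "Ubuntu" }
  ]
}'
SAMPLE_LOST='{
  "InstanceInformationList": [
    { "InstanceId": "i-0123456789abcdef0", "PingStatus": "ConnectionLost", "PlatformName": "Ubuntu" }
  ]
}'
SAMPLE_EMPTY='{ "InstanceInformationList": [] }'

# Usage: sh preflight.sh i-0123456789abcdef0
if [ -n "${1:-}" ]; then
  connect "$1"
fi
```

Run it with the instance ID as the only argument; with no argument it just defines the functions, so it can be sourced from another script. A status of ConnectionLost or Inactive, or no entry at all, points at Step 3 (agent not running, or the instance profile is missing AmazonSSMManagedInstanceCore) rather than at the SSH configuration.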
By following these steps, you can protect your SSH and SCP connections with AWS Session Manager: access is established through Systems Manager rather than through an inbound port, which removes one of the most commonly attacked entry points to an instance.
Happy coding and see you next time, in the Cloud!
Juan Bermudez
Cloud Engineer
Teracloud
If you want to know more about Cloud Security, we suggest checking out Best Security Practices and the Well-Architected Framework.