Securely SSH into Instances in Private Subnets with AWS Systems Manager Session Manager

Ayush Agrawal
4 min read · Aug 3, 2023

In an Amazon Web Services (AWS) environment, it is common to have instances located in private subnets to enhance security. However, managing and accessing these instances can become challenging, especially when traditional methods like SSH require a bastion host or a VPN. AWS Systems Manager Session Manager offers a secure and convenient alternative, allowing users to access instances in private subnets without the need for public IP addresses or direct SSH connections. In this blog, we will explore AWS Systems Manager Session Manager and provide a step-by-step guide on how to securely SSH into instances in private subnets.

What is AWS Systems Manager Session Manager?

AWS Systems Manager Session Manager is a fully managed service that enables users to establish interactive shell sessions with their instances directly from the AWS Management Console or the AWS Command Line Interface (CLI). Unlike traditional SSH, which requires public IP addresses or VPN access, Session Manager uses secure HTTPS connections and IAM policies for authentication, making it an ideal choice for instances in private subnets.

Step-by-Step Guide: How to SSH into Instances in Private Subnets with Session Manager

Step 1: Set Up AWS Systems Manager

  1. Sign in to AWS Management Console: Log in to the AWS Management Console (https://aws.amazon.com/) using your AWS credentials.
  2. Access AWS Systems Manager: Once logged in, navigate to the AWS Systems Manager console by clicking on “Systems Manager” from the list of services.
  3. Set Up IAM Permissions: Ensure that your IAM user or role has the necessary permissions to use AWS Systems Manager Session Manager. Grant the required permissions through IAM policies.

Step 2: Configure AWS Systems Manager Session Manager

  1. Enable Session Manager: In the AWS Systems Manager console, click on “Session Manager” in the left-hand navigation pane. If it’s your first time using Session Manager, you may need to enable it by clicking on “Enable Session Manager” and following the instructions.

Step 3: Launch an Instance in a Private Subnet

  1. Create an EC2 Instance: Launch an Amazon EC2 instance in a private subnet. Ensure that the instance has the AWS Systems Manager Agent installed (most modern Amazon Machine Images (AMIs) come with the agent pre-installed).
  2. Assign IAM Role: Attach an IAM role to the instance that allows it to communicate with AWS Systems Manager.

Step 4: SSH into the Instance using Session Manager

  1. Access Session Manager: In the AWS Systems Manager console, click on “Session Manager” in the left-hand navigation pane.
  2. Start a Session: Click on “Start session” and choose the instance from the list of available instances.
  3. Grant IAM Permissions: If prompted, grant the required IAM permissions to establish the session.
  4. Access the Instance: Once the session is started, you will have an interactive shell session with the instance, allowing you to execute commands and perform administrative tasks as if you were SSHed directly into the instance.
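The steps above leave the permission details to the reader. As an added example (not code from the original post), the following builds a least-privilege identity policy for the person opening sessions, the trust policy for the instance role from Step 3, a small audit check for over-broad `ssm:StartSession` grants, and the `~/.ssh/config` stanza that lets plain `ssh` ride over Session Manager (this needs the Session Manager plugin for the AWS CLI installed locally). The account ID, region and tag values are constructed placeholders.

```python
# Constructed placeholder values; replace with your own account, region and tag.
ACCOUNT = "123456789012"
REGION = "ap-south-1"

def operator_policy(tag_key="Environment", tag_value="dev"):
    """Identity policy for the person connecting: StartSession only on instances
    carrying the tag, only through the SSH session document, and only the
    caller's own sessions may be resumed or terminated."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "StartOnTaggedInstances", "Effect": "Allow",
         "Action": "ssm:StartSession",
         "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
         "Condition": {"StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value}}},
        {"Sid": "SshDocumentOnly", "Effect": "Allow",
         "Action": "ssm:StartSession",
         "Resource": f"arn:aws:ssm:{REGION}::document/AWS-StartSSHSession"},
        {"Sid": "OwnSessionsOnly", "Effect": "Allow",
         "Action": ["ssm:ResumeSession", "ssm:TerminateSession"],
         "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"},
    ]}

def instance_trust_policy():
    """Trust policy for the instance role; attach the AWS managed policy
    AmazonSSMManagedInstanceCore to it so the agent can register with Systems Manager."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}]}

def unscoped_start_session(policy):
    """Audit helper: Sids that allow ssm:StartSession on '*' or on an
    instance wildcard with no Condition, i.e. on every instance in the account."""
    bad = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if st.get("Effect") != "Allow" or "ssm:StartSession" not in actions:
            continue
        if "Condition" not in st and any(r == "*" or r.endswith(":instance/*") for r in resources):
            bad.append(st.get("Sid", "<no Sid>"))
    return bad

# ~/.ssh/config stanza: ssh is proxied through the Session Manager plugin, so the
# instance needs no public IP, no inbound port-22 rule and no bastion host.
SSH_CONFIG = ("Host i-* mi-*\n"
              "  ProxyCommand sh -c \"aws ssm start-session --target %h "
              "--document-name AWS-StartSSHSession --parameters 'portNumber=%p'\"\n")
```

With the stanza in place, `ssh ec2-user@i-0123456789abcdef0` (a constructed instance ID) opens an SSH session over Session Manager; every session still appears in the Session Manager history, and the TerminateSession grant is scoped so one operator cannot end another's session.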

Risks of Using a Bastion Host-based Setup:

Using bastion hosts comes with several risks and challenges that can affect both the security and the manageability of your infrastructure. Some of the key risks of using bastion hosts include:

  1. Increased Attack Surface: Bastion hosts act as a gateway to access private instances in your network. As an exposed entry point, they become potential targets for attackers seeking to gain unauthorized access. Any vulnerability in the bastion host could lead to a breach, compromising the security of your entire infrastructure.
  2. Single Point of Failure: Since all SSH or RDP traffic passes through the bastion host, any disruption or failure in the bastion host can result in a complete loss of remote access to private instances. This single point of failure can lead to significant downtime and operational issues.
  3. Maintaining and Patching: Bastion hosts require regular maintenance and security updates to mitigate vulnerabilities. Keeping the bastion host secure and up-to-date is essential, as outdated software may expose your infrastructure to potential threats.
  4. SSH Key Management: Managing SSH keys for accessing the bastion host and the private instances can become cumbersome, especially when dealing with multiple users and instances. Improper SSH key management can lead to access control issues and potential security breaches.
  5. Traffic Overhead: All SSH or RDP traffic is routed through the bastion host, leading to additional network traffic and potential performance bottlenecks. This can impact network latency and response times for remote connections.
  6. Complexity in Multi-Region Deployments: In multi-region deployments, setting up bastion hosts in each region can add complexity to the network architecture and increase the attack surface.
  7. Potential Misconfigurations: Misconfigurations in the bastion host’s security groups, network access control lists (NACLs), or firewall rules could expose the bastion host to unauthorized access or compromise its functionality.
  8. Logging and Audit Challenges: Tracking user activities and auditing sessions on bastion hosts might be challenging without proper centralized logging and monitoring solutions.
  9. Management Overhead: Maintaining, monitoring, and securing the bastion host infrastructure adds to the overall management overhead, leading to higher operational costs and resource allocation.

AWS Systems Manager Session Manager offers a secure and efficient way to SSH into instances located in private subnets without the need for bastion hosts or VPNs. By leveraging secure HTTPS connections and IAM policies, Session Manager provides a centralized and convenient method to manage instances in private subnets. In this blog, we explored AWS Systems Manager Session Manager and provided a step-by-step guide on how to securely SSH into instances in private subnets. By following these steps, you can streamline your access management and enhance the security of your AWS environment, allowing you to focus on managing your infrastructure with ease and peace of mind.


Ayush Agrawal

Solutions Architect, AWS India, Founder of an Edtech startup(Acquired)