This solution demonstrates how to access an EC2 instance over SSH when the instance has no SSH key installed, no ports open, and not even a public IP address configured.
MaksimAniskov/aws-ssh-bastion-ssm

How it works

We use Amazon EC2 Instance Connect to 'inject' a temporary SSH key, generated on the client side, into the instance.

To connect to the instance, we use AWS Systems Manager Session Manager, configuring the SSH client with a specific ProxyCommand.

You can use this demo in two modes. The 'advanced' one creates a private subnet, which requires creating four VPC Endpoints so that the EC2 instance can reach the AWS services it needs, namely SSM, EC2 and S3.

Important! Three of the endpoints are of the Interface type, powered by AWS PrivateLink. Creating Interface endpoints incurs additional costs; please refer to AWS PrivateLink pricing.

The other mode creates a public subnet and an EC2 instance in it with a public IP address. Even in this mode, port 22 is not opened, nor is any other port.

References

AWS Systems Manager Session Manager for Shell Access to EC2 Instances, updated in August 2019, on AWS News Blog, and Enable SSH Connections Through Session Manager on AWS Systems Manager User Guide.

Introducing Amazon EC2 Instance Connect published on Jun 27, 2019 on What's New, and Connect Using EC2 Instance Connect on Amazon EC2 User Guide.

ProxyCommand on OpenSSH SSH client configuration files man page.

Architecture

EC2 Instance in a Private Subnet

Architecture: private subnet

EC2 Instance in a Public Subnet

Architecture: public subnet

How to deploy

  1. If required, update the AWS CLI to a newer version that supports the ec2-instance-connect service.

  2. Create an AWS CloudFormation stack, providing the CloudFormation template.yaml file as the template.

  3. Make a note of the EC2 instance's id in the stack's outputs.

  4. (Optional) Check in the AWS Systems Manager console whether the instance has appeared among Managed Instances.

  5. Update the SSM Agent on the instance if required. It must be version 2.3.672.0 or later.
    You can use the following command to update the SSM Agent.
    aws ssm create-association --name AWS-UpdateSSMAgent --instance-id ...

  6. Add the content of the SSH config snippet provided here to your ~/.ssh/config. You can do that with the following command.
    cat ./.ssh/config >>~/.ssh/config

How to use

Connect to the instance with the following command, providing your instance id.
./connect.sh ec2-user@i-xxxxxxxxxxxxx
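The two mechanisms described under "How it works" (a short-lived public key pushed through EC2 Instance Connect, and an SSH ProxyCommand that opens a Session Manager tunnel instead of a TCP connection to port 22), put together in one script that also checks the agent version requirement from the deploy steps. This is an added example, not the repository's connect.sh or its .ssh/config snippet; the function names are mine, and it assumes the aws CLI (with the ec2-instance-connect and ssm commands), the session-manager-plugin and ssh-keygen are installed on the client.

```shell
#!/bin/sh
# Added example, not the repository's own connect.sh or .ssh/config snippet.
# Assumes: aws CLI with the ec2-instance-connect and ssm commands, the
# session-manager-plugin, and ssh/ssh-keygen on PATH; the instance runs
# SSM Agent >= 2.3.672.0 and EC2 Instance Connect, as the README requires.
set -eu

MIN_AGENT_VERSION="2.3.672.0"   # minimum version from the README's deploy step 5

# Accept only well-formed instance ids: "i-" followed by 8 or 17 hex digits.
is_instance_id() {
    printf '%s\n' "$1" | grep -Eq '^i-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# Return 0 if dotted version $1 is >= $2, comparing component by component.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# The ProxyCommand that turns "ssh i-..." into a Session Manager tunnel.
# ssh expands %h to the host name (the instance id) and %p to the port.
proxy_command() {
    printf '%s\n' "sh -c \"aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'\""
}

# A ~/.ssh/config snippet equivalent to the one the README asks you to append.
ssh_config_snippet() {
    printf 'Host i-*\n    ProxyCommand %s\n' "$(proxy_command)"
}

# Availability zone of the instance; EC2 Instance Connect needs it.
instance_az() {
    aws ec2 describe-instances --instance-ids "$1" \
        --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' \
        --output text
}

# SSM Agent version as reported to Systems Manager ("None" if not managed).
agent_version() {
    aws ssm describe-instance-information \
        --filters "Key=InstanceIds,Values=$1" \
        --query 'InstanceInformationList[0].AgentVersion' --output text
}

# Push a one-off public key through EC2 Instance Connect, then ssh through SSM.
# The pushed key is honoured for only 60 seconds, so generate, push and connect
# in one go, and delete the private key when the session ends.
connect_via_ssm() {
    target="$1"                     # e.g. ec2-user@i-0123456789abcdef0
    os_user="${target%@*}"
    instance_id="${target#*@}"
    is_instance_id "$instance_id" || { echo "bad instance id: $instance_id" >&2; return 2; }

    ver="$(agent_version "$instance_id")"
    if [ "$ver" = "None" ] || ! version_ge "$ver" "$MIN_AGENT_VERSION"; then
        echo "SSM Agent on $instance_id is missing or older than $MIN_AGENT_VERSION (got: $ver)" >&2
        return 3
    fi

    keydir="$(mktemp -d)"
    trap 'rm -rf "$keydir"' EXIT
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$keydir/key"
    aws ec2-instance-connect send-ssh-public-key \
        --instance-id "$instance_id" \
        --availability-zone "$(instance_az "$instance_id")" \
        --instance-os-user "$os_user" \
        --ssh-public-key "file://$keydir/key.pub" >/dev/null
    ssh -i "$keydir/key" -o IdentitiesOnly=yes \
        -o "ProxyCommand=$(proxy_command)" "$os_user@$instance_id"
}

# Usage: ./connect.sh ec2-user@i-0123456789abcdef0
if [ $# -gt 0 ]; then
    connect_via_ssm "$1"
fi
```

Because the ProxyCommand is passed with `-o`, the script works without touching ~/.ssh/config; `ssh_config_snippet` prints the equivalent stanza if you prefer the README's approach of appending it once and then using plain `ssh ec2-user@i-...`. Nothing in the flow depends on a security group rule or a public address: the only network path is the outbound connection the SSM Agent keeps to the Systems Manager endpoints.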
