AWS Session Manager: Cost-effecient, auditable access to your servers

Illustration of a person from behind holding a paintbrush, looking up at a large grey castle tower, suggesting the beginning of an artistic endeavor. Illustration of a person from behind holding a paintbrush, looking up at a large grey castle tower, suggesting the beginning of an artistic endeavor.

Let's talk about bastion hosts.

Normally, you would have a bastion host to connect to your servers to do some manual operations tasks. It's not something you are supposed to do too often, because most of the system configuration and maintenance must happen automatically.

Still, we do not live in a perfect world, and every now and then you have to log in to the server and fix things. The problem with the bastion host is that you have to maintain it, harden it and make sure access to it is under control.

If your bastion host is unavailable, then you can not access your machines easily. And if it's compromised, then you are in real trouble. Besides that, you normally want to have more than one bastion host, with different network and user access.

But bastion host management is only half of the problem. You also need to control who can access which machines over those bastions and you also need to log which commands are executed on the machines during SSH sessions for simple audit and debugging purposes. You either need to integrate it with central identity management or automate the management of authorized SSH keys by some other means.

While having a bastion host is a totally valid approach, we should always be open for new approaches and technologies, especially when we move our workloads to the cloud. Let's take AWS Session Manager for example.

AWS audit: Huge list of AWS services can be intimidating. We'll help you figure it out and choose the right solution for your business. About AWS audits

What is AWS Session Manager?

AWS Systems Manager is a service for managing your cloud and on-premise workloads. It's not just a single tool, but rather a collection of various utilities, that you can use independently of each other. You can automate patching, use simple and secure key-value storage for parameters, run various scripts with popular configuration management tools and so on.

But in this guide, I will talk about AWS Session Manager, a cost-effective, convenient, secure and audit-able way to access your EC2 and on-premise servers.

This tool was created to solve all of the bastion host challenges mentioned above.

With Session Manager, you don't need to manage any bastion hosts. As a matter of fact, you don't even need to use bastion hosts anymore, all the connections happen over the secure channel between Amazon SSM Agent and AWS data centre.

As you can imagine, Session Manager integrates really nicely with AWS IAM, CloudWatch and many other services. The really amazing part of the Session Manager is that you can use it completely free for your EC2 machines. You can shut down all the bastion hosts and instantly save some money that you spent on running them.

But using Session Manager for EC2 is rather boring. The more interesting use case is to open sessions to your on-premise servers or servers that you run inside other Cloud Providers. This allows you to foster your hybrid cloud strategy by centralizing the management of all of your workloads in a central, managed space.

For the live demo of how to connect bare metal server outside of the AWS to the AWS Session Manager and collect all the session logs to CloudWatch Logs, check out my video. I set a timestamp to skip the theory part that you've just read, so you can go straight to action:

Don't forget to subscribe to our channel and if you need help with leveraging public cloud or defining your hybrid cloud strategy, reach out to us by writing an email to team@mkdev.me or check out our business offerings.