Securely login to your Bastion host Instance with AWS SSM – “Run command”

June 6, 2020 / Eternal Team

Managing EC2 without logging in: bastion-free and SSH-key-free access to EC2 instances

AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances. A managed instance is an EC2 instance or an on-premises machine. You can use Run Command from the AWS console, the AWS Command Line Interface, AWS Tools for Windows PowerShell, or the AWS SDKs.

Run Command is offered at no additional cost.

Session Manager is part of the AWS Systems Manager service. It gives you a browser-based CLI window to access your Windows and Linux EC2 instances without opening an inbound SSH/RDP port. There is no need to create a bastion host and no need to manage SSH keys. Access can be granted or revoked using AWS IAM.

AWS Systems Manager uses the SSM agent running on the EC2 instance to handle the login and other tasks.
Now let’s see how to implement this in the AWS console.

  1. Create an IAM role named role-SSM (or any name you prefer) and attach the AmazonEC2RoleforSSM AWS managed policy to it.
  2. Launch a CentOS instance and attach the role-SSM role to it.
  3. SSH to the instance, switch to root and execute the following commands. This installs the SSM agent on the instance and starts the service.
     # mkdir /tmp/ssm
     # cd /tmp/ssm
     # yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
     # systemctl enable amazon-ssm-agent
     # systemctl start amazon-ssm-agent
  4. Verify the SSM agent status by executing the following command.
     # systemctl status amazon-ssm-agent
  5. Log in to the AWS web console and open the EC2 Dashboard.
  6. Under the “Systems Manager Services” section, click “Run Command”. In the right pane, click the “Run a command” button.
  7. Under “Command document”, select “AWS-RunShellScript”.
  8. Under “Select Targets by”, select the instance. If your configuration is correct so far, the instance name appears in the list.
  9. In the “Commands” field, type the text below.
     # yum update -y
  10. Leave all other options at their defaults and click “Run”.
  11. Once the command completes, the orange “In Progress” status changes to a green “Success”. You can log in to the system and verify that the packages were updated. If kernel packages were involved, you have to reboot the instance.
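The same workflow driven from the AWS CLI instead of the console, as an added example that is not part of the original post: it sends the `yum update -y` command through the AWS-RunShellScript document and polls the invocation until it leaves the “In Progress” state. It assumes the AWS CLI is configured with an IAM identity allowed to call ssm:SendCommand and ssm:GetCommandInvocation, that the SSM agent is already registered as in the steps above, and that the instance id shown is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): drive Run Command from the AWS CLI.
# Assumes `aws` is configured with an identity allowed ssm:SendCommand and
# ssm:GetCommandInvocation, and that the target instance already reports to SSM.
SSM_POLL_SECONDS="${SSM_POLL_SECONDS:-5}"   # poll interval; lowered to 0 in tests

# Send a shell script to one managed instance through AWS-RunShellScript.
# Prints the CommandId that identifies this invocation.
ssm_send() {
    instance_id="$1"
    script="$2"
    aws ssm send-command \
        --document-name "AWS-RunShellScript" \
        --instance-ids "$instance_id" \
        --parameters "commands=[\"$script\"]" \
        --comment "package update via Run Command" \
        --query 'Command.CommandId' --output text
}

# Poll the invocation status. Returns 0 on Success, 1 on a terminal failure
# (Failed/Cancelled/TimedOut), 2 if it is still not finished after $3 polls.
ssm_wait() {
    command_id="$1"
    instance_id="$2"
    tries="${3:-60}"
    status="Pending"
    while [ "$tries" -gt 0 ]; do
        # Right after send-command the invocation record may not exist yet and
        # the call errors out; treat that the same as a Pending status.
        status=$(aws ssm get-command-invocation \
            --command-id "$command_id" --instance-id "$instance_id" \
            --query 'Status' --output text 2>/dev/null) || status="Pending"
        case "$status" in
            Success) return 0 ;;
            Failed|Cancelled|TimedOut) echo "command $command_id: $status" >&2; return 1 ;;
            *) sleep "$SSM_POLL_SECONDS"; tries=$((tries - 1)) ;;
        esac
    done
    echo "command $command_id: still $status after polling" >&2
    return 2
}

# Usage: sh ssm-run.sh i-0123456789abcdef0   (the instance id is a placeholder)
if [ -n "${1:-}" ]; then
    cid=$(ssm_send "$1" "yum update -y")
    echo "sent CommandId $cid"
    ssm_wait "$cid" "$1"
fi
```

The `--query`/`--output text` flags let the script avoid a JSON parser; the status values are those the GetCommandInvocation API reports (Pending, InProgress, Delayed, Success, Cancelled, TimedOut, Failed).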

Conclusion

In this blog, we saw how to manage a bastion host with AWS SSM Run Command. With it you can run commands on the server securely without SSH/RDP access, in any environment, whether it is Linux or Windows.
