SSM requires an instance profile role that should be associated with each EC2 instances. Because the agent always starts the communication, allow any inbound rules is not necessary. SSM agent needs communication with the AWS API, this communication uses standard HTTPS ports. SSM agent should be installed in every Ec2 instances or on-premise machine with Administrative access. (Exception port-forwarding action logs will not be Pushed to cloudwatch logs and s3 bucket)
SSM SESSION MANAGER FULL
Full support for logging and auditing features in AWS (CloudTrail, S3, CloudWatch logs).
Command outputs can be forwarded to CloudWatch logs and generate alerts as response for undesired behavior. Logs include the executed command, outputs, time when the command was executed and more. Sessions are logged based on the IAM user. Deploy and manage ssh-keys for EC2 instances is not necessary. Jump or Bastion host can be removed to improve security and save cost. Open inbound SSH connection port for EC2 instances is no longer needed. Centralization of access to EC2 instances and granular control over who can start sessions on specific instances. Session manager can leverage multi-factor authentication (by enforcing IAM policies). Systems Manager components are reliable and highly available (AWS Console, AWS CLI, SSM endpoints). Optional: Session outputs can be forwarded to CloudWatch logs and/or S3 buckets (Exception port-forwarding action logs will not be Pushed to cloudwatch logs and s3 bucket). Any action performed over session manager is logged on CloudTrail. An agent running on each EC2 instance connects to then System Manager endpoints and executes the command over the instances. If authentication is successful, SSM session manager is accessible by the AWS Management Console or AWS CLI (requires session manager CLI plugin). Admin users are authenticated through IAM roles and policies. Session Manager also makes it easy to comply with corporate policies that require controlled access to instances, strict security practices, and fully auditable logs with instance access details, while still providing end users with simple one-click cross-platform access to your Amazon EC2 instances. 
Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS CLI.
0 kommentar(er)
