SlideShare a Scribd company logo

Shutdown that bastion host!

Download as PPTX, PDF
M
MichaelLudvig

The document discusses various methods for securely logging into EC2 instances, highlighting their pros and cons, including direct SSH, bastion hosts, and VPN to VPC. It emphasizes the advantages of using AWS-native options like SSM sessions and EC2 session management, which enhance security and simplify access control without requiring inbound network access. Additionally, it introduces tools like aws-ssm-tools for better interaction with EC2 and ECS services.

Technology
1 of 25
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
There are better ways to login to your EC2 instances Shutdown that Bastion Host Michael Ludvig Principal consultant @ Servian
Michael Ludvig About me
Direct SSH to EC2 Quick and easy. And insecure. Pros: * Easy to set up Cons: * Easy to set up insecurely * Direct internet access * Difficult access control
Bastion host For those private subnets Pros: * Easy to set up Cons: * SSH access to Bastion * Shared SSH key * Difficult access control
VPN to VPC If you know your routes Pros: * More secure Cons: * Complicated setup * Shared SSH key * Difficult access control
Shared and re-used SSH keys ● Infamous EC2 “Key Pairs” ● Hard to audit access ● Hard to revoke and replace ● No MFA Common problem with all the methods Access Control Solutions are complex to implement ● Active Directory ● Hashicorp Vault ● FreeIPA
IAM authentication ● Access tied to IAM Users ● Controlled by IAM policies ● Auditable in Cloud Trail AWS native authentication Access Control via IAM Works with… ● SSH ● EC2 SSM Terminal Session ● EC2 Serial console ● ECS containers including Fargate
EC2 Session Modern AWS-native way to login
SSM Session Modern AWS-native way to login
SSM Session Modern AWS-native way to login
EC2 Session - requirements Modern AWS-native way to login What do we need … 1. SSM Agent running on the EC2 ○ Default in recent Amazon Linux 2 and Ubuntu 18.04+ instances 2. Network access from EC2 to SSM Service ○ Public IP, NAT gateway, Proxy, or VPC endpoint ○ No need for inbound access 3. EC2 Instance Role with AmazonSSMManagedInstanceCore managed policy
SSM Session - AWS CLI example Modern AWS-native way to login Official AWS CLI way … ~ $ aws ssm start-session --target i-08c1950f615da4aa4 Starting session with SessionId: botocore-session-1665972406-0d66b7a6d75402362 sh-4.2$ exit Exiting session with sessionId: botocore-session-1665972406-0d66b7a6d75402362. … because we all remember the Instance IDs, yeah right.
ec2-session (a.k.a. ssm-session) List instances: ~ $ ec2-session --profile sandpit --list i-08c1950f615da4aa4 ec2-demo1 172.31.16.189 3.26.20.151 i-0bf539dae623eba84 ec2-demo2 172.31.104.217 # No Public IP! Select host by name, run session as ec2-user: ~ $ ec2-session ec2-demo2 --user ec2-user Select host by IP, run a command: ~ $ ec2-session 172.31.16.189 --command "sudo yum install -y tmux" An easier way in
AWS SSM Tools ~ $ pipx install aws-ssm-tools installed package aws-ssm-tools 1.5.0-beta5, Python 3.8.11 These apps are now globally available - ec2-serial - ec2-session - ec2-ssh - ecs-session - ssm-tunnel done! ✨ 🌟 ✨ Contribute on GitHub: https://github.com/mludvig/aws-ssm-tools EC2 access for humans
ec2-ssh Why? ● No need for inbound SSH access ● No need for pre-shared SSH key (aka “EC2 Key Pair”) ● Useful where ec2-session is not enough, e.g. rsync, ssh port forwarding ● Access can be audited in CloudTrail SSH connection over SSM session
[michael@MBP] ~ $ ec2-ssh --profile sandpit --send-key -L 5432:some-rds-instance:5432 ec2-user@ec2-demo1 [michael@MBP] ~ $ ec2-ssh --profile sandpit --send-key -L 5432:some-rds-instance:5432 ec2-user@ec2-demo1 INFO: Resolved instance name 'ec2-demo1' to 'i-08c1950f615da4aa4' INFO: Using SSH key from SSH Agent, should be as good as any. ec2-user@ec2-demo1 ~ $ [michael@MBP] ~ $ ec2-ssh --profile sandpit --send-key -L 5432:some-rds-instance:5432 ec2-user@ec2-demo1 INFO: Resolved instance name 'ec2-demo1' to 'i-08c1950f615da4aa4' INFO: Using SSH key from SSH Agent, should be as good as any. ec2-user@ec2-demo1 ~ $ w 06:41:09 up 12 days, 21:42, 1 user, load average: 0.04, 0.09, 0.08 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT ec2-user pts/0 localhost 06:41 1.00s 0.01s 0.00s w ec2-user@ec2-demo1 ~ $ ec2-ssh Port forwarding example
[michael@MBP] ~ $ rsync -e "ec2-ssh --send-key" ec2-user@ec2-demo1: [michael@MBP] ~ $ rsync -e "ec2-ssh --send-key" ec2-user@ec2-demo1: INFO: Resolved instance name 'ec2-demo1' to 'i-08c1950f615da4aa4' INFO: Using SSH key from SSH Agent, should be as good as any. drwx------ 181 2022/06/25 22:17:57 . -rw------- 11,455 2022/06/25 22:18:06 .bash_history -rw-r--r-- 18 2020/01/16 13:56:01 .bash_logout -rw-r--r-- 193 2020/01/16 13:56:01 .bash_profile -rw-r--r-- 231 2020/01/16 13:56:01 .bashrc [...] ec2-ssh RSync example
Login to ECS and Fargate containers Just because you can doesn’t mean you should!
AWS CLI ECS Exec Find the ECS Cluster name nginx-Cluster-8SqXVHC The Terminator-style CLI (i.e. not for the rest of us) Find the Service name nginx-Service-gL6Cnj Find the Task name 11f37244484b486e9e0eda9b94c Construct the AWS CLI command line: [michael@MBP] ~ $ aws ecs execute-command --cluster nginx-Cluster-8SqXVHC --task 11f37244484b486e9e0eda9b94c --container nginx --command “/bin/bash” --interactive
ecs-session [michael@MBP] ~ $ ecs-session --list Cluster Group Task Cont. IP nginx-Cluster-8SqXVHC service:nginx-Service-gL6Cnj a3875d0e...7d488 nginx 172.31.107.214 nginx-Cluster-8SqXVHC service:nginx-Service-gL6Cnj 11f37244...9b94c nginx 172.31.73.13 nginx-Cluster-8SqXVHC service:nginx-Service-gL6Cnj fb4099e3...aba46 nginx 172.31.94.23 For the non-Terminators among us (i.e. for me and you) [michael@MBP] ~ $ ecs-session 172.31.73.13 nginx-Cluster-8SqXVHC service:nginx-Service-gL6Cnj 11f37244...9b94c nginx 172.31.73.13 Starting session with SessionId: ecs-execute-command-09c4f8dcf93299816 root@ip-172-31-73-13:/#
ECS / Fargate Session - requirements Modern AWS-native way to login What do we need … 1. Service / Task setting in CFN or Terraform: ○ EnableExecuteCommand: true 2. Task Role with AmazonSSMManagedInstanceCore managed policy 3. Network access from the task to SSM Service ○ Public IP, NAT gateway, Proxy, or VPC endpoint ○ No need for inbound access
Virtual serial port Why? ● Works even without instance connectivity (e.g. firewall misconfiguration, boot problems) ● Boot log messages ● Last resort Why not? ● Requires password-enabled user account Welcome back to the 90’s
ec2-serial [michael@MBP] ~ $ ec2-serial --region us-east-1 ec2-demo1 Wait a few seconds and then press Enter for a prompt... EC2 console serial port over SSH [michael@MBP] ~ $ ec2-serial --region us-east-1 ec2-demo1 Wait a few seconds and then press Enter for a prompt... Amazon Linux 2 Kernel 5.10.147-133.644.amzn2.x86_64 on an x86_64 ip-172-31-16-189 login:
ssm-tunnel [michael@MBP] ~ $ ssm-tunnel ec2-demo1 --route 172.31.0.0/16 [sudo] password for mludvig: **** INFO: Local IP: 100.64.156.100 / Remote IP: 100.64.156.101 00:00:34 | In: 472.0 B @ 5.2 B/s | Out: 2.7kB @ 0.0 B/s Your ad-hoc VPC backdoor [michael@MBP] ~ $ ping 172.31.104.217 # ec2-demo2 PING 172.31.104.217 (172.31.104.217) 56(84) bytes of data. 64 bytes from 172.31.104.217: icmp_seq=1 ttl=254 time=90.8 ms 64 bytes from 172.31.104.217: icmp_seq=2 ttl=254 time=89.0 ms 64 bytes from 172.31.104.217: icmp_seq=3 ttl=254 time=91.4 ms ^C --- 172.31.104.217 ping statistics — 3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 89.043/90.447/91.413/1.073 ms
Get in touch! https://www.linkedin.com/in/michaelludvig AWS SSM Tools: https://github.com/mludvig/aws-ssm-tools Blog posts about (not only) AWS SSM Tools: https://michael-ludvig.medium.com

More Related Content

Similar to Shutdown that bastion host! (20)

PPTX
AWS Services.pptx
LearnTechnology2
 
PPTX
Module 1 introduction to aws demo 4
Ganesh Bhosale
 
ODP
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios
 
PDF
Aws amazon ec2
Sentinel Solutions Ltd
 
PPTX
AWS Cyber Security Best Practices
DoiT International
 
PPTX
Aws meetup systems_manager
Adam Book
 
PPTX
Red Team vs. Blue Team on AWS ~ re:Invent 2018
2nd Sight Lab
 
PPT
How to begin with Amazon EC2?
Cuelogic Technologies Pvt. Ltd.
 
PPTX
Who Broke My Crypto
John Varghese
 
PPTX
Discovering OpenBSD on AWS
Laurent Bernaille
 
PPTX
Amazon cloudtutorial
Chris Buenaventura
 
PDF
Deployment and Management on AWS:
 A Deep Dive on Options and Tools
Danilo Poccia
 
PDF
SSH.pdf
AnisSalhi3
 
PDF
AWS Certified Solutions Architect Slides v.pdf
Carrie Tran
 
PDF
Auto scaling with Ruby, AWS, Jenkins and Redis
Yi Hsuan (Jeddie) Chuang
 
PPT
Presentation nix
fangjiafu
 
PPT
Presentation nix
fangjiafu
 
PDF
IBM Ported Tools for z/OS: OpenSSH User's Guide
IBM India Smarter Computing
 
PPTX
Pitt Immersion Day Module 2 - ec2 overview
EagleDream Technologies
 
PDF
Как мы взломали распределенные системы конфигурационного управления
Positive Hack Days
 
AWS Services.pptx
LearnTechnology2
 
Module 1 introduction to aws demo 4
Ganesh Bhosale
 
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios
 
Aws amazon ec2
Sentinel Solutions Ltd
 
AWS Cyber Security Best Practices
DoiT International
 
Aws meetup systems_manager
Adam Book
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
2nd Sight Lab
 
How to begin with Amazon EC2?
Cuelogic Technologies Pvt. Ltd.
 
Who Broke My Crypto
John Varghese
 
Discovering OpenBSD on AWS
Laurent Bernaille
 
Amazon cloudtutorial
Chris Buenaventura
 
Deployment and Management on AWS:
 A Deep Dive on Options and Tools
Danilo Poccia
 
SSH.pdf
AnisSalhi3
 
AWS Certified Solutions Architect Slides v.pdf
Carrie Tran
 
Auto scaling with Ruby, AWS, Jenkins and Redis
Yi Hsuan (Jeddie) Chuang
 
Presentation nix
fangjiafu
 
Presentation nix
fangjiafu
 
IBM Ported Tools for z/OS: OpenSSH User's Guide
IBM India Smarter Computing
 
Pitt Immersion Day Module 2 - ec2 overview
EagleDream Technologies
 
Как мы взломали распределенные системы конфигурационного управления
Positive Hack Days
 

Recently uploaded (20)

PDF
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
PDF
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
PDF
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
PPTX
Farrell_Programming Logic and Design slides_10e_ch02_PowerPoint.pptx
bashnahara11
 
PPTX
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
PPTX
Simple and concise overview about Quantum computing..pptx
mughal641
 
PPTX
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
PDF
introduction to computer hardware and sofeware
chauhanshraddha2007
 
PDF
NewMind AI Weekly Chronicles – July’25, Week III
NewMind AI
 
PPTX
Agentic AI in Healthcare Driving the Next Wave of Digital Transformation
danielle hunter
 
PDF
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
PDF
The Future of Mobile Is Context-Aware—Are You Ready?
iProgrammer Solutions Private Limited
 
PPTX
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
PDF
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
PDF
Build with AI and GDG Cloud Bydgoszcz- ADK .pdf
jaroslawgajewski1
 
PDF
GDG Cloud Munich - Intro - Luiz Carneiro - #BuildWithAI - July - Abdel.pdf
Luiz Carneiro
 
PDF
The Future of Artificial Intelligence (AI)
Mukul
 
PDF
TrustArc Webinar - Navigating Data Privacy in LATAM: Laws, Trends, and Compli...
TrustArc
 
PDF
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
Farrell_Programming Logic and Design slides_10e_ch02_PowerPoint.pptx
bashnahara11
 
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
Simple and concise overview about Quantum computing..pptx
mughal641
 
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
introduction to computer hardware and sofeware
chauhanshraddha2007
 
NewMind AI Weekly Chronicles – July’25, Week III
NewMind AI
 
Agentic AI in Healthcare Driving the Next Wave of Digital Transformation
danielle hunter
 
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
The Future of Mobile Is Context-Aware—Are You Ready?
iProgrammer Solutions Private Limited
 
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
Build with AI and GDG Cloud Bydgoszcz- ADK .pdf
jaroslawgajewski1
 
GDG Cloud Munich - Intro - Luiz Carneiro - #BuildWithAI - July - Abdel.pdf
Luiz Carneiro
 
The Future of Artificial Intelligence (AI)
Mukul
 
TrustArc Webinar - Navigating Data Privacy in LATAM: Laws, Trends, and Compli...
TrustArc
 
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
Ad

Shutdown that bastion host!

  • 1. There are better ways to login to your EC2 instances Shutdown that Bastion Host Michael Ludvig Principal consultant @ Servian
  • 3. Direct SSH to EC2 Quick and easy. And insecure. Pros: * Easy to set up Cons: * Easy to set up insecurely * Direct internet access * Difficult access control
  • 4. Bastion host For those private subnets Pros: * Easy to set up Cons: * SSH access to Bastion * Shared SSH key * Difficult access control
  • 5. VPN to VPC If you know your routes Pros: * More secure Cons: * Complicated setup * Shared SSH key * Difficult access control
  • 6. Shared and re-used SSH keys ● Infamous EC2 “Key Pairs” ● Hard to audit access ● Hard to revoke and replace ● No MFA Common problem with all the methods Access Control Solutions are complex to implement ● Active Directory ● Hashicorp Vault ● FreeIPA
  • 7. IAM authentication ● Access tied to IAM Users ● Controlled by IAM policies ● Auditable in Cloud Trail AWS native authentication Access Control via IAM Works with… ● SSH ● EC2 SSM Terminal Session ● EC2 Serial console ● ECS containers including Fargate
  • 11. EC2 Session - requirements Modern AWS-native way to login What do we need … 1. SSM Agent running on the EC2 ○ Default in recent Amazon Linux 2 and Ubuntu 18.04+ instances 2. Network access from EC2 to SSM Service ○ Public IP, NAT gateway, Proxy, or VPC endpoint ○ No need for inbound access 3. EC2 Instance Role with AmazonSSMManagedInstanceCore managed policy
  • 12. SSM Session - AWS CLI example Modern AWS-native way to login Official AWS CLI way … ~ $ aws ssm start-session --target i-08c1950f615da4aa4 Starting session with SessionId: botocore-session-1665972406-0d66b7a6d75402362 sh-4.2$ exit Exiting session with sessionId: botocore-session-1665972406-0d66b7a6d75402362. … because we all remember the Instance IDs, yeah right.
  • 13. ec2-session (a.k.a. ssm-session) List instances: ~ $ ec2-session --profile sandpit --list i-08c1950f615da4aa4 ec2-demo1 172.31.16.189 3.26.20.151 i-0bf539dae623eba84 ec2-demo2 172.31.104.217 # No Public IP! Select host by name, run session as ec2-user: ~ $ ec2-session ec2-demo2 --user ec2-user Select host by IP, run a command: ~ $ ec2-session 172.31.16.189 --command "sudo yum install -y tmux" An easier way in
  • 14. AWS SSM Tools ~ $ pipx install aws-ssm-tools installed package aws-ssm-tools 1.5.0-beta5, Python 3.8.11 These apps are now globally available - ec2-serial - ec2-session - ec2-ssh - ecs-session - ssm-tunnel done! ✨ 🌟 ✨ Contribute on GitHub: https://github.com/mludvig/aws-ssm-tools EC2 access for humans
  • 15. ec2-ssh Why? ● No need for inbound SSH access ● No need for pre-shared SSH key (aka “EC2 Key Pair”) ● Useful where ec2-session is not enough, e.g. rsync, ssh port forwarding ● Access can be audited in CloudTrail SSH connection over SSM session
  • 16. [michael@MBP] ~ $ ec2-ssh --profile sandpit --send-key -L 5432:some-rds-instance:5432 ec2-user@ec2-demo1 [michael@MBP] ~ $ ec2-ssh --profile sandpit --send-key -L 5432:some-rds-instance:5432 ec2-user@ec2-demo1 INFO: Resolved instance name 'ec2-demo1' to 'i-08c1950f615da4aa4' INFO: Using SSH key from SSH Agent, should be as good as any. ec2-user@ec2-demo1 ~ $ [michael@MBP] ~ $ ec2-ssh --profile sandpit --send-key -L 5432:some-rds-instance:5432 ec2-user@ec2-demo1 INFO: Resolved instance name 'ec2-demo1' to 'i-08c1950f615da4aa4' INFO: Using SSH key from SSH Agent, should be as good as any. ec2-user@ec2-demo1 ~ $ w 06:41:09 up 12 days, 21:42, 1 user, load average: 0.04, 0.09, 0.08 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT ec2-user pts/0 localhost 06:41 1.00s 0.01s 0.00s w ec2-user@ec2-demo1 ~ $ ec2-ssh Port forwarding example
  • 17. [michael@MBP] ~ $ rsync -e "ec2-ssh --send-key" ec2-user@ec2-demo1: [michael@MBP] ~ $ rsync -e "ec2-ssh --send-key" ec2-user@ec2-demo1: INFO: Resolved instance name 'ec2-demo1' to 'i-08c1950f615da4aa4' INFO: Using SSH key from SSH Agent, should be as good as any. drwx------ 181 2022/06/25 22:17:57 . -rw------- 11,455 2022/06/25 22:18:06 .bash_history -rw-r--r-- 18 2020/01/16 13:56:01 .bash_logout -rw-r--r-- 193 2020/01/16 13:56:01 .bash_profile -rw-r--r-- 231 2020/01/16 13:56:01 .bashrc [...] ec2-ssh RSync example
  • 18. Login to ECS and Fargate containers Just because you can doesn’t mean you should!
  • 19. AWS CLI ECS Exec Find the ECS Cluster name nginx-Cluster-8SqXVHC The Terminator-style CLI (i.e. not for the rest of us) Find the Service name nginx-Service-gL6Cnj Find the Task name 11f37244484b486e9e0eda9b94c Construct the AWS CLI command line: [michael@MBP] ~ $ aws ecs execute-command --cluster nginx-Cluster-8SqXVHC --task 11f37244484b486e9e0eda9b94c --container nginx --command “/bin/bash” --interactive
  • 20. ecs-session [michael@MBP] ~ $ ecs-session --list Cluster Group Task Cont. IP nginx-Cluster-8SqXVHC service:nginx-Service-gL6Cnj a3875d0e...7d488 nginx 172.31.107.214 nginx-Cluster-8SqXVHC service:nginx-Service-gL6Cnj 11f37244...9b94c nginx 172.31.73.13 nginx-Cluster-8SqXVHC service:nginx-Service-gL6Cnj fb4099e3...aba46 nginx 172.31.94.23 For the non-Terminators among us (i.e. for me and you) [michael@MBP] ~ $ ecs-session 172.31.73.13 nginx-Cluster-8SqXVHC service:nginx-Service-gL6Cnj 11f37244...9b94c nginx 172.31.73.13 Starting session with SessionId: ecs-execute-command-09c4f8dcf93299816 root@ip-172-31-73-13:/#
  • 21. ECS / Fargate Session - requirements Modern AWS-native way to login What do we need … 1. Service / Task setting in CFN or Terraform: ○ EnableExecuteCommand: true 2. Task Role with AmazonSSMManagedInstanceCore managed policy 3. Network access from the task to SSM Service ○ Public IP, NAT gateway, Proxy, or VPC endpoint ○ No need for inbound access
  • 22. Virtual serial port Why? ● Works even without instance connectivity (e.g. firewall misconfiguration, boot problems) ● Boot log messages ● Last resort Why not? ● Requires password-enabled user account Welcome back to the 90’s
  • 23. ec2-serial [michael@MBP] ~ $ ec2-serial --region us-east-1 ec2-demo1 Wait a few seconds and then press Enter for a prompt... EC2 console serial port over SSH [michael@MBP] ~ $ ec2-serial --region us-east-1 ec2-demo1 Wait a few seconds and then press Enter for a prompt... Amazon Linux 2 Kernel 5.10.147-133.644.amzn2.x86_64 on an x86_64 ip-172-31-16-189 login:
  • 24. ssm-tunnel [michael@MBP] ~ $ ssm-tunnel ec2-demo1 --route 172.31.0.0/16 [sudo] password for mludvig: **** INFO: Local IP: 100.64.156.100 / Remote IP: 100.64.156.101 00:00:34 | In: 472.0 B @ 5.2 B/s | Out: 2.7kB @ 0.0 B/s Your ad-hoc VPC backdoor [michael@MBP] ~ $ ping 172.31.104.217 # ec2-demo2 PING 172.31.104.217 (172.31.104.217) 56(84) bytes of data. 64 bytes from 172.31.104.217: icmp_seq=1 ttl=254 time=90.8 ms 64 bytes from 172.31.104.217: icmp_seq=2 ttl=254 time=89.0 ms 64 bytes from 172.31.104.217: icmp_seq=3 ttl=254 time=91.4 ms ^C --- 172.31.104.217 ping statistics — 3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 89.043/90.447/91.413/1.073 ms
  • 25. Get in touch! https://www.linkedin.com/in/michaelludvig AWS SSM Tools: https://github.com/mludvig/aws-ssm-tools Blog posts about (not only) AWS SSM Tools: https://michael-ludvig.medium.com

Editor's Notes

  • #4: The easiest to set up Must have a Public IP = direct internet access = larger attack vector Restrict access with Security groups
  • #9: Agent running + IAM Policy +
  • #10: Agent running + IAM Policy +
  • #23: Must be enabled in the account Create user in the instance
  • #24: There is a way with AWS-CLI + SSH but don’t make me start on how usable is that.