aws-ssm-ec2-proxy-command
Open an SSH connection to your ec2 instances via AWS SSM without the need to open any ssh port in you security groups.
ec2-instance-connect implementation if possible
ⓘ PreferREADME.windows.md
ⓘ Windows users please refere toPrerequisits
- Local Setup
- Install AWS CLI
- MacOS
brew install awscli
- MacOS
- Install AWS CLI Session Manager Plugin
- MacOS
brew install session-manager-plugin
- MacOS
- Install AWS CLI
- Ensure Your IAM Permissions
- IAM Policy Example
ssm:StartSession
for DocumentName:AWS-StartSSHSession
and Target Instancessm:SendCommand
for DocumentName:AWS-RunShellScript
and Target Instance
- Target Instance Setup
- Ensure SSM Permissions fo Target Instance Profile
- Ensure SSM Agent is installed (preinstalled on all AWS Linux AMIs already)
- Install SSM Agent on Linux Instances
yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm & service amazon-ssm-agent restart
- SSM Agent on Windows Instances
- Install SSM Agent on Linux Instances
Install SSH Proxy Command
- Move proxy command script aws-ssm-ec2-proxy-command.sh to
~/.ssh/aws-ssm-ec2-proxy-command.sh
- Ensure it is executable (
chmod +x ~/.ssh/aws-ssm-ec2-proxy-command.sh
)
Setup SSH Config [optional]
- Add ssh config entry for aws ec2 instances to your
~/.ssh/config
. Adjust key file path if needed.host i-* mi-* IdentityFile ~/.ssh/id_rsa ProxyCommand ~/.ssh/aws-ssm-ec2-proxy-command.sh %h %r %p ~/.ssh/id_rsa.pub StrictHostKeyChecking no
Open SSH Connection
- Ensure AWS CLI environemnt variables are set properly e.g.
export AWS_PROFILE=default
orAWS_PROFILE=default ssh ... <INSTACEC_USER>@<INSTANCE_ID>
- If default region does not match instance region you need to provide it
- e.g.
<INSTACEC_USER>@<INSTANCE_ID>--<INSTANCE_REGION>
- e.g.
SSH Command with SSH Config Setup
ssh <INSTACEC_USER>@<INSTANCE_ID>
- e.g.
ssh ec2-user@i-1234567890
SSH Command with ProxyCommand CLI Option
ssh <INSTACEC_USER>@<INSTANCE_ID> \
-i "~/.ssh/id_rsa" \
-o ProxyCommand="~/.ssh/aws-ssm-ec2-proxy-command.sh %h %r %p ~/.ssh/id_rsa.pub"
ec2-instance-connect:SendSSHPublicKey
Recommended Usage of The advantage from a security perspective is that you don't need to grant ssm:SendCommand
to users and there by the permission to execute everything as root.
Instead you only grant ec2-instance-connect:SendSSHPublicKey
permission to a specific instance user e.g. ec2-user
.
- Ensure Prerequisits
- Follow Install Guide
- Use this aws-ssm-ec2-proxy-command.sh proxy command script instead
- Use this IAM Policy Example instead
ssm:StartSession
for DocumentName:AWS-StartSSHSession
and Target Instanceec2-instance-connect:SendSSHPublicKey
- AWS Documentation
- You may need to adjust
ec2:osuser
to match your needs. Default isec2-user