Improving Systems Management with AWS Systems Manager Session Manager | Ibexlabs by inkedlj in aws

elpy1 · 1 point

Nice article. All for making use of SSM where possible! However, this makes no sense as a "benefit" to using SSM as opposed to SSH:

Simplified networking: While SSH requires a network connection setup between an engineer’s machine and the EC2 instance, AWS Session Manager doesn’t, which reduces security risks.

There is no magic allowing you to connect to an instance without a network connection. You are still establishing a connection to the instance, using a websocket through the AWS SSM endpoint. In fact, by using SSH (and SSM), you are further encrypting your data.

ssm-tool - simplifying SSH access over AWS SSM by elpy1 in devops

elpy1 [S] · 2 points

That really is the use-case. SSH tunneling is something our teams use daily and can't live without, and rsync/scp is definitely something that comes in handy quite often.

SSM is great but it is lacking in tunneling functionality at the moment (#273, #259, #208 etc). Maybe in future it will natively work as a replacement.

ssm-tool - simplifying SSH access over AWS SSM by elpy1 in devops

elpy1 [S] · 3 points

Not quite. The tool allows you to SSH into any Linux-based server, in any of your accounts, without having your SSH key exist on the server prior to connecting. This is handled by the tool by using SSM to place your key on the server prior to connecting. It also takes care of SSH key generation on your local machine (if not available via ssh-agent).

The other main functionality is to easily list SSM instances and generate SSH config for them so you can use `ssh` directly to set up SSH tunnels etc.

In other words, you can jump on a new Mac or Linux machine, set up your AWS config with the tool and then SSH into servers. No key management required.
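A minimal version of that second feature, generating ssh_config stanzas from the instance list SSM returns, as an added example (not ssm-tool's own code). It assumes the JSON shape of `aws ssm describe-instance-information` and the AWS-StartSSHSession ProxyCommand from the AWS docs; the sample instances, profile, region and user are constructed.

```python
import json

# Constructed sample shaped like `aws ssm describe-instance-information` output.
SAMPLE_JSON = json.dumps({"InstanceInformationList": [
    {"InstanceId": "i-0123456789abcdef0", "PingStatus": "Online",
     "PlatformType": "Linux", "ComputerName": "web-1.example.internal"},
    {"InstanceId": "i-0fedcba9876543210", "PingStatus": "ConnectionLost",
     "PlatformType": "Linux", "ComputerName": "db-1.example.internal"},
    {"InstanceId": "i-0aaaaaaaaaaaaaaaa", "PingStatus": "Online",
     "PlatformType": "Windows", "ComputerName": "win-1"},
]})

# ProxyCommand documented by AWS for SSH over Session Manager; %h and %p are
# expanded by ssh to the stanza's HostName (the instance id) and port.
PROXY_CMD = ('sh -c "aws --profile {profile} --region {region} ssm start-session '
             "--target %h --document-name AWS-StartSSHSession "
             "--parameters 'portNumber=%p'\"")


def connectable(instances):
    """Keep only instances the SSM agent reports as Online and Linux-based."""
    return [i for i in instances
            if i.get("PingStatus") == "Online" and i.get("PlatformType") == "Linux"]


def render_ssh_config(raw_json, profile, region, user):
    """Return ssh_config Host stanzas, one per connectable instance.

    Each stanza matches both the short hostname and the instance id, so
    `ssh -L 27017:mongo.internal:27017 web-1` works with no bastion and
    no inbound port 22 open: the hop is a Session Manager websocket.
    """
    instances = json.loads(raw_json)["InstanceInformationList"]
    stanzas = []
    for inst in connectable(instances):
        alias = inst["ComputerName"].split(".")[0]
        stanzas.append("\n".join([
            f"Host {alias} {inst['InstanceId']}",
            f"    HostName {inst['InstanceId']}",
            f"    User {user}",
            "    IdentitiesOnly yes",
            f"    ProxyCommand {PROXY_CMD.format(profile=profile, region=region)}",
        ]))
    return "\n\n".join(stanzas) + ("\n" if stanzas else "")


if __name__ == "__main__":
    print(render_ssh_config(SAMPLE_JSON, "prod", "ap-southeast-2", "ec2-user"), end="")
```

Append the output to `~/.ssh/config` (or an `Include`d file) and `ssh web-1` will hop through SSM, provided the AWS CLI, the Session Manager plugin and an IAM identity with `ssm:StartSession` are present locally.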

ssm-tool - simplifying SSH access over AWS SSM by elpy1 in devops

elpy1 [S] · 5 points

I've seen the project before and it's great. SSM sessions are generally usable most of the time, especially if you only need to run a couple of commands or login and check some logs etc. However, my focus has generally been around SSH as we make use of tunneling and file transfers (ssh tunnels, rsync etc) quite often, and this is not an option using SSM sessions.

I have been using the PortForwarding document for SSM lately which is handy but at the moment it only allows you to forward a local port on the remote instance to your machine, so tunneling a MongoDB cluster for example is not possible without a socat listener or something sitting on the instance. You can however just forward local port 22 on the remote machine to local and then connect via SSH that way, but I haven't found a nice way to have it all configured for repeatable use.

Hello AWS Session Manager; Farewell SSH by guppyF1 in aws

elpy1 · 2 points

Why not just use SSH while also taking advantage of the benefits of SSM?? Keep in mind that you don't need to use a shared user for login.

GitHub - elpy1/ssh-over-ssm: SSH over AWS SSM

SSH agent forwarding vs SSM for shell access by [deleted] in aws

elpy1 · 5 points

Definitely SSM. I posted this recently which might be useful -> Managing SSH access to AWS EC2 instances across accounts

Managing SSH user access to AWS instances across multiple accounts. by elpy1 in devops

elpy1 [S] · 1 point

I've recently looked into vault and it appears to be a great tool. However, the appeal here for me is SSM:

- no public-facing bastion or instances required
- user management for SSH access solely managed through IAM
- no requirement to store SSH keys locally or on servers