Tutorial / Cram Notes
Secure remote access to computing resources is a crucial aspect of maintaining the security and integrity of data and systems, particularly with the increasing prevalence of remote work and cloud computing. Among the various methods available for secure remote access, Secure Shell (SSH) and Remote Desktop Protocol (RDP) are commonly used. However, when it comes to managing resources on AWS, the preferred method is RDP or SSH over Systems Manager Session Manager, which provides secure, auditable access without open inbound ports and without managing SSH keys or credentials.
SSH (Secure Shell)
SSH is a protocol allowing for secure remote login and other secure network services over an insecure network. It encrypts the connection between the client and the server, ensuring confidentiality and integrity of the data exchanged. To utilize SSH:
- Generate SSH key pairs (a public key and a private key).
- Install the public key on the remote server in the authorized_keys file of the user’s home directory.
- Use an SSH client to establish a connection using the corresponding private key.
Example SSH command to connect to a host:
ssh -i /path/to/private-key.pem user@remote-host-ip
RDP (Remote Desktop Protocol)
RDP is a proprietary protocol developed by Microsoft that allows remote access to a desktop environment over a network connection. RDP is typically used to connect to Windows servers or workstations:
- Enable RDP access on the target Windows system.
- Configure network-level authentication and other security settings.
- Connect using an RDP client by providing the Windows server’s IP address, username, and password.
Example RDP command on Windows (mstsc.exe):
mstsc /v:server-ip-address
AWS Systems Manager Session Manager
Systems Manager Session Manager is a fully managed AWS service that provides a secure way to manage EC2 instances, on-premises systems, and virtual machines (VMs), including those in other cloud providers, without exposing them to the public internet. Here’s how it works:
- Systems Manager Agent (SSM Agent) must be installed and configured on the target instances.
- IAM policies and roles need to be set up to grant necessary permissions.
- Access is obtained through the AWS Management Console or the AWS CLI using Session Manager.
Example AWS CLI command to start a session:
aws ssm start-session --target instance-id
RDP / SSH over Systems Manager Session Manager
Combining RDP or SSH with Systems Manager Session Manager enhances security and management capabilities:
- No need for inbound port opening on EC2 instances: Session Manager communicates with instances using the Systems Manager Agent over a secure channel established using AWS’s infrastructure.
- IAM policies and roles can be used to control who can access which instances, providing granular security access control.
- All commands and outputs are logged to Amazon CloudWatch and Amazon S3, creating an audit trail which is crucial for compliance.
When using RDP or SSH over Session Manager, the connection flow changes. Instead of connecting directly to the instance, you connect through the Session Manager, which then proxies the connection to the instance.
Example setup for SSH over Session Manager:
- Configure the AWS CLI and SSM Agent.
- Update the IAM instance profile to include the AmazonSSMManagedInstanceCore policy.
- Open the local SSH configuration file (typically ~/.ssh/config) and add:
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
Security Considerations
When comparing SSH, RDP, and Session Manager for secure remote access in the context of AWS, the usage of Session Manager is generally preferred due to the increased security and control:
- SSH / RDP: Require proper management of credentials and potentially expose services to the internet if not configured with a VPN or VPC.
- Session Manager: Credentials are managed by IAM, no inbound ports need to be opened, and access is logged, making it more secure by default.
Conclusion
For those preparing for the AWS Certified Security – Specialty (SCS-C02) exam, understanding the differences between these secure remote access methods and their configuration steps in AWS is essential. Systems Manager Session Manager is often emphasized for its robust security features and ease of integration with the AWS ecosystem and IAM. It is important to practice setting up and managing SSH and RDP sessions both directly and over Session Manager to ensure a well-rounded understanding of AWS security best practices and mechanisms.
Practice Test with Explanation
True or False: SSH provides encrypted communication over potentially insecure networks, making it suitable for secure remote access.
- (A) True
- (B) False
Answer: A
Explanation: SSH (Secure Shell) is designed to provide secure encrypted communication over unsecured networks like the internet, making it a widely used method for secure remote access.
Which AWS service allows for secure, auditable, and managed remote commands on EC2 instances without needing to open inbound ports?
- (A) AWS Direct Connect
- (B) AWS Systems Manager Session Manager
- (C) AWS VPN
- (D) Amazon Route 53
Answer: B
Explanation: AWS Systems Manager Session Manager allows for secure, auditable, and managed remote sessions to EC2 instances without opening inbound ports or managing SSH keys.
True or False: RDP over Systems Manager Session Manager allows you to manage Windows-based instances without exposing RDP ports to the internet.
- (A) True
- (B) False
Answer: A
Explanation: True, RDP can be tunneled through Systems Manager Session Manager to access Windows-based instances securely without exposing the RDP port directly to the internet.
Single select: Which of the following is not a feature of AWS Systems Manager Session Manager?
- (A) Interactive shell access to EC2 instances
- (B) Session logging and auditable command history
- (C) Direct internet access to EC2 instances
- (D) Integration with AWS Identity and Access Management (IAM) for access control
Answer: C
Explanation: AWS Systems Manager Session Manager does not require direct internet access; it provides a secure connection to EC2 instances without needing to open inbound ports on the instances.
True or False: You can use SSH keys for authentication when using Systems Manager Session Manager.
- (A) True
- (B) False
Answer: B
Explanation: Systems Manager Session Manager does not require SSH keys for authentication. Instead, it relies on IAM roles and policies for access control.
Single select: What does SSH stand for?
- (A) Secure Sockets Handler
- (B) Secure Shell
- (C) Secure Systems Hub
- (D) Simple Session Handler
Answer: B
Explanation: SSH stands for Secure Shell, which is a network protocol that provides administrators with a secure way to access a remote computer.
True or False: Systems Manager Session Manager requires an SSM Agent installed on the EC2 instances to initiate a session.
- (A) True
- (B) False
Answer: A
Explanation: True, Systems Manager Session Manager requires the SSM Agent to be installed and running on the EC2 instances to start and manage sessions.
Multiple select: Which security practices should be followed when using SSH for remote access? (Select TWO)
- (A) Disable SSH access entirely
- (B) Use strong passwords only
- (C) Use SSH key pairs instead of passwords
- (D) Disable root login over SSH
- (E) Allow SSH from any IP address
Answer: C, D
Explanation: Using SSH key pairs provides a more secure method of authentication than passwords, and disabling root login over SSH strengthens the security against unauthorized access.
True or False: AWS Systems Manager Session Manager logs are stored in Amazon CloudWatch Logs by default.
- (A) True
- (B) False
Answer: A
Explanation: Session Manager can be configured to send session logs to Amazon S3 and/or Amazon CloudWatch Logs, which can be used for auditing and compliance purposes.
Single select: Which protocol does RDP primarily use for secure remote access?
- (A) TCP
- (B) UDP
- (C) ICMP
- (D) SCTP
Answer: A
Explanation: Remote Desktop Protocol (RDP) primarily uses TCP (Transmission Control Protocol) for secure remote access to Windows servers and desktops.
True or False: When using Systems Manager Session Manager, you still need to manage your EC2 instance’s security groups to allow SSH/RDP access.
- (A) True
- (B) False
Answer: B
Explanation: One of the benefits of using Session Manager is that you do not need to manage security group rules to allow SSH or RDP access, as the service does not require open inbound ports for these protocols.
Single select: To enhance the security of SSH sessions, what can you implement in addition to using SSH keys?
- (A) Multi-factor authentication
- (B) Use of default port 22 for SSH
- (C) Single-factor authentication
- (D) No additional measures are necessary
Answer: A
Explanation: Implementing multi-factor authentication (MFA) adds an additional layer of security to SSH sessions, reducing the risk of unauthorized access even if SSH keys are compromised.
Interview Questions
What is the primary difference between SSH and RDP when it comes to remote access?
SSH, or Secure Shell, is a protocol primarily used for secure command-line access and file transfers over unsecured networks, typically between a client and a server on Unix-like operating systems. RDP, or Remote Desktop Protocol, is designed for graphical remote desktop connections, mainly on Windows-based systems. SSH encrypts the session to provide confidentiality and integrity, while RDP provides a full graphical user interface experience, which can also be secured using encryption.
How can AWS Systems Manager Session Manager enhance the security of SSH and RDP access?
AWS Systems Manager Session Manager allows administrators to manage servers without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. It provides a browser-based interactive shell and RDP session while logging all session activity to S3 and CloudWatch Logs for auditing, thus enhancing security and simplifying access.
Can you describe the process of setting up an RDP session over AWS Systems Manager Session Manager?
To set up an RDP session over AWS Systems Manager Session Manager, you need to:
- Ensure your instance is managed by AWS Systems Manager with the SSM Agent installed and running.
- Assign an IAM role to the instance with the necessary permissions for Systems Manager.
- Open the AWS Management Console, navigate to Systems Manager, and choose Session Manager.
- Start a new session with the desired instance and choose the ‘Start session’ option.
- Once the command-line session is active, you can port forward the RDP port (3389) and use an RDP client to connect using ‘localhost’.
How can AWS Identity and Access Management (IAM) be used to control who has access to initiate SSH sessions through Systems Manager?
AWS Identity and Access Management (IAM) can be utilized to create policies that specify which users or roles have permission to initiate SSH sessions. Policies can control access by specifying the ‘ssmmessages:CreateControlChannel’ action and other related actions, and attaching them to IAM users, groups, or roles.
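The instance-scoped IAM control described in this answer and in the earlier "RDP / SSH over Systems Manager Session Manager" list, as an added example (not code from the page or from AWS): it builds a policy that grants ssm:StartSession only on instances carrying a constructed SSMAccess=allowed tag and only with the SSH and port-forwarding session documents, then checks constructed requests against it. The account id, region and tag are placeholders, and is_allowed is a deliberately simplified model of IAM (Allow statements only) for reading the policy, not a replacement for the IAM policy simulator.

```python
import fnmatch

ACCOUNT = "123456789012"  # constructed placeholder account id
REGION = "us-east-1"      # constructed placeholder region
SESSION_DOCS = ["AWS-StartSSHSession", "AWS-StartPortForwardingSession"]


def session_manager_policy(tag_key="SSMAccess", tag_value="allowed"):
    """Identity policy: start SSH/port-forwarding sessions only on instances
    carrying tag_key=tag_value; resume or end only the caller's own sessions.
    Returns a dict; json.dumps() it to attach as an IAM policy document."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "StartOnTaggedInstances", "Effect": "Allow",
         "Action": "ssm:StartSession",
         "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
         "Condition": {"StringLike": {f"ssm:resourceTag/{tag_key}": tag_value}}},
        {"Sid": "ApprovedSessionDocumentsOnly", "Effect": "Allow",
         "Action": "ssm:StartSession",
         "Resource": [f"arn:aws:ssm:*:*:document/{d}" for d in SESSION_DOCS],
         "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}},
        {"Sid": "OwnSessionsOnly", "Effect": "Allow",
         "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
         "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource, context):
    """Simplified IAM evaluation (Allow only, no Deny): True when a statement
    matches action and resource and its conditions hold for `context`."""
    user = context.get("aws:username", "")
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        patterns = [r.replace("${aws:username}", user) for r in _as_list(stmt["Resource"])]
        if not any(fnmatch.fnmatchcase(resource, p) for p in patterns):
            continue
        cond = stmt.get("Condition", {})
        # StringLike fails when the key is absent from the request context.
        like_ok = all(k in context and fnmatch.fnmatchcase(context[k], v)
                      for k, v in cond.get("StringLike", {}).items())
        # BoolIfExists passes when the key is absent, otherwise must equal.
        bool_ok = all(context.get(k, v) == v
                      for k, v in cond.get("BoolIfExists", {}).items())
        if like_ok and bool_ok:
            return True
    return False
```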
What are some best practices for securing an SSH session when using AWS?
Best practices for securing an SSH session in AWS include:
- Use Systems Manager Session Manager for centralized access control and auditability.
- Disable SSH password-based authentication and use key-based authentication.
- Rotate SSH keys regularly.
- Limit access by using security groups and network ACLs.
- Implement Multi-Factor Authentication (MFA).
- Keep the systems and SSH daemon updated with the latest patches.
Why is key rotation important for secure remote access, and how can you enforce it in an AWS environment?
Key rotation is important because it reduces the window of opportunity for an attacker to use a compromised key to gain unauthorized access. In an AWS environment, you can enforce key rotation by setting up an IAM policy that requires users to rotate their SSH keys within a specified time period or using AWS Secrets Manager to automate the rotation of SSH keys.
How does Systems Manager Session Manager log and audit remote access sessions to ensure compliance and security?
Session Manager logs all session activity including command history to Amazon S3 and/or Amazon CloudWatch Logs. This provides an audit trail that can be reviewed for compliance and security analysis. Session Manager also allows you to stream these logs in real-time, which is essential for monitoring and immediate incident response activities.
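A small audit over the access records this answer describes, as an added example (not code from the page or from AWS): the events are constructed in the shape of CloudTrail's ssm StartSession records (field names assumed from that format), and the checks flag sessions that used a document outside an approved set, came from a principal not on an allow-list, or were started outside a change window. The principal ARNs, instance ids and window hours are placeholders.

```python
import json
from datetime import datetime

APPROVED_DOCS = {"AWS-StartSSHSession", "AWS-StartPortForwardingSession"}
ALLOWED_PRINCIPALS = {"arn:aws:iam::123456789012:user/alice",
                      "arn:aws:iam::123456789012:role/OpsAdmin"}
CHANGE_WINDOW_UTC = (8, 18)  # sessions expected between 08:00 and 18:00 UTC

# Constructed records in the shape of CloudTrail ssm StartSession events.
SAMPLE_EVENTS = json.loads("""[
 {"eventName": "StartSession", "eventSource": "ssm.amazonaws.com",
  "eventTime": "2024-05-01T10:15:00Z",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"target": "i-0a1b2c3d4e5f60001",
                        "documentName": "AWS-StartSSHSession"},
  "responseElements": {"sessionId": "alice-0123abcd"}},
 {"eventName": "StartSession", "eventSource": "ssm.amazonaws.com",
  "eventTime": "2024-05-01T23:40:00Z",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mallory"},
  "requestParameters": {"target": "i-0a1b2c3d4e5f60002"},
  "responseElements": {"sessionId": "mallory-4567ef01"}},
 {"eventName": "TerminateSession", "eventSource": "ssm.amazonaws.com",
  "eventTime": "2024-05-01T10:45:00Z",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"sessionId": "alice-0123abcd"}}
]""")


def audit_start_sessions(events):
    """Return [(sessionId, reason), ...] for StartSession records that used a
    document outside APPROVED_DOCS, an unexpected principal, or a start time
    outside the change window. Clean sessions produce no findings."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "ssm.amazonaws.com" or ev.get("eventName") != "StartSession":
            continue
        sid = ev.get("responseElements", {}).get("sessionId", "<unknown>")
        # With no documentName, Session Manager uses its default interactive
        # shell document, so a missing value is treated as that document.
        doc = ev.get("requestParameters", {}).get("documentName", "SSM-SessionManagerRunShell")
        principal = ev["userIdentity"]["arn"]
        hour = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour
        if doc not in APPROVED_DOCS:
            findings.append((sid, f"unapproved session document {doc}"))
        if principal not in ALLOWED_PRINCIPALS:
            findings.append((sid, f"unexpected principal {principal}"))
        if not CHANGE_WINDOW_UTC[0] <= hour < CHANGE_WINDOW_UTC[1]:
            findings.append((sid, f"started outside change window ({hour:02d}:00Z)"))
    return findings
```

Pointing the same function at real CloudTrail records means feeding it the parsed "Records" array from the trail's JSON files rather than SAMPLE_EVENTS.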
What are the implications of using a bastion host for SSH access compared to using AWS Systems Manager?
Using a bastion host for SSH access involves managing and securing an additional EC2 instance used as a jump host to access private instances in your VPC. It increases the attack surface and requires keeping the bastion host secure. In comparison, AWS Systems Manager Session Manager eliminates the need for a bastion host, reduces the attack surface, simplifies the management of access keys, and provides centralized logging and audit trails.
Can you explain the role of the SSM Agent when using Systems Manager Session Manager for secure remote access?
The SSM Agent is software that is installed on EC2 instances (or hybrid instances) to enable interaction with AWS Systems Manager. For Session Manager, the agent facilitates the initialization and management of secure sessions to the instance from the AWS Console or CLI, helping to maintain a secure communication channel without the need for open inbound ports or publicly accessible services.
How would you securely manage access to instances in private subnets using Systems Manager Session Manager and VPC endpoints?
To manage access securely, you would:
- Install and configure the SSM Agent on the instances to make them Systems Manager managed.
- Set up an IAM policy to define who can access the instances through Session Manager.
- Create a VPC endpoint for Systems Manager to ensure that all traffic between the VPC and Systems Manager stays within the AWS network, enhancing security by not traversing the public internet.
- Use Session Manager to access the instances securely without the need for a public IP address or inbound security group rules.
Great post on secure remote access methods! SSH and RDP over Systems Manager Session Manager are really essential for AWS security.
I really appreciate the detailed explanation. This was very helpful for my AWS Certified Security Specialty exam preparation.
How does Session Manager improve over traditional SSH?
Thanks for the insights!
Does anyone have experience with using AWS IAM roles for SSH access? How secure is it compared to traditional methods?
This blog was a game-changer for me. I finally understood the importance of using Systems Manager for RDP.
A quick question, is there a performance overhead using Session Manager?
I didn’t find much on troubleshooting SSH access through Session Manager. Any suggestions?