Tutorial / Cram Notes
Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon EC2 instances, on-premises instances, and virtual machines (VMs) through an interactive shell or through automation scripts. It eliminates the need to open inbound ports, manage SSH keys, or use bastion hosts.
Key Concepts
- Session: A connection to your instance for running commands, exploring instance file systems, or for interactive shell access.
- Session Target: The instance or resource you connect to using Session Manager.
- IAM Roles and Policies: AWS Identity and Access Management roles and policies that control who can start or terminate sessions and what actions they can perform during a session.
- Session Data: Input and output data related to a session, which can include commands issued, results returned, and any error messages.
Security Advantages
Session Manager increases security by providing:
- Auditability: All session activity is logged to Amazon S3 or Amazon CloudWatch Logs, ensuring complete visibility into who did what.
- Centralized Access Control: Access to instances is controlled centrally through IAM policies.
- Reduced Attack Surface: With no need to open SSH ports nor manage SSH keys, the attack surface is minimized.
How Session Manager Works
When a user initiates a session, Session Manager communicates with the SSM Agent installed on the target instance. The communication is secured using TLS and can be further encrypted with AWS KMS keys. This ensures the privacy and integrity of your management operations.
Using Session Manager
Starting a Session
To start sessions with an instance you must have the necessary IAM permissions. Typically, this means having ssm:StartSession on the instance.
A session can be started through the AWS Management Console or the AWS CLI:
aws ssm start-session –target instance-id
Session Logging
To log session activity, you have to configure an Amazon S3 bucket or CloudWatch Logs log group and reference them in your SSM documents or AWS Systems Manager preferences.
Interactions During Sessions
While in a session, you can run shell commands, transfer files, or use interactive commands defined by SSM documents.
Best Practices for Using Session Manager
To effectively use Session Manager and align with AWS Certified Security – Specialty (SCS-C02) exam expectations:
- Systematically Manage Permissions: Use least privilege access when assigning IAM roles for Session Manager.
- Enable Session Logging: Always log your sessions for compliance and forensics.
- Validate SSM Agent: Ensure the SSM agent on your instances is up to date for the latest security and functionality.
- Utilize Multi-Factor Authentication: Enforce MFA to add an extra layer of security for IAM users initiating sessions.
Limitations and Considerations
- There is a limit on the number of simultaneous sessions.
- The SSM Agent must have outbound internet access to communicate with the Systems Manager service endpoints.
Conclusion
Understanding Session Manager is imperative for anyone preparing for the AWS Certified Security – Specialty (SCS-C02) exam. The service provides secure, auditable, and easy-to-manage remote management to instances without compromising on security, which aligns with the broad objectives of the exam that emphasize securing AWS workloads.
Leveraging Session Manager within your AWS environment allows you to streamline instance management, enforce stringent security practices, and provides the tooling necessary to conduct comprehensive access audits, which are key concepts to grasp for anyone aiming for the Specialty Security certification.
Practice Test with Explanation
True/False: AWS Systems Manager Session Manager allows you to manage your EC2 instances through a browser-based shell or AWS CLI.
- True
- False
Answer: True
Explanation: The AWS Systems Manager Session Manager provides a browser-based interactive shell and command-line interface to manage EC2 instances without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.
Which of the following is a benefit of using Session Manager?
- It requires a VPN connection.
- It eliminates the need for SSH keys.
- It cannot be integrated with AWS Identity and Access Management (IAM).
- It provides direct access to EC2 instances from the internet.
Answer: It eliminates the need for SSH keys.
Explanation: One of the benefits of using Session Manager is that it eliminates the need for SSH keys by providing a more secure and auditable access method to EC2 instances.
True/False: Session Manager automatically encrypts the session data using the AWS Key Management Service (AWS KMS).
- True
- False
Answer: True
Explanation: Session Manager automatically encrypts session data using AWS KMS, providing an added layer of security for managing your infrastructure.
With Session Manager, you can stream session output to which AWS service for log storage and analysis?
- Amazon S3
- Amazon EC2
- AWS Lambda
- Amazon Kinesis
Answer: Amazon S3
Explanation: Session Manager allows you to stream session output to Amazon S3 buckets for storage, and you can also use Amazon CloudWatch Logs for real-time analysis of session activity.
True/False: You can only access Amazon EC2 instances using Session Manager.
- True
- False
Answer: False
Explanation: Session Manager can be used not only to access Amazon EC2 instances but also on-premises servers and virtual machines (VMs), provided they are configured with Systems Manager.
How does Session Manager help with compliance requirements?
- By automatically creating IAM users.
- By enabling logging and auditing of session activity.
- By providing encryption for data at rest only.
- By allowing unrestricted access to instances.
Answer: By enabling logging and auditing of session activity.
Explanation: Session Manager helps with compliance by enabling detailed logging and auditing of session activity, which can be reviewed for security and governance purposes.
True/False: You must install the SSM Agent on your instances to use Session Manager.
- True
- False
Answer: True
Explanation: To use Session Manager, you must have the SSM Agent installed on your instances. This agent enables communication with the Systems Manager service.
Which IAM policy is recommended for users to access Session Manager sessions for EC2 instances?
- AmazonEC2FullAccess
- AmazonSSMFullAccess
- AmazonSSMSessionManagerRunShell
- AmazonSSMReadOnlyAccess
Answer: AmazonSSMSessionManagerRunShell
Explanation: The AmazonSSMSessionManagerRunShell managed policy provides the necessary permissions for a user to start sessions with EC2 instances using Session Manager.
True/False: You can use Session Manager to connect to an instance without a public IP address.
- True
- False
Answer: True
Explanation: Session Manager allows you to connect to your instances securely without the requirement of a public IP address, as traffic is tunneled through the Systems Manager Agent and AWS infrastructure.
When using Session Manager, which statement is accurate regarding port requirements?
- Inbound SSH ports must be opened on the instances.
- No open inbound ports are required on the instance.
- All inbound ports must be opened for complete functionality.
- Only inbound RDP ports are required for Windows instances.
Answer: No open inbound ports are required on the instance.
Explanation: Session Manager does not require any open inbound ports on the instance, which improves the security posture by reducing potential attack vectors.
True/False: You can integrate AWS Systems Manager Session Manager with AWS CloudTrail for session logging and auditing.
- True
- False
Answer: True
Explanation: Session Manager integrates with AWS CloudTrail to log and audit session activity, contributing to security monitoring and compliance.
Which feature of Session Manager allows you to specify commands that users can run on instances?
- IAM policies
- SSM document permissions
- EC2 security groups
- Session policies
Answer: SSM document permissions
Explanation: SSM documents, used by the Session Manager, specify the commands or actions that users or groups are permitted to perform on instances, enhancing control and security.
Interview Questions
What is AWS Systems Manager Session Manager and what are its primary use cases?
AWS Systems Manager Session Manager is a management console that allows users to manage their instances through browser-based shell sessions. Its primary use cases include providing secure instance management without the need to open inbound ports, maintaining security by not requiring SSH keys or credentials, and offering easy compliance with logging and auditing requirements.
How does Session Manager enhance security compared to traditional SSH access?
Session Manager enhances security by not requiring SSH keys or bastion hosts, thereby reducing the attack surface. Communication between the client and instance is encrypted using TLS, and access control is managed through AWS Identity and Access Management (IAM) policies.
Can you describe how to set up and start a session with an EC2 instance using Session Manager?
To set up a session using Session Manager, first ensure that the AWS Systems Manager Agent (SSM Agent) is installed and running on the instance. The instance also needs the appropriate IAM role with Session Manager permissions. Use the AWS Management Console, the AWS CLI, or the AWS Tools for PowerShell to start a session by selecting the target instance and initiating a session.
What are the permissions required for a user to start a session with an EC2 instance through Session Manager?
A user would need an IAM policy granting the ssm:StartSession permission for the target instances. Policies can also include ssm:TerminateSession to allow the user to end sessions, ssm:ResumeSession to reconnect to disconnected sessions, and other optional permissions depending on required features.
What are some of the logging and auditing features provided by Session Manager?
Session Manager integrates with AWS CloudTrail and Amazon CloudWatch Logs for logging and auditing. It records session activity and provides detailed logs that can be stored indefinitely and used for auditing purposes. Administrators can track commands run in sessions and stream or batch logs to CloudWatch or S
How can an organization ensure that the access to Systems Manager Session Manager is restricted to certain users or groups?
Access can be restricted by creating and applying IAM policies that define which users or groups are allowed to perform actions like starting or ending sessions. These policies can be attached to IAM users, groups, or roles to enforce least privilege access.
Is it possible to use Session Manager for instances not managed by AWS, such as on-premises servers?
Yes, Session Manager can manage on-premises servers or VMs in other cloud environments provided they have the SSM Agent installed and are properly configured to communicate with AWS Systems Manager.
How do you maintain the Systems Manager Agent (SSM Agent) to ensure proper functionality with Session Manager?
The SSM Agent must be installed and kept up to date on the managed instances. AWS provides automatic updates for the agent, but manual updates can also be performed by the user if necessary. Ensuring network connectivity requirements and IAM role permissions are also vital.
What role does the AWS Key Management Service (KMS) play in securing sessions in Session Manager?
AWS KMS can be utilized to encrypt session data. When you enable KMS key encryption for Session Manager, each session’s data is encrypted using the specified KMS key, adding an additional layer of security to the session data.
How can existing command-line tools be used in conjunction with Session Manager?
Users can use the AWS CLI or AWS Tools for PowerShell to interact with Session Manager. After starting a session through one of these tools, the user’s local shell or script can interact with the instance as if commands were being entered on the instance directly.
This post on Systems Manager Session Manager concepts is incredibly useful for my upcoming AWS Certified Security – Specialty exam.
I agree! Understanding Session Manager is crucial for securing EC2 instances without opening inbound ports.
Thanks for sharing this. I needed a deeper dive into IAM roles and permissions for Session Manager.
Is it true that Session Manager can be used for both Linux and Windows instances?
What are some best practices for setting up Session Manager for an enterprise environment?
I appreciate how Session Manager eliminates the need for bastion hosts.
Can Session Manager be integrated with AWS Organizations?
This article was very beneficial. Thanks for putting it together!