Session Manager via VPC EndPoint

Session Manager

For some time I’ve come to rely on AWS’s Session Manager for remote administration of my EC2 instances. The ability to drop into a admin shell with nothing other than a browser is too handy to pass up. Especially when you can begin removing ingress points which can be abused, reducing attack surface is always a laudable goal.

But a recent project hit a use-case I’d not encountered. A truly private subnet, not just no ingress allowed via Security Group, not just a private IP address via NAT gateway; a subnet with no Internet connectivity.

Should still work…

Admittedly, my first instinct was this should still work. I was still connecting to AWS via the web browser, and the instance was still within AWS’s infrastructure. Set everything up as normal, yet no remote connection. Investigation ensured and eventually (with some assistance) came across the explanation – Instances require access to various AWS services, which were unavailable in the configuration described above, and those requirements can be plumbed directly into an otherwise private subnet via VPC EndPoints

To Terraform!

A couple of hours trial and error later, and a working demo environment deployed with Terraform was surprisingly easy.

Basic requirements are:

  • EC2 instance with Session Manager agent installed and active –
    • Amazon2 OS have agent pre-installed
  • IAM instance role with permissions to access ec2Messages, SSM and SSMMessages APIs
    • Native IAM Policy AmazonSSMManagedInstanceCore works nicely
  • VPC EndPoints for the same APIs.

Example VPC configuration:

resource "aws_vpc_endpoint" "ec2messages" {
  vpc_id              = aws_vpc.private.id
  service_name        = "com.amazonaws.eu-west-1.ec2messages"
  vpc_endpoint_type   = "Interface"
  security_group_ids  = [aws_security_group.vpc_ep_sg.id]
  subnet_ids          = [aws_subnet.private.id]
  private_dns_enabled = true
  tags = {
    "Name" = "ec2Messages"
  }
}

If you’d like to play along yourself, my demo deployment is available here, albeit with a caveat…

Deploying the project will incur (minimal) costs, and it was developed rapidly from the sofa, in a single evening, specifically as a quick proof of concept; it works, but I’d definitely recommend further review before deploying into a production environment, do so at your own risk.


Andrew

Leave a comment

Your email address will not be published. Required fields are marked *