Cloud Cost Savers

Using AWS Systems Manager Session Manager to Eliminate the Need for a Bastion Host

Introduction

Bastion hosts have long been a standard solution for managing access to private EC2 instances. While effective, they introduce operational complexity, incur costs, and require continuous maintenance to remain secure.

AWS Systems Manager Session Manager offers an alternative that eliminates the need for bastion hosts entirely. By leveraging Session Manager, you can securely and efficiently access your instances without opening ports, managing SSH keys, or maintaining additional infrastructure.

This article will provide a detailed overview of how to set up Session Manager, its benefits for security, and how it can significantly reduce costs.

What is AWS Systems Manager Session Manager?

AWS Systems Manager Session Manager is a feature of AWS Systems Manager that enables secure, browser-based or CLI-based shell access to EC2 instances without requiring SSH or a bastion host.

Key features include:

Setting Up AWS Systems Manager Session Manager

Configure IAM Roles and Policies

Each EC2 instance requires an IAM role with permissions to interact with Systems Manager.

  1. Attach the following managed policies to an IAM role:
    • AmazonSSMManagedInstanceCore
    • Optionally, add policies for logging, such as CloudWatchAgentServerPolicy.
  2. Assign this role to the EC2 instances you want to manage.

Ensure SSM Agent is Installed and Running

Enable Session Manager in the AWS Console

Navigate to Systems Manager > Session Manager > Preferences to configure session logging and encryption.

Start a Session

Benefits of Using Session Manager

Improved Security

  1. Elimination of Open Ports: By closing SSH (port 22) on all instances, you reduce the attack surface of your infrastructure.
  2. Centralized Access Control: Session Manager uses IAM policies to define who can access instances, reducing the risk associated with managing and sharing SSH keys.
  3. Auditability: Session API calls such as StartSession and TerminateSession are recorded in AWS CloudTrail, and the session content itself can be logged to CloudWatch Logs or S3 once enabled in the Session Manager preferences, giving a detailed audit trail for compliance and troubleshooting.
  4. Encryption by Default: Session traffic is encrypted in transit by default (TLS); enabling AWS Key Management Service (KMS) key encryption in the Session Manager preferences additionally encrypts session data with a key you control.

Streamlined Operations

  1. Simplified Access: Users can initiate a session directly from the AWS Console or CLI without the need for a bastion host or VPN.
  2. Built-in Port Forwarding: Session Manager supports tunneling, enabling secure access to databases and other internal services without additional tools.

How Session Manager Reduces Costs

No Bastion Host Infrastructure

Running a bastion host incurs costs related to the instance itself, storage, and any additional monitoring or security tools. Eliminating bastion hosts can save ~$8/month for a t3.micro instance, multiplied across environments.

No Elastic IPs

Bastion hosts typically require Elastic IPs for connectivity, which add to costs. With Session Manager, instances can reside entirely in private subnets, avoiding these charges.

Reduced Administrative Overhead

Maintaining bastion hosts involves patching, monitoring, and key management. By removing these tasks, operational costs decrease, and engineering resources can focus on higher-value activities.

Consolidated Logging

Session Manager automatically logs all activity, reducing the need for third-party logging solutions or custom monitoring scripts.

Best Practices for Using Session Manager

  1. Enable Logging: Configure session logging to an S3 bucket or CloudWatch Logs to maintain a comprehensive audit trail.
  2. Integrate with Parameter Store: Use AWS Parameter Store to securely manage sensitive data, such as application credentials, accessed during sessions.
  3. Restrict IAM Policies: Grant least privilege access to Session Manager by carefully designing IAM roles and policies.
  4. Use Port Forwarding for Private Resources: Leverage the port forwarding feature to access databases or internal services securely without exposing them publicly.
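As an added example that is not part of the original article, the following Python encodes the least-privilege pattern from item 3 (and the centralized access control discussed earlier): ssm:StartSession is allowed only for instances carrying a specific tag and only through the SSM-SessionManagerRunShell document, with a simplified evaluator showing why both statements are required. The account ID, region, tag key/value and instance IDs are constructed assumptions, and the evaluator is not the IAM policy engine.

```python
"""Simplified evaluator for a least-privilege Session Manager policy.
Account, region, instance IDs and tags are constructed sample values; the
evaluator approximates IAM only for the two condition operators used here."""
import fnmatch

ACCOUNT, REGION = "123456789012", "us-east-1"
SHELL_DOC = f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/SSM-SessionManagerRunShell"
# Tightened policy: sessions only to instances tagged Environment=dev, and only
# with the shell document. ssm:SessionDocumentAccessCheck makes IAM evaluate
# the document ARN, so callers cannot choose an arbitrary session document.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:StartSession"],
         "Resource": [f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*"],
         "Condition": {"StringEquals": {"ssm:resourceTag/Environment": "dev"}}},
        {"Effect": "Allow", "Action": ["ssm:StartSession"],
         "Resource": [SHELL_DOC],
         "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}},
        {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
         "Resource": ["arn:aws:ssm:*:*:session/${aws:username}-*"]},
    ],
}


def _statement_allows(stmt, action, resource, context):
    """True if one Allow statement matches action, resource and conditions."""
    if action not in stmt["Action"]:
        return False
    if not any(fnmatch.fnmatchcase(resource, pattern) for pattern in stmt["Resource"]):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)  # missing key: StringEquals fails, BoolIfExists passes
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "BoolIfExists" and actual is not None and str(actual).lower() != expected:
                return False
    return True


def start_session_allowed(instance_id, instance_tags, document_arn=SHELL_DOC):
    """StartSession needs an Allow for BOTH the instance ARN and the document ARN."""
    instance_arn = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{instance_id}"
    tag_ctx = {f"ssm:resourceTag/{k}": v for k, v in instance_tags.items()}
    doc_ctx = {"ssm:SessionDocumentAccessCheck": True}
    stmts = POLICY["Statement"]
    instance_ok = any(_statement_allows(s, "ssm:StartSession", instance_arn, tag_ctx) for s in stmts)
    document_ok = any(_statement_allows(s, "ssm:StartSession", document_arn, doc_ctx) for s in stmts)
    return instance_ok and document_ok
```

Run the real policy through the IAM Policy Simulator before attaching it; the evaluator above only models the tag and document checks.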

Why Replace Bastion Hosts with Session Manager?

By removing the need for bastion hosts, Session Manager simplifies infrastructure, improves security, and reduces costs. Key advantages include:

Conclusion

AWS Systems Manager Session Manager is a robust solution for managing EC2 instances without relying on bastion hosts. It provides secure, auditable access while reducing costs and operational complexity.

If your AWS environment still relies on bastion hosts, consider transitioning to Session Manager. The improved security, cost savings, and simplicity make it a compelling choice for modern infrastructure management.
