A platform that provides researchers with one-click access to collaborative workspace environments operating across teams, universities, and datasets while enabling university IT stakeholders to manage, monitor, and control spending, apply security best practices, and comply with corporate governance.
Is your feature request related to a problem? Please describe.
Currently Service Workbench uses EC2 Instance Connect to push SSH keys to Linux instances, and opens up ports for the user's current IP address (or other CIDR they supply).
If the user enters an arbitrarily large CIDR (such as 0.0.0.0/0), the security of the instance can potentially be compromised.
Logging or auditing commands entered during an SSH session might technically be possible, but would require additional software and/or configuration in the AMI.
Describe the solution you'd like
AWS offers the free Session Manager product as part of Systems Manager, which provides SSH-like interaction with instances, over HTTPS with access controlled by IAM, with logging (to CloudWatch or S3) of all commands entered. This requires no ports to be opened and also provides auditing of sessions via CloudTrail.
Describe alternatives you've considered
n/a
Additional context
Session Manager could potentially be offered as another 'connection' option that could be enabled either alongside, or instead of, SSH.
I'm not sure of the best way to handle authentication, however. In a test env I've set up federated access via Okta to both Service Workbench and AWS and am using Session Manager with that; however, without federation it might need further thought.
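One defender-side mitigation for the CIDR concern raised above, while SSH via Instance Connect remains an option, is to validate the user-supplied CIDR before it is written into a security group rule. The following is an added example in JavaScript (the language Service Workbench is written in); it is not the project's own code. The `/24` minimum prefix length is an assumed policy value, and the sample CIDRs used in the comments are constructed documentation addresses.

```javascript
// Validate an IPv4 CIDR a user supplies for an SSH ingress rule.
// Added example, not Service Workbench code. MIN_PREFIX is an assumed
// policy value: never open SSH to anything wider than a /24.
const MIN_PREFIX = 24;

// Parse dotted-quad IPv4 into an unsigned 32-bit integer, or null if malformed.
function parseIpv4(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  if (octets.some((o) => Number.isNaN(o) || o > 255)) return null;
  return ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
}

// Returns { ok: true, cidr, hostCount } for an acceptable rule, or
// { ok: false, reason } explaining why the CIDR was rejected.
function validateSshCidr(cidr) {
  const m = /^([0-9.]+)\/(\d{1,2})$/.exec(String(cidr).trim());
  if (!m) return { ok: false, reason: 'malformed CIDR; expected a.b.c.d/n' };

  const addr = parseIpv4(m[1]);
  const prefix = Number(m[2]);
  if (addr === null || prefix > 32) {
    return { ok: false, reason: 'invalid address or prefix length' };
  }
  // 0.0.0.0/0 (or any /0) exposes the SSH port to the whole internet.
  if (prefix === 0) {
    return { ok: false, reason: 'a /0 would expose SSH to the whole internet' };
  }
  // Anything wider than the policy minimum is rejected, e.g. 10.0.0.0/8.
  if (prefix < MIN_PREFIX) {
    return { ok: false, reason: `prefix /${prefix} is wider than the allowed minimum /${MIN_PREFIX}` };
  }
  // Reject CIDRs with host bits set (e.g. 198.51.100.5/24): the user most
  // likely meant either their single address (/32) or the network address.
  const mask = prefix === 32 ? 0xffffffff : (~(0xffffffff >>> prefix)) >>> 0;
  if (((addr & mask) >>> 0) !== addr) {
    return { ok: false, reason: 'host bits set; use the network address or a /32' };
  }
  return { ok: true, cidr: `${m[1]}/${prefix}`, hostCount: 2 ** (32 - prefix) };
}

module.exports = { MIN_PREFIX, parseIpv4, validateSshCidr };
```

The safest default remains the caller's single address as a `/32`, which is what the current "user's current IP" path produces; the check above only constrains the free-form CIDR input. Session Manager, as proposed in the issue, removes the need for this rule entirely because no inbound port is opened at all.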