Open an SSH connection to your EC2 instances via AWS SSM without the need to open any SSH port in your security groups. The SSH traffic is tunneled through an SSM Session Manager session (document `AWS-StartSSHSession`), so the instance needs neither a public IP nor an inbound rule for port 22.

## Prerequisites

### Local Setup

- Install the AWS CLI: `brew install awscli`
- Install the Session Manager plugin: `brew install session-manager-plugin`
- Ensure the IAM user/role has the following permissions:
  - `ssm:StartSession` for DocumentName `AWS-StartSSHSession` and the target instance
  - `ssm:SendCommand` for DocumentName `AWS-RunShellScript` and the target instance. This is what pushes your public key to the instance; be aware that the same grant lets the holder run arbitrary commands as root on that instance.

### Instance Setup

- Ensure the instance profile allows the SSM agent to register with Systems Manager (the AWS managed policy `AmazonSSMManagedInstanceCore` is sufficient).
- Ensure the latest SSM agent is installed and running on the target instance (RPM-based distributions such as Amazon Linux):
  ```
  yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm && service amazon-ssm-agent restart
  ```
## Setup

- Install the proxy command script:
  - copy `aws-ssm-ec2-proxy-command.sh` to `~/.ssh/aws-ssm-ec2-proxy-command.sh`
  - make it executable: `chmod +x ~/.ssh/aws-ssm-ec2-proxy-command.sh`
- Set up the SSH config: add the following entry to `~/.ssh/config`. Adjust the key file path if needed.
  ```
  host i-* mi-*
    IdentityFile ~/.ssh/id_rsa
    ProxyCommand ~/.ssh/aws-ssm-ec2-proxy-command.sh %h %r %p ~/.ssh/id_rsa.pub
    StrictHostKeyChecking no
  ```
  `i-*` matches EC2 instance IDs and `mi-*` SSM managed (hybrid) instance IDs. ssh expands `%h`, `%r` and `%p` to the host name (the instance ID), the remote user and the port; the last argument is the public key that the script pushes to the instance. `StrictHostKeyChecking no` is set because host keys change whenever an instance is replaced; the tunnel itself is authenticated by your AWS credentials. If you also want to keep stale keys out of `~/.ssh/known_hosts`, add `UserKnownHostsFile /dev/null` to the same block.
- Ensure the AWS CLI environment variables are set properly, e.g. `export AWS_PROFILE=default`, or per invocation: `AWS_PROFILE=default ssh ... <INSTANCE_USER>@<INSTANCE_ID>`
- If your default region does not match the instance region, append the region to the host name: `<INSTANCE_USER>@<INSTANCE_ID>--<INSTANCE_REGION>`
## Open SSH Connection

- `ssh <INSTANCE_USER>@<INSTANCE_ID>`
- e.g. `ssh ec2-user@i-1234567890`

### Alternative usage without ssh config

```
ssh <INSTANCE_USER>@<INSTANCE_ID> \
  -i "~/.ssh/id_rsa" \
  -o ProxyCommand="~/.ssh/aws-ssm-ec2-proxy-command.sh %h %r %p ~/.ssh/id_rsa.pub"
```
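The following is an added example, not the project's own `aws-ssm-ec2-proxy-command.sh`: a minimal ProxyCommand that implements the flow the setup above relies on. It assumes the AWS CLI and the Session Manager plugin are installed, that the caller's credentials allow `ssm:SendCommand` (`AWS-RunShellScript`) and `ssm:StartSession` (`AWS-StartSSHSession`) on the target, and that the instance runs Linux with `getent`. The 10-second key lifetime and the `ssm-session` key comment are choices made here for illustration.

```shell
#!/usr/bin/env sh
# Added example (not the project's script). ssh invokes it as:
#   proxy.sh <instance-id>[--<region>] <user> <port> <pubkey-path>
# Step 1 pushes the public key into the target user's authorized_keys for a
# short window via ssm:SendCommand; step 2 opens the SSM port tunnel that ssh
# then talks through. Assumes AWS CLI + session-manager-plugin are installed.
set -eu

# "i-0123--eu-west-1" -> "i-0123"
target_instance_id() {
  printf '%s\n' "${1%%--*}"
}

# "i-0123--eu-west-1" -> "eu-west-1"; empty when no region suffix is given
target_region() {
  case "$1" in
    *--*) printf '%s\n' "${1#*--}" ;;
    *)    printf '\n' ;;
  esac
}

# Script that SSM runs as root on the instance: append the key to the target
# user's authorized_keys, wait for ssh to connect, then remove exactly that
# line again so the grant is one-shot. Delivery is asynchronous, so the
# window starts when the agent runs this, not when send-command returns.
build_authorize_script() {
  ssh_user="$1"; pubkey="$2"; ttl="$3"
  cat <<EOF
set -e
home=\$(getent passwd '${ssh_user}' | cut -d: -f6)
[ -n "\$home" ] || exit 1
mkdir -p "\$home/.ssh"
chown '${ssh_user}' "\$home/.ssh"
chmod 700 "\$home/.ssh"
key='${pubkey} ssm-session'
printf '%s\n' "\$key" >> "\$home/.ssh/authorized_keys"
chown '${ssh_user}' "\$home/.ssh/authorized_keys"
chmod 600 "\$home/.ssh/authorized_keys"
sleep ${ttl}
grep -v -F -e "\$key" "\$home/.ssh/authorized_keys" > "\$home/.ssh/.authorized_keys.tmp" || true
cat "\$home/.ssh/.authorized_keys.tmp" > "\$home/.ssh/authorized_keys"
rm -f "\$home/.ssh/.authorized_keys.tmp"
EOF
}

# stdin: shell lines; stdout: JSON array of strings, one element per line.
# AWS-RunShellScript takes "commands" as a list, and JSON avoids the
# comma/quote pitfalls of the CLI's shorthand syntax.
to_json_list() {
  printf '['
  sep=''
  while IFS= read -r line; do
    esc=$(printf '%s' "$line" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '%s"%s"' "$sep" "$esc"
    sep=','
  done
  printf ']\n'
}

main() {
  target="$1"; ssh_user="$2"; ssh_port="$3"; pubkey_path="$4"
  instance_id=$(target_instance_id "$target")
  region=$(target_region "$target")
  if [ -n "$region" ]; then
    export AWS_DEFAULT_REGION="$region" AWS_REGION="$region"
  fi
  pubkey=$(cat "$pubkey_path")
  commands=$(build_authorize_script "$ssh_user" "$pubkey" 10 | to_json_list)

  # 1. Push the key. stdout of a ProxyCommand IS the SSH transport, so the
  #    CLI's response must not reach it; errors still go to stderr.
  aws ssm send-command \
    --instance-ids "$instance_id" \
    --document-name AWS-RunShellScript \
    --comment "one-shot ssh key for ${ssh_user}" \
    --parameters "{\"commands\":${commands}}" >/dev/null

  # 2. Hand ssh a tunnel to the instance's sshd over SSM (no inbound port).
  exec aws ssm start-session \
    --target "$instance_id" \
    --document-name AWS-StartSSHSession \
    --parameters "portNumber=${ssh_port}"
}

# Only act when invoked with ssh's four arguments.
if [ "$#" -eq 4 ]; then
  main "$@"
fi
```

Drop it in as `~/.ssh/aws-ssm-ec2-proxy-command.sh` with the config block above and `ssh ec2-user@i-1234567890--eu-west-1` will push the key, open the tunnel and log in. Because `send-command` is authorized against `AWS-RunShellScript`, the script runs as root on the instance, which is exactly the grant the Instance Connect variant below avoids.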
## EC2 Instance Connect Variant

This variant pushes your public key with `ec2-instance-connect:SendSSHPublicKey` instead of `ssm:SendCommand`; the SSH session itself is still tunneled through SSM.

The advantage from a security perspective is that you don't need to grant `ssm:SendCommand` to users, and thereby the permission to execute everything as root. Instead you only grant `ec2-instance-connect:SendSSHPublicKey` permission for a specific instance user, e.g. `ec2-user`. A key pushed this way is accepted by sshd for 60 seconds and is never written to `authorized_keys`. The instance needs the `ec2-instance-connect` package (preinstalled on Amazon Linux 2).

### Prerequisites

- Ensure the IAM user/role has the following permissions:
  - `ssm:StartSession` for DocumentName `AWS-StartSSHSession` and the target instance
  - `ec2-instance-connect:SendSSHPublicKey` for the target instance
    - Adjust the condition key `ec2:osuser` to match your needs. Default is `ec2-user`.
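To make the difference between the two permission sets concrete, here is an added example (not part of the project) that emits a least-privilege IAM policy for each variant described on this page: the `ssm:SendCommand` one under Prerequisites and the `ec2-instance-connect:SendSSHPublicKey` one above. Account ID, region, instance ID and OS user are parameters; the ARN forms, the `ssm:SessionDocumentAccessCheck` and `ec2:osuser` condition keys are the ones AWS documents. Sids are illustrative.

```shell
#!/usr/bin/env sh
# Added example (not the project's code): print IAM policies for the two
# key-push variants side by side. Usage:
#   policies.sh <account-id> <region> <instance-id> <osuser>
# prints the Instance Connect variant; save it and attach with e.g.
#   aws iam put-user-policy --user-name alice --policy-name ssh-over-ssm \
#       --policy-document file://policy.json
set -eu

# Shared statement: open an SSM session using only the SSH tunnel document.
# SessionDocumentAccessCheck makes IAM require the document ARN to be listed,
# so the grant cannot be used with a shell document such as AWS-StartInteractiveCommand.
start_session_statement() {
  account="$1"; region="$2"; instance="$3"
  cat <<EOF
    {
      "Sid": "SshTunnelOverSsm",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:${region}:${account}:instance/${instance}",
        "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
      ],
      "Condition": { "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" } }
    }
EOF
}

# Variant 1: key push via ssm:SendCommand with AWS-RunShellScript. Whoever
# holds this can run any command as root on the instance, not only add a key.
policy_send_command() {
  account="$1"; region="$2"; instance="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
$(start_session_statement "$account" "$region" "$instance"),
    {
      "Sid": "PushKeyAsRoot",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": [
        "arn:aws:ec2:${region}:${account}:instance/${instance}",
        "arn:aws:ssm:*:*:document/AWS-RunShellScript"
      ]
    }
  ]
}
EOF
}

# Variant 2: key push via EC2 Instance Connect. The ec2:osuser condition pins
# the grant to one OS user, so it cannot be turned into root access.
policy_instance_connect() {
  account="$1"; region="$2"; instance="$3"; osuser="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
$(start_session_statement "$account" "$region" "$instance"),
    {
      "Sid": "PushKeyForOneOsUser",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "arn:aws:ec2:${region}:${account}:instance/${instance}",
      "Condition": { "StringEquals": { "ec2:osuser": "${osuser}" } }
    }
  ]
}
EOF
}

if [ "$#" -eq 4 ]; then
  policy_instance_connect "$@"
fi
```

Both policies scope `ssm:StartSession` to the instance and to `AWS-StartSSHSession` only; the only thing that changes is how the key gets onto the box, and with variant 2 that path is bounded by `ec2:osuser` instead of by a root shell.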