SSM

AWS SSM documents and SSM session-start command to ssh directly to an instance without using the ssh keys

Assuming you have a role with the necessary permissions, you can list the InstanceId of each instance, together with its Name tag if present, within the region you define.

aws-ec2-list-all-ec2-instance-and-their-tag-name

# List every instance ID in the current region, then print each ID next to its Name tag (if it has one)
for instance in $(aws ec2 describe-instances | jq -r '.Reservations[].Instances[].InstanceId' ); do
    echo "${instance} : $(aws ec2 describe-instances --instance-ids ${instance} | jq '.Reservations[].Instances[].Tags[] | select(.Key == "Name")|.Value') "
done

("ping me" if you know how to simplify the above command with the AWS CLI's native --query option)

Then you can run various AWS Systems Manager documents (SSM documents) against one or more "target" instances.

docs here - https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-ssm-docs.html


aws-ssm-list-documents-example

If you prefer the AWS CLI, you can list available documents.

aws ssm list-documents

docs here - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ssm/list-documents.html


example-using-aws-ssm-start-session

docs here - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ssm/start-session.html

aws ssm start-session --target i-123456789012

by-antonio-feijao-uk

Thank you for your time and happy learning,

Antonio Feijao

AWS SSM command to tunnel proxy network traffic to another remote instance

If you have access to an instance (server, virtual machine) in AWS, and this instance can reach other applications, you can use this machine to proxy traffic from your local laptop (desktop or server) to the specified host.

requirements

Your local laptop needs permission to use the AWS SSM agent: an AWS STS role or temporary token.

Your local laptop connects to the instance in AWS, which then forwards the traffic to the host specified in the command.

If you do not specify a remote host, the tunnel ends at a local port on your AWS instance itself.

example

Example; adjust as needed.

Connect to ${INSTANCE_ID} and tunnel (forward, proxy) traffic to the remote IP 192.168.0.10.

INSTANCE_ID="i-123456789012345"

aws ssm start-session \
    --target ${INSTANCE_ID} \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters '{ "host":["192.168.0.10"], "portNumber":["443"], "localPortNumber":["8443"] }'

documentation


antonio feijao uk

Happy learning,

Antonio Feijao

AWS Systems Manager or AWS SSM to create a private Networking tunnel to resources in the private subnet

Prerequisite

You need the AWS SSM agent installed on your laptop/desktop - documentation here https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html

AWS SSM: create a tunnel to a Linux instance in an AWS private subnet

1) Assume a role in the account

2) Get the instance ID you want to tunnel to

3) Start a session with AWS SSM agent

Sample commands for creating a tunnel from port 5222 on my PC/laptop localhost to the instance's SSH port (22, as set in the command below)

# Using a variable, so easier to reuse the command

instance_id="i-Xxxxxx"


# Sample command for creating a tunnel to the instance on port 22 and my PC/laptop localhost on port 5222

aws ssm start-session --target ${instance_id} \
    --document-name AWS-StartPortForwardingSession \
    --parameters portNumber="22",localPortNumber="5222" \
    --region eu-west-2

After creating the tunnel to the instance, you still need a valid SSH key to SSH into the EC2 instance.

Via SSM in the console, you could add your public key to the authorized_keys file - here is another website explaining that: https://www.ssh.com/academy/ssh/authorized-keys-file


Example using AWS SSM to create a private networking tunnel to use as remote desktop into a Windows instance in a private subnet

Sample command for creating a tunnel to the instance on port 3389 and my PC/laptop localhost on port 5222

Same steps 1) and 2) as above.

3) Create the tunnel with the RDP port as a destination portNumber

# Using a variable, so easier to reuse the command

instance_id="i-Xxxxxx"


# Sample command for creating a tunnel to the instance on port 3389 (RDP) and my PC/laptop localhost on port 5222

aws ssm start-session --target ${instance_id} \
    --document-name AWS-StartPortForwardingSession \
    --parameters portNumber="3389",localPortNumber="5222" \
    --region eu-west-2

Now, using your favourite remote desktop application, you can RDP to localhost:5222, which will be tunneled into the Windows instance in the private subnet on port 3389.
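The two tunnel shapes on this page (AWS-StartPortForwardingSession when the tunnel ends on the instance, AWS-StartPortForwardingSessionToRemoteHost when the instance relays to another host) differ only in the document name and the parameters JSON. The shell helper below is added here and is not part of Antonio's original post: it validates the instance ID, ports and host, picks the right document, and prints the start-session command so it doubles as a dry run before you run it for real. The instance ID, ports and host in the usage line are constructed sample values.

```shell
# Build the `aws ssm start-session` invocation for a port-forwarding tunnel.
# Usage: ssm_tunnel_cmd INSTANCE_ID REMOTE_PORT LOCAL_PORT [REMOTE_HOST]
# Prints the command on stdout and returns non-zero on bad input (dry run only:
# nothing is executed, so it is safe to check the result before running it).
ssm_tunnel_cmd() {
    instance_id=$1; remote_port=$2; local_port=$3; remote_host=${4:-}

    # EC2 instance IDs are "i-" followed by hex characters (8 legacy, 17 current).
    printf '%s' "$instance_id" | grep -Eq '^i-[0-9a-f]{8,17}$' \
        || { echo "bad instance id: $instance_id" >&2; return 1; }

    # Both ports must be plain integers in the TCP range 1-65535.
    for p in "$remote_port" "$local_port"; do
        { printf '%s' "$p" | grep -Eq '^[0-9]{1,5}$' && [ "$p" -ge 1 ] && [ "$p" -le 65535 ]; } \
            || { echo "bad port: $p" >&2; return 1; }
    done
    # Privileged local ports would need root on the laptop; stay at 1024 or above.
    [ "$local_port" -ge 1024 ] \
        || { echo "local port $local_port is privileged; use 1024 or above" >&2; return 1; }

    if [ -z "$remote_host" ]; then
        # No remote host: the tunnel terminates on the instance itself.
        doc=AWS-StartPortForwardingSession
        params="{\"portNumber\":[\"$remote_port\"],\"localPortNumber\":[\"$local_port\"]}"
    else
        # Only hostname/IP characters, so the value cannot break the JSON or the quoting.
        case $remote_host in
            *[!A-Za-z0-9.-]*) echo "bad host: $remote_host" >&2; return 1;;
        esac
        doc=AWS-StartPortForwardingSessionToRemoteHost
        params="{\"host\":[\"$remote_host\"],\"portNumber\":[\"$remote_port\"],\"localPortNumber\":[\"$local_port\"]}"
    fi

    printf "aws ssm start-session --target %s --document-name %s --parameters '%s'\n" \
        "$instance_id" "$doc" "$params"
}

# Constructed sample: relay from local 8443 through the instance to 192.168.0.10:443.
ssm_tunnel_cmd i-0123456789abcdef0 443 8443 192.168.0.10
```

Add `--region` and `--profile` to the printed command as needed, exactly as in the examples above; pipe the output into `sh` only once you are happy with it.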


Additional documentation

  • "Port Forwarding Using AWS System Manager Session Manager" - https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/

  • "... Tunnel through AWS Systems Manager to access my private VPC resources" - https://aws.amazon.com/premiumsupport/knowledge-center/systems-manager-ssh-vpc-resources/