MMS • RSS
Amazon released a new Session Manager in the AWS Systems Manager. This new session manager will provide a new of way of shell-level access to EC2 instances. IT Administrators can now use a new browser-based interactive shell and a command-line interface (CLI) to manage their Windows and Linux instances.
In the past, Amazon has already provided a secure option for shell-level access to EC2 instances with the AWS Systems Manager Run Command – allowing to create command documents and run them on any desired set of EC2 instances, including Linux and Windows. Moreover, these commands run asynchronously and the output is captured for review. Now with the new Session Manager in AWS System Manager, IT administrators will have a browser-based UI and CLI for it.
According to the release announcement, the new browser-based session manager will provide the following capabilities:
- Secure Access – No need to manually set up user accounts, passwords or SSH keys on the instances and IT Administrators don’t have to open any inbound ports.
- Access Control – IT Administrators can use IAM policies and users to control access to their instances and don’t need to distribute SSH keys.
- Auditability – Commands and responses can be logged to Amazon CloudWatch and an S3 bucket.
- Interactivity – Commands are executed synchronously in a full interactive bash (Linux) or PowerShell (Windows) environment.
- Programming and Scripting – In addition to the console access, IT Administrators can also initiate sessions from the command line (aws ssm …) or via the Session Manager APIs.
Access to EC2 instances with the new Session Manager require an SSM agent on the instances, provided the agent’s version is 2.3.12 or above. Furthermore, the agent must be able to connect to Session Manager’s public endpoint or through a PrivateLink connection in case of no internet access or public available IP address. For security purposes, the instance role on each instance must reference a policy to allow access to the appropriate services. With these prerequisites in place, an IT administrator can specify preferences for the session to an instance – for instance, to write the session output to an S3 bucket, and sending the output to CloudWatch Logs. Subsequently, the IT administrator can start a session in an instance.
Once a session starts, the IT administrator can issue commands in a session and examine log streams (each stream represents one session) in CloudWatch later.
The Session Manager is available in all AWS regions (including AWS GovCloud) at no extra charge. Furthermore, Amazon is planning additional features for the Session Manager, such as an SSH client and access to on-premise instances. More details on the Session Manager are available in the AWS Documentation.