
I have an EC2 instance running with the following networking setup:

  • it resides in a public subnet with an Internet Gateway attached
  • it has a security group attached with an outbound rule to allow all traffic (all ports on 0.0.0.0/0)

According to the documentation, it should be possible to connect to the instance using AWS Session Manager:

In order for your managed instances and the Systems Manager service to communicate with each other, you must do one of the following:

  • Configure Systems Manager to use an interface Virtual Private Cloud (VPC) endpoint
  • Enable outbound internet access on your managed instances

Note: Enabling inbound internet access is not required.

(source: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-prereqs.html)

But when I'm trying to connect with Session Manager, the connection is not initialized (a black screen shows up but it stays empty).

If I enable all inbound traffic in the security group (by adding an inbound rule on all ports on 0.0.0.0/0), then Session Manager works properly. But it should not be required, and of course I want to avoid it for security reasons.

So what is wrong in the setup?

Jacek Barecki
  • Confirm that your instance *does have* a public IP address? That is a requirement implied by *it resides in a public subnet with an Internet Gateway attached*. I can't imagine that not being the case, but would like to clarify. – Michael - sqlbot Mar 17 '19 at 16:30
  • Yes, it has a public IP address – Jacek Barecki Mar 18 '19 at 04:47
  • [Edited to remove the recentness reference, SSH tunneling support is new]. Hard to tell why you are running into issues; if you can provide a reproducible template I can take a look. Alternatively, I recently wrote a blog post that may be of interest to you: https://aws.amazon.com/blogs/infrastructure-and-automation/toward-a-bastion-less-world/. I provide an example of connecting to an instance in a private subnet without requiring open ports or a key pair. – vsnyc Aug 06 '19 at 02:01

2 Answers

As I understand it, you did not configure a VPC Endpoint. A VPC Endpoint is an interface that enables you to use AWS services through the private AWS network (not through the internet). Therefore you do not need to enable the inbound rule; AWS Systems Manager connects to your EC2 instance via the VPC Endpoint (it is a secure and recommended way of connecting). However, when you allow an inbound rule in the Security Group, it connects to your instance through the internet, and that is not secure. So use the VPC Endpoint interface. It is not so hard to use; you can refer to the VPC Endpoint AWS Systems Manager documentation.

Gor Kotikyan
  • Yes, that's also an option, but the AWS docs state that "one of the following" is required: either a VPC endpoint or enabling outbound internet access. The downside of a VPC endpoint is its cost. – Jacek Barecki Mar 18 '19 at 04:46
  • Could you clarify? When you enable only outbound rules, do you have internet access in your EC2 instance? For instance, are you able to communicate with other websites or services from within EC2? – Gor Kotikyan Mar 18 '19 at 06:36


The AWS Session Manager service does not initiate a TCP connection to your instances. The instances initiate connections to the AWS Systems Manager service endpoints (ssm, ssmmessages, ec2messages). Therefore you need to open outbound traffic from the instances to the corresponding services (either on the Internet or on your Systems Manager VPC endpoint).

In order to allow your instances to call the SSM endpoints, you need to provide credentials, since all communication to AWS service endpoints is SigV4 protected. The best way to do so (for EC2 instances) is to create a corresponding IAM role and attach it to the instances using the instance profile.

The problem you were describing might have had multiple reasons, but the EC2 instance inbound Security Group rules did not have an impact on the outcome. In a lot of debugging sessions there were no SSM roles attached to the instances.

gekart
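A diagnostic script, added here as an example and not part of either answer, that checks from on the instance the two prerequisites this answer names: outbound HTTPS reachability to the ssm, ssmmessages and ec2messages endpoints, and an attached instance profile as reported by the instance metadata service (IMDSv2). The regional endpoint naming pattern and the IMDS paths are standard AWS ones; the script name is hypothetical.

```shell
#!/usr/bin/env bash
# Example diagnostic for the SSM Agent prerequisites discussed above.
# Run on the EC2 instance itself:  ./ssm_check.sh --run
set -u

IMDS="http://169.254.169.254/latest"

# Print the regional endpoint hostnames the SSM Agent must reach on TCP 443.
ssm_endpoints() {
  region="$1"
  for svc in ssm ssmmessages ec2messages; do
    echo "${svc}.${region}.amazonaws.com"
  done
}

# Return 0 if the IMDS iam/info document shows an attached instance profile.
# The document is passed in as text so the parsing can be checked offline.
has_instance_profile() {
  printf '%s' "$1" | grep -q '"InstanceProfileArn"'
}

# Return 0 if a TLS connection to https://<host>/ can be established.
# Without -f, curl exits 0 on any HTTP response; exit codes such as
# 7 (connect failed) or 28 (timeout) mean the egress path is blocked.
endpoint_reachable() {
  curl -s -m 5 -o /dev/null "https://$1/"
}

run_checks() {
  token=$(curl -s -m 2 -X PUT "$IMDS/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60") \
    || { echo "IMDS unreachable: not running on EC2?"; return 1; }
  hdr="X-aws-ec2-metadata-token: $token"
  region=$(curl -s -H "$hdr" "$IMDS/meta-data/placement/region")
  iam_info=$(curl -s -H "$hdr" "$IMDS/meta-data/iam/info")
  rc=0
  if has_instance_profile "$iam_info"; then
    echo "OK   instance profile attached"
  else
    echo "FAIL no instance profile attached (agent cannot sign SigV4 requests)"; rc=1
  fi
  for host in $(ssm_endpoints "$region"); do
    if endpoint_reachable "$host"; then echo "OK   $host:443 reachable"
    else echo "FAIL $host:443 unreachable (check outbound SG, NACL, route)"; rc=1; fi
  done
  return $rc
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

A FAIL on the instance-profile line matches the most common cause this answer reports; a FAIL on an endpoint line points at the egress path rather than inbound rules.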