How to Setup
In order to perform SCP and SSH operations from your local host to the remote cloud asset, you will need to perform the following setup steps:

- Install or Update Systems Manager Agent on your EC2 instance – Most importantly, these new capabilities require the newest SSM agents to be running on your cloud assets. If you were already running the Systems Manager agent, you must upgrade.
- Create IAM Instance Profile – You must grant IAM permissions to allow Systems Manager to perform actions on your systems.
- Update to the latest AWS CLI – An updated command line interface is required on your local host in order to use these new Session Manager features.
- Install the Session Manager Plugin – This plugin allows the AWS CLI to launch Session Manager sessions from your local SSH client.
- Update local host SSH config – The tricky portion of this setup involves altering your local host SSH configuration so that connections to any AWS EC2 instance-id are proxied through Session Manager.
For Linux:
You will typically find your SSH config file at ~/.ssh/config. Add the following to the SSH config file:

    # SSH over Session Manager
    host i-* mi-*
        ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
For Windows:
The OpenSSH Client is available as an installable component in newer versions of Windows; see this link for further information on installation. You will typically find your SSH config file at C:\Users\username\.ssh\config, though the .ssh directory will not exist until ssh has been used. Add the following to the SSH config file:

    # SSH over Session Manager
    host i-* mi-*
        ProxyCommand C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p"
How to Use
Once these steps are complete, you will be ready to initiate SSH and SCP connections to your cloud assets directly from your local machine.

Obtain the instance-id of the cloud asset. This can be done via the AWS management console or with the AWS CLI command "aws ec2 describe-instances", and it will have a format similar to "i-0ba3d05e2b6c0fb36".

SSH can be performed as normal using the instance-id as the hostname, and many SSH command line switches can be used. For example, providing a key with the -i switch can be done like so (substitute your remote username for <user>):

    $ ssh -i dev.key <user>@i-0ba3d05e2b6c0fb36
    Last login: Thu Jul 13 14:45:21 2019 from ::1
    [<user>@<host> ~]$

SCP may now be used as well for copying files onto the remote system without the need for an intermediate step:

    $ scp /Users/blayer/bugfix.tar.gz <user>@i-0ba3d05e2b6c0fb36:/dir/fix.tar.gz
    bugfix.tar.gz                                100%   18KB 106.2KB/s   00:00
    $

Best of all, these connections are secured by IAM access and generate CloudTrail events for logging and monitoring. While immutable infrastructure is a desired goal for multiple reasons, many will find themselves with a need to access or alter systems running live. AWS Systems Manager Session Manager allows this capability without the need for additional firewall ingress or bastion hosts.
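Because every SSH or SCP tunnel is a Session Manager StartSession call, the CloudTrail records it generates can be filtered for the AWS-StartSSHSession document to see who opened an SSH tunnel to which instance. The following is an added example (not from the original post or from AWS); the sample records are constructed, with a placeholder account id and TEST-NET source addresses, and assume the standard CloudTrail record layout.

```python
import json

# Constructed sample CloudTrail export: two StartSession calls (one SSH tunnel,
# one plain interactive shell) and an unrelated EC2 call. Account id and IPs are
# placeholders; field names follow the CloudTrail record layout.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "eventTime": "2019-07-13T21:45:20Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/blayer"},
     "requestParameters": {"target": "i-0ba3d05e2b6c0fb36",
                           "documentName": "AWS-StartSSHSession",
                           "parameters": {"portNumber": ["22"]}},
     "responseElements": {"sessionId": "blayer-0123456789abcdef0"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "eventTime": "2019-07-13T22:01:05Z", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops"},
     "requestParameters": {"target": "i-0ba3d05e2b6c0fb36"},  # no document: shell session
     "responseElements": {"sessionId": "ops-0123456789abcdef1"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "eventTime": "2019-07-13T22:02:00Z", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops"},
     "requestParameters": {}, "responseElements": None},
]})


def ssh_sessions(cloudtrail_json, document="AWS-StartSSHSession"):
    """Summarise each StartSession call that used the given session document,
    i.e. an SSH/SCP tunnel rather than an interactive Session Manager shell."""
    found = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "ssm.amazonaws.com" or rec.get("eventName") != "StartSession":
            continue
        req = rec.get("requestParameters") or {}
        if req.get("documentName") != document:
            continue  # interactive shell or other document type
        port = (req.get("parameters") or {}).get("portNumber", ["22"])[0]
        found.append({
            "time": rec["eventTime"],
            "principal": rec["userIdentity"]["arn"],
            "source_ip": rec["sourceIPAddress"],
            "target": req["target"],
            "port": port,
            "session_id": (rec.get("responseElements") or {}).get("sessionId"),
        })
    return found


if __name__ == "__main__":
    for s in ssh_sessions(SAMPLE_RECORDS):
        print(f'{s["time"]} {s["principal"]} -> {s["target"]}:{s["port"]} '
              f'session {s["session_id"]} from {s["source_ip"]}')
```

On a real export, each summary line pairs with the corresponding sshd login on the instance; a StartSession for AWS-StartSSHSession with no matching sshd authentication is worth a look.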