Secure Administrative Access to Compute Resources: Curriculum Overview
Configure secure administrative access to compute resources (for example, Systems Manager Session Manager, EC2 Instance Connect)
Secure Administrative Access to Compute Resources
This curriculum provides a deep dive into modern, secure methods for managing AWS compute resources (EC2) while minimizing the attack surface. It focuses on moving away from traditional bastion hosts toward managed services like AWS Systems Manager (SSM) Session Manager and EC2 Instance Connect.
Prerequisites
Before starting this module, learners should possess the following foundational knowledge:
- IAM Fundamentals: Understanding of IAM Users, Roles, and Instance Profiles.
- VPC Networking: Familiarity with public/private subnets, Security Groups, and Network ACLs.
- Basic CLI Usage: Comfort with terminal-based interaction (Bash or PowerShell).
- AWS Management Console: General navigation skills within the AWS ecosystem.
Module Breakdown
| Module | Topic | Difficulty | Focus Area |
|---|---|---|---|
| 1 | The Evolution of Access | Beginner | Bastions vs. SSM vs. EC2 Instance Connect |
| 2 | Systems Manager (SSM) Deep Dive | Intermediate | SSM Agent, IAM Roles, and Session Manager |
| 3 | Network Isolation & VPC Endpoints | Intermediate | Connecting to private instances without IGWs |
| 4 | EC2 Instance Connect | Intermediate | Temporary SSH keys and IAM-based SSH |
| 5 | Auditing & Compliance | Advanced | CloudTrail logging and Session recording |
Learning Objectives per Module
Module 1: The Evolution of Access
- Compare and contrast the architecture of Bastion Hosts versus SSM Session Manager.
- Identify the risks associated with leaving port 22 (SSH) or 3389 (RDP) open to the internet.
Module 2: Systems Manager (SSM) Deep Dive
- Configure IAM Instance Profiles to allow EC2 instances to communicate with the SSM service.
- Verify the installation and status of the SSM Agent on various operating systems.
- Initiate a web-based shell session via the AWS Management Console.
Module 3: Network Isolation & VPC Endpoints
- Design a network architecture that allows administrative access to instances in a private subnet without a NAT Gateway or Internet Gateway using Interface VPC Endpoints.
Module 4: EC2 Instance Connect
- Deploy EC2 Instance Connect to provide short-lived SSH keys for administrative access.
- Use the AWS CLI to push public keys to instances dynamically.
Module 5: Auditing & Compliance
- Configure CloudWatch Logs and S3 to archive session transcripts for forensic analysis.
- Use AWS CloudTrail to audit `StartSession` API calls.
Visual Anchors
Architecture Comparison: Bastion vs. Session Manager
Session Manager Connectivity Flow
```latex
\begin{tikzpicture}[node distance=2cm, every node/.style={draw, rectangle, rounded corners, align=center, fill=blue!10}]
  \node (User) {Administrator \\ (IAM Auth)};
  \node (SSM)  [right=of User, fill=green!10]  {AWS Systems \\ Manager Service};
  \node (EC2)  [right=of SSM,  fill=orange!10] {EC2 Instance \\ (SSM Agent)};
  \node (Logs) [below=of SSM,  fill=red!10]    {S3 / CloudWatch \\ (Audit Logs)};
  \draw[->,  thick] (User) -- node[above] {1. StartSession} (SSM);
  \draw[<->, thick] (SSM)  -- node[above] {2. HTTPS Tunnel}  (EC2);
  \draw[->,  thick] (SSM)  -- node[left]  {3. Log Stream}    (Logs);
\end{tikzpicture}
```
Success Metrics
You have mastered this curriculum when you can:
- Eliminate Inbound Rules: Successfully connect to a Linux or Windows instance whose Security Group has zero inbound rules.
- IAM Policy Precision: Write a Least-Privilege IAM policy that restricts a user to only accessing specific instances based on Tags.
- End-to-End Audit: Produce an S3-stored transcript of every command executed during a remote session.
- Connectivity Troubleshooting: Identify and resolve common issues such as missing IAM permissions or lack of outbound network connectivity to SSM endpoints.
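The "IAM Policy Precision" metric above, as an added example that is not part of the original curriculum: a least-privilege identity policy that lets a user open Session Manager shells only on instances carrying an assumed `Team=payments` tag (the tag key and value are illustrative), using only the default shell document, and that lets them resume or terminate only sessions they started themselves. The `Describe*` statement exists only so the console and CLI can list candidate instances; it grants no session access.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnTaggedInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/Team": "payments" }
      }
    },
    {
      "Sid": "OnlyTheDefaultShellDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"
    },
    {
      "Sid": "ManageOnlyOwnSessions",
      "Effect": "Allow",
      "Action": ["ssm:ResumeSession", "ssm:TerminateSession"],
      "Resource": "arn:aws:ssm:*:*:session/*",
      "Condition": {
        "StringLike": { "ssm:resourceTag/aws:ssmmessages:session-id": "${aws:userid}*" }
      }
    },
    {
      "Sid": "ReadOnlyDiscoveryForConsoleAndCli",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus",
        "ssm:DescribeInstanceProperties",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
```

Because the tag condition is evaluated against the instance resource, a user whose `StartSession` call targets an untagged or differently tagged instance is denied before any tunnel is established, and the denied call is still recorded in CloudTrail for the audit work in Module 5.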
Real-World Application
In a production enterprise environment, secure administrative access is the "keys to the kingdom."
- Incident Response: During a security event, engineers can use Session Manager to access isolated instances to collect memory dumps or logs without modifying network security groups that might expose the instance further.
- Compliance: For regulated industries such as Finance (PCI-DSS) or Healthcare (HIPAA), the automatic logging of administrative sessions provided by SSM satisfies the mandatory control of recording who accessed which system and when, replacing manual, error-prone spreadsheets of "who logged in when."
- Cost Reduction: By removing Bastion hosts, organizations save on the compute costs of the jump box and the operational overhead of patching and hardening those extra servers.
> [!IMPORTANT]
> AWS Session Manager relies on outbound traffic. If your instance is in a private subnet without a NAT Gateway, you must configure Interface VPC Endpoints for `ssm`, `ssmmessages`, and `ec2messages` to ensure the agent can reach the service.