SSM for remote access through HTTPS

Documentation about SSM

• Main doc: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html

• Agent: https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html

• Automatic update of agent: https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-automatic-updates.html (setup the account to automatically update all SSM agents on all instances)

Configure access to SSM for users in an Active Directory

We suppose here that we already have an Active Directory.

1. First follow the steps in https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_manage_roles.html

2. Creating a new role https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_role.html

3. Assign the following policies to the role - AmazonEC2ReadOnlyAccess - AmazonSSMFullAccess

4. Then enable access to services for users in AD:

5. Create an access URL to the directory services: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_create_access_url.html

6. Grant access to the management console to users in the directory (note you can limit the access to a given group of users) https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_management_console_access.html

7. Connect to the directory service URL, and go to SSM, then Session Manager and create a session

Configure Run As User for SSM sessions

1. Go to SSM/Session Manager, edit the Preferences, and activate Enable Run As support for Linux instances in General preferences

2. Add an SSMSessionRunAs tag to your IAM users to specify the OS user to user to connect to the instance https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-run-as.html

This does not work with users coming directly from an AD.

Note

RunAs user is a AWS managed feature, therefore unfortunately in your case where you are using a managed login feature of Directory service it is currently not possible to automate the retrieval of the RunAs user architecturally. However if you would have been using ADFS (Active Directory Federation Services ) and not via managed login feature of Directory service. In ADFS it would have been possible as in that case we have SAML implementation where we can add tag on user when you login into AWS console using AD user.

See

• https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/

• https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/

SSM with ADFS

Note

The next blog post is explaining the multiple steps to start a Session Manager using the federated user feature through an AD-joined Linux instance.

Configuring AWS Systems Manager Session Manager run as support for federated users using session tags, see

• https://aws.amazon.com/blogs/mt/configuring-aws-systems-manager-session-manager-support-federated-users-using-session-tags/

• Template to start an AD with ADFS on an EC2 instance: https://s3.amazonaws.com/cloudformation-templates-us-east-1/Windows_Single_Server_Active_Directory.template (from https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/)

• Enabling SAML 2.0 federated users to access the AWS Management Console: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html#configuring-IAMProvider