DB External Access
Closed this issue · 4 comments
Approach 1: Bastion Host with EC2 configured SSH Key
[1] EC2 instance with security group
[2] DB security group allowing VPC access
Local
ssh -i "bastion-host.pem" -f -N -L 5432:<rds_url>:5432 ec2-user@<instance_url> -vvv
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to ec2-xxx.compute-1.amazonaws.com port 22.
debug1: Connection established.
debug1: identity file bastion-host.pem type -1
debug1: identity file bastion-host.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
Approach 2: Bastion Host with generated SSH Key and Session Manager (uses port 443)
Pre-reqs:
[1] IAM role with below permissions
AmazonSSMManagedInstanceCore (https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-instance-profile.html)
SendSSHPublicKey policy permission
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSSHPublicKey",
            "Resource": [
                "arn:aws:ec2:us-east-1:xxx:instance/i-xxx"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:osuser": "ec2-user"
                }
            }
        }
    ]
}
Combined policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSSHPublicKey",
            "Resource": [
                "arn:aws:ec2:us-east-1:xxx:instance/i-xxx"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:osuser": "ec2-user"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:xxx:instance/i-xxx",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeSessions",
                "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceProperties",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:TerminateSession",
                "ssm:ResumeSession"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:session/${aws:username}-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:xxx:key/xxx"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": "*"
        }
    ]
}
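As an added example (not from this issue), a small Python linter that checks a policy like the combined policy above for the scoping the bastion flow relies on: SendSSHPublicKey pinned to an instance and an OS user, StartSession scoped to target and document with the SessionDocumentAccessCheck condition, and Terminate/ResumeSession limited to the caller's own sessions. The policy dicts are constructed inline (the session statements from above with the page's xxx placeholders, plus a wildcard variant), so it runs offline.

```python
from typing import List

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_keys(stmt: dict) -> set:
    # Flatten {"StringEquals": {"ec2:osuser": ...}} into {"ec2:osuser"} (lower-cased).
    return {k.lower() for op in stmt.get("Condition", {}).values() for k in op}

def check_bastion_policy(policy: dict) -> List[str]:
    """Return findings for Allow statements that are broader than the bastion flow needs."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = _as_list(stmt.get("Resource", []))
        conds = _condition_keys(stmt)
        wildcard = "*" in resources
        if "ec2-instance-connect:sendsshpublickey" in actions:
            if wildcard:
                findings.append(f"stmt {i}: SendSSHPublicKey allowed on every instance")
            if "ec2:osuser" not in conds:
                findings.append(f"stmt {i}: SendSSHPublicKey not pinned to an OS user (ec2:osuser)")
        if "ssm:startsession" in actions:
            if wildcard:
                findings.append(f"stmt {i}: StartSession allowed on every target and document")
            if "ssm:sessiondocumentaccesscheck" not in conds:
                findings.append(f"stmt {i}: StartSession lacks ssm:SessionDocumentAccessCheck condition")
        if actions & {"ssm:terminatesession", "ssm:resumesession"}:
            if not all("${aws:username}" in r for r in resources):
                findings.append(f"stmt {i}: Terminate/ResumeSession not limited to the caller's own sessions")
    return findings
# Constructed inputs: the session statements of the combined policy (xxx placeholders kept) and a weakened variant.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2-instance-connect:SendSSHPublicKey",
     "Resource": ["arn:aws:ec2:us-east-1:xxx:instance/i-xxx"],
     "Condition": {"StringEquals": {"ec2:osuser": "ec2-user"}}},
    {"Effect": "Allow", "Action": ["ssm:StartSession"],
     "Resource": ["arn:aws:ec2:us-east-1:xxx:instance/i-xxx", "arn:aws:ssm:*:*:document/AWS-StartSSHSession"],
     "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}},
    {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
     "Resource": ["arn:aws:ssm:*:*:session/${aws:username}-*"]}]}
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2-instance-connect:SendSSHPublicKey", "ssm:StartSession"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY), ("wildcard policy", WILDCARD_POLICY)):
        print(name, "->", check_bastion_policy(pol) or ["ok"])
```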
mkdir tmp
ssh-keygen -t rsa -f tmp/ec2-bastion-host
aws ec2-instance-connect send-ssh-public-key \
--instance-id i-xxx --availability-zone us-east-1c \
--instance-os-user ec2-user \
--ssh-public-key file://tmp/ec2-bastion-host.pub
(within 60 secs)
ssh -v -i tmp/ec2-bastion-host \
-Nf -M \
-L "5432:<rds_url>:5432" \
-o "StrictHostKeyChecking=no" \
-o ProxyCommand="aws ssm start-session --target %h --document AWS-StartSSHSession --parameters portNumber=%p --region=us-east-1" \
ec2-user@i-xxx
Successful
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Executing proxy command: exec aws ssm start-session --target i-xxx --document AWS-StartSSHSession --parameters portNumber=22 --region=us-east-1
debug1: identity file tmp/ec2-bastion-host type 0
debug1: identity file tmp/ec2-bastion-host-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: kex_exchange_identification: banner line 0:
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to i-xxx:22 as 'ec2-user'
debug1: Authentication succeeded (publickey).
Authenticated to i-xxx (via proxy).
debug1: Local connections to LOCALHOST:5432 forwarded to remote address xxx:5432
debug1: Local forwarding listening on ::1 port 5432.
debug1: Local forwarding listening on 127.0.0.1 port 5432.
debug1: channel 1: new [port listener]
debug1: forking to background
debug1: Entering interactive session.
debug1: pledge: proc
Failure
debug1: No more authentication methods to try.
ec2-user@i-xxx: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
IAM Anywhere
[1] https://docs.aws.amazon.com/rolesanywhere/latest/userguide/getting-started.html
[2] https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html
./aws_signing_helper credential-process \
--certificate certificate.txt \
--private-key private_key_unencrypted.txt \
--trust-anchor-arn <arn> \
--profile-arn <arn> \
--role-arn <arn>
ACM:
[1] Create private CA
[2] Export private key https://docs.aws.amazon.com/acm/latest/userguide/export-private.html
openssl x509 -noout -text -in certificate.txt
openssl rsa -noout -text -in private_key.txt
openssl rsa -in private_key.txt -out private_key_unencrypted.txt
aws ssm start-session \
--target i-xxx \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters '{"host":["xxx.us-east-1.rds.amazonaws.com"],"portNumber":["5432"],"localPortNumber":["5432"]}'
Starting session with SessionId:
Port 5432 opened for sessionId
Waiting for connections...