aws-quickstart/quickstart-linux-bastion

Make SSM Session Manager Access the Default

DarwinJS opened this issue · 3 comments

My use case is most frequently with the EKS Quick Start where an SSM bastion host can be combined with a private K8s Control API endpoint to create a very secure, auditable cluster administration setup.

SSM Session Manager is currently possible and has the following benefits over the traditional SSH to a public IP:

  • No public IP nor SSH port needs to be exposed - which eliminates the need to collect a CIDR from users for bastion host access
  • No key pairs need to be created, shared and rotated - which eliminates the need to create or collect a key pair name from the users for bastion host access
  • No network routing, security groups nor internet ingresses need to expose the bastion to the outside world
  • Multiple users are accommodated because SSM Session Manager controls which IAM users can access it, and it fully logs all command sessions and the invoking IAM user in CloudWatch
  • With the AWS CLI SSM Session Manager plugin, local SSH commands on clients outside of AWS can be configured if desired or needed, but all of the above still applies.

If SSM was the default (or simply fully enabled) the following changes would be helpful.

  • Public IP address is optional (and defaults to off if SSM is considered default)
  • Bastion Host CIDR parameter is made optional.
  • Key pair parameter is made optional.

It would then become exception instructions that, if one wants the old public bastion host exposing port 22, the above be set up to enable the less secure posture.
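As an added example (not the Quick Start's own template nor code from the issue author), a CloudFormation fragment implementing the posture described above: a bastion in a private subnet with no public IP, no inbound security group rules, an instance profile carrying AmazonSSMManagedInstanceCore, and a key pair parameter that is optional. It assumes the private subnet can reach the SSM endpoints over HTTPS (NAT gateway or VPC interface endpoints); parameter and resource names are illustrative.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VPCID:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetID:
    Type: AWS::EC2::Subnet::Id
  KeyPairName:
    Type: String
    Default: ''
    Description: Optional; leave empty when access is via Session Manager only
  LatestAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
Conditions:
  HasKeyPair: !Not [!Equals [!Ref KeyPairName, '']]
Resources:
  # Instance role with only the permissions the SSM agent needs
  BastionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - { Effect: Allow, Principal: { Service: ec2.amazonaws.com }, Action: sts:AssumeRole }
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
  BastionInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref BastionRole]
  # No ingress at all: no SSH port exposed, so no admin CIDR parameter is needed;
  # outbound HTTPS is enough for the agent to reach the SSM service endpoints
  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSM-only bastion, no inbound rules
      VpcId: !Ref VPCID
      SecurityGroupEgress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }
  BastionInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: t3.micro
      IamInstanceProfile: !Ref BastionInstanceProfile
      # Key pair is attached only when the optional parameter is set
      KeyName: !If [HasKeyPair, !Ref KeyPairName, !Ref AWS::NoValue]
      NetworkInterfaces:
        - DeviceIndex: '0'
          AssociatePublicIpAddress: false
          SubnetId: !Ref PrivateSubnetID
          GroupSet: [!Ref BastionSecurityGroup]
```

Session logging to CloudWatch, as described in the list above, is configured on the Session Manager preferences document rather than in this instance template, and needs the corresponding logs permissions added to the role.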

This has been added in the EKS QS. This QS is designed to be used in more legacy situations. We will review and make this a feature request.

This is now affected by changes made to Amazon Linux 2 as described in this issue: Parameter to put ssm-user in /etc/sudoers.d/ssm-users

IMO this is blocked because needing OS-level sudo will be a common requirement for Kubernetes admins who need package installs and other bastion changes.

@troy-ameigh - I just realized that your comment might mean that this code is forked into the EKS QS? It appears to me to be a dependency? Can you please clarify?