Skip to content
/ SSM-Bastion Public

SSM-Bastion : How to connect to your AWS private instance's from internet

License

Apache-2.0 license
1 star 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Menahem1/SSM-Bastion

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
script
script
 
 
terraform
terraform
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

SSM-BASTION : How to connect to your AWS private instance's from internet

  • Architecture
  • Terraform
  • Script

Architecture

Architecture

Blog post

Terraform

The Terraform folder deploy's the following elements :

  • SSM Document : to automatically create the socket
  • Auto Scaling Group: with Scheduling option (for the weekend or the evening for example)
  • IAM Role/Policy: with custom variable to define the output bucket + KMS Key of Session Manager and S3 Log's
  • User Data : install socat and get the latest version of ssm-agent (to customize if you use T4g instance)
  • Security Group : allow only himself in ingress in 443 (for endpoint's) and in egress all the destination (you can customize with only your VPC CIDR)

Variables :

ssm_arn : ARN for Managed policy of SSM (no need to custom)

region : Region where you want to deploy SSM-Bastion (need to define)

ami : AMI of EC2, recommended to use Amazon Linux 2 To find the latest version

bucket_logs : Name of the bucket where the logs of Session Manager will be set (useful only when using the console for troubleshooting an EC2) -> Details Note that in terraform the default path will bucket_logs/ssm/

session_manager_key : ARN of KMS Key for Session Manager

s3_key : ARN of KMS S3 Logs for Session Manager

vpc_id : VPC ID where the SSM-Bastion will be deployed

kms_ebs_id : ARN of KMS Key for the EBS disk

key_name : Optionnal, if you want also put a SSH Key into the EC2 Bastion-SSM

sub1a : Subnet ID of AZ A for ASG

sub1b : Subnet ID of AZ B for ASG

sub1c : Subnet ID of AZ C for ASG

schedule_stop : When stop the SSM-Bastion, cron format, default 30 22 * * MON-FRI (monday to friday, stop at 22:30)

schedule_start : When start the SSM-Bastion, cron format, default 30 7 * * MON-FRI (monday to friday, start at 7:30)

Script

The script need in input the following information for creating the port forwarding 2 possibilities

1/ Interactive session, without parameter

./ssm-bastion-port-forwarding.sh

2/ With line arguments

./ssm-bastion-port-forwarding.sh hostname_destination port_destination port_source

Hostname_destination : DNS or IP of the Database/EC2

Port_destination : Listening port of the destination (ex. 3306 for RDS MySQL Database)

Port_source : Listening port on your local laptop (free to choose between 1000 and 65535, in a team ensure that there is no overlap)

Example :

./ssm-bastion-port-forwarding.sh 10.0.0.1 3306 8900

Open a port forwarding to 10.0.0.1 port 3306 on local (laptop) port 8900

About

SSM-Bastion : How to connect to your AWS private instance's from internet

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages