My variation is to use a custom script as `ProxyCommand` that resolves private route53 DNS names to instance ids, because remembering instance IDs is insane.
Mine is to run a Tailscale node on a tiny ec2 instance. Not only enabling ssh but direct access to database instances, s3 buckets that are blocked from public access etc
How are S3 buckets blocked from public access? I mean I know there is literally a “Block public access” feature that keeps S3 buckets from being read or written by unauthenticated users. But as far as I know without some really weird bucket ACLs you can still access S3 buckets if you have the IAM credentials.
Before anyone well actually’s me. Yes I know you can also route S3 via AWS internal network with VPC Endpoints between AWS services.
Specifically the vpce one as the other poster mentioned but there's other like IP limits
Another way is an IdP that supports network or device rules. For instance, Cloudflare Access and Okta you can add policies where they'll only let you auth if you meet device or network requirements which achieved the same thing
> Specifically the vpce one as the other poster mentioned but there's other like IP limits
IPs don't cut it to prevent public access. I can create my own personal AWS account, with the private IP I want, and use the credentials from there. There's really just VPC endpoints AFAIK.
I run an EC2 instance with SSM enabled. I then use the AWS CLI to port forward into the 'private' database instance or whatever from my desktop. The nice thing about this is it's all native AWS stuff, no need for 3rd party packages, etc.
Very excited about the fork's improvements given the lack of responsiveness in core repo. I've hit some of these bugs including the registry issue. Thank you for open sourcing it.
I've used a combination of ProxyCommand directive in ssh config + a script it calls w/ the `%h` (host) to unpack what the correct instance-id is (like @galanwe). For the proxycommand, you can embed an `aws ec2-instance-connect send-ssh-public-key` for pushing a key valid for 60s followed by activating the SSM session.
The downside is it adds ~20-30s delay in connection due to the API requests, but if you're making repeated rapid requests to same instance, I recommend looking into ssh's ControlPath, ControlMaster and ControlPersist to keep a longer lived session that's re-used for client re-connections (ref: https://blog.scottlowe.org/2015/12/11/using-ssh-multiplexing...)
[Edit to add that I've hit the registry bug myself]
The System Manager Agent on EC2 instances is meant to have enough privileges to manage fleet of instances at scale. System Manager Session Manager (yes that’s the real name) is a part of it.
What do you suggest as an alternative? Session Manager is IAM controlled and much more secure and easily managed than the traditional means involving direct access via SSH and opening a port through the security group for a certain IP address or a jump box server.
Was wondering if it's possible to use sshuttle with SSM but didn't realize SSM had its own mixing protocol.
An SSM client library is super helpful for embedding the tunneling into the client app. At a previous employer, we'd access jumphosts from AWS Session Manager and GCP Identity Aware Proxy and were looking to embed that connection flow into some cli management utilities to ease use. At the time, we ended up starting the tunneling processes separately inside the code but it would have been much nicer and easier with a library.
https://gist.github.com/nicornk/5d2c0cd02179f9b46cc7df459af0...
host i-* IdentityFile ~/.ssh/id_rsa TCPKeepAlive yes ServerAliveInterval 120 User ec2-user ProxyCommand sh -c "aws ec2 start-instances --instance-ids %h ; aws ec2 wait instance-running --instance-ids %h ; aws ec2-instance-connect send-ssh-public-key --instance-id %h --instance-os-user %r --ssh-public-key 'file://~/.ssh/id_rsa.pub' --availability-zone $(aws ec2 describe-instances --instance-ids %h --query 'Reservations[0].Instances[0].Placement.AvailabilityZone') ; aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
This will also allow VSCode remote development.