AWS SSM EC2 SSH Proxy Command
Open an SSH connection to your EC2 instances via AWS SSM without the need to open any SSH port in your security groups.
brew install awscli
brew install session-manager-plugin
ssm:StartSession for DocumentName: AWS-StartSSHSession and Target Instance
ssm:SendCommand for DocumentName: AWS-RunShellScript and Target Instance
yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm && service amazon-ssm-agent restart
~/.ssh/aws-ssm-ec2-proxy-command.sh
chmod +x ~/.ssh/aws-ssm-ec2-proxy-command.sh
Add the following entry to ~/.ssh/config. Adjust the key file path if needed.
host i-* mi-*
  IdentityFile ~/.ssh/id_rsa
  ProxyCommand ~/.ssh/aws-ssm-ec2-proxy-command.sh %h %r %p ~/.ssh/id_rsa.pub
  StrictHostKeyChecking no
export AWS_PROFILE=default or AWS_PROFILE=default ssh ... <INSTANCE_USER>@<INSTANCE_ID>
<INSTANCE_USER>@<INSTANCE_ID>--<INSTANCE_REGION>
ssh <INSTANCE_USER>@<INSTANCE_ID>
ssh ec2-user@i-1234567890
ssh <INSTANCE_USER>@<INSTANCE_ID> \
-i "~/.ssh/id_rsa" \
-o ProxyCommand="~/.ssh/aws-ssm-ec2-proxy-command.sh %h %r %p ~/.ssh/id_rsa.pub"
ec2-instance-connect:SendSSHPublicKey
The advantage from a security perspective is that you don't need to grant ssm:SendCommand to users, and thereby the permission to execute everything as root. Instead you only grant ec2-instance-connect:SendSSHPublicKey permission for a specific instance user, e.g. ec2-user.
ssm:StartSession for DocumentName: AWS-StartSSHSession and Target Instance
ec2-instance-connect:SendSSHPublicKey
Adjust the ec2:osuser condition to match your needs. The default is ec2-user.
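As an added example that is not the project's own script, the proxy command below implements the EC2 Instance Connect variant described above: it parses the <INSTANCE_ID>--<INSTANCE_REGION> host form, pushes the public key for the requested OS user with send-ssh-public-key, and then starts an AWS-StartSSHSession session that ssh talks through. The script path ~/.ssh/ssm-ic-proxy.sh is an assumed name; it needs the AWS CLI and Session Manager plugin installed as above, and only the ssm:StartSession and ec2-instance-connect:SendSSHPublicKey permissions listed above.

```shell
#!/bin/sh
# Added example SSH ProxyCommand (not the project's own script): pushes the
# caller's public key with EC2 Instance Connect, then tunnels SSH over SSM.
# ~/.ssh/config usage (assumed path):
#   ProxyCommand ~/.ssh/ssm-ic-proxy.sh %h %r %p ~/.ssh/id_rsa.pub
set -eu

# Split "<instance-id>[--<region>]" into TARGET_ID and TARGET_REGION.
# Accepts EC2 (i-*) and SSM managed (mi-*) instance IDs, matching the
# "host i-* mi-*" pattern in the ssh config; anything else is rejected.
parse_target() {
  TARGET_ID="${1%%--*}"
  TARGET_REGION=""
  if [ "$1" != "$TARGET_ID" ]; then
    TARGET_REGION="${1#*--}"
  fi
  case "$TARGET_ID" in
    i-*|mi-*) ;;
    *) echo "unsupported target: $1" >&2; return 1 ;;
  esac
  if [ -z "$TARGET_REGION" ] && [ "$1" != "$TARGET_ID" ]; then
    echo "empty region in target: $1" >&2; return 1   # e.g. "i-123--"
  fi
}

run_proxy() {
  ssh_user="$2"; ssh_port="$3"; pubkey_file="$4"
  parse_target "$1"
  region_opt=""   # left unquoted below on purpose: empty or "--region X"
  [ -z "$TARGET_REGION" ] || region_opt="--region $TARGET_REGION"
  # Least-privilege step: the key is accepted for one OS user only, which IAM
  # can pin with the ec2:osuser condition, instead of running a root script
  # via ssm:SendCommand. The pushed key is valid for 60 seconds, enough for
  # the session below to authenticate. Older CLI versions also require
  # --availability-zone, which in turn needs ec2:DescribeInstances.
  aws $region_opt ec2-instance-connect send-ssh-public-key \
    --instance-id "$TARGET_ID" --instance-os-user "$ssh_user" \
    --ssh-public-key "file://$pubkey_file" >/dev/null
  # Hand stdin/stdout to the SSM session; ssh runs its protocol through it.
  exec aws $region_opt ssm start-session --target "$TARGET_ID" \
    --document-name AWS-StartSSHSession --parameters "portNumber=$ssh_port"
}

# Run only when invoked by ssh with all four ProxyCommand arguments.
if [ "$#" -eq 4 ]; then run_proxy "$@"; fi
```

Because the proxy runs under the caller's AWS credentials, IAM authorizes the session before SSH key authentication takes place; CloudTrail records both the SendSSHPublicKey and StartSession calls per user.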