A no-ingress EC2 instance is a strong security option: it blocks all inbound access to the instance. How, then, do management users connect to it?

This is a brief post on how to connect to a completely cut-off EC2 instance: one that sits in a private subnet and also has a no-ingress security group attached.

Attach the SSM Managed Policy to the EC2 instance

[Figure: SSM policy for EC2]

Launch and Test the Instance

  • From the EC2 console, launch an EC2 instance (Windows Server)
  • Create a private subnet with no Internet Gateway
  • Create a security group with no ingress ports
  • Configure or attach the instance with the no-ingress security group and the SSM IAM role created earlier
  • Ensure that the Windows EC2 instance has the SSM Agent running by viewing it in AWS Systems Manager
  • Connect to the source EC2 instance via “EC2 Connect”
  • Run this command to enable AWS SSM port forwarding to a local port (we are mapping the Remote Desktop port of the Windows EC2 instance, port 3389, to port 3340 on localhost):

    aws ssm start-session --target <<windows-ec2-instanceid>> --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["3389"],"localPortNumber":["<<desiredPortNumber>>"]}' --region <<region-where-ec2-launched>>

Testing it out

Telnet to the port (3640 in this example):

    telnet localhost 3690
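As an added example (not code from the original post), the following POSIX shell script wraps the last steps above: it validates the instance id and ports, confirms the target reports Online in Systems Manager, opens the RDP port-forward and probes the local port instead of running telnet by hand. The script name ssm-rdp.sh and the function names are my own; it assumes AWS CLI v2 and the Session Manager plugin are installed on the source instance.

```shell
#!/bin/sh
# Added example (not from the original post): validates inputs, checks the target
# is Online in SSM, opens the RDP port-forward and probes the local port instead
# of telnet. Assumes AWS CLI v2 and the Session Manager plugin on the source host.
# Usage: sh ssm-rdp.sh run <instance-id> <region> [local-port]
set -eu
valid_instance_id() {   # "i-" followed by 8 or 17 hex characters
  printf '%s\n' "$1" | grep -Eq '^i-[0-9a-f]{8}([0-9a-f]{9})?$'
}
valid_port() {          # integer in 1..65535
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
# --parameters JSON for AWS-StartPortForwardingSession: remote port on the
# target, local port on this host. Fails rather than emitting bad JSON.
forward_params() {
  valid_port "$1" && valid_port "$2" || return 1
  printf '{"portNumber":["%s"],"localPortNumber":["%s"]}' "$1" "$2"
}
# The agent must be registered and Online, or no session can be opened at all.
# In a subnet with no Internet Gateway that needs VPC endpoints or NAT for SSM.
ssm_agent_online() {
  status=$(aws ssm describe-instance-information --region "$2" \
    --filters "Key=InstanceIds,Values=$1" \
    --query 'InstanceInformationList[0].PingStatus' --output text) || return 1
  [ "$status" = "Online" ]
}
# Open the tunnel: <instance-id> <remote-port> <local-port> <region>.
start_forward() {
  valid_instance_id "$1" || { echo "bad instance id: $1" >&2; return 1; }
  params=$(forward_params "$2" "$3") || { echo "bad port" >&2; return 1; }
  aws ssm start-session --target "$1" --document-name AWS-StartPortForwardingSession \
    --parameters "$params" --region "$4"
}
# Probe 127.0.0.1:<port> once per second via bash's /dev/tcp, up to <tries> times.
wait_for_local_port() {
  valid_port "$1" || return 1; tries="${2:-10}"
  while [ "$tries" -gt 0 ]; do
    bash -c "exec 3<>/dev/tcp/127.0.0.1/$1" 2>/dev/null && return 0
    tries=$((tries - 1)); sleep 1
  done
  return 1
}
if [ "${1:-}" = "run" ]; then
  lport="${4:-3340}"
  ssm_agent_online "$2" "$3" || { echo "$2 is not Online in SSM" >&2; exit 1; }
  start_forward "$2" 3389 "$lport" "$3" &
  wait_for_local_port "$lport" 15 && echo "RDP tunnel ready on 127.0.0.1:$lport"
  wait   # keep the tunnel open until the session ends
fi
```

Once the script prints the "tunnel ready" line, point your RDP client at 127.0.0.1 and the chosen local port.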

Summary

No-ingress EC2 instances are a great way to protect access to your instances on AWS. For an advanced security consultation, please contact AWS Security Architect.