ec2 no ingress Archives - AWS Security Architect https://awssecurityarchitect.com/tag/ec2-no-ingress/ Experienced AWS, GCP and Azure Security Architect Sun, 25 Sep 2022 06:20:21 +0000 en-US hourly 1 https://wordpress.org/?v=6.5.5 214477604 AWS SSM Connect for no ingress EC2 instances https://awssecurityarchitect.com/ec2-security/aws-ssm-connect-for-ec2-with-no-ingress-security-groups/ https://awssecurityarchitect.com/ec2-security/aws-ssm-connect-for-ec2-with-no-ingress-security-groups/#comments Sun, 25 Sep 2022 06:15:24 +0000 https://awssecurityarchitect.com/?p=62 No Ingress EC2 is a great security option to completely block off all access to an EC2 instance. How then, will management users connect to this instance? This is a […]

The post AWS SSM Connect for no ingress EC2 instances appeared first on AWS Security Architect.

]]>
No Ingress EC2 is a great security option to completely block off all access to an EC2 instance. How then, will management users connect to this instance?

This is a brief post on how to connect to a completely cut off EC2 instance – which is in a private subnet and also has a no ingress Security Group attached.

Attach the SSM Managed Policy to the EC2 instance

ssm policy
ssm policy for EC2

Launch and Test the Instance

  • From the EC2 console, launch an EC2 instance (Windows Server)
  • Create  a private subnet with no Internet Gateway
  • Create a security group with no ingress ports
  • Configure or attach with no-ingress security group, and the SSM IAM role created earlier
  • Ensure that the Windows EC2 instance has SSM Agent running by viewing it in AWS Systems Manager
  • Connect to source EC2 instance via “EC2 Connect”
  • Apply this command for enabling AWS SSM Port forwarding option to a local port (We are mapping the remote desktop port of windows EC2 port 3389 to 3340 of the localhost)
aws ssm start-session --target <<windows-ec2-instanceid>> --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["3389"],"localPortNumber":["<<desiredPortNumber>>"]}' --region <<region-where-ec2-launched>> Testing it out Telnet to Port(3640 in this example) telnet localhost 3690

Summary

No Ingress EC2 instances are a great way to protect access to your instances on AWS. For an advanced security consultation, please Contact AWS Security Architect

The post AWS SSM Connect for no ingress EC2 instances appeared first on AWS Security Architect.

]]>
https://awssecurityarchitect.com/ec2-security/aws-ssm-connect-for-ec2-with-no-ingress-security-groups/feed/ 1 62