AWS SSM Connect for no ingress EC2 instances
Source: https://awssecurityarchitect.com/ec2-security/aws-ssm-connect-for-ec2-with-no-ingress-security-groups/ (AWS Security Architect, Sun, 25 Sep 2022)

No Ingress EC2 is a great security option to completely block off all access to an EC2 instance. How, then, will management users connect to this instance?

This is a brief post on how to connect to a completely cut-off EC2 instance: one that sits in a private subnet and also has a no-ingress Security Group attached.

Attach the SSM Managed Policy to the EC2 instance

[Image: ssm policy for EC2]

Launch and Test the Instance

  • From the EC2 console, launch an EC2 instance (Windows Server)
  • Create a private subnet with no Internet Gateway
  • Create a security group with no ingress ports
  • Attach the no-ingress security group and the SSM IAM role created earlier to the instance
  • Ensure that the Windows EC2 instance has SSM Agent running by viewing it in AWS Systems Manager
  • Connect to the source EC2 instance via “EC2 Connect”
  • Run this command to enable the AWS SSM port forwarding option to a local port (we are mapping the Remote Desktop port of the Windows EC2 instance, 3389, to port 3340 on localhost):

aws ssm start-session --target <<windows-ec2-instanceid>> --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["3389"],"localPortNumber":["<<desiredPortNumber>>"]}' --region <<region-where-ec2-launched>>

Testing it out

Telnet to the forwarded local port (3640 in this example):

telnet localhost 3690

Summary

No Ingress EC2 instances are a great way to protect access to your instances on AWS. For an advanced security consultation, please contact AWS Security Architect.
