SSM & Pre-defined users for least privilege SSH

Using pre-defined users on EC2s with AWS SSM for least privilege SSH

Today I Explained

By default, AWS Systems Manager Session Manager connects as the ssm-user account on EC2 instances that have been configured for Systems Manager. This account can be disabled, but it is enabled by default.

aws ssm start-session --target i-52...

This account uses the sh shell by default and prints no useful “welcome” message when you connect to an EC2 instance. On shared bastion nodes used for ad hoc operations within the infrastructure this is a problem: ssm-user has administrator permissions by default, so anyone who connects can take undesirable actions, such as installing or uninstalling packages, that affect the operation of the node.

One approach to limiting what users can do on these bastion nodes is a Session document. A Session document gives more granular control over how Systems Manager interacts with instances, including the terminal sessions started with start-session.

For this use case, the runAsDefaultUser and shellProfile.linux inputs specify which OS user the session runs as and which shell environment is launched on the instance (runAsEnabled must be true for runAsDefaultUser to take effect).

{
  "schemaVersion" : "1.0",
  "description" : "Document to open SSH connection over session manager to an instance as a user",
  "sessionType" : "Standard_Stream",
  "inputs" : {
    "idleSessionTimeout" : 20,
    "runAsEnabled" : true,
    "runAsDefaultUser" : "readonly-user",
    "shellProfile" : {
      "windows" : "",
      "linux" : "exec /bin/bash"
    }
  }
}

Once the document has been created in Systems Manager (as a document of type Session), it can be used when starting a session with an instance like so:

aws ssm start-session \
    --document-name SSHAsReadOnly \
    --target i-52...
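The document above only helps if callers cannot simply omit --document-name and fall back to ssm-user. The following Python is an added example, not code from the original post: it builds the Session document shown above, builds the IAM policy that pins ssm:StartSession to that document via the ssm:SessionDocumentAccessCheck condition key, checks a given policy for that pin, and emits the AWS CLI commands to register and use the document. The region, account id and instance id are placeholders; the runAs user (readonly-user) is assumed to already exist on the instance, since Session Manager refuses to start the session otherwise rather than falling back to ssm-user.

```python
# Added example, not code from the original post. Region, account id and
# instance id below are placeholders; readonly-user is assumed to exist on
# the instance as a local account without sudo rights.
import json

DOCUMENT_NAME = "SSHAsReadOnly"   # document name used in the post
RUN_AS_USER = "readonly-user"     # local OS account on the instance


def build_session_document(run_as_user=RUN_AS_USER, shell="/bin/bash",
                           idle_timeout_minutes=20):
    """Return the Session document content (the JSON from the post) as a dict."""
    if not 1 <= idle_timeout_minutes <= 60:
        raise ValueError("idleSessionTimeout must be between 1 and 60 minutes")
    if not run_as_user:
        raise ValueError("runAsDefaultUser must name an existing OS user")
    return {
        "schemaVersion": "1.0",
        "description": f"Open a Session Manager shell as {run_as_user}",
        "sessionType": "Standard_Stream",
        "inputs": {
            "idleSessionTimeout": idle_timeout_minutes,
            "runAsEnabled": True,  # without this, runAsDefaultUser is ignored
            "runAsDefaultUser": run_as_user,
            "shellProfile": {"windows": "", "linux": f"exec {shell}"},
        },
    }


def build_start_session_policy(region, account_id, instance_ids,
                               document_name=DOCUMENT_NAME):
    """IAM policy allowing ssm:StartSession on the instances only through the document.

    ssm:SessionDocumentAccessCheck makes IAM require the session document ARN
    to be explicitly allowed, so a caller cannot drop --document-name and land
    on the account default (ssm-user).
    """
    resources = [f"arn:aws:ec2:{region}:{account_id}:instance/{i}" for i in instance_ids]
    resources.append(f"arn:aws:ssm:{region}:{account_id}:document/{document_name}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "StartSessionOnlyWithPinnedDocument",
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": resources,
            "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}},
        }],
    }


def policy_pins_document(policy, document_name):
    """True if every StartSession grant enforces the document check and names the document."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "ssm:StartSession" not in actions and "ssm:*" not in actions:
            continue
        cond = stmt.get("Condition", {}).get("BoolIfExists", {})
        if str(cond.get("ssm:SessionDocumentAccessCheck", "")).lower() != "true":
            return False
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(r.endswith(f":document/{document_name}") for r in res):
            return False
    return True


def cli_commands(document_name=DOCUMENT_NAME, instance_id="i-0123456789abcdef0"):
    """AWS CLI invocations to register the document and start a session with it."""
    return [
        f"aws ssm create-document --name {document_name} --document-type Session "
        f"--document-format JSON --content file://{document_name}.json",
        f"aws ssm start-session --document-name {document_name} --target {instance_id}",
    ]


if __name__ == "__main__":
    print(json.dumps(build_session_document(), indent=2))
    policy = build_start_session_policy("eu-west-1", "111122223333", ["i-0123456789abcdef0"])
    print("policy pins document:", policy_pins_document(policy, DOCUMENT_NAME))
    print(json.dumps(policy, indent=2))
    print("\n".join(cli_commands()))
```

Save the first JSON as SSHAsReadOnly.json before running the create-document command; the policy_pins_document check is the thing to run against any existing StartSession grant on the bastion role, since a bare `"Resource": "*"` grant silently re-opens the ssm-user path.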