AWS Session Manager - How to use scp?

2024-09-19

So I get this a lot when trying to reduce customers’ costs. One of the items on the list is eliminating bastion servers.

When I ask customers why they are using bastion servers instead of AWS Systems Manager Session Manager, I get one of the following responses:

  • We never heard of it
  • It doesn’t support scp
  • It doesn’t support RDP
  • It doesn’t support different users
  • We would need a different solution for our on-prem/multi-cloud instances.

But it actually does support scp, RDP and different OS users, and you can also use it on your data center servers or other cloud instances, provided you give them network access to the Systems Manager API. So just use it.

Why?

It’s more secure: it lets you connect to your instance without opening it to the internet.

It’s cost effective: you don’t need to keep bastion instances running.

It’s easier: you can connect directly from your own desktop and use your own tools.

How?

The basics

  • First you need to verify your instances are running the Systems Manager agent. Most of the AWS-provided OS images already include it by default, but in case you are using another OS or image, here are the instructions.

  • Then verify the role attached to the instances has the permissions required.

  • Verify the VPCs have endpoints for the Systems Manager service.

  • Verify you have the latest AWS CLI installed on your desktop.

  • If you go to the Systems Manager console and navigate to Fleet Manager, can you see your instances? Good.

Using SCP

  • To use SCP with Systems Manager you need to install the Session Manager plugin on your desktop.

  • Verify your computer has AWS credentials, preferably temporary credentials provided by AWS IAM Identity Center. If you are using long-lived IAM user credentials, please don’t: it works, but it is not the safest thing to do. Those credentials should belong to a role with a policy that allows using SSM.

  • Configure your desktop’s ssh config file:

 vi ~/.ssh/config

Add the following to the config file:

 host i-* mi-*
  ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

  • Verify your EC2 key has permissions to be used by ssh:

 chmod 400 <MY_EC2_Key>.pem

  • Check your ssh connection:

 ssh -i "<MY_EC2_Key>.pem" ec2-user@i-123456abcde

  • Copy a file to your instance using SCP:

 scp -i "<MY_EC2_Key>.pem" my_file ec2-user@i-123456abcde:myfile
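The prerequisites list and the SCP steps above, as one added shell script that is not part of the original post: it reports whether the AWS CLI, the Session Manager plugin, ssh and scp are installed, appends the post’s ProxyCommand stanza to an ssh config exactly once (with the private permissions ssh requires), locks down the key file, and refuses a malformed target such as an instance id with a stray hyphen before scp is ever invoked. The function names, the config-path argument and the sample instance ids are my own; the stanza and the scp form are the post’s.

```shell
#!/bin/sh
# Added example (not from the original post): desktop setup for ssh/scp over
# Session Manager. Assumes the AWS CLI, the Session Manager plugin and the
# AWS-StartSSHSession document as described in the post. Paths are parameters
# so the functions can be exercised against a temporary directory.
set -u

# Report which local prerequisites are missing; returns the number missing.
check_ssm_prereqs() {
  missing=0
  for tool in aws session-manager-plugin ssh scp; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      echo "missing: $tool" >&2
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# A Session Manager target is an EC2 instance id (i-...) or a hybrid-activated
# managed instance id (mi-...): lower-case hex after the prefix. A typo such as
# "i--123456abcde" or anything with shell metacharacters is rejected up front.
is_ssm_target() {
  printf '%s\n' "$1" | grep -Eq '^(i|mi)-[0-9a-f]{8,17}$'
}

# Append the ProxyCommand stanza from the post to an ssh config once
# (idempotent) and keep the directory and file private, as ssh expects.
ensure_ssm_ssh_config() {
  cfg="$1"
  dir=$(dirname "$cfg")
  mkdir -p "$dir" && chmod 700 "$dir"
  [ -f "$cfg" ] || : > "$cfg"
  chmod 600 "$cfg"
  if grep -Eiq '^[[:space:]]*host[[:space:]]+i-\*[[:space:]]+mi-\*' "$cfg"; then
    return 0   # stanza already present, nothing to do
  fi
  cat >> "$cfg" <<'EOF'

host i-* mi-*
  ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# ssh refuses a private key that others can read; make it owner-read-only.
secure_key() {
  [ -f "$1" ] || { echo "no such key: $1" >&2; return 1; }
  chmod 400 "$1"
}

# scp wrapper: validate the target, then copy through the ProxyCommand stanza
# exactly as the post does (user defaults to ec2-user).
ssm_scp() {
  key="$1"; src="$2"; target="$3"; dest="$4"; user="${5:-ec2-user}"
  is_ssm_target "$target" || { echo "bad target: $target" >&2; return 2; }
  scp -i "$key" "$src" "$user@$target:$dest"
}

# Typical use (needs real credentials and a managed instance; constructed ids):
#   check_ssm_prereqs && ensure_ssm_ssh_config "$HOME/.ssh/config" \
#     && secure_key my_key.pem \
#     && ssm_scp my_key.pem my_file i-0123456789abcdef0 myfile
```

Source the file and call the functions in the order shown in the trailing comment; `ensure_ssm_ssh_config` can be re-run safely because it looks for an existing `host i-* mi-*` stanza before appending, and `ssm_scp` fails closed on a bad instance id instead of letting ssh attempt a connection with it.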

Using RDP

  • To use RDP with Systems Manager you need to install the Session Manager plugin on your desktop.

  • Verify your computer has AWS credentials, preferably temporary credentials provided by AWS IAM Identity Center. If you are using long-lived IAM user credentials, please don’t: it works, but it is not the safest thing to do. Those credentials should belong to a role with a policy that allows using SSM.

  • Open a port forwarding session from your desktop:

 aws ssm start-session --target i-1234567890abcde --document-name AWS-StartPortForwardingSession --parameters "portNumber=3389,localPortNumber=12345" --region <my_region>

  • While the port forwarding session is open, you can create an RDP connection to localhost on the port you specified above (12345) and it will be forwarded to the EC2 instance in your account. Just use 127.0.0.1:12345 as the address.

  • When you are done with your session, you can close the CLI window with the port forwarding connection.

I hope this helps!