In this website post, we will demonstrate ways to use AWS Systems Manager Change Manager to regulate usage of Amazon Elastic Compute Cloud (Amazon EC2) instance interactive shell sessions, to enforce separation of duties. Separation of duties is really a design principle where several person’s approval must conclude a crucial task, which is an important area of the AWS Well-Architected Framework . You’ll be using AWS Systems Manager Session Manager in this article to start out a shell session in managed EC2 instances .

To obtain approval, the operator requests permissions by developing a noticeable change obtain a shell session to an EC2 instance. An approver reviews and approves the noticeable change request. The requestor and approver can’t be the same Identity and Access Management (IAM) principal. Upon approval, an AWS Systems Manager Automation runbook is started. The Automation runbook adds a tag to the operator’s IAM principal which allows it to start out a shell in the specified targets. Automagically, the operator must start the session within ten minutes of approval (even though validity period is configurable). Following the 10 minutes elapse, the tag is removed by the Automation runbook from the main, meaning the permissions to start out new sessions are revoked.

To implement the perfect solution is described in this article, you utilize attribute-based access control (ABAC) based policy. To be able to take up a operational systems Manager session, the tag should be had by the operator’s IAM principal key SecurityAllowSessionInstance, and the tag value set to the mark EC2 instance ID. All operator principals have attached exactly the same managed policy, that allows the session to start out only when the tag exists and the worthiness is add up to the instance ID. Figure 1 shows a good example where the IAM principal tag SecurityAllowSessionInstance gets the value i-1234567890abcdefg, that is exactly like the instance ID.

In this article, we shall take you through the next steps:

1. Review the architecture of the answer. (Start to see the Architecture section.)
2. Create Systems Change and Manager Manager in the console.
3. Deploy an AWS CloudFormation template which will provision the next:
   • A noticeable change management template AllowSsmSessionStartTemplate to request permission for a Session Manager shell session on a specified EC2 instance.
   • The Systems Manager Automation runbook with three steps that: adds a tag to the main; waits ten minutes (configurable); and removes the tag. The tag key &lt is;span>SecurityAllowSessionInstance.
   • An IAM managed policy to be put into an IAM principal, that allows starting a operational systems Manager session only when the tag AllowStartSsmSessionBasedOnIamTags exists.
   • An Amazon SNS topic change-manager-ssm-approval where approvers will get notification about requests.
   • An IAM role named SsmSessionControlChangeMangerRole, to be utilized for the operational systems Manager Automation runbook.

   Note: Before you utilize the noticeable change template, you’ll approve the change management template in the AWS Management Console (onetime).

4. Perform simple test cases to show how an operator can buy permission and begin a session in a managed instance.
5. Perform status monitoring.

This solution may be used by you across your AWS Organizations to offer the advantage of managing change-related tasks in a single member account centrally, that you specify to function as delegated administrator account. To find out more about how to create this up, see Establishing Change Manager for an organization.

Note: The operator might have multiple sessions in various EC2 instances simultaneously, however the sessions should be started and approved one after another due to tag overwrite on approval.

To find out more about change management actions, including approvals and starting the runbook, see Auditing and logging Change Manager activity in the AWS Systems Manager User Guide.

Architecture

The architecture of the solution is shown in Figure 2.

The primary steps shown in Figure 2 will be the following:

1. Request: The requestor (which may be the operator) creates a big change request in Systems Manager Change Manager and selects the template AllowSsmSessionStartTemplate. You will need to provide the next mandatory parameters: name of change, approvals (users, group, or roles), IAM role for the execution of change, target account, EC2 instance ID, operator’s principal type (user or role), and operator’s principal name.
2. Send notification: The notification is delivered to the Amazon SNS topic change-manager-ssm-approval for the brand new change request.
3. Approve: The approver reviews and approves the request.
4. Start automation: The Automation runbook AllowStartSsmSession is started at the proper time specified in the change request.
5. Tag: The operator’s IAM principal is tagged with the main element SecurityAllowSessionInstance. After ten minutes, the runbook completes by detatching the tag from the IAM principal.
6. Start session: The operator can begin a session to the instance through the use of Systems Manager Session Manager within ten minutes of approval. A notification is delivered to the SNS topic change-manager-ssm-approval, where in fact the operator can sign up to be notified.

Permissions&lt and roles;/h3>

The provided managed policy AllowStartSsmSessionBasedOnIamTags gives permission to start out the operational systems Manager session once the instance ID is add up to principal tag, also to terminate the session additionally. The managed policy allows the operator to help keep an already active session beyond the approval interval and terminate it as preferred. Resumption of the session isn’t supported, and the operator should instead take up a new session.

WARNING: You need to validate that the operator principal (that is an IAM user or role) doesn’t have permissions on what ssm:StartSession, ssm:TerminateSession, ssm:ResumeSession beyond your managed policy found in this solution.

WARNING: It is vital that the operator should never have permission to improve the relevant IAM roles, users, policies, or principal tags, so the operator cannot bypass the approval process.

Setup Systems Change and Manager Manager

You will need to initially activate Systems Manager and Systems Manager Change Manager in your account. When you have activated them already, it is possible to skip this section.

Note: You need to enable Systems Manager as described in Establishing AWS Systems Manager, in accordance with your organization needs. The minimal requirement would be to create the service-linked role AWSServiceRoleForAmazonSSM which will be utilized by Systems Manager.

To generate the service-linked IAM role

1. Open the IAM console. In the navigation pane, choose Roles, choose &lt then;strong>Create role.
2. For the AWS Service role type, choose Systems Manager.
3. Pick the use case Systems Manager – Maintenance and Inventory Windows, then choose Next: Permissions.
4. Keep all default values, choose Next: Tags, and choose &lt then;strong>Next: Review.
5. Review the role and choose Create role.

To find out more, see Developing a service-linked role for Systems Manager.

Next, you setup Systems Manager Change Manager as described in Establishing Change Manager. Your specifics shall vary based on whether you utilize AWS Organizations or perhaps a single account.

Define the IAM groups or users that get to approve change templates

Every change template ought to be approved before use (optional). The approval can be carried out by groups and users. If you are using IAM roles in your company, you shall require a temporary user, which you can create as described in Creating IAM users (console). Alternatively, you should use the noticeable change templates without explicit approval, as described in this section later.

To include reviewers for change templates

1. In the AWS Systems Manager console, choose Change Manager, choose Settings, then choose Template reviewers.
2. On the Select IAM approvers page, review the Users &lt and tab;strong>Groups tab, as shown in Figure 3, and add approvers if necessary.

If you like never to review and approve the change template before use explicitly, you must switch off approval the following.

To show off approval of change templates before use

1. In the operational systems Manager console, choose Change Manager, then choose Settings.
2. Under Best practices, set the choice Require template approval and review before use to disabled.

Deploy the solution

Following the setup is completed by you, you’ll &lt perform the next steps;em>one time in your selected AWS and account Region. The permissions are managed by the perfect solution is in all Regions you decide on, because IAM policies and roles are global entities.

To launch the stack

1. Pick the following Launch Stack button to open the AWS CloudFormation console pre-loaded with the template. You need to register to your AWS account to be able to launch the stack in the mandatory Region.
   
2. On the CloudFormation launch panel, specify the parameter Approval validity in minutes to match your organization policy, or keep carefully the default value of ten minutes.

(Optional) To approve the template

1. To request approval of the noticeable change Manager template, in the Systems Manager console, choose Change Manager, and choose Change templates. Select AllowSsmSessionStartTemplate and submit for approval.
2. To approve the Change Manager template, register to the Systems Manager console because the required approver group or user. Choose Change Manager, and choose Change templates. Select AllowSsmSessionStartTemplate and choose Actions, Approve template. To find out more, see Approving and reviewing or rejecting change templates.
3. (Optional) The Systems Manager session approvers should sign up to the SNS topic change-manager-ssm-approval, to obtain notification on new requests.

You’re prepared to utilize the solution now.

Test the solution

Next, we’ll demonstrate ways to test the answer end-to-end by doing the next: creating two IAM roles (Operator and Approver), launching an EC2 instance, requesting access by Operator to the instance, approving the request by Approver, and lastly starting a operational systems Manager session on the EC2 instance by Operator. You shall run the test in the single account where you deployed the perfect solution is. We assume that you have setup Systems Manager as described in the Create Systems Manager and Change Manager section.

Note: If you’re not using IAM roles in your company, it is possible to instead use IAM users, as described in Creating IAM users (console).

To get ready to check the solution

1. Open the IAM console and create an IAM role named Operator in your account, and attach the next managed policies: ReadOnlyAccess (AWS managed) and AllowStartSsmSessionBasedOnIamTags (that you created in this article). To find out more, see Creating IAM roles
2. Develop a second IAM role named Approver in your account, and attach the next AWS managed policies: ReadOnlyAccess and AmazonSSMFullAccess.
3. Create an IAM role named EC2Role with a trust policy to the EC2 service (ec2.amazonaws.com) and attach the AWS managed policy AmazonEC2RoleforSSM. Alternatively, it is possible to concur that your existing EC2 instances have the AmazonEC2RoleforSSM policy mounted on their role. To find out more, see Developing a role for an AWS service (console).
4. Open the Amazon EC2 console and begin a test EC2 instance of type Amazon Linux 2 with the IAM role EC2Role that you created in step 3. The default could be kept by you values for all your other parameters. You don’t have to create VPC Security Group rules to permit inbound SSH to the EC2 instance. Observe the instance-id, as you will later&lt require it;em>. To find out more, see Launch an Amazon EC2 Instance.
5. Open the Amazon SNS console. Under Simple Notification Service, for Topics, sign up to the SNS topic change-manager-ssm-approval. To find out more, see Subscribing to an Amazon SNS topic.

To accomplish a confident test of the solution

1. Open the Systems Manager console, register as Operator, choose Change Manager, and develop a noticeable change request.
2. Choose the template AllowSsmSessionStartTemplate.
3. On the Specify change details page, enter a genuine name and description, and choose the IAM role Approver as approver.
4. For Target notification topic, choose the SNS topic change-manager-ssm-approval, as shown in Figure 4. Choose Next.

   

   Figure 4: Developing a change request

5. On the Specify parameters page, supply the automation IAM role SsmSessionControlChangeMangerRole, the instance-id you earlier noted, the main name Operator, and the main type role, as shown in Figure 5.

   

   Figure 5: Specify parameters for the change request

6. Next, register as Approver. In the operational systems Manager console, choose Change Manager.
7. On the Requests tab, as shown in Figure 6, choose the request and choose Approve. (To find out more, see Reviewing and approving or rejecting change requests (console).) The Automation runbook will be started.

   

   Figure 6: Change Manager overview

8. Register as Operator. Within the approval validity time that you provided in the template (ten minutes is the default), hook up to the instance through the use of Systems Manager as described in Take up a session.Once the session has started and you also see Unix shell at the instance, the positive test is performed.

Next, you can certainly do a negative test, to show that access isn’t possible following the approval validity period (ten minutes) has elapsed.

To accomplish a poor test of the solution

1. Do steps 1 through 7 of the prior procedure, in the event that you haven’t already done so.
2. Register as IAM role Operator. Wait several minutes longer compared to the approval validity time (10-minute default) and hook up to the instance through the use of Systems Manager as described in Take up a session.So as to the IAM role Operator doesn’t have permission to start out a session.

Tidy up the resources

Following the tests are finished, terminate the EC2 instance in order to avoid incurring future costs and take away the roles if they are no more needed.

Status monitoring

In the Systems Manager console, on the Change Manager page, on the Requests tab, you’ll find all ongoing service requests and their status, and a web link to the log of the runbook, as shown in Figure 7.

In the example shown in Figure 7, you can view the status of the next steps in the Automation runbook: tagging the main, waiting, and removing the main tag. To find out more about login and audit, see Auditing and logging Change Manager activity.

Conclusion

In this article, you‘ve learned ways to enforce separation of duties through the use of an approval workflow in AWS Systems Manager Change Manager. It is possible to extend this pattern to utilize it with AWS Organizations also, as described in Establishing Change Manager for an organization. To find out more, see Configuring Change Manager options and best practices.

When you have feedback concerning this post, submit comments in the Comments section below. When you have questions concerning this post, take up a new thread on the AWS Systems Manager forum.

Want more AWS Security how-to content, news, and show announcements? Follow us on Twitter.