Encrypting Systems Manager Sessions
j

Prasiddha Bista

August 16, 2020

I recently discovered that we can encrypt ec2 sessions launched via AWS Systems Manager. I figured it needs a few things in place to make it happen,

  • A KMS key to be used for encrypting sessions with the following policy attached to it.

Refrence

   "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1111111111:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.ap-southeast-2.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt*",
                "kms:Decrypt*",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:Describe*"
            ],
            "Resource": "*"
        }
    ]
}
  • A S3 bucket to store the logs; also encrypted. Turn on default encryption for the bucket using the same KMS Key.
  • A cloudwatch log group.
  • Association of the cloudwatch log group with the KMS key defined above. Example command,

aws logs associate-kms-key --log-group-name stax-session-manager --kms-key-id "arn:aws:kms:ap-southeast-2:1111111111:key/17624518-1d24-4205-9801-a4138937206c"

  • Also, the instances need to have KMS list and get permissions to verify the KMS key presented by Systems Manager.

Hoorah! Easily done!

An aviation enthusiast turned IT geek, Prasiddha comes from a hospitality background where he learnt valuable lessons of life in terms of customer engagements. He recently started his career in IT, working as a Software Engineer focused on Cloud and DevOps. Prasiddha values work ethics and customer relationship and always puts customers first.

Prasiddha Bista

Software Engineer, Cloud and DevOps at Versent

Get connected with Prasiddha :

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Related Articles