Encrypting Systems Manager Sessions

Prasiddha Bista

August 16, 2020

I recently discovered that EC2 sessions launched via AWS Systems Manager (Session Manager) can be encrypted. A few things need to be in place to make it happen:

  • A KMS key to be used for encrypting sessions with the following policy attached to it.

Reference

{
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1111111111:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.ap-southeast-2.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt*",
                "kms:Decrypt*",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:Describe*"
            ],
            "Resource": "*"
        }
    ]
}
  • An S3 bucket to store the session logs, also encrypted: turn on default encryption for the bucket using the same KMS key.
  • A CloudWatch log group.
  • Association of the CloudWatch log group with the KMS key defined above. Example command:

aws logs associate-kms-key --log-group-name stax-session-manager --kms-key-id "arn:aws:kms:ap-southeast-2:1111111111:key/17624518-1d24-4205-9801-a4138937206c"

  • Also, the instances need KMS list and get permissions so they can verify the KMS key presented by Systems Manager.
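The steps above, strung together as one AWS CLI script. This is an added example and not code from the original post; it assumes the AWS CLI is installed and credentialed, and the account id, region, bucket, log group and instance role names are constructed placeholders to replace with your own. The instance-side policy grants kms:Decrypt on the key (what the SSM agent needs to unwrap the per-session data key) together with kms:DescribeKey, scoped to that one key ARN. The final step writes the regional Session Manager preferences (the SSM-SessionManagerRunShell document), which is where the key, bucket and log group are actually wired to sessions; the input names used there are my reading of that document's schema, so compare them with the document in your own account before applying.

```shell
#!/bin/sh
# Added example, not from the original post. Provisions the pieces needed to
# encrypt Session Manager sessions. All names below are constructed placeholders.
ACCOUNT_ID="${ACCOUNT_ID:-111111111111}"
REGION="${REGION:-ap-southeast-2}"
LOG_GROUP="${LOG_GROUP:-session-manager-logs}"
BUCKET="${BUCKET:-example-session-manager-logs-${ACCOUNT_ID}}"
INSTANCE_ROLE="${INSTANCE_ROLE:-SessionManagerInstanceRole}"

# Key policy with the same two statements as the post: the account root
# administers the key, and CloudWatch Logs in this region may use it.
key_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::$1:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow CloudWatch Logs to use the key",
      "Effect": "Allow",
      "Principal": {"Service": "logs.$2.amazonaws.com"},
      "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:Describe*"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Inline policy for the instance profile role: the SSM agent must decrypt the
# per-session data key, so scope it to this one key ARN rather than "*".
instance_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:DescribeKey"],
    "Resource": "$1"
  }]
}
EOF
}

# Default bucket encryption: SSE-KMS with the same key.
bucket_encryption_json() {
  cat <<EOF
{"Rules": [{"ApplyServerSideEncryptionByDefault":
  {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "$1"}}]}
EOF
}

# Regional Session Manager preferences (assumed schema of the
# SSM-SessionManagerRunShell document). kmsKeyId turns on session encryption;
# the other inputs route the session log to the encrypted bucket and log group.
session_prefs_json() {
  cat <<EOF
{
  "schemaVersion": "1.0",
  "description": "Document to hold regional settings for Session Manager",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "$2",
    "s3KeyPrefix": "",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "$3",
    "cloudWatchEncryptionEnabled": true,
    "kmsKeyId": "$1",
    "runAsEnabled": false,
    "runAsDefaultUser": "",
    "shellProfile": {"windows": "", "linux": ""}
  }
}
EOF
}

provision() {
  key_id=$(aws kms create-key --region "$REGION" \
    --policy "$(key_policy_json "$ACCOUNT_ID" "$REGION")" \
    --query KeyMetadata.KeyId --output text)
  key_arn="arn:aws:kms:$REGION:$ACCOUNT_ID:key/$key_id"
  aws s3api create-bucket --bucket "$BUCKET" --region "$REGION" \
    --create-bucket-configuration LocationConstraint="$REGION"
  aws s3api put-bucket-encryption --bucket "$BUCKET" \
    --server-side-encryption-configuration "$(bucket_encryption_json "$key_arn")"
  aws logs create-log-group --region "$REGION" --log-group-name "$LOG_GROUP"
  aws logs associate-kms-key --region "$REGION" \
    --log-group-name "$LOG_GROUP" --kms-key-id "$key_arn"
  aws iam put-role-policy --role-name "$INSTANCE_ROLE" \
    --policy-name SessionManagerKmsDecrypt \
    --policy-document "$(instance_policy_json "$key_arn")"
  session_prefs_json "$key_arn" "$BUCKET" "$LOG_GROUP" > /tmp/session-prefs.json
  aws ssm update-document --region "$REGION" --name SSM-SessionManagerRunShell \
    --content file:///tmp/session-prefs.json --document-version '$LATEST'
  echo "Session Manager now encrypts sessions with $key_arn"
}

# Only touches the account when run as: sh encrypt-sessions.sh apply
if [ "${1:-}" = "apply" ]; then provision; fi
```

Run it with `apply` to provision; without the argument it only defines the policy-generating functions, which is handy for reviewing the documents before anything is created. Two things to check first: the SSM-SessionManagerRunShell document only exists after preferences have been saved once (use `aws ssm create-document` instead of `update-document` on a fresh region), and the IAM user or role that starts sessions also needs kms:GenerateDataKey on the key, which this script does not grant.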

Hoorah! Easily done!

An aviation enthusiast turned IT geek, Prasiddha comes from a hospitality background where he learnt valuable lessons of life in terms of customer engagements. He recently started his career in IT, working as a Software Engineer focused on Cloud and DevOps. Prasiddha values work ethics and customer relationship and always puts customers first.

Prasiddha Bista

Software Engineer, Cloud and DevOps at Versent


3 Comments

  1. Sweta Sharma

    I think this is among the most vital information for me. And I'm glad reading your article. But want to remark on some general things: the site style is ideal, the articles are really great :D. Good job, cheers

    Reply
  2. Naprawa Doshi

    An interesting post right there mate. Cheers for it.

    Reply
  3. Raje Podatkowe

    This can be a really excellent read personally. Must admit that you are among the finest bloggers I ever saw.

    Reply
