Educative: Interactive Courses for Software Developers

Objective#

Make our instances inaccessible from the internet.

Steps#

Set up SSM for SSH access.

In this section, we’re going to make our EC2 instances inaccessible from the internet. The instances will be able to reach the internet using a NAT gateway, but the network will not allow anything from the internet to reach the instances without going through the load balancer.

🔍 Once we make our instances use a NAT gateway to connect to the internet, an additional data transfer charge (currently $0.045/GB in us-east-1) will apply to all traffic that transits the gateway. This includes traffic to other AWS services.

NOTE: It is very important to note that the prices mentioned above are only for the purpose of understanding cost comparisons. These prices are subject to change anytime by AWS. Therefore, most current prices should be referenced for final business decisions.

To avoid the extra charge, most AWS services can be configured to expose an endpoint that doesn’t pass through the internet. This can be done via Gateway VPC Endpoints or Interface VPC Endpoints (AWS PrivateLink).

Set up SSM for SSH access#

One thing that won’t work after we lock down our hosts is EC2 Instance Connect. In order to acquire SSH access to our instances, we’ll have to use AWS Systems Manager Session Manager (SSM).

Let’s start by adding two new managed policies to the IAM role used by our instances.

InstanceRole:
  Type: "AWS::IAM::Role"
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        Effect: Allow
        Principal:
          Service:
            - "ec2.amazonaws.com"
        Action: sts:AssumeRole
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/CloudWatchFullAccess
      - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforAWSCodeDeploy
      - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore 
      - arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy 
    Policies:
      - PolicyName: ec2DescribeTags
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Effect: Allow
              Action: 'ec2:DescribeTags'
              Resource: '*'
    Tags:
      - Key: Name
        Value: !Ref AWS::StackName

Enter to Rename, Shift+Enter to Preview

stage.yml

Line #15 and #16: New policies required to allow SSM access.

Let’s check it in, and deploy.

Enter to Rename, Shift+Enter to Preview

terminal

Enter to Rename, Shift+Enter to Preview

terminal

Note: All the code has been already added and we are pushing it on our repository as well.

Please provide values for the following:

username

Not Specified...

AWS_ACCESS_KEY_ID

Not Specified...

AWS_SECRET_ACCESS_KEY

Not Specified...

AWS_REGION

us-east-1

Github_Token

Not Specified...

Import Values from JSON

/

package.json

stage.yml

server.js

main.yml

github.sh

setup.yml

deploy-infra.sh

stop-service.sh

start-service.sh

buildspec.yml

appspec.yml

deploy-infra.sh

source aws_credentials.sh
STACK_NAME=awsbootstrap
REGION=us-east-1 
CLI_PROFILE=awsbootstrap
EC2_INSTANCE_TYPE=t2.micro 
DOMAIN=educative-cloud-course.com
CERT=`aws acm list-certificates --region $REGION --profile awsbootstrap --output text --query "CertificateSummaryList[?DomainName=='$DOMAIN'].CertificateArn | [0]"` 
GH_ACCESS_TOKEN=$(cat ~/.github/aws-bootstrap-access-token)
GH_OWNER=$(cat ~/.github/aws-bootstrap-owner)
GH_REPO=$(cat ~/.github/aws-bootstrap-repo)
GH_BRANCH=master
AWS_ACCOUNT_ID=`aws sts get-caller-identity --profile awsbootstrap --query "Account" --output text`
CODEPIPELINE_BUCKET="$STACK_NAME-$REGION-codepipeline-$AWS_ACCOUNT_ID" 
echo $CODEPIPELINE_BUCKET
CFN_BUCKET="$STACK_NAME-cfn-$AWS_ACCOUNT_ID"
echo $CFN_BUCKET
# Deploys static resources
echo "\n\n=========== Deploying setup.yml ==========="
aws cloudformation deploy \
  --region $REGION \
  --profile $CLI_PROFILE \
  --stack-name $STACK_NAME-setup \
  --template-file setup.yml \
  --no-fail-on-empty-changeset \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameter-overrides \

Enter to Rename, Shift+Enter to Preview

To connect from our local terminal, we can install the SSM plugin for the AWS CLI while the CloudFormation changes are deploying.

Enter to Rename, Shift+Enter to Preview

terminal

🔍 Sometimes it can take a while for the updated IAM role to take effect on instances that are already running. If your instances are failing to connect via SSM, you can try terminating your instances and letting the ASG replace them with fresh ones.

We should now be able to open a shell on a remote host with the AWS CLI. Once the connection goes through, we are connected as ssm-user, not our familiar ec2-user. So before we do anything else, we must switch to ec2-user and change into the appropriate home directory.

$ aws ssm start-session --profile awsbootstrap --target i-07c5a5b5907d43ca7 
Starting session with SessionId: josh-0024a17ad7747b5e6
sh-4.2$ sudo su ec2-user
[ec2-user@ip-10-0-192-31 bin]$ pwd
/usr/bin
[ec2-user@ip-10-0-192-31 bin]$ cd ~
[ec2-user@ip-10-0-192-31 ~]$ pwd
/home/ec2-user
[ec2-user@ip-10-0-52-140 ~]$ # admin commands here
[ec2-user@ip-10-0-52-140 ~]$ exit
exit
sh-4.2$ exit
exit
Exiting session with sessionId: josh-0024a17ad7747b5e6.

Enter to Rename, Shift+Enter to Preview

terminal

Line #1: Replace i-07c5a5b5907d43ca7 with an instance ID from your fleet.

We can also continue to use the AWS console to SSH to our instances. But now we have to choose Session Manager instead of EC2 Instance Connect.

SSM Connection

In the next lesson, we will add private subnets and NAT Gateway for our application.

Part 1: The Good Parts

Part 2: The Bootstrap Guide

Network Security: Set up SSM for SSH Access

Objective#

Steps#

Set up SSM for SSH access#

/