Benefits of AWS Systems Manager Session Manager

AWS Systems Manager Session Manager (SSM) has many benefits to secure remote connections:

• Inbound ports do not need to be open
• SSH keys are not required
• Access can be defined in IAM policies
• Works with regular AWS command line Single Sign On (SSO) + Multi Factor Authentication (MFA) (triggered via Single Sign on)

Shortcomings

• SSH sessions are not recorded
• IAM (Identity Access Manager) Policies are not user friendly
• A SSO provider compromise could leave your infrastructure vulnerable

Enhancing Security

Use something like a Yubikey would improve your security when connecting to to SSM

Fixing all the Shortcomings (and Enhanced Security)

I recently became aware of BastionZero, which has fixed these problems. 

Additional Independent MFA

Their product adds an additional independent MFA to the authentication process.  This means if Okta (for example) were compromised, or your employee was a victim of credential stuffing + MFA Push bombing, your infrastructure stays secure (as there is a separate, independent, MFA to Bastion Zero).

I put together a little video that shows how it works:

Targets

The BastionZero product is easy to deploy and will autodiscover your assets.

Policy Management

Their product also provides an easy way to manage which end users can access what asset (and role).

SSH Session Recording

Regular SSM does not record SSH sessions, but BastionZero does! Here is an example of how to view your recordings: