AWS EC2 permissions configuration change draws cheers, confusion
What... what's happening here exactly?
AWS Systems Manager now lets AWS customers configure permissions for all EC2 instances in an account in a single action, using its Default Host Management Configuration (DHMC) feature.
“Life saver”, “thank goodness” and “this is huge” were among the early user reactions to the move, which AWS said on February 17 was designed to provide a “simple, scalable process to standardize the availability of Systems Manager tools for users who manage a large number of instances.” (Often still a very manual process.)
(Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and automate operational tasks across your AWS resources. DHMC lets Systems Manager manage your Amazon EC2 instances automatically. The update provides a way to ensure all core Systems Manager capabilities such as Patch Manager, Session Manager, and Inventory are available for all new and existing instances in an account, said AWS -- with the AWS Systems Manager feature essentially letting customers enable the service on all EC2 instances in an account, without having to attach an IAM Role/instance profile to every EC2 instance.)
"Even more useful to me is that you can access the instances without opening ports with security groups,” said one AWS user on Reddit. “You can even log into instances with no access to public internet.
"Technically, you've always had that ability with SSM [Simple Systems Manager], but now you can enable it by default across entire accounts," they added in the AWS Reddit discussion. (The SSM agent runs inside EC2 instances and lets users do things like run scripts or get remote shell or PowerShell access to an instance.)
Yet the update has raised some questions about access and security among users.
SSM and the ability to "SSH" with it have been around since roughly 2019, when AWS released the same functionality a month apart with EC2 Instance Connect and then SSM SSH tunneling, noted AWS security expert Scott Piper, principal cloud security researcher at Wiz. He told The Stack: "Neither of those have completely replaced SSH as much as one might expect. In part, it could just be because some folks don't know about them, but a big reason is that with SSM, you've needed to ensure the IAM role has a certain set of privileges. In some ways this is good that there is this friction there, because some AWS customers have large monolithic accounts where they may have some engineers that need access to one set of EC2s, and another group of engineers that need access to a different set, and you don't want to accidentally grant one group access to the wrong set of EC2s..."
One question users may have been asking is whether this feature suddenly grants everyone in an account access to all EC2s. Piper noted: "Another big question is if this functionality is working outside of the IAM role privileges that for the past 3 years have been used to control SSM on an EC2, then what is giving these EC2s this capability? Is there a second set of privileges that are being used on the EC2? And if so, then how do you know what access an EC2 has if now it has potentially two different sets of privileges?
"It seems that there is a second set of credentials that the EC2 ends up with through this functionality, but that it can only be used by SSM" he mused -- AWS is understood to be adding some documentation to help answer these questions in the near future and The Stack will update this story as/when we see it.
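As an added example (not from the article, AWS or Piper), here is a small Python audit that answers the question raised above from the defender's side: it reads the Systems Manager service setting that DHMC is enabled through, reports which role, if any, every EC2 instance in the account/Region can now be managed with, and checks that role's trust policy only lets the Systems Manager service, acting for this account, assume it. The setting ID, the `$None` sentinel and the response shapes are assumptions taken from the AWS API as I know it; the sample responses and role name are constructed.

```python
# Service setting DHMC is configured through (one per account per Region); assumed ID.
DHMC_SETTING_ID = "/ssm/managed-instance/default-ec2-instance-management-role"
NOT_CONFIGURED = "$None"      # assumed sentinel while DHMC has never been enabled
SSM_SERVICE = "ssm.amazonaws.com"

def dhmc_role(setting_response):
    """Name of the account-wide default management role, or None if DHMC is off."""
    setting = setting_response.get("ServiceSetting", {})
    if not setting.get("SettingId", "").endswith(DHMC_SETTING_ID):
        raise ValueError("not the DHMC service setting")
    value = setting.get("SettingValue", NOT_CONFIGURED)
    return None if value == NOT_CONFIGURED else value

def trust_policy_findings(trust_policy, account_id):
    """Flag Allow statements that let anything but Systems Manager, acting for
    this account, assume the DHMC role (the 'second set of privileges')."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or "AWS" in principal:
            findings.append("non-service principal may assume the role")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        if any(s != SSM_SERVICE for s in services):
            findings.append("service principal other than " + SSM_SERVICE)
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:SourceAccount") != account_id:
            findings.append("missing aws:SourceAccount condition")
    return findings

# Constructed sample data shaped like the API responses (not real account output).
ACCOUNT = "123456789012"
ENABLED = {"ServiceSetting": {"SettingId": DHMC_SETTING_ID,
                              "SettingValue": "SSMDefaultEC2ManagementRole"}}
DISABLED = {"ServiceSetting": {"SettingId": DHMC_SETTING_ID, "SettingValue": NOT_CONFIGURED}}
TIGHT_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": SSM_SERVICE}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT}}}]}
LOOSE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": SSM_SERVICE}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print("DHMC role:", dhmc_role(ENABLED) or "not configured")
    print("tight trust findings:", trust_policy_findings(TIGHT_TRUST, ACCOUNT))
    print("loose trust findings:", trust_policy_findings(LOOSE_TRUST, ACCOUNT))
```

In a live account the two inputs would come from `aws ssm get-service-setting` and `aws iam get-role` for the role the setting names; a role with no findings still grants every instance in the Region whatever its attached permissions policy allows, so that policy deserves the same review.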
The move comes as the hyperscaler continues to tweak its services for cross-service interoperability and improved user experience and ease of use; The Stack noted a quiet but real focus from AWS on this when reviewing the 100+ updates announced during 2022’s re:Invent conference; see our synopsis of each below.
AWS added on February 17: “DHMC also simplifies the experience of managing access to EC2 instances by attaching permissions at the account level, and removing the requirement to alter existing instance profile roles to enable Systems Manager” with a “few clicks” from the Fleet Manager console. The feature is available in all commercial and AWS GovCloud (US) Regions, excluding the China (Beijing) region(s).