
Wednesday, January 8, 2020

Replace SSH with SSM on AWS

Setting up SSM can be a bit of a black art.  The AWS docs are extensive, but it's hard to figure out exactly what you need to do.  A lot of that is because SSM can do so much: it has OpsCenter and various other features bundled in.  So let's do this quick and dirty.


Setup System Manager

  • Go to AWS System Manager
    • On the left of the screen select Quick Setup
    • If it’s already been used, select the “Edit all” button on the right side of the screen.
    • Use default roles
    • Use default quick setup options
    • For targets select “Specify instance tags”
      • I used the tag ssm:true
    • Click reset

Add Instance to Inventory


  • Find instance in EC2 console
    • Attach the IAM role “AmazonSSMRoleForInstancesQuickSetup”
      • Alternately, add the "AmazonSSMManagedInstanceCore" policy to the existing role.
    • Set the tag for ssm (example ssm:true)
  • Install SSM agent 
    • You’re done if you are using a recent Amazon Linux image, but it may take 10 minutes to connect if the agent has backed off its retries.  
      • If you are in a hurry, manually restart the agent or reboot the instance.
    • Some newer Ubuntu AMIs also seem to have the ssm agent installed via snap.


Install SSM Agent Ubuntu
Note that newer Ubuntu AMIs also seem to have the ssm agent installed via snap.


  • wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
  • sudo dpkg -i amazon-ssm-agent.deb
  • sudo systemctl enable amazon-ssm-agent
  • sudo systemctl start amazon-ssm-agent
Note: if this fails because the ssm agent was already installed with snap, just restart the snap-installed agent and remove the deb package:
  • sudo snap restart amazon-ssm-agent
  • sudo snap services amazon-ssm-agent
  • sudo dpkg -r amazon-ssm-agent


Install SSM Centos

  • sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
  • sudo systemctl enable amazon-ssm-agent
  • sudo systemctl start amazon-ssm-agent

Installing SSM at instance launch


Set up the instance normally, with the following changes on the Configure Instance page:
  • Set the IAM role to AmazonSSMRoleForInstancesQuickSetup
  • Under Add Tags, add ssm:true
  • For Linux images without the ssm agent installed by default:
    • Open Advanced Details and add the installation commands from above to user data.

Install via Snap

Snap really isn't what you want to use for this, but if there is no native rpm, deb or whatever it's better than a tar file install.

  • sudo snap install amazon-ssm-agent --classic
  • sudo snap enable amazon-ssm-agent
  • sudo snap restart amazon-ssm-agent


SSM endpoints



You must create these endpoints if your instances don’t have public IPs and are on isolated networks. If you have a NAT you should be fine as well. Note that the instance only needs to reach the SSM services, not the internet in general.


  • Go to VPC service, and select “Endpoints” on the left.
  • Create endpoints for the following services (replace “region” with the region the instances are in)
    • com.amazonaws.region.ssm
    • com.amazonaws.region.ssmmessages
    • com.amazonaws.region.ec2
    • com.amazonaws.region.ec2messages
    • com.amazonaws.region.s3

Getting a Console

Web


  • Go to AWS Systems Manager
  • Find Session Manager on the Left
  • Select Start Session on Right
  • Select instance, and click start session.


CLI


SSH via SSM

Install session manager plugin https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html

  • Check that you can see instances with “aws ssm get-inventory”
  • Edit ~/.ssh/config to add:

# SSH over Session Manager
host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

  • Use the instance id instead of the DNS name or IP.
Now you can do this:
sftp -i my.pem ubuntu@i-ffdfgdsb:
scp -i my.pem stuff.tgz ubuntu@i-dsdffgds:
ssh -i my.pem ubuntu@i-dsdfsdf


You may need to set the region or profile in the ProxyCommand in .ssh/config.  You can add an exact host entry if you have an instance in another region.  If you have multiple accounts you might need to set a profile.
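Before editing ssh config it helps to know which tagged instances SSM actually sees. The following script is an added example, not from the original post: it takes the JSON shapes of "aws ec2 describe-instances" and "aws ssm describe-instance-information" (constructed samples are embedded so it runs offline) and lists instances that are online, registered but not pinging, and tagged ssm:true but missing from SSM entirely. The aws_json helper and the instance ids are assumptions for illustration.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample in the shape of `aws ec2 describe-instances --filters Name=tag:ssm,Values=true`
EC2_SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "State": {"Name": "running"}, "Tags": [{"Key": "ssm", "Value": "true"}]},
    {"InstanceId": "i-0bbb222", "State": {"Name": "running"}, "Tags": [{"Key": "ssm", "Value": "true"}]},
    {"InstanceId": "i-0ccc333", "State": {"Name": "running"}, "Tags": [{"Key": "ssm", "Value": "true"}]},
]}]}

# Constructed sample in the shape of `aws ssm describe-instance-information`
SSM_SAMPLE = {"InstanceInformationList": [
    {"InstanceId": "i-0aaa111", "PingStatus": "Online"},
    {"InstanceId": "i-0bbb222", "PingStatus": "ConnectionLost"},
]}


def aws_json(args: List[str]) -> dict:
    """Run an aws cli command and parse its JSON output; pass --region/--profile in args as needed."""
    proc = subprocess.run(["aws", *args, "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def tagged_running(ec2: dict, tag_key: str = "ssm", tag_value: str = "true") -> List[str]:
    """Instance IDs that are running and carry the tag Quick Setup targets (ssm:true on this page)."""
    ids = []
    for reservation in ec2.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if inst.get("State", {}).get("Name") == "running" and tags.get(tag_key) == tag_value:
                ids.append(inst["InstanceId"])
    return ids


def reconcile(ec2: dict, ssm: dict) -> Dict[str, List[str]]:
    """Classify tagged instances by what Systems Manager reports for them."""
    ping = {i["InstanceId"]: i.get("PingStatus", "") for i in ssm.get("InstanceInformationList", [])}
    report: Dict[str, List[str]] = {"online": [], "not_online": [], "missing": []}
    for iid in tagged_running(ec2):
        if iid not in ping:
            report["missing"].append(iid)      # never checked in: role, agent or endpoint problem
        elif ping[iid] == "Online":
            report["online"].append(iid)
        else:
            report["not_online"].append(iid)   # registered once, not pinging now (agent stopped/backed off)
    return report


if __name__ == "__main__":
    # Swap the samples for live data, e.g. aws_json(["ec2", "describe-instances", "--region", "us-east-1"])
    print(json.dumps(reconcile(EC2_SAMPLE, SSM_SAMPLE), indent=2))
```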


Troubleshooting



Can’t connect with the aws cli
  • Are you using the right region? “--region <region>”
  • Are you using the right profile?


Can connect via the web, but not the cli, on an instance you recently installed the ssm agent on.
  • Check that the ssm-user user and group exist
  • Check the logs for amazon-ssm-agent


Can’t get the ssm agent to connect on an isolated network.
Remember that SSM needs to connect to AWS services to work, so do one of the following:
