Tricks using Cloud #2: Secure SSH connection to on-premise servers

In this episode, we learn how to secure connections to our own on-prem servers using cloud tools like AWS Systems Manager.

We’re talking about SSH and RDP, the two protocols most commonly used to connect to Linux and Windows operating systems.

These protocols are a frequent target: someone with bad intentions who can reach them may get into your environment and, for example, encrypt your files and demand a ransom in Bitcoin. The most secure option is to block SSH/RDP entirely, even from the corporate network or the VPN. In that case the question arises: how can I administer my servers if these protocols are closed?

There are open-source tools like Apache Guacamole; it’s a great tool, and it can also record RDP and SSH sessions. If you want a dedicated how-to guide, let me know in the comments. I implemented Guacamole in production for some customers and it works well. In that setup you need to open the SSH/RDP ports only from the Guacamole server. But in this series of articles I want to show how to use, with low effort, some serverless tools available in the cloud.

To connect over SSH or RDP to our on-premises servers, we can use the Fleet Manager feature of the AWS Systems Manager service. It lets customers manage EC2 instances and on-premises machines, or simply access a Raspberry Pi at home from an external network, without activating VPN access or opening the SSH port on the internal network. Everything works without opening SSH or RDP in the inbound firewall rules, just through a secure browser-based connection from the AWS console. This also adds a security layer, because users must sign in to the AWS console with their AWS credentials (IAM user) and MFA, which can be made mandatory.
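Making MFA mandatory for the console users who will open these sessions is the part that turns "browser-based access" into an actual extra layer. The following is an added example, not code from the original post or from AWS: a small shell script that emits an IAM policy document denying session start unless the caller authenticated with MFA, checks the document, and (optionally) creates it with the AWS CLI. The action names `ssm:StartSession` (Fleet Manager / Session Manager terminal) and `ssm-guiconnect:*` (Fleet Manager RDP) follow AWS documentation; the policy name `RequireMfaForSsmSessions` is an assumption.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): IAM policy that denies starting
# Fleet Manager / Session Manager sessions unless MFA was used at sign-in.
# Assumptions: ssm:StartSession backs the browser terminal and
# ssm-guiconnect:* backs the RDP connection (per AWS docs); the policy name
# and the presence of the AWS CLI are assumed.
set -eu

# Print the policy document. BoolIfExists + "false" is the standard pattern:
# the deny also fires when the MFA context key is absent from the request.
mfa_required_policy() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySessionsWithoutMFA",
      "Effect": "Deny",
      "Action": [
        "ssm:StartSession",
        "ssm-guiconnect:*"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
EOF
}

# Check the document before sending it to IAM: the condition key must be
# present, and the JSON must parse if python3 happens to be available.
policy_looks_valid() {
    doc=$(mfa_required_policy)
    printf '%s' "$doc" | grep -q '"aws:MultiFactorAuthPresent": "false"' || return 1
    if command -v python3 >/dev/null 2>&1; then
        printf '%s' "$doc" | python3 -c 'import json,sys; json.load(sys.stdin)' || return 1
    fi
    return 0
}

# Create the managed policy; attach it afterwards to the IAM group (or users)
# that are allowed to use Fleet Manager.
create_policy() {
    policy_looks_valid || { echo "policy document is malformed" >&2; return 1; }
    aws iam create-policy --policy-name RequireMfaForSsmSessions \
        --policy-document "$(mfa_required_policy)"
}
```

Run `create_policy` from an administrator identity, then attach the policy to the group of console users; because it is an explicit Deny, it wins over any Allow those users already have.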

The prerequisites are the same as before: sign up for a free AWS account and register your own payment method in the Billing and Cost Management console. I described the steps in my first episode here.

In the Systems Manager console, select Hybrid Activations and create an activation token to run on the servers we want to register with AWS.

In the activation settings section we can give a description and an expiration date for the token that will be generated at the end of the procedure.

Activation Code   97+jjlBepvv2+QXqBcon

Activation ID   1fafbdde-1c95-4266-85d5-a8aa2e6b14b4

After you have safely saved the activation code and ID, let’s install amazon-ssm-agent on our servers. In my case I used my own Raspberry Pi 3, which has been compatible with this service since 2017.

# working directory for the installer
mkdir /tmp/ssm
# download ssm-setup-cli for Debian on ARM from the regional bucket (eu-south-1 here)
curl https://amazon-ssm-eu-south-1.s3.eu-south-1.amazonaws.com/latest/debian_arm/ssm-setup-cli -o /tmp/ssm/ssm-setup-cli
sudo chmod +x /tmp/ssm/ssm-setup-cli
# install the agent and register this host with the activation code and ID created in the console
sudo /tmp/ssm/ssm-setup-cli -register -activation-code "97+jjlBepvv2+QXqBcon" -activation-id "1fafbdde-1c95-4266-85d5-a8aa2e6b14b4" -region "eu-south-1"

I used the eu-south-1 (Milan) region, but if you use Systems Manager in another region adjust the link and the command with the appropriate region code.
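The same registration, as an added example that is not part of the original post, written so the region is a parameter and the activation code is read from the environment instead of being typed into the command line (where it would land in shell history and be visible in process listings while the installer runs). It assumes the download URL keeps the pattern shown above, `amazon-ssm-<region>.s3.<region>.amazonaws.com/latest/<arch>/ssm-setup-cli`; `debian_arm` is the value from the post, and other architecture names such as `debian_amd64` are assumed to follow the naming AWS uses for ssm-setup-cli.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): register an on-prem Linux host
# with the Hybrid Activation created in the Systems Manager console.
# Assumptions: URL pattern as in the post, curl and sudo present, and the
# activation code/ID supplied via SSM_ACTIVATION_CODE / SSM_ACTIVATION_ID.
set -eu

# Build the installer URL for a region and package architecture.
# The region appears twice (bucket name and S3 endpoint).
ssm_setup_url() {
    region="$1"
    arch="${2:-debian_arm}"
    printf 'https://amazon-ssm-%s.s3.%s.amazonaws.com/latest/%s/ssm-setup-cli\n' \
        "$region" "$region" "$arch"
}

# Accept only region codes shaped like eu-south-1 or ap-southeast-2, so a
# typo cannot turn into a download from an unexpected host name.
valid_region() {
    printf '%s' "$1" | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]$'
}

register_node() {
    region="$1"
    arch="${2:-debian_arm}"
    valid_region "$region" || { echo "bad region code: $region" >&2; return 1; }
    # Fail early, with a clear message, if the secrets are not in the environment.
    : "${SSM_ACTIVATION_CODE:?set SSM_ACTIVATION_CODE from the console; do not hard-code it}"
    : "${SSM_ACTIVATION_ID:?set SSM_ACTIVATION_ID from the console}"

    workdir=$(mktemp -d /tmp/ssm.XXXXXX)
    # -f makes curl fail on an HTTP error instead of saving an error page as the binary.
    curl -fsSL "$(ssm_setup_url "$region" "$arch")" -o "$workdir/ssm-setup-cli"
    chmod 0755 "$workdir/ssm-setup-cli"
    sudo "$workdir/ssm-setup-cli" -register \
        -activation-code "$SSM_ACTIVATION_CODE" \
        -activation-id "$SSM_ACTIVATION_ID" \
        -region "$region"
    rm -rf "$workdir"
    # The agent must be running for the node (id mi-...) to show up in Fleet Manager.
    sudo systemctl is-active amazon-ssm-agent
}

# Run only when a region argument is given, so the functions can also be
# sourced without touching the network.
if [ "${1:-}" != "" ]; then
    register_node "$@"
fi
```

Usage on the Pi: `SSM_ACTIVATION_CODE='...' SSM_ACTIVATION_ID='...' sh register.sh eu-south-1`. Unset both variables (or close the shell) once the node shows as Online in Fleet Manager; the activation only needs to be presented once.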

After the last command has registered your OS with AWS, move to the Fleet Manager section and find our node.

Please note that to enable on-premises node registration we need to change the instance tier to Advanced, and AWS will apply additional charges: $0.00695 per advanced on-premises instance per hour.

After enabling this tier, we can connect over SSH to our node from the Node actions menu.

There you go! You are in the terminal console of a Raspberry Pi without any open port.

If the managed node is Windows, you can choose either a PowerShell session or a Remote Desktop session.

With Systems Manager we can also perform other administration tasks through the Run Command feature, such as patching nodes, editing the registry, managing users or installing software, on a single instance or on a group of instances.

I hope this guide has been helpful if you are looking for a solution that lets you use secure connections without opening firewall ports.

I leave you the link to the official product page https://aws.amazon.com/systems-manager/features/ for more information.

Thanks for reading.
