Encryption of SSM session data using KMS

 
 

Encryption of SSM session data using KMS SSM header

Connecting to your EC2 Instances using Session Manager is for years already a default. However most of the users are just using the defaultTLS 1.2 encryption that AWS already provides by default. For most of the usecases this is ok, but sometimes it is required to encrypt your sessions with your own KMS Keys. Encrypting session data with your key also enables sessions to handle confidential data interactions, such as password resets, and further improves your security posture when using Systems Manager Session Manager. To use the option to encrypt session data using a key created in AWS KMS, version 2.3.539.0 or later AWS Systems Manager SSM Agent must be installed on the managed instance.

In addition i would also recommend to log the session data either to S3 or to CloudWatch and to encrypt the session data which is logged to the destination using your own KMS Key. In the following post I will explain how to automatically configure the SSM default settings to secure your session data using your own KMS key.

Architecture
Architecture Overview

Setup

  1. Set up the required KMS Keys using this template using StackSet or Stack - this template will create the needed KMS Keys for SSM and CloudWatch with permissions.
  2. Create a LambdaLayer with boto3 or use a prebuild layer.
  3. Deploy the following template using StackSet or Stack - the template which I provided will configure your Session Manager.

After successfull deployment:

Session Manager Settings
Session Manager Settings

  1. Optionally secure CloudWatch LogGroup using SCPs. Since the CloudWatch LogGroup from Session Manager will contain sensitve data, I would recommend to secure the LogGroup using SCPs so that only a few people from your audit team can read them.
{
  "Version": "2012-10-17",
  "Statement": [
{
      "Sid": "CloudWatchLogsDeny",
      "Effect": "Deny",
      "Action": [
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/ssm/SessionManagerLogGroup:*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/AuditRole"
          ]
        }
      }
    }
  ]
}

Usage

Now you can either use your browser or CLI to connect to your instance using the Session Manager and during the session all data will be encrypted using your own KMS Key.

ℹ️ You can not use aws ssm start-session with the --profile flag that needs a MFA because there is an 🚨 issue right now that the command doens't ask for MFA.

Workaround: Using awsume solves this problem.



      

Best practices for REST API development

What to consider when designing a REST API

 

Jun 13th 2021

 

Walter Kopp

CloudFront Functions

Run your code highly favorable and next to your Customer

 

May 31st 2021

 

David Krohn

Terraform CLI Workflow Improvements

Tips and Tricks to make navigating terraform easier

 

May 27th 2021

 

Felix Brilej