AWS Fleet Manager Empowers Secure Remote Access: A Seamless Solution

TP - 04.05.2024

Ankit Yadav - Cloud Center of Excellence

Fleet Manager, a robust AWS service, facilitates secure remote access to Windows and Linux servers, including on-premises servers, without the necessity to open default ports. It further delivers seamless single sign-on (SSO) capabilities to Amazon EC2 Windows instances through integration with AWS IAM Identity Center. Its key features include:

Centralized management


Fleet Manager allows centralized management and administration of server fleets, regardless of their location, ensuring a high level of security. This eliminates the need to expose traditional remote access ports, such as RDP or SSH, thereby minimizing the attack surface and reducing the risk of unauthorized access.

Secure connections


Leveraging AWS Systems Manager, Fleet Manager establishes secure and encrypted connections between management instances and target servers. This guarantees the confidentiality and integrity of data during remote access sessions. By utilizing agent-based communication and AWS-managed infrastructure, it maintains tight control over remote access while ensuring efficiency.


IAM integration


Fleet Manager integrates seamlessly with AWS IAM Identity Center, enabling SSO to Amazon EC2 Windows instances. This integration utilizes the robust capabilities of AWS Identity and Access Management (IAM), providing granular control over user access and enhancing security by allowing only authorized individuals to log in.

How does it compare with market products?


Fleet Manager vs. BeyondTrust PAM Solution


Fleet Manager can serve as a compelling alternative to market products like BeyondTrust PAM Solution. Here's how it aligns with similar capabilities:

  1. Remote access. Fleet Manager ensures secure remote access to Windows and Linux servers with encrypted connections, similar to BeyondTrust PAM Solution.
  2. Privileged access management. Fleet Manager enables centralized management of server fleets, offering control over privileged access, akin to BeyondTrust PAM Solution.
  3. Security and compliance. Fleet Manager enhances security by reducing the attack surface and integrating with AWS IAM, aligning with the security features of BeyondTrust PAM Solution.
  4. Seamless single sign-on. Fleet Manager, in conjunction with AWS IAM Identity Center, provides seamless SSO to Amazon EC2 Windows instances, offering a secure and efficient login experience, akin to the capabilities of BeyondTrust PAM Solution.


While BeyondTrust PAM Solution may have unique features, Fleet Manager offers a scalable and integrated solution within the AWS ecosystem. This consolidation simplifies management, reduces costs, and leverages AWS's secure infrastructure, providing a seamless and secure experience for server fleet management.

How to Set Up this Solution for On-Premises and AWS


Prerequisites


The prerequisites for this example are that you have:

  1. Configured AWS IAM Identity Center in your account with provisioned users and groups
  2. An EC2 Windows instance managed by AWS Systems Manager Fleet Manager

Solution architecture


The following diagram shows the steps you will follow to configure and use an AWS IAM Identity Center user identity to log in to an EC2 Windows instance.


How does it work?

  1. Create a tunnel between your on-premises network and the AWS Cloud (optional: only if you want to use this RDP solution for on-premises servers as well).
  2. From the AWS IAM Identity Center console, go to AWS accounts, select the Permission sets tab, choose Create permission set and then choose Custom permission set.
  3. Name your permission set and fill out the required fields, making sure to select Create a custom permissions policy at the bottom of the page. See the sample custom permissions policy below for details on the policy.
  4. After creating the custom permissions policy, you can also apply optional tagging. When you are done, review and choose Create to complete creating your custom permission set, as shown in Figure 2.




Sample custom permissions policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SSO",
            "Effect": "Allow",
            "Action": [
                "sso:ListDirectoryAssociations*",
                "identitystore:DescribeUser"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EC2",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:GetPasswordData"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SSM",
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeInstanceProperties",
                "ssm:GetCommandInvocation",
                "ssm:GetInventorySchema"
            ],
            "Resource": "*"
        },
        {
            "Sid": "TerminateSession",
            "Effect": "Allow",
            "Action": [
                "ssm:TerminateSession"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ssm:resourceTag/aws:ssmmessages:session-id": [
                        "${aws:userName}"
                    ]
                }
            }
        },
        {
            "Sid": "SSMGetDocument",
            "Effect": "Allow",
            "Action": [
                "ssm:GetDocument"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession",
                "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"
            ]
        },
        {
            "Sid": "SSMStartSession",
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ssm:*:*:managed-instance/*",
                "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession"
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true"
                }
            }
        },
        {
            "Sid": "SSMSendCommand",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ssm:*:*:managed-instance/*",
                "arn:aws:ssm:*:*:document/AWSSSO-CreateSSOUser"
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true"
                }
            }
        },
        {
            "Sid": "GuiConnect",
            "Effect": "Allow",
            "Action": [
                "ssm-guiconnect:CancelConnection",
                "ssm-guiconnect:GetConnection",
                "ssm-guiconnect:StartConnection"
            ],
            "Resource": "*"
        }
    ]
}

This permission policy contains a separate statement ID (Sid) for each service, with the required actions for each.

On line 84 of the policy (in the SSMSendCommand statement), notice the reference to the AWSSSO-CreateSSOUser document resource. This document is responsible for creating a local Windows account for the logged-in AWS IAM Identity Center user, as well as setting or resetting that user's password for automatic login to the Windows instance.


On lines 96-98 (the GuiConnect statement), you will see the three ssm-guiconnect actions. These are used to make the secure connection to your EC2 Windows instance and to render the GUI desktop in the Fleet Manager console.
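The session-related statements above are only as safe as their conditions. As an added example (not part of the original post and not an AWS tool), the following hypothetical Python checker verifies the least-privilege properties those statements depend on; the policy excerpt it embeds is constructed from the page's sample policy and contains only the session statements.

```python
import json

# Constructed excerpt of the page's sample policy: only the statements that
# govern starting, commanding and terminating Session Manager sessions.
POLICY_EXCERPT = json.loads("""{
 "Version": "2012-10-17",
 "Statement": [
  {"Sid": "TerminateSession", "Effect": "Allow", "Action": ["ssm:TerminateSession"],
   "Resource": "*", "Condition": {"StringLike": {
     "ssm:resourceTag/aws:ssmmessages:session-id": ["${aws:userName}"]}}},
  {"Sid": "SSMStartSession", "Effect": "Allow", "Action": ["ssm:StartSession"],
   "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ssm:*:*:managed-instance/*",
                "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession"],
   "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}},
  {"Sid": "SSMSendCommand", "Effect": "Allow", "Action": ["ssm:SendCommand"],
   "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ssm:*:*:managed-instance/*",
                "arn:aws:ssm:*:*:document/AWSSSO-CreateSSOUser"],
   "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}}
 ]}""")

SESSION_ACTIONS = {"ssm:StartSession", "ssm:SendCommand"}
SESSION_TAG = "ssm:resourceTag/aws:ssmmessages:session-id"


def as_list(value):
    # IAM accepts either a string or a list for Action, Resource and condition values.
    return value if isinstance(value, list) else [value]


def lint_session_policy(policy):
    """Hypothetical checker; returns findings (empty list = policy passes): session
    actions must name explicit SSM documents and carry SessionDocumentAccessCheck,
    and TerminateSession must be scoped to the caller's own sessions."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = as_list(st.get("Action", []))
        resources = as_list(st.get("Resource", []))
        cond = st.get("Condition", {})
        if SESSION_ACTIONS & set(actions):
            docs = [r for r in resources if ":document/" in r]
            if "*" in resources or not docs or any(d.endswith("/*") for d in docs):
                findings.append(f"{sid}: session action not restricted to named SSM documents")
            if cond.get("BoolIfExists", {}).get("ssm:SessionDocumentAccessCheck") != "true":
                findings.append(f"{sid}: missing ssm:SessionDocumentAccessCheck condition")
        if "ssm:TerminateSession" in actions:
            owners = as_list(cond.get("StringLike", {}).get(SESSION_TAG) or [])
            if "${aws:userName}" not in owners:
                findings.append(f"{sid}: TerminateSession not limited to the caller's sessions")
    return findings
```

Run it against the full policy (loaded with json.load) before attaching it to a permission set; any finding means a statement would let a user start sessions with documents other than the ones listed or terminate other users' sessions.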


How to assign your AWS IAM Identity Center group?

Assign your AWS IAM Identity Center group to the AWS Fleet Manager permission set in your selected accounts. In this procedure, we will select two AWS accounts in our AWS organization and grant our AWS IAM Identity Center group access to the previously created permission set that enables sign-in via Fleet Manager.

  1. From the AWS IAM Identity Center console, navigate to AWS accounts and select an account (for example, demoAccount1 and demoAccount2), as shown in Figure 3.
  2. Choose Assign users or groups. If you wish, you may also assign access to multiple groups or to users individually.
  3. To enable multiple AWS IAM Identity Center users to access this feature, choose an AWS IAM Identity Center group from the Groups tab and then choose Next, as shown in Figure 4.
  4. Select the permission set you created previously and choose Next.
  5. Review your choices and choose Submit to submit your assignments, as shown in Figure 6.


AWS IAM Identity Center will now use the permission set definition to create a role in each selected account, which grants users access to sign in via Fleet Manager. Users gain access to that role by signing into the AWS IAM Identity Center user portal.

How to access Fleet Managed EC2 instances?

  1. In the AWS IAM Identity Center user portal, click the AWS Account icon and identify the AWS account in which the desired EC2 instance is deployed. Then click Management Console to launch the Fleet Manager window.
  2. In the Fleet Manager console, filter your EC2/VM instances by name or instance ID, select the exact node (EC2/VM), and click Node Actions to launch a Remote Desktop session.
  3. At the next prompt, enter your Active Directory user name and password.
  4. After you provide the credentials, you are logged in to the VM over an HTTPS-enabled RDP session within the browser window.

AWS Fleet Manager helps enable secure remote access by providing centralized management and control over a fleet of instances. It allows you to securely access and manage your instances using AWS Systems Manager. This includes features like Session Manager, which provides secure and auditable instance access without the need for open inbound ports. With AWS Fleet Manager, you can enforce security best practices, automate tasks, and monitor instances, contributing to a more secure and seamless remote access solution.
