
Hai Tran

Remote Access Private EC2 Instances via System Manager

Summary

Systems Manager enables remote access to EC2 instances (in both private and public subnets) without using SSH or opening port 22. In addition, from the private EC2 instance it is possible to reach other services such as S3 via VPC endpoints. In this post, I would like to share how to deploy this with CDK.

  • Remote access to a private EC2 instance via Systems Manager
  • The private EC2 instance can access S3 via a VPC endpoint
  • Deployed as a CDK stack
  • GitHub

Architecture

Architecture diagram (aws_devops-Expriment.drawio; image not included)

CDK Stack

Create a VPC with an S3 gateway endpoint

    // Inside the Stack constructor; assumes `import { aws_ec2, aws_iam } from 'aws-cdk-lib'`.
    // The gateway endpoint gives the private subnets a route to S3 that stays on the AWS network.
    const vpc = new aws_ec2.Vpc(
      this,
      'VpcWithS3Endpoint',
      {
        gatewayEndpoints: {
          S3: {
            service: aws_ec2.GatewayVpcEndpointAwsService.S3
          }
        }
      }
    )

Add a Systems Manager VPC interface endpoint

    // Interface endpoint for the Systems Manager API. When the private subnet has no
    // internet route, Session Manager also needs the SSM_MESSAGES and EC2_MESSAGES endpoints.
    vpc.addInterfaceEndpoint(
      'VpcIterfaceEndpointSSM',
      {
        service: aws_ec2.InterfaceVpcEndpointAwsService.SSM
      }
    )

Create an IAM role for the EC2 instance

    // Instance role; only the EC2 service is allowed to assume it.
    const role = new aws_iam.Role(
      this,
      'RoleForEc2ToAccessS3',
      {
        roleName: 'RoleForEc2ToAccessS3',
        assumedBy: new aws_iam.ServicePrincipal('ec2.amazonaws.com'),
      }
    )

Managed policy for the EC2 instance to communicate with SSM

    // AmazonSSMManagedInstanceCore is the AWS-managed minimum the SSM agent needs to
    // register the instance and serve Session Manager sessions.
    role.addManagedPolicy(
      aws_iam.ManagedPolicy.fromManagedPolicyArn(
        this,
        'PolicySSMMangerAccessS3',
        'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
      )
    )

Policy for the EC2 instance to access S3

    // s3:* on every resource is far more than the instance needs; in a real deployment
    // scope the actions and resources to the specific bucket it reads or writes.
    role.attachInlinePolicy(
      new aws_iam.Policy(
        this,
        'PolicyForEc2AccessS3',
        {
          policyName: 'PolicyForEc2AccessS3',
          statements: [
            new aws_iam.PolicyStatement(
              {
                actions: ['s3:*'],
                resources: ['*']
              }
            ),
          ]
        }
      )
    )

Launch an EC2 instance in a private subnet

    // `sg` is the instance security group created earlier (not shown in the post);
    // with Session Manager it needs no inbound rules at all.
    const ec2 = new aws_ec2.Instance(
      this,
      'Ec2ConnectVpcEndpointS3',
      {
        role: role,
        // A key pair is optional when access goes through Session Manager.
        keyName: 'hai_ec2_t4g_large',
        vpc: vpc,
        instanceName: 'Ec2ConnectVpcEndpointS3',
        instanceType: aws_ec2.InstanceType.of(aws_ec2.InstanceClass.T2, aws_ec2.InstanceSize.SMALL),
        machineImage: aws_ec2.MachineImage.latestAmazonLinux(),
        securityGroup: sg,
        vpcSubnets: {
          // PRIVATE is the CDK v1 name; CDK v2 calls this PRIVATE_WITH_EGRESS.
          subnetType: aws_ec2.SubnetType.PRIVATE
        }
      }
    )
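As an added example (not code from the post or from CDK itself), here is a dependency-free TypeScript check that can be run over the CloudFormation template `cdk synth` produces for a stack like the one above. It verifies the three things the design depends on: no inbound SSH rule on the instance security group, all three Session Manager interface endpoints (ssm, ssmmessages, ec2messages, which the SSM agent needs when the subnet has no internet route), and no wildcard S3 grant. The template at the bottom is a constructed stand-in, not real synth output, and the `sampleTemplate`, `checkTemplate` and `serviceSuffix` names are the example's own.

```typescript
// Added example (not code from the post): offline check of a synthesized CloudFormation
// template (what `cdk synth` emits) for the three properties this design relies on:
// no inbound SSH rule, all Session Manager endpoints present, and no wildcard S3 grant.
type Resource = { Type: string; Properties?: Record<string, any> };
export type Template = { Resources: Record<string, Resource> };
// Session Manager needs ssm, ssmmessages and ec2messages interface endpoints when the
// instance has no route to the public AWS endpoints (AWS Systems Manager documentation).
const REQUIRED_ENDPOINTS = ['ssm', 'ssmmessages', 'ec2messages'];

// CDK renders ServiceName as {"Fn::Join": ["", ["com.amazonaws.", {"Ref": "AWS::Region"}, ".ssm"]]}
function serviceSuffix(name: unknown): string {
  const parts: unknown[] = typeof name === 'string' ? [name] : (name as any)?.['Fn::Join']?.[1] ?? [];
  return parts.map(p => (typeof p === 'string' ? p : 'REGION')).join('').split('.').pop() ?? '';
}

export function checkTemplate(t: Template): string[] {
  const findings: string[] = [];
  const byType = (type: string) => Object.values(t.Resources).filter(r => r.Type === type);
  // 1. Session Manager is outbound-only, so no ingress rule should open SSH (or everything).
  for (const sg of byType('AWS::EC2::SecurityGroup'))
    for (const rule of sg.Properties?.SecurityGroupIngress ?? [])
      if (rule.IpProtocol === '-1' || (rule.FromPort <= 22 && rule.ToPort >= 22))
        findings.push(`security group allows inbound ${rule.IpProtocol === '-1' ? 'all traffic' : 'port 22'} from ${rule.CidrIp}`);
  // 2. Without all three interface endpoints the SSM agent never reaches Systems Manager.
  const present = new Set(byType('AWS::EC2::VPCEndpoint')
    .filter(e => e.Properties?.VpcEndpointType === 'Interface')
    .map(e => serviceSuffix(e.Properties?.ServiceName)));
  for (const s of REQUIRED_ENDPOINTS) if (!present.has(s)) findings.push(`missing interface endpoint: ${s}`);
  // 3. A wildcard action on Resource "*" hands the instance every bucket in the account.
  for (const p of byType('AWS::IAM::Policy'))
    for (const st of p.Properties?.PolicyDocument?.Statement ?? []) {
      const actions: string[] = ([] as string[]).concat(st.Action);
      const resources: string[] = ([] as string[]).concat(st.Resource);
      if (st.Effect === 'Allow' && actions.some(a => a === '*' || a.endsWith(':*')) && resources.includes('*'))
        findings.push(`policy ${p.Properties?.PolicyName} grants ${actions.join(',')} on all resources`);
    }
  return findings;
}

// Constructed sample (not real synth output) shaped like the post's stack, with a leftover
// SSH rule added so that every check above has something to report.
export const sampleTemplate: Template = { Resources: {
  Sg: { Type: 'AWS::EC2::SecurityGroup', Properties: { GroupDescription: 'ec2',
    SecurityGroupIngress: [{ IpProtocol: 'tcp', FromPort: 22, ToPort: 22, CidrIp: '0.0.0.0/0' }] } },
  SsmEp: { Type: 'AWS::EC2::VPCEndpoint', Properties: { VpcEndpointType: 'Interface',
    ServiceName: { 'Fn::Join': ['', ['com.amazonaws.', { Ref: 'AWS::Region' }, '.ssm']] } } },
  S3Ep: { Type: 'AWS::EC2::VPCEndpoint', Properties: { VpcEndpointType: 'Gateway', ServiceName: 'com.amazonaws.us-east-1.s3' } },
  Pol: { Type: 'AWS::IAM::Policy', Properties: { PolicyName: 'PolicyForEc2AccessS3',
    PolicyDocument: { Statement: [{ Effect: 'Allow', Action: 's3:*', Resource: '*' }] } } },
} };
```

Running `checkTemplate(sampleTemplate)` reports four findings; on a template with no ingress rules, all three endpoints and a bucket-scoped policy it returns an empty list.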
