# AWS Systems Manager Just In Time Node Access

## Metadata

- **Channel:** Loi Liang Yang
- **YouTube:** https://www.youtube.com/watch?v=M6oo5cCJH28

## Contents

### [0:00](https://www.youtube.com/watch?v=M6oo5cCJH28) Segment 1 (00:00 - 05:00)

Now what we have here is AWS Systems Manager, and what AWS Systems Manager does for us is that it allows us to manage all this fleet of virtual servers that you have. So for example, if you have your Windows server or Linux server, whether they're running on, for example, your EC2 virtual servers in AWS or even on premises where you have other workloads and virtual servers that you want to manage, all you have to do is plant an agent into the server and Systems Manager will be able to manage them for you. And one super neat tool that we have is of course going to be our Session Manager. So what Session Manager does for us is that it allows, for example, a user like Script Kiddie Loi to access through Session Manager and then into Systems Manager, and allows Mr. Script Kiddie Loi to remotely access, say, a Windows server as well as a Linux server. And Session Manager has this super cool function that allows us to record the session of what is going on, for example all the commands that are entered by the user, so you see what is going on, as well as being able to record Remote Desktop Protocol sessions, so seeing what users are doing over the graphical user interface. And because it's such a powerful tool, what we want to do here now is to ensure that any time Script Kiddie Loi accesses Session Manager, he requests it from someone, for example his BFF Mr. Hacker Loi. So Mr. Hacker Loi will then receive a request, and this request will go over to be reviewed by Mr. Hacker Loi. And once he approves it, this will then allow Mr. Script Kiddie Loi the ability to access Systems Manager and then over into the Windows computer or into the Linux virtual server, and say yes, you now have access, and we can continue recording what is going on. And this feature is called just-in-time node access. And over here I'm logged in as Mr. Hacker Loi, and we have two virtual servers running, a WordPress server as well as a Windows server.
As you can see here, they're both in the running instance state. And right here I've switched over into Script Kiddie Loi, and what we're going to do now is to go ahead and access one of the servers, for example the WordPress server. So if I select it, I click on Connect and I select Session Manager. And what can happen right here is I'll go ahead and select Connect. And you can see right here we have a load-up of a new page. And this will bring us over into AWS Systems Manager. And once we're right here, it's checking permissions. And this is where we have a popup requesting the reason why we want to access this specific server. So I will say the following: I want to help you shut down this server please. Then I click on Create access request, and right here we can see that access has now been requested over to Mr. Hacker Loi. So when I navigate over into Just-in-time node access you can see right here: your access request was created successfully. And if I scroll down further, all right, you can see the following: access request approvals. And we have the following approver, Mr. Hacker Loi. All right. And this is from the IAM Identity Center user, which is basically the central access management across all their AWS accounts. And the approval status of pending. And right here, I've navigated back over into Mr. Hacker Loi, as you can see here from the sign-in. And what we can do now is I see, over on the requests for me under Just-in-time node access, we have a specific approval status of pending approval. So I can click onto the request ID over here and see the following. All right. So this is the requester, Script Kiddie, and the request details: I want to help you shut down this server please. Oh, very kind of you, Mr. Script Kiddie Loi. So I'll go ahead and click Approve. This request has been approved. Thank you for helping me shut down my server. And I go ahead and click Approve. Boom. Done. All right. So, successfully approved one request.
And we can see the following: access request approvals. All right. So, this is the first-level approval. And right now, navigating back to Script Kiddie Loi, you can see right here we have the approval status. And now, all we have to do is go ahead and select Start session. And this would help us start up the session over into the Linux computer. I can enter whoami, pwd (print working directory), and "Mr. Hacker Loi is so handsome"; hit Enter on that: command not found. But this is totally cool. We're able to log all of those events that are happening. So you can see right here we have whoami: ssm-user. I scroll down further: pwd, as well as "Mr. Hacker Loi is so handsome". Now heading back over into the Explorer

### [5:00](https://www.youtube.com/watch?v=M6oo5cCJH28&t=300s) Segment 2 (05:00 - 10:00)

nodes in Script Kiddie Loi, I can also select the Windows server, and I can click on Node actions, select Connect, and connect with Remote Desktop. So if I select it right here, same thing, I can select, say, key pair, and I can browse the local machine to select the key pair, and you can see right here I've uploaded a win key pair .pem. And all I have to do right now is go ahead and select Connect, and right here, same thing. All right, we can see that we have a possible incoming connection. All right, we'll start soon if you have the required permission to access the node. However, I do not have it. So, I'm requesting access to the node right now: "Thank you, Mr. Hacker Loi, for the review and approval." And I can go ahead and select Create access request. And you can see right here once again, your access request was created successfully. And of course, heading back to Mr. Hacker Loi's profile, all I have to do is select the request and click Approve. And with this approval, Mr. Script Kiddie Loi will be able to access the Windows computer. And of course, right now, heading back over into Mr. Script Kiddie Loi, all I have to do is click on Connect with Remote Desktop. And all I have to do right now is go ahead and select the key pair again and choose the key pair that I've uploaded. Scroll all the way down. Click Connect. So, this will allow us to connect with a Windows interface onto the computer. So, here we have the Windows server for RDP. We're checking for permissions, and once we're connected we would have the interface, and whatever I will be doing here is going to be recorded and streamed over into an S3 bucket. So right now we're connecting with the administrator, preparing Windows, and for example if I go ahead and surf the internet, say for example heading over into youtube.com with Mr. Hacker Loi's YouTube channel. Okay. So for example I open up Microsoft Edge. And I can go ahead likewise and expand this further. All right.
So we have Microsoft Edge over here. And I go ahead and select the following. All right. Start with all your data. I click Confirm and continue, whichever. And I head over to, say, youtube.com/c/loyangyang. I'll hit Enter on this. So, we're now surfing a site, and whichever site we're going into, whatever commands they were issuing over into this virtual server, it will all be recorded by Session Manager. And right here, right, we are on the site. We can see the videos and so on, which is good enough for us. All right. So, we can go ahead and close off this connection. We have all those recorded sessions. So, if I select the object over here, I can download and view what is going on throughout the session. I have opened up the recording and we're able to fast-forward. You can see the user clicking onto the buttons and also likewise heading over to youtube.com/cloyang. So we are able to view all this information through the session recording. And now the most important question is how can we set all this up, and it's super easy to use, a very neat, convenient feature. So right here I am back to Mr. Hacker Loi and I have Just-in-time node access. So go ahead and select this feature and I can see something called approval policies. So there are two options available for you. The first option is going to be the auto-approval policy. So this is, for example, if you want certain users to be able to quickly get automatic approval as they access over into the workloads and request approval. You can set this up. So perhaps you want Mr. Hacker Loi to be able to quickly access all these virtual servers. You can craft your policy statements right here. So perhaps, for example, this example statement auto-approves a principal if they belong to the specified group in AWS IAM Identity Center. So if I select this, all right, we have the following and we can insert it into the editor. Okay, so you can see right here principal, action, and then we have the placeholder for group ID.
So just copy and paste the group ID right here and the user will be able to quickly access all these EC2 instances through just-in-time node access. The second option over here is going to be manual approval policies. So if I select Evaluation right here, which I've created, you can see the following. All right, we have the manual approval policy details. So here we have the author, Hacker Loi. If I scroll down further we have someone called approver, which is Hacker Loi. So if I click Edit to give you a view of what's going on, and I scroll down further, we have the name of the policy. We have the access duration, in this case 24 hours. And this is going to be targeting all nodes. That means all EC2 virtual servers or all Systems Manager managed nodes. And of course we have the first-level approval. So for this to be done, all you have to do is add approvers. So these are the people who will be approving the requests to these nodes. So once you're done, all you have to do is go ahead and publish the manual approval policy. And what you can

### [10:00](https://www.youtube.com/watch?v=M6oo5cCJH28&t=600s) Segment 3 (10:00 - 11:00)

see right here is that we have first-level approvals, the number of approvals required at this level, as well as other levels of approval. So perhaps you have Master Hacker Loi. All right, perhaps you have Manager Loi, and they can be part of the approval chain too. The only important part of this is in terms of the settings. So you can see right here we have Just-in-time node access, and you want to ensure that you're logging all the activities that the user is doing. So now we have enabled just-in-time node access, and of course we have the user identity of IAM Identity Center, and of course if I scroll down further we have the session preferences. I can go ahead and click Edit. So we have the idle session timeout, and if I scroll down we can enable, for example, S3 session logs. In my case I have logging sessions to CloudWatch and I've selected JIT session manager as the target, and we're streaming session logs as they come in, which is the recommended option. If I scroll down further we also have the RDP recording. So this is what you saw earlier. We were using the Remote Desktop Protocol over into the Windows EC2 virtual server, and I have the following RDP recording bucket name as well as a Key Management Service key Amazon Resource Name right here that is used to encrypt the information. And in AWS Identity and Access Management right here, I am on IAM Identity Center. So what's really important is ensuring that your users do not have direct access to Systems Manager StartSession, else they can bypass the whole just-in-time access process. Okay, that's it. This is a super simple, easy tutorial. Go ahead, try it all out and let me know how it goes.

---
*Source: https://ekstraktznaniy.ru/video/38729*