by jon918 2288 days ago
I'd love to learn how you're using Session Manager or what other features/integrations you'd like to see us explore. Also whether the Terraform module packaging is useful. There are additional Session Manager features like port forwarding that I plan to write about soon.
3 comments

Can you write one about port forwarding? Specifically, I would like to understand how the various web interfaces on an EMR cluster can be accessed through Session Manager (Ganglia, Spark history server, etc.).
We'd love to use Session Manager, but we're running into the same issue mentioned here:

"Tunnel created using SSM only allows single connection to destination port" - https://forums.aws.amazon.com/thread.jspa?threadID=314882&ts...

This has been sitting open in the support forums unanswered for over two months :/

Cool, will do!
I have a bunch of questions that stop me from deploying SSM in real-world production scenarios.

1) Is logging for access from the CLI finally supported?

2) Can I setup which shell is used?

3) Are logs readable when I switch to something other than sh?

4) Is U2F supported (awscli question)

Once all of these are fixed, it will be possible to claim that SSM solves these issues. Otherwise it's nothing more than a tool for ad hoc usage.
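The first three questions concern session logging and the shell the session runs. As an added example (not code from the thread, and the thread does not establish whether these options existed when the questions were asked), here is a script that renders the regional Session Manager preferences document with CloudWatch Logs and S3 logging and a shell profile that execs bash, then applies it with the AWS CLI. The log group name `/ssm/sessions` and bucket `my-ssm-session-logs` are hypothetical; the `AWS_BIN` variable is only there so the script can be dry-run with `AWS_BIN=echo`.

```shell
#!/bin/sh
# Added example, not code from the thread. Writes the regional Session Manager
# preferences document (its name, SSM-SessionManagerRunShell, is fixed by AWS)
# with session logging to CloudWatch Logs and S3 and a shell profile that execs
# bash, then applies it with the AWS CLI. Set AWS_BIN=echo to dry-run without
# credentials.
: "${AWS_BIN:=aws}"

# Render the preferences document. Arguments: log group, bucket, linux shell profile.
# The shellProfile commands run inside the session right after it starts, so
# "exec /bin/bash" replaces the default sh; the logged session stream is then
# whatever the resulting shell prints.
session_prefs_json() {
  log_group="$1"; bucket="$2"; linux_profile="$3"
  cat <<EOF
{
  "schemaVersion": "1.0",
  "description": "Session Manager regional preferences (added example)",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "$bucket",
    "s3KeyPrefix": "session-logs/",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "$log_group",
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "kmsKeyId": "",
    "runAsEnabled": false,
    "runAsDefaultUser": "",
    "idleSessionTimeout": "20",
    "shellProfile": {
      "windows": "",
      "linux": "$linux_profile"
    }
  }
}
EOF
}

# Apply the document as a new version of the existing preferences document.
# Returns the CLI's exit status.
apply_session_prefs() {
  tmp=$(mktemp) || return 1
  session_prefs_json "$1" "$2" "$3" > "$tmp"
  if "$AWS_BIN" ssm update-document \
       --name SSM-SessionManagerRunShell \
       --content "file://$tmp" \
       --document-version '$LATEST'; then
    rc=0
  else
    rc=$?
  fi
  rm -f "$tmp"
  return $rc
}

# Hypothetical names; replace with your own log group and bucket.
case "${1:-}" in
  apply) apply_session_prefs /ssm/sessions my-ssm-session-logs 'exec /bin/bash' ;;
esac
```

Run as `./prefs.sh apply`. If the preferences document does not exist yet in the region, create it once with `aws ssm create-document --name SSM-SessionManagerRunShell --document-type Session --document-format JSON --content file://...` and use `update-document` for later changes. The log group and bucket must exist, and the instance role needs write access to them, or sessions fail to start once logging is enabled.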

1. Does it work with hardware tokens?

we have some regulatory requirements that require us to use hardware tokens for 2FA access to servers.

2. What about SSH tunnels?

It does work with hardware tokens, IF you get your AWS IAM credentials using a hardware token. If you're using AWS IAM users then here are instructions: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...

If you're doing a federated login with Okta or another provider, you need to set up the hardware MFA there.

There is SSH tunneling support as well, will add an update on that soon.

Our organization recently looked into AWS Session Manager for tunneling but couldn't find documentation on how to make it work for our use case. We were trying to tunnel into our VPC in order to be able to connect to an Amazon DocumentDB cluster. We don't have any EC2 instances, which seems to be the only thing Session Manager has support for. Despite the callouts that Session Manager replaces bastion servers, that didn't seem to be the case for us. Did we miss something in our research?
Last I checked the "tunneling" only works to redirect traffic to a different port on the same SSM managed instance. The tunnel cannot be established with another box in the same VPC. So I don't think you can call it tunneling until they add that feature. Here's the GitHub issue where they discuss the limitation and a workaround: https://github.com/aws/amazon-ssm-agent/issues/208
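As an added example (not code from the thread or from AWS), the shell wrappers below cover the session documents the last three comments touch on: the same-instance port forward the comment directly above describes, the SSH session document that I assume the earlier reply's "SSH tunneling support" refers to (an `ssh -L` through it reaches any host the instance can reach), and the remote-host port forwarding document that AWS added after this thread was written. The instance id and hostnames are placeholders, and `AWS_BIN=echo` dry-runs the commands.

```shell
#!/bin/sh
# Added example, not from the thread: wrappers around the Session Manager
# port-forwarding and SSH session documents. Set AWS_BIN=echo to dry-run.
: "${AWS_BIN:=aws}"

# Reject anything that is not an EC2 (i-...) or hybrid (mi-...) managed
# instance id before it is passed to the CLI. Session Manager only targets
# managed instances, which is why a VPC with no instance has nothing to target.
valid_instance_id() {
  case "$1" in
    i-[0-9a-f]*|mi-[0-9a-f]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Forward local port $2 to port $3 on managed instance $1 itself
# (the same-instance behaviour the comment above describes).
ssm_forward_local() {
  valid_instance_id "$1" || { echo "bad instance id: $1" >&2; return 2; }
  "$AWS_BIN" ssm start-session --target "$1" \
    --document-name AWS-StartPortForwardingSession \
    --parameters "{\"portNumber\":[\"$3\"],\"localPortNumber\":[\"$2\"]}"
}

# Forward local port $2 through instance $1 to host $3 port $4, another host
# the instance can reach (e.g. a DocumentDB endpoint). This uses the
# AWS-StartPortForwardingSessionToRemoteHost document, which postdates the thread.
ssm_forward_remote() {
  valid_instance_id "$1" || { echo "bad instance id: $1" >&2; return 2; }
  "$AWS_BIN" ssm start-session --target "$1" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "{\"host\":[\"$3\"],\"portNumber\":[\"$4\"],\"localPortNumber\":[\"$2\"]}"
}

# ssh_config stanza: ssh reaches the instance through Session Manager instead
# of a public IP or bastion, so ordinary "ssh -L" forwards then work to any
# host the instance can reach. Requires the session-manager-plugin locally and
# an SSH key the instance accepts.
ssm_ssh_config() {
  cat <<'EOF'
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

case "${1:-}" in
  local)  ssm_forward_local "$2" "$3" "$4" ;;
  remote) ssm_forward_remote "$2" "$3" "$4" "$5" ;;
  config) ssm_ssh_config ;;
esac
```

Usage: `./ssm-tunnel.sh local i-0123456789abcdef0 8080 80` for the same-instance case, `./ssm-tunnel.sh config >> ~/.ssh/config` followed by `ssh -L 27017:docdb.example.internal:27017 ec2-user@i-0123456789abcdef0` for a tunnel to another VPC host over SSH, and `./ssm-tunnel.sh remote i-0123456789abcdef0 27017 docdb.example.internal 27017` with the remote-host document. All three still need a managed instance in the VPC as the hop, and the caller needs `ssm:StartSession` on both the instance and the session document.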