Fleet Manager is an AWS service that provides secure remote access to Windows and Linux servers, including on-premises servers, without opening the default remote-access ports. It also delivers single sign-on (SSO) to Amazon EC2 Windows instances through integration with AWS IAM Identity Center. Its key features include:
Centralized management
Fleet Manager allows centralized management and administration of server fleets, regardless of where they are located, while maintaining a high level of security. It removes the need to expose traditional remote access ports such as RDP or SSH, which minimizes the attack surface and reduces the risk of unauthorized access.
Secure connections
Leveraging AWS Systems Manager, Fleet Manager establishes secure, encrypted connections between the management console and the target servers, protecting the confidentiality and integrity of data during remote access sessions. By using agent-based communication over AWS-managed infrastructure, it keeps tight control over remote access without sacrificing efficiency.
IAM integration
Fleet Manager integrates with AWS IAM Identity Center, enabling SSO to Amazon EC2 Windows instances. This integration builds on AWS Identity and Access Management (IAM), providing granular control over user access and enhancing security by allowing only authorized individuals to log in.
How does it compare with market products?
Fleet Manager vs. BeyondTrust PAM Solution
Fleet Manager can serve as a compelling alternative to market products like BeyondTrust PAM Solution. Here's how it aligns with similar capabilities:
While BeyondTrust PAM Solution may have unique features, Fleet Manager offers a scalable and integrated solution within the AWS ecosystem. This consolidation simplifies management, reduces costs, and leverages AWS's secure infrastructure, providing a seamless and secure experience for server fleet management.
Prerequisites
The prerequisites for this example are that you have:
Solution architecture
The following diagram shows the steps you will follow to configure and use an AWS IAM Identity Center user identity to log in to an EC2 Windows instance.
How does it work?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SSO",
      "Effect": "Allow",
      "Action": [
        "sso:ListDirectoryAssociations*",
        "identitystore:DescribeUser"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EC2",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:GetPasswordData"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SSM",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeInstanceProperties",
        "ssm:GetCommandInvocation",
        "ssm:GetInventorySchema"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TerminateSession",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/aws:ssmmessages:session-id": [
            "${aws:userName}"
          ]
        }
      }
    },
    {
      "Sid": "SSMGetDocument",
      "Effect": "Allow",
      "Action": [
        "ssm:GetDocument"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession",
        "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"
      ]
    },
    {
      "Sid": "SSMStartSession",
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ssm:*:*:managed-instance/*",
        "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession"
      ],
      "Condition": {
        "BoolIfExists": {
          "ssm:SessionDocumentAccessCheck": "true"
        }
      }
    },
    {
      "Sid": "SSMSendCommand",
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ssm:*:*:managed-instance/*",
        "arn:aws:ssm:*:*:document/AWSSSO-CreateSSOUser"
      ],
      "Condition": {
        "BoolIfExists": {
          "ssm:SessionDocumentAccessCheck": "true"
        }
      }
    },
    {
      "Sid": "GuiConnect",
      "Effect": "Allow",
      "Action": [
        "ssm-guiconnect:CancelConnection",
        "ssm-guiconnect:GetConnection",
        "ssm-guiconnect:StartConnection"
      ],
      "Resource": "*"
    }
  ]
}
This permission policy contains a separate statement ID (Sid) for each service, listing the actions that service requires.
On line 84 of the policy (the SSMSendCommand statement), notice the reference to the AWSSSO-CreateSSOUser document resource. This document creates a local Windows account for the signed-in AWS IAM Identity Center user and sets or resets that user's password so that the log in to the Windows instance is automatic.
On lines 96-98 (the GuiConnect statement), you will see the ssm-guiconnect actions. These are used to make the secure connection to your EC2 Windows instance and render the GUI desktop in the Fleet Manager console.
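The value of this policy lies in its scoping: session and command actions are pinned to named SSM documents behind the ssm:SessionDocumentAccessCheck condition, and users can only terminate sessions tagged with their own user name. The following lint, added here as an example and not part of the original article or of any AWS tooling, parses a constructed subset of the policy above and reports when a statement drops those guards; the weakened variant is constructed to show what a finding looks like.

```python
import json
from copy import deepcopy

# Constructed subset of the article's Fleet Manager policy: only the statements the lint inspects.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "TerminateSession", "Effect": "Allow", "Action": ["ssm:TerminateSession"],
   "Resource": "*", "Condition": {"StringLike": {
     "ssm:resourceTag/aws:ssmmessages:session-id": ["${aws:userName}"]}}},
  {"Sid": "SSMStartSession", "Effect": "Allow", "Action": ["ssm:StartSession"],
   "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ssm:*:*:managed-instance/*",
                "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession"],
   "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}},
  {"Sid": "SSMSendCommand", "Effect": "Allow", "Action": ["ssm:SendCommand"],
   "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ssm:*:*:managed-instance/*",
                "arn:aws:ssm:*:*:document/AWSSSO-CreateSSOUser"],
   "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}}
]}""")
def as_list(v):
    return v if isinstance(v, list) else [v]
def lint_policy(policy):
    # Returns findings for Allow statements broader than the article's policy; [] means clean.
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid, actions = st.get("Sid", "?"), set(as_list(st.get("Action", [])))
        resources, cond = as_list(st.get("Resource", [])), st.get("Condition", {})
        if actions & {"*", "ssm:*"}:
            findings.append(f"{sid}: wildcard action grants far more than Fleet Manager needs")
        if actions & {"ssm:StartSession", "ssm:SendCommand"}:
            # Session/command must be bound to a named SSM document and pass the document check
            if cond.get("BoolIfExists", {}).get("ssm:SessionDocumentAccessCheck") != "true":
                findings.append(f"{sid}: missing ssm:SessionDocumentAccessCheck condition")
            docs = [r for r in resources if ":document/" in r]
            if "*" in resources or not docs or any(r.endswith("/*") for r in docs):
                findings.append(f"{sid}: session/command documents not pinned to named ARNs")
        if "ssm:TerminateSession" in actions:
            # Users may only end sessions tagged with their own user name
            owners = as_list(cond.get("StringLike", {}).get("ssm:resourceTag/aws:ssmmessages:session-id", []))
            if "${aws:userName}" not in owners:
                findings.append(f"{sid}: may terminate other users' sessions")
    return findings

def weakened_policy():
    # Constructed 'before' variant: StartSession on any resource with no condition
    weak = deepcopy(POLICY)
    weak["Statement"][1]["Resource"] = "*"
    weak["Statement"][1].pop("Condition")
    return weak
```

Run lint_policy over the full policy exported from your account to confirm the guards survived any later edits to the permission set.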
Assign your AWS IAM Identity Center group to the AWS Fleet Manager permission set in your selected accounts. In this procedure, we will select two AWS accounts in our AWS organization and grant our AWS IAM Identity Center group access to the previously created permission set that enables sign-in via Fleet Manager.
3. To enable multiple AWS IAM Identity Center users to access this feature, choose an AWS IAM Identity Center group from the Groups tab and then choose Next, as shown in Figure 4.
4. Select the permission set you created previously and choose Next.
5. Review your choices and choose Submit to submit your assignments, as shown in Figure 6.
AWS IAM Identity Center will now use the permission set definition to create a role in each selected account, which grants users access to sign in via Fleet Manager. Users gain access to that role by signing into the AWS IAM Identity Center user portal.
How do you access EC2 instances managed by Fleet Manager?
AWS Fleet Manager enables secure remote access by providing centralized management and control over a fleet of instances. It allows you to securely access and manage your instances using AWS Systems Manager, including Session Manager, which provides secure and auditable instance access without open inbound ports. With AWS Fleet Manager, you can enforce security best practices, automate tasks, and monitor instances, contributing to a more secure and seamless remote access solution.