{"id":1775,"date":"2025-01-07T10:13:13","date_gmt":"2025-01-07T02:13:13","guid":{"rendered":"https:\/\/www.fanyamin.com\/wordpress\/?p=1775"},"modified":"2025-01-07T10:13:13","modified_gmt":"2025-01-07T02:13:13","slug":"how-aws-ssm-agent-works-for-credential-management","status":"publish","type":"post","link":"https:\/\/www.fanyamin.com\/wordpress\/?p=1775","title":{"rendered":"How AWS SSM Agent Works for Credential Management"},"content":{"rendered":"<p>The <strong>AWS Systems Manager (SSM) Agent<\/strong> is a lightweight software component installed on your instances (e.g., EC2, on-premises servers, or VMs). It facilitates secure communication between your instance and the AWS Systems Manager service. <\/p>\n<p>A key feature of the SSM Agent is the ability to <strong>retrieve and update credentials dynamically<\/strong> to interact with AWS services securely.<\/p>\n<hr \/>\n<h3><strong>How AWS SSM Agent Works for Credential Management<\/strong><\/h3>\n<h4><strong>1. Credential Retrieval<\/strong><\/h4>\n<p>AWS SSM Agent retrieves credentials via the <strong>Instance Metadata Service (IMDS)<\/strong> or other methods depending on the instance's environment.<\/p>\n<ul>\n<li>\n<p><strong>AWS Instances (e.g., EC2):<\/strong><\/p>\n<ul>\n<li>The SSM Agent interacts with <strong>Instance Metadata Service Version 2 (IMDSv2)<\/strong> to fetch temporary credentials for the instance\u2019s <strong>IAM Role<\/strong>.<\/li>\n<li>The credentials are short-lived and include:\n<ul>\n<li><strong>Access Key<\/strong><\/li>\n<li><strong>Secret Key<\/strong><\/li>\n<li><strong>Session Token<\/strong><\/li>\n<\/ul>\n<\/li>\n<li>Example: The SSM Agent makes HTTP requests to the IMDS endpoint, first obtaining an IMDSv2 session token and then presenting it to read the role credentials:\n<pre><code class=\"language-bash\"># Step 1: request an IMDSv2 session token (TTL here is 6 hours, the maximum)\nTOKEN=$(curl -s -X PUT -H \"X-aws-ec2-metadata-token-ttl-seconds: 21600\" \\\n  \"http:\/\/169.254.169.254\/latest\/api\/token\")\n# Step 2: present the token to read the temporary credentials of the instance role\ncurl -s -H \"X-aws-ec2-metadata-token: $TOKEN\" \\\n  \"http:\/\/169.254.169.254\/latest\/meta-data\/iam\/security-credentials\/&lt;ROLE_NAME&gt;\"<\/code><\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>On-Premises or Non-AWS Environments:<\/strong><\/p>\n<ul>\n<li>Use <strong>AWS Systems Manager Hybrid Activation<\/strong>:<\/li>\n<li>Register the instance as a managed node.<\/li>\n<li>The managed instance uses an <strong>Activation Code and Activation ID<\/strong> to authenticate with Systems Manager and retrieve credentials.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4><strong>2. Credential Updates<\/strong><\/h4>\n<p>Temporary credentials retrieved by the SSM Agent are automatically refreshed:<\/p>\n<ul>\n<li>The expiration of temporary credentials is managed by AWS Security Token Service (STS).<\/li>\n<li>The SSM Agent automatically requests new credentials before the current ones expire (typically every hour).<\/li>\n<\/ul>\n<h4><strong>3. Using Retrieved Credentials<\/strong><\/h4>\n<p>After obtaining the credentials, the SSM Agent uses them to:<\/p>\n<ul>\n<li>\n<p><strong>Run commands<\/strong>:<\/p>\n<ul>\n<li>Execute AWS Systems Manager Command documents (SSM Documents).<\/li>\n<li>Example: <code>aws s3 ls<\/code> using retrieved credentials.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Access AWS services<\/strong>:<\/p>\n<ul>\n<li>The agent can upload logs, fetch scripts, or store session data in S3 using the instance role permissions.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Session Manager<\/strong>:<\/p>\n<ul>\n<li>Establish secure, browser-based or CLI-based shell access.<\/li>\n<li>The SSM Agent uses the credentials to authenticate and open a WebSocket-based connection with the AWS Session Manager.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h3><strong>Flow Diagram: Credential Retrieval &amp; Use<\/strong><\/h3>\n<pre><code class=\"language-plaintext\">[ SSM Agent ] -&gt; [ IMDS (EC2) or Activation Credentials (On-Premises) ] -&gt; [ 
Temporary Credentials ]\n       |\n       v\n[ AWS Services (e.g., S3, DynamoDB, CloudWatch) ]<\/code><\/pre>\n<hr \/>\n<h3><strong>Credential Rotation Process<\/strong><\/h3>\n<ol>\n<li>\n<p><strong>Expiration Detection<\/strong>:<\/p>\n<ul>\n<li>The SSM Agent detects the expiration time of the temporary credentials.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Automatic Refresh<\/strong>:<\/p>\n<ul>\n<li>Before expiration, the agent queries IMDS or requests new credentials from the Systems Manager service.<\/li>\n<li>The refresh ensures uninterrupted access to AWS services.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Seamless Usage<\/strong>:<\/p>\n<ul>\n<li>The refreshed credentials are seamlessly used by the agent to execute its tasks.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<hr \/>\n<h3><strong>Security Best Practices<\/strong><\/h3>\n<ol>\n<li>\n<p><strong>Use Instance Profiles (EC2 Instances):<\/strong><\/p>\n<ul>\n<li>Attach least-privilege IAM roles to EC2 instances.<\/li>\n<li>Example:\n<pre><code class=\"language-json\">{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": \"ssm:*\",\n      \"Resource\": \"arn:aws:ssm:region:account-id:managed-instance\/instance-id\"\n    }\n  ]\n}<\/code><\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Enable IMDSv2<\/strong>:<\/p>\n<ul>\n<li>Ensure that instances use IMDSv2, which is more secure than IMDSv1.<\/li>\n<li>Disable IMDSv1 to reduce risks of credential leakage:\n<pre><code class=\"language-bash\">aws ec2 modify-instance-metadata-options --instance-id &lt;instance-id&gt; \\\n  --http-tokens required --http-endpoint enabled<\/code><\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Hybrid Activations for On-Premises Nodes<\/strong>:<\/p>\n<ul>\n<li>Use activation codes and secure configurations for non-AWS environments.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Session Logging<\/strong>:<\/p>\n<ul>\n<li>Enable <strong>Session Manager Logging<\/strong> to CloudWatch or S3 for 
monitoring.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Instance Isolation<\/strong>:<\/p>\n<ul>\n<li>Limit the IAM role permissions and network access to reduce attack surface.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<hr \/>\n<h3><strong>Comparison of AWS SSM and IAM Roles Anywhere<\/strong><\/h3>\n<table>\n<thead>\n<tr>\n<th>Feature<\/th>\n<th>AWS SSM Agent<\/th>\n<th>IAM Roles Anywhere<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Environment<\/strong><\/td>\n<td>Primarily AWS-managed instances<\/td>\n<td>Hybrid, multi-cloud, on-prem<\/td>\n<\/tr>\n<tr>\n<td><strong>Credential Management<\/strong><\/td>\n<td>Automatic via IMDS or activation<\/td>\n<td>X.509 Certificates<\/td>\n<\/tr>\n<tr>\n<td><strong>Use Cases<\/strong><\/td>\n<td>Command execution, patching<\/td>\n<td>Hybrid workloads, custom apps<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>AWS SSM Agent is a managed and automated solution for EC2 or registered nodes, making it an ideal choice for AWS-centric environments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The AWS Systems Manager (SSM) Agent is a lightweight software component installed on your instances (e.g., EC2, on-premises servers, or VMs). It facilitates secure communication between your instance and the AWS Systems Manager service. 
A key feature of the SSM Agent is the ability to retrieve and update credentials dynamically to interact with AWS services [&hellip;] <a class=\"read-more\" href=\"https:\/\/www.fanyamin.com\/wordpress\/?p=1775\" title=\"Permanent Link to: How AWS SSM Agent Works for Credential Management\">&rarr;Read&nbsp;more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-1775","post","type-post","status-publish","format-standard","hentry","category-5"],"_links":{"self":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1775"}],"collection":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1775"}],"version-history":[{"count":1,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1775\/revisions"}],"predecessor-version":[{"id":1776,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1775\/revisions\/1776"}],"wp:attachment":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1775"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1775"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1775"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}