In this article I will show how you can launch an Amazon Linux EC2 instance with a desktop environment that will serve as a jumpbox. Connections to this jumpbox will be made through RDP via a session manager port tunneling session. By using session manager, our EC2 instance’s security group does not require ingress rules allowing RDP or other ports to connect, thus improving the security of the jumpbox.
Before continuing with this article I would strongly recommend reading my earlier article Access Private EC2 Instances With AWS Systems Manager Session Manager. That article will explain the fundamental workings of session manager and shows how to deploy resources to your AWS account that will be required for setting up the jumpbox described in this article.
Firstly, if you haven't already done so, deploy the Terraform code at aw5academy/terraform/session-manager to set up session manager. Be sure to also follow the Post Apply Steps documented in the README.md.
When the session-manager stack is deployed we need to read some of the Terraform outputs as we will need their values for the jumpbox stack’s input variables. We can retrieve the outputs and set them as environment variables with:
export TF_VAR_private_subnet_id=`terraform output private-subnet-id`
export TF_VAR_vpc_id=`terraform output vpc-id`
Now we can deploy the jumpbox Terraform code:
cd ../
git clone https://gitlab.com/aw5academy/terraform/jumpbox.git
cd jumpbox
terraform init
terraform apply
After the stack deploys, wait approximately 5 minutes. This allows time for the convergence of the aw5academy/chef/jumpbox Chef cookbook, which is run from the EC2 instance's user data. This cookbook installs the MATE desktop environment on the Amazon Linux instance. Also see here for more information on installing a GUI on Amazon Linux.
Let’s make sure we can connect to the jumpbox with a terminal session. The jump.sh script can be used:
You should see something like the following:
Now we can try a remote desktop session. Terminate the terminal session with exit and then run:
bash jump.sh -d
You should now see the port forwarding session being started:
Also printed are the connection details for RDP. Open your RDP client, enter localhost:55678 as the computer to connect to and provide the supplied user name. Check the Allow me to save credentials option and click Connect:
Provide the password at the prompt and click OK:
Behind The Scenes
An explanation of what is occurring when we use our
To start an RDP session the client needs to know the username and password for an account on the jumpbox. Rather than creating a generic account to be shared among clients, we dynamically create temporary accounts with a lifetime of 1 day. This is accomplished through the following actions:
- The client creates a random username using
- The client creates a random password using
- The client creates a SHA-512 hash of the password using
- The client puts the hashed password into an AWS Systems Manager Parameter Store encrypted parameter with a parameter name including the username;
- The client uses the send-command API action to run the /root/create-temp-user.sh script on the jumpbox passing the username as a parameter;
- The jumpbox retrieves the hashed password from parameter store;
- The jumpbox deletes the hashed password from parameter store;
- The jumpbox creates an account with the provided username and the retrieved hash of the password;
- The jumpbox marks the account and password to expire after 1 day;
With these steps, the password itself never leaves the client: what is transmitted and stored is a hash, it is held at rest in an encrypted parameter, and it is kept only for as long as it is required.
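The following script is an added example that is not the article's jump.sh or create-temp-user.sh; it is my own minimal implementation of both halves of the flow listed above (client steps 1 to 5, jumpbox steps 6 to 9) plus the port-forwarding session that jump.sh -d starts. The parameter-name prefix /jumpbox/temp-users, the function names and the DRY_RUN file-backed stand-in for Parameter Store are my assumptions, and the instance id is a placeholder. With DRY_RUN=1 (the default) the AWS and privileged commands are only printed, so the hashing, store-then-delete ordering and hash validation can be exercised on any machine with OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not the article's jump.sh or create-temp-user.sh): the
# temporary-account flow and the RDP port-forwarding session in one script.
# Assumed: PARAM_PREFIX, STORE_DIR and the function names; the instance id is
# a placeholder.
set -eu

PARAM_PREFIX="/jumpbox/temp-users"                 # assumed prefix
JUMPBOX_INSTANCE_ID="${JUMPBOX_INSTANCE_ID:-i-PLACEHOLDER}"
LOCAL_PORT="${LOCAL_PORT:-55678}"                  # local port from the article
DRY_RUN="${DRY_RUN:-1}"   # 1 = file-backed store; AWS/privileged commands only printed
STORE_DIR="${STORE_DIR:-${TMPDIR:-/tmp}/jumpbox-fake-ssm}"

# Privileged or AWS commands: echoed to stderr under DRY_RUN, executed otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: %s\n' "$*" >&2; else "$@"; fi
}

# --- Parameter Store access (SecureString parameters, or local files under DRY_RUN) ---
param_file() { printf '%s/%s' "$STORE_DIR" "$(printf '%s' "$1" | tr '/' '_')"; }
store_put() {                       # name value
  if [ "$DRY_RUN" = "1" ]; then
    mkdir -p "$STORE_DIR" && printf '%s' "$2" > "$(param_file "$1")"
  else
    aws ssm put-parameter --name "$1" --type SecureString --value "$2" --overwrite >/dev/null
  fi
}
store_get() {                       # name -> value on stdout
  if [ "$DRY_RUN" = "1" ]; then cat "$(param_file "$1")"
  else aws ssm get-parameter --name "$1" --with-decryption \
         --query Parameter.Value --output text
  fi
}
store_delete() {                    # name
  if [ "$DRY_RUN" = "1" ]; then rm -f "$(param_file "$1")"
  else aws ssm delete-parameter --name "$1"
  fi
}

# --- Credential generation (client side) ---
gen_username() { printf 'tmp-%s' "$(openssl rand -hex 4)"; }      # e.g. tmp-4f1a9c2e (constructed format)
gen_password() { openssl rand -base64 24; }                        # 32 characters
hash_password() { printf '%s\n' "$1" | openssl passwd -6 -stdin; } # SHA-512 crypt: $6$salt$hash
is_sha512_crypt() { case "$1" in '$6$'*'$'*) return 0 ;; *) return 1 ;; esac; }
# Recompute the hash with the stored salt, as PAM does at login, and compare.
verify_password() {                 # password stored_hash
  salt=$(printf '%s' "$2" | cut -d'$' -f3)
  [ "$(printf '%s\n' "$1" | openssl passwd -6 -salt "$salt" -stdin)" = "$2" ]
}

# Client: steps 1-5. Only the hash goes into Parameter Store; the password is printed locally.
client_request_account() {
  user=$(gen_username); pass=$(gen_password); hash=$(hash_password "$pass")
  store_put "$PARAM_PREFIX/$user" "$hash"
  run aws ssm send-command --instance-ids "$JUMPBOX_INSTANCE_ID" \
      --document-name AWS-RunShellScript \
      --parameters "commands=[\"/root/create-temp-user.sh $user\"]" >/dev/null
  printf 'username=%s\npassword=%s\n' "$user" "$pass"
}

# Client: open the Session Manager tunnel; the RDP client then connects to localhost:$LOCAL_PORT.
start_rdp_tunnel() {
  run aws ssm start-session --target "$JUMPBOX_INSTANCE_ID" \
      --document-name AWS-StartPortForwardingSession \
      --parameters "{\"portNumber\":[\"3389\"],\"localPortNumber\":[\"$LOCAL_PORT\"]}"
}

# Jumpbox (as root, invoked by send-command): steps 6-9.
jumpbox_create_temp_user() {        # username
  user="$1"; name="$PARAM_PREFIX/$user"
  hash=$(store_get "$name")
  store_delete "$name"              # delete before use: the hash now exists only in memory
  is_sha512_crypt "$hash" || { echo "refusing non-SHA-512 hash for $user" >&2; return 1; }
  run useradd -m -p "$hash" "$user"
  # Account expiry as days since the epoch (accepted by chage -E); -M 1 expires the password after 1 day too.
  run chage -E "$(( $(date +%s) / 86400 + 1 ))" -M 1 "$user"
}

case "${1:-}" in
  client)  client_request_account && start_rdp_tunnel ;;
  jumpbox) jumpbox_create_temp_user "$2" ;;
esac
```

Run it as `DRY_RUN=0 sh temp-user.sh client` on the workstation and install the same file on the jumpbox as /root/create-temp-user.sh with a `jumpbox "$1"` entry point. The jumpbox side deletes the parameter before it calls useradd, so a failure later in the script cannot leave the hash behind, and it refuses anything that is not a SHA-512 crypt string so that a tampered parameter cannot be used to set an unsalted or empty password.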
That's all there is to it. After your jumpbox is enabled you can configure your private applications to accept traffic from the jumpbox's security group. The Chromium browser on the jumpbox can then be used to access these applications securely. I hope you find this article useful.