{"id":6274,"date":"2020-09-03T11:56:05","date_gmt":"2020-09-03T02:56:05","guid":{"rendered":"https:\/\/www.ecomottblog.com\/?p=6274"},"modified":"2020-12-18T08:28:08","modified_gmt":"2020-12-17T23:28:08","slug":"aws-bastion-host-session-manager-%e3%81%a7%e7%a7%98%e5%af%86%e9%8d%b5%e7%ae%a1%e7%90%86%e3%81%8c%e3%81%84%e3%82%89%e3%81%aa%e3%81%84%e8%b8%8f%e3%81%bf%e5%8f%b0%e3%82%b5%e3%83%bc%e3%83%90%e3%82%92","status":"publish","type":"post","link":"https:\/\/test.ecomottblog.com\/?p=6274","title":{"rendered":"[AWS] Building a bastion server that needs no private key management with Bastion Host + Session Manager"},"content":{"rendered":"<p>Hello.<br \/>\nThis is Fujita from the Development Division.<\/p>\n<p>There are many articles out there exclaiming that SSH got easier with AWS Systems Manager Session Manager, or that the author has migrated to it,<br \/>\nbut our company settled on a configuration that combines a conventional SSH bastion server with Session Manager.<br \/>\nThe reasons are the ordinary ones below.<\/p>\n<ul>\n<li>Installing the AWS CLI in everyone's environment and having each person configure it looked like it would take time<\/li>\n<li>Even if we moved everything to Session Manager, tasks such as SCP would be a bottleneck<\/li>\n<li>We also use public clouds other than AWS, so the SSH connection method we have used so far is preferable<\/li>\n<\/ul>\n<p>The connection diagram is shown below. Note: please forgive that it looks like a diagram you have seen somewhere before.<\/p>\n<p><!--more--><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-6276\" src=\"https:\/\/www.ecomottblog.com\/cmswp\/wp-content\/uploads\/2020\/09\/bastion-portforward-20200831-300x178.png\" alt=\"\" width=\"912\" height=\"541\" srcset=\"https:\/\/test.ecomottblog.com\/wp-content\/uploads\/2020\/09\/bastion-portforward-20200831-300x178.png 300w, https:\/\/test.ecomottblog.com\/wp-content\/uploads\/2020\/09\/bastion-portforward-20200831-768x456.png 768w, https:\/\/test.ecomottblog.com\/wp-content\/uploads\/2020\/09\/bastion-portforward-20200831-304x181.png 304w, https:\/\/test.ecomottblog.com\/wp-content\/uploads\/2020\/09\/bastion-portforward-20200831-282x167.png 282w, https:\/\/test.ecomottblog.com\/wp-content\/uploads\/2020\/09\/bastion-portforward-20200831.png 911w\" sizes=\"(max-width: 912px) 100vw, 912px\" \/><\/p>\n<h2>Flow up to connection<\/h2>\n<ol>\n<li>The user connects to the bastion over SSH with a private key<\/li>\n<li>An SSH command is run from the bastion to the destination<br \/>\n2.1. ssh-ssm.sh is invoked from within the sshconfig<br \/>\n2.2. A temporary key is created with the ssh-keygen command<br \/>\n2.3. The temporary public key is registered on the destination EC2 instance with aws ssm send-command<br \/>\n2.4. SSH port forwarding is started with aws ssm start-session<br \/>\n2.5. After 15 seconds the temporary key is deleted, whether or not a connection was made<\/li>\n<li>The SSH port forwarding connection via Session Manager is established<\/li>\n<\/ol>\n<p>The bastion server is an EC2 instance placed in a public subnet.<br \/>\nIt is built following the long-established Linux Bastion Host approach, so that logs are captured at login.<br \/>\nReference URLs:<br \/>\n<a href=\"https:\/\/aws.amazon.com\/jp\/blogs\/security\/how-to-record-ssh-sessions-established-through-a-bastion-host\/\">How to Record SSH Sessions Established Through a Bastion Host &#124; AWS Security Blog<\/a><br \/>\n<a href=\"https:\/\/dev.classmethod.jp\/articles\/20160929-bastion\/\">[In 5 minutes] Build a bastion server following AWS best practices \u2013 Linux edition \u2013 &#124; Developers.IO<\/a><\/p>\n<p>For the ssh-ssm.sh that is called from the sshconfig on the bastion, we use the following.<br \/>\nssm-tool is helpful because it automatically generates an sshconfig that includes connection entries keyed by Name tag.<br \/>\n&#8211; <a href=\"https:\/\/github.com\/elpy1\/ssh-over-ssm\">GitHub &#8211; elpy1\/ssh-over-ssm: SSH over AWS SSM<\/a><br \/>\n&#8211; <a href=\"https:\/\/github.com\/elpy1\/ssm-tool\">GitHub &#8211; elpy1\/ssm-tool: AWS SSM and SSH 
toolkit<\/a><\/p>\n<h3>Comparison with a bastion server<\/h3>\n<ul>\n<li>No need to manage private keys placed on the bastion<\/li>\n<li>No need to manage Security Group ports for the destinations<\/li>\n<\/ul>\n<h3>Comparison with Systems Manager<\/h3>\n<ul>\n<li>No AWS CLI environment or sshconfig setup needed on the user side<\/li>\n<li>Usable even without an IAM account<\/li>\n<li>No need to register public keys on the destination EC2 instances<\/li>\n<li>SCP also works without problems<\/li>\n<li>Ansible runs normally without keys (ssh_args ControlMaster=auto is required)<\/li>\n<\/ul>\n<h3>Summary of operational concerns<\/h3>\n<ul>\n<li>User registration and personal key management still have to be dealt with<\/li>\n<li>Building and managing the bastion server is somewhat cumbersome (logging, availability)<\/li>\n<li>The sshconfig on the bastion server has to be managed (it must be updated whenever a server is added)<\/li>\n<li>SSM endpoints for private subnets are expensive<\/li>\n<li>If there are old EC2 instances that do not support ed25519, ssh-ssm.sh has to be modified<\/li>\n<li>Because port forwarding is prohibited, we ended up using SFTP as far as the bastion server and SCP to each server&#8230;<\/li>\n<\/ul>\n<h3>Closing<\/h3>\n<p>How did you find it?<br \/>\nManaging SSH is hard work in itself, isn't it.<\/p>\n<p>We hope this article helps make your infrastructure work more comfortable.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hello. This is Fujita from the Development Division. There are many articles out there exclaiming that SSH got easier with AWS Systems Manager Session Manager, or that the author has migrated to it, but our company settled on the conventional SSH bastion server (bastio [&hellip;]<\/p>\n","protected":false},"author":69,"featured_media":6276,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[24,31],"_links":{"self":[{"href":"https:\/\/test.ecomottblog.com\/index.php?rest_route=\/wp\/v2\/posts\/6274"}],"collection":[{"href":"https:\/\/test.ecomottblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/test.ecomottblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/test.ecomottblog.com\/index.php?rest_route=\/wp\/v2\/users\/69"}],"replies":[{"embeddable":true,"href":"https:\/\/test.ecomottblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6274"}],"version-history":[{"count":13,"href":"https:\/\/test.ecomottblog.com\/index.php?rest_route=\/wp\/v2\/posts\/6274\/revisions"}],"predecessor-version":[{"id":6716,"href":"https:\/\/test.ecomottblog.com\/index.php?rest_route=\/wp\/v2\/posts\/6274\/revisions\/6716"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/test.ecomottblog.com\/index.php?rest_route=\/wp\/v2\/media\/6276"}],"wp:atta
chment":[{"href":"https:\/\/test.ecomottblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/test.ecomottblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6274"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/test.ecomottblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}