
I have managed to get SSM port forwarding working to an AWS instance using the following from my "jump server".

aws ssm start-session --target $INSTANCE_ID \
                       --document-name AWS-StartPortForwardingSession \
                       --parameters '{"portNumber":["3389"],"localPortNumber":["33389"]}'

However, this seems to bind to localhost only, i.e. I can remote desktop to localhost:33389.

I am trying to set this up so I remote desktop to the "jump server" on :33389 from an external machine and this gets forwarded to the AWS instance. Is there any way this can be done?

I can't seem to find any documentation on the AWS-StartPortForwardingSession document.

thewire247

2 Answers


Unfortunately, AWS-StartPortForwardingSession only gives access to the target instance, which is very limiting.

You can use AWS-StartSSHSession together with ssh -L 3389:other-instance:3389.

For ease of use check out aws-ssm-tools and its ssm-ssh script, installable e.g. with pip3 install aws-ssm-tools.

Then you can do:

~ $ ssm-ssh [--profile / --region ..] --list
~ $ ssm-ssh ec2-user@{your-instance} -L 3389:other-instance:3389

With ssm-ssh you don't need to know the instance id and don't have to worry about all the necessary ssh parameters, simply use it as a normal ssh.

Hope that helps :)

MLu

You can now use a new document called AWS-StartPortForwardingSessionToRemoteHost. https://aws.amazon.com/about-aws/whats-new/2022/05/aws-systems-manager-support-port-forwarding-remote-hosts-using-session-manager/

Danny G
AWS documentation about this new feature is available here: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html – C.Vergnaud Aug 18 '22 at 09:13
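
An added example, not code from the question or either answer: a shell helper that builds the `--parameters` JSON for AWS-StartPortForwardingSessionToRemoteHost and rejects any host or port value that could break out of the JSON string. It assumes the jump server is itself an SSM-managed instance that can reach the RDP host; the function names, the instance ID and the IP address are hypothetical placeholders.

```shell
#!/usr/bin/env bash
# Added example: helper names and sample values are hypothetical.

# Return 0 if $1 is a decimal TCP port in 1..65535 (no leading zeros).
valid_port() {
  case "$1" in
    ''|0*|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# Return 0 if $1 contains only hostname/IPv4 characters, so quotes,
# brackets or spaces can never reach the JSON document.
valid_host() {
  case "$1" in
    ''|-*|.*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  [ "${#1}" -le 253 ]
}

# Print the --parameters JSON: $1 = remote host, $2 = remote port, $3 = local port.
ssm_remote_forward_params() {
  host=$1 remote_port=$2 local_port=$3
  valid_host "$host" || { echo "invalid host: $host" >&2; return 2; }
  valid_port "$remote_port" || { echo "invalid remote port" >&2; return 2; }
  valid_port "$local_port" || { echo "invalid local port" >&2; return 2; }
  printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}\n' \
    "$host" "$remote_port" "$local_port"
}

# Start the session: $1 = SSM-managed jump instance, $2 = host reachable from it,
# $3 = port on that host, $4 = local port on the machine running this command.
ssm_remote_forward() {
  params=$(ssm_remote_forward_params "$2" "$3" "$4") || return
  aws ssm start-session --target "$1" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "$params"
}

# Usage (placeholder values): ssm_remote_forward i-EXAMPLEJUMP 10.0.1.25 3389 33389
```

Run from the external machine, this forwards through the jump server to the RDP host without opening a listener on the jump server's network interface.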