I have mixed emotions about this after recently reading some articles about Systems Manager agent essentially being a trojan horse.
Read about that here: https://cloudonaut.io/aws-ssm-is-a-trojan-horse-fix-it-now/
I note the blog links to a CDK to replicate an environment you can test this with. So that would indicate the next CFN is CDK 🙂
The primary configuration places for a security head to take note of are these:
Once port forwarding is configured, you can connect to the local port and access the server application running inside the instance. Systems Manager Session Manager’s Port Forwarding use is controlled through IAM policies on API access and the Port Forwarding SSM Document. These are two different places where you can control who in your organisation is authorised to create tunnels.
So it is important to make sure the IAM policies and the SSM Document are sorted out properly.
For those of us using Azure AD Federated access into AWS the aws cli session manager command will be fun 🙂 You’ll need to use the npm module to allow you to federate a session first before using aws cli.