+1
Thank you for the feedback, we'll investigate this.
+1
+1
@YujiaozhAws do you have this on the roadmap possibly? It is hard to achieve some NIST control requirements without the ability to display a message to users on login.
@shannonrdunn if you do ssh over ssm the banner is displayed if that helps
@jimilinuxguy thanks! but we are trying not to allow ssh at all, and force ssm use. ssh over ssm you still have to use/manage the key pair right, and have port 22 exposed to the user?
This might help some of you:
https://github.com/elpy1/ssh-over-ssm
I can't vouch for that project, though it uses standard SSH, but does it OVER SSM, so far as I can tell does not require port 22 exposed, and it manages dynamic keypairs for short term use that the user themselves doesn't have to have, create, or even see.
Note I still thumb'd up the overall topic here which is getting a banner/MOTD through standard SSM Connect as ideal for my use cases, though was looking into other options.
@shannonrdunn Unfortunately key management is still required. The agency I work with implemented ssh over ssm and closed port 22 and used a script similar to https://www.keepsecure.ca/blog/automating-access-through-a-jump-host-aws/ to automatically add the keys to the instance and expire them shortly to help fight the issue you are having.
@adamdmharvey @jimilinuxguy wow these are great, and work great. thanks so much.
This would be fantastic to have especially for highly regulated industries.
I forgot about this a bit. You can sort of achieve this now with the introduction of shell profiles.
This can be accomplished by using shell profiles.
Closing.
Most helpful comment
@shannonrdunn Unfortunately key management is still required. The agency I work with implemented ssh over ssm and closed port 22 and used a script similar to https://www.keepsecure.ca/blog/automating-access-through-a-jump-host-aws/ to automatically add the keys to the instance and expire them shortly to help fight the issue you are having.