
Elastic Compute Service:Working mechanism and security of Session Manager

Last Updated:Jan 30, 2024

Session Manager is a feature provided by Cloud Assistant. Compared with SSH and Virtual Network Computing (VNC), Session Manager makes your connections to Elastic Compute Service (ECS) instances more convenient and secure. This topic describes the regions in which Session Manager is supported, how Session Manager works, and the security of Session Manager.

Supported regions

Session Manager is supported in the following regions: China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Japan (Tokyo), US (Silicon Valley), and US (Virginia).

How Session Manager works

The following components take part in a Session Manager session:

  • Session Manager Client: initiates sessions, receives commands sent by users, and displays command outputs.

  • Cloud Assistant server: controls permissions and manages session status.

  • Cloud Assistant Agent installed on an instance: runs commands sent by users.

A connection is established by using Session Manager in the following steps:

  1. Session Manager Client initiates a session.

  2. The Cloud Assistant server authenticates the session request. After the request is authenticated, the server generates a WebSocket URL and a token that remains valid for 10 minutes and returns the URL and the token to Session Manager Client.

  3. Session Manager Client establishes a WebSocket connection to the Cloud Assistant server by using the URL and the token.

  4. The Cloud Assistant server requests to establish a WebSocket connection to Cloud Assistant Agent that is installed on an instance.

  5. A WebSocket connection is established between the Cloud Assistant server and Cloud Assistant Agent.

  6. After the WebSocket connection is established, you can enter a command in Session Manager Client. The command is streamed to and run on the instance on which Cloud Assistant Agent is installed. The command output is displayed in Session Manager Client.
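The security-relevant part of steps 2 and 3 is that the token the Cloud Assistant server hands back is short-lived and is presented again on the WebSocket connection. The following added example models that pattern in Python; it is illustrative code written for this page, not Alibaba Cloud's implementation, and the token format (an HMAC-signed payload bound to a session ID, an instance ID and a principal, with a 600-second expiry), the `wss://example.invalid` endpoint and the field names are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: the 10-minute validity described in step 2, expressed in seconds.
TOKEN_TTL_SECONDS = 600


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_token(secret: bytes, session_id: str, instance_id: str,
                        principal: str, now: int) -> str:
    """Server side of step 2: bind the token to one session, one instance and
    the authenticated principal, and stamp an absolute expiry time."""
    payload = {"sid": session_id, "iid": instance_id,
               "sub": principal, "exp": now + TOKEN_TTL_SECONDS}
    body = _b64url(json.dumps(payload, sort_keys=True,
                              separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_session_token(secret: bytes, token: str, now: int) -> Optional[dict]:
    """Server side of step 3: check integrity first (constant-time compare),
    then expiry. Returns the payload on success, None on any failure."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered body or signature
    payload = json.loads(_b64url_decode(body))
    if now >= payload["exp"]:
        return None  # past the 10-minute window
    return payload


def build_websocket_url(endpoint: str, session_id: str, token: str) -> str:
    """The URL returned to Session Manager Client (placeholder endpoint)."""
    return f"{endpoint}/sessions/{session_id}?token={token}"


def new_session_id() -> str:
    return "s-" + secrets.token_hex(8)


if __name__ == "__main__":
    # Constructed demonstration of the full flow with a throwaway server key.
    server_key = secrets.token_bytes(32)
    sid = new_session_id()
    t0 = int(time.time())
    tok = issue_session_token(server_key, sid, "i-example", "ram-user:alice", t0)
    print(build_websocket_url("wss://example.invalid", sid, tok))
    print("valid now:", verify_session_token(server_key, tok, t0) is not None)
    print("valid after 11 min:",
          verify_session_token(server_key, tok, t0 + 660) is not None)
```

The point a defender should take from this is the order of checks: integrity before parsing the payload, expiry as an absolute timestamp set by the server rather than a duration trusted from the client, and a token that names the instance it was issued for so it cannot be replayed against another one.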


Security

  • The WebSocket Secure (WSS) protocol is used to establish persistent WebSocket connections between Session Manager Client and the Cloud Assistant server, and between the Cloud Assistant server and Cloud Assistant Agent. WSS encrypts these connections by using TLS (SSL), so session traffic is protected in transit.

  • When you use Session Manager to connect to instances, you do not need to manage instance passwords. Unlike SSH and VNC, which use username and password authentication, Session Manager uses Resource Access Management (RAM) based authorization. You can use your Alibaba Cloud account to enable or disable Session Manager for all instances within the account. After Session Manager is enabled, both Alibaba Cloud accounts and RAM users can connect to instances by using this feature.

  • You can attach policies to RAM users and then manage ECS instances as those RAM users to improve security. To use Session Manager as a RAM user, the RAM user must have a policy attached that grants permission to call the StartTerminalSession operation. RAM policies let you control permissions along several dimensions, such as tags, regions, ECS instances, and connection IP addresses, so you can connect to and manage instances securely without using passwords. For more information, see Connect to an instance by using Session Manager.

  • After WebSocket connections are established between Cloud Assistant Agents installed on instances and the Cloud Assistant servers, you can use Session Manager instead of SSH or VNC to connect to instances, without the need to open ports for inbound traffic on instances. This way, you can improve the security of the instances.
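To make the permission dimensions named above (tags, regions, instances, connection IP addresses) concrete, the following added example evaluates a RAM-style policy document in Python. It is illustrative code written for this page, not Alibaba Cloud's RAM engine, and it is deliberately simplified: it supports only the `IpAddress` and `StringEquals` operators and glob matching on actions and resources. The action name `ecs:StartTerminalSession` follows RAM's `service:Operation` naming for the StartTerminalSession operation named on this page, and the condition keys `acs:SourceIp` and `ecs:tag/<key>`, the resource string format and the tag key `env` are assumptions that should be checked against the current RAM documentation before being used in a real policy.

```python
import fnmatch
import ipaddress

# Constructed example policy: allow terminal sessions only to instances in one
# region that carry the tag env=staging, and only from one office CIDR.
# Condition keys and resource format are assumptions (see lead-in).
POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:StartTerminalSession"],
            "Resource": ["acs:ecs:cn-hangzhou:*:instance/*"],
            "Condition": {
                "IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]},
                "StringEquals": {"ecs:tag/env": ["staging"]},
            },
        }
    ],
}


def _any_glob(value: str, patterns) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _conditions_hold(condition: dict, context: dict) -> bool:
    """All operators and all keys must hold (AND); values within a key are OR."""
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            actual = context.get(key)
            if actual is None:
                return False  # missing context never satisfies a condition
            if operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(c, strict=False)
                           for c in allowed):
                    return False
            elif operator == "StringEquals":
                if actual not in allowed:
                    return False
            else:
                raise ValueError(f"unsupported operator in this example: {operator}")
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Implicit deny; a matching Allow grants; a matching Deny wins outright."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _any_glob(action, stmt["Action"]):
            continue
        if not _any_glob(resource, stmt["Resource"]):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed request contexts used by the demonstration below.
STAGING_INSTANCE = "acs:ecs:cn-hangzhou:123456789:instance/i-staging01"
PROD_INSTANCE = "acs:ecs:cn-beijing:123456789:instance/i-prod01"
OFFICE_CTX = {"acs:SourceIp": "203.0.113.25", "ecs:tag/env": "staging"}
ELSEWHERE_CTX = {"acs:SourceIp": "198.51.100.7", "ecs:tag/env": "staging"}

if __name__ == "__main__":
    for label, res, ctx in [("office -> staging", STAGING_INSTANCE, OFFICE_CTX),
                            ("elsewhere -> staging", STAGING_INSTANCE, ELSEWHERE_CTX),
                            ("office -> prod region", PROD_INSTANCE, OFFICE_CTX)]:
        print(f"{label}: {evaluate(POLICY, 'ecs:StartTerminalSession', res, ctx)}")
```

Because the default is an implicit deny, a request that lacks any of the conditioned context values (for example an instance with no `env` tag) is refused rather than allowed, which is the least-privilege behaviour you want when the policy is the only gate in front of a shell on the instance.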

Use Session Manager for remote logons in your applications

The open source project cloud-assistant-starter contains the complete code for using the Session Manager feature to remotely connect to an ECS instance or a managed instance. In the project, AxtSession.tsx provides the complete code for connecting to instances and using WebSocket URLs that are returned by StartTerminalSession. You can copy the code snippet to your application code to implement password-free and public IP address-free remote logons.