Using SSH Gateway to access EC2 Instances in Amazon Web Services
search cancel

Using SSH Gateway to access EC2 Instances in Amazon Web Services


Article ID: 174894


Updated On:


Symantec ZTNA


 Using SSH Gateway to access EC2 Instances in Amazon Web Services


The SSH Gateway object in Luminate Secure Access Cloud (TM) allows you to provide specific end users (and groups) with SSH access to multiple destinations (multiple EC2 instances) described by specific AWS metadata tags.  




Currently Luminate Secure Access Cloud (TM) supports creating SSH Gateway applications for AWS environments only. Support for other datacenter platforms and additional inclusion criteria (besides AWS EC2 metadata tags) will be implemented in the future.


 SSH Gateway can help addressing the following use-cases:

  • DevOps SSH access to all EC2 instances in the production environment.  
  • Developer SSH access to all EC2 instances in the staging or development environment.  
  • Accessing all machines inside an Auto-Scaling Group or ECS Cluster

This is especially helpful when you’re required to provide SSH access to dynamic environments managed using Infrastrucutre-as-Code solutions (such as Ansible or Hashicorp TerraForm) or are using orchestrators such as Kubernetes or Spotinst. 


Step 1 – Define an AWS Integration 

Before you can create an SSH Gateway application you will need to create an integration between Luminate and your AWS account (or multiple accounts). 

For more information on how to setup the integration please refer to the KB article at



Step 2 – Create an SSH Gateway Object

In the Luminate admin portal browse to the applications page and create a new application with a type of “SSH Gateway”



Step 3 – Configure the application 


Step 3.1 – Define the application name and Site 

In the “New SSH Gateway” page provide a name for the application – this is the name the end-user will use in the command line to specify the SSH Gateway via which to connect to a specific SSH endpoint. 


Step 3.2 – Make sure your EC2 instances trust Luminate’s public for SSH connection 

For AWS instances it is MANDATORY to deploy the Luminate public key on all target VMs in order for the end-user to successfully authenticate to the VM.  

You can execute the script provided in the “AUTHENTICATION” section manually, add the script into your Amazon Machine Image (AMI) or use an orchestration tool to execute it across all VMs. 

Step 3.3 – Define the Authorization policy 

Step 3.3.1 – Define the users and groups will be allowed to SSH to the environment 

Use the authorization section to assign users and groups from your Identity Provider and define the inclusion criteria for the EC2 instances to which the defined accounts will be allowed to SSH. 


Step 3.3.2 – Define the inclusion criteria for EC2 instances to which SSH will be allowed 


In order to define the inclusion criteria, you will need to select the VPCs in which these VMs are located. 

By opening the drop-down list of VPCs you will be able to select the VPCs in which the instances are located:

Note: Only define VPCs which are accessible by the connectors in the site selected for the SSH Gateway application.

Once you have defined the VPCs you can now enter the tag names which describe the VMs to which SSHing should be allowed.  

For example, if you have a key named ‘environment’ which contain description of the environment (such as ‘production’, ‘staging’ or ‘development’) you can define the inclusion criteria for specific a specific environment. 

Note: If need different authorization policies for different environments that’s the point to create an additional SSH Gateway which will represent the additional environment.  


Step 3.4 – Save the application 

Click on "Save"


Step 4 – Access the SSH Gateway via the Luminate Applications portal 

Browse to the Application Portal with one of the users which are authorized to SSH to the application.  


Click on the name of the SSH Gateway application created in the previous steps and enter the Name or the IP address of the EC2 instance to which you want to SSH. 


Note: The Name to IP resolution is performed based on the ‘Resolver Tag’ defined in the AWS integration settings. (By default it’s the Name tag which usually contains the hostname of the server).