---
title: "Secure Data Transfer with AWS SSM"
slug: "aws-ssm"
description: "Establish reliable and secure data pipelines to your AWS data storages. Dataddo offers an additional security layer by enabling SSH tunneling through AWS SSM."
updated: 2024-05-15T15:07:12Z
published: 2024-05-15T15:07:12Z
---


# Secure Data Transfer with AWS SSM

**AWS Systems Manager (SSM)** is a service that allows you to manage resources on AWS, including instances, VMs, containers, and services, from a central location. It provides capabilities for configuration management, automation, and security management, simplifying operational tasks and improving efficiency in managing AWS infrastructure.

> **DATADDO TIP**
>
> This article covers configuring **SSH tunnelling via AWS SSM**. See [Secure Data Transfer with SSH Tunnelling](/docs/ssh-tunnelling) for the general setup.

To set up SSH tunnelling through AWS SSM, see the following sections.

## Prerequisites


To set up **SSH tunneling through AWS SSM** in Dataddo, ensure that

- You have an AWS EC2 instance that acts as an **SSH bastion server**.
- The bastion server accepts incoming SSH connections from [Dataddo IPs](/docs/network-acl).

You can refer to the architecture as illustrated in the schema below.

![SSH tunnel](https://cdn.document360.io/084ed225-3f99-4644-a2da-39ca0cd5ef45/Images/Documentation/SSH%20tunnel.png)

## Create and Set up a Bastion Host

### Create a Bastion Host

Create a new instance to be a bastion host, or configure your existing one.

1. Go to your [Amazon EC2 console](https://console.aws.amazon.com/ec2/) and click on **Launch instance**.
2. Name your instance and select the following:
  1. **Application and OS Images:** Select a minimal and secure Amazon Machine Image (AMI), such as Amazon Linux 2 with a [**pre-installed SSM Agent**](https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html).
  2. **Instance type:** Choose a **minimal instance type** (e.g., `t3.micro` or `t3a.micro`).
  3. **Key pair (login)**: Click on **Create new key pair**. Name it, select the RSA type and the `.pem` key file format. The private key file downloads automatically to your device; you will later [upload it to Dataddo](/docs/aws-ssm#authentication-using-a-publicprivate-key-pair). Keep this file safe and never commit it to version control, since it grants SSH access to the bastion host.
3. For **Network settings**, make sure the **Allow SSH traffic from** box is checked and select **Custom**. To allow SSH traffic from Dataddo only, add each of the [Dataddo IPs](https://docs.dataddo.com/docs/network-acl) in CIDR notation (e.g. `/32` for a single address) as an individual **rule**. Do not leave the default `0.0.0.0/0`, which would expose port 22 to the whole internet.
4. **Launch** your instance.

### Integrate Bastion Host with AWS SSM

1. In your AWS console, use the search bar to navigate to **IAM** service.
2. Go to **Roles** and click on **Create role**.
3. For **Use case**, select **EC2** and click on **Next.**
4. On the permissions step, search for the `AmazonSSMManagedInstanceCore` managed policy and add it (check the box on the left). This policy grants the SSM Agent on the bastion host the permissions it needs to register with and communicate with AWS SSM; it does not open any network port.
5. Name the role, review it, and click **Create role**.

**Now, attach this IAM role** to the bastion host for proper SSM functionality.

1. In your **EC2 dashboard**, navigate to **Instances** and select the bastion host instance.
2. In the top-right, click on **Actions**, select **Security** and click on **Modify IAM role**.
3. Select your newly created role with the `AmazonSSMManagedInstanceCore` policy and click on **Update IAM role**.

Make sure the bastion host can reach your database: the database's security group (or network ACL) must allow inbound traffic on the database port from the bastion host's security group or private IP, and the database should not need to be reachable from the internet at all.
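The same bastion setup can be scripted with the AWS CLI. The following is an added example (not Dataddo's own tooling): it validates the Dataddo CIDRs, renders the security-group rule that opens port 22 to those ranges only, creates the IAM role and instance profile with `AmazonSSMManagedInstanceCore`, attaches the profile to the bastion instance, and finally checks that the SSM Agent has registered. The instance ID, security group ID, key-pair and role names and the CIDR list are placeholders (assumptions); take the real ranges from https://docs.dataddo.com/docs/network-acl.

```shell
#!/bin/sh
# Added example: AWS CLI equivalent of the console steps above.
# Nothing is sent to AWS unless APPLY=1 is set, so the file can be sourced
# and its helpers inspected first.
set -eu

ROLE_NAME="${ROLE_NAME:-dataddo-bastion-ssm}"   # assumed role/profile name
KEY_NAME="${KEY_NAME:-dataddo-bastion}"         # assumed EC2 key-pair name

# Accept only CIDR notation (a.b.c.d/n, n in 0..32); the EC2 API rejects a bare IP.
is_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Render the --ip-permissions JSON for a single tcp/22 rule with one IpRanges
# entry per CIDR, i.e. every Dataddo range becomes its own listed rule.
ssh_ip_permissions() {
  cidr=""; ranges=""
  for cidr in "$@"; do
    is_cidr "$cidr" || { echo "not a CIDR: $cidr" >&2; return 1; }
    ranges="${ranges:+$ranges,}{\"CidrIp\":\"$cidr\",\"Description\":\"Dataddo\"}"
  done
  [ -n "$ranges" ] || { echo "no CIDRs given" >&2; return 1; }
  printf '[{"IpProtocol":"tcp","FromPort":22,"ToPort":22,"IpRanges":[%s]}]' "$ranges"
}

# Trust policy letting EC2 assume the role (the "Use case: EC2" choice in the console).
ec2_trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Apply the configuration: usage  apply_bastion_config SG_ID INSTANCE_ID CIDR...
apply_bastion_config() {
  sg_id="$1"; instance_id="$2"; shift 2

  # Step "Key pair": RSA key in .pem format; the private key is what you upload to Dataddo.
  aws ec2 create-key-pair --key-name "$KEY_NAME" --key-type rsa --key-format pem \
    --query KeyMaterial --output text > "$KEY_NAME.pem"
  chmod 600 "$KEY_NAME.pem"

  # Step "Network settings": port 22 only from the Dataddo ranges.
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
    --ip-permissions "$(ssh_ip_permissions "$@")"

  # Steps "Integrate Bastion Host with AWS SSM": role + managed policy + instance profile.
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
    --role-name "$ROLE_NAME"
  sleep 10   # IAM is eventually consistent; a brand-new profile may not be visible yet
  aws ec2 associate-iam-instance-profile --instance-id "$instance_id" \
    --iam-instance-profile Name="$ROLE_NAME"

  # Check: the agent should report PingStatus "Online" once the role has taken effect.
  aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$instance_id" \
    --query 'InstanceInformationList[0].PingStatus' --output text
}

if [ "${APPLY:-0}" = "1" ]; then
  # Placeholder IDs and CIDRs (assumptions): replace with your own values.
  apply_bastion_config sg-0123456789abcdef0 i-0123456789abcdef0 \
    203.0.113.10/32 198.51.100.0/24
fi
```

Run it with `APPLY=1` once the placeholders are replaced. The `describe-instance-information` call at the end is the check worth keeping even if you configure everything in the console: if the instance is missing from the list or `PingStatus` is not `Online`, the role has not reached the agent yet (or the AMI has no SSM Agent), and SSM cannot manage the host.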

## Authentication Using a Public/Private Key Pair

We recommend using **a public and private key pair for authentication**. Password-based authentication is possible but weaker and not recommended. As illustrated in the schema above, ensure that

- the **private key** is provided to Dataddo, and
- the **public key** is present on the SSH bastion server (EC2 adds the public key of the key pair selected at launch to the default user's authorized keys automatically).

1. Go to the [Security](https://app.dataddo.com/settings/security) page and navigate to the **Certificates** tab.
2. Click on **Add Certificate**.
  1. Name your certificate.
  2. For certificate type, select **RSA Private Key**.
  3. Upload your private key.
3. **Save** your certificate.

### Generate a New Public/Private Key Pair

Alternatively, Dataddo can generate a public/private key pair for you. In this scenario, you only need to ensure that the public key is uploaded to your SSH Bastion Server. For this option, please [contact us](https://www.dataddo.com/contact).

## Configuring SSH Tunnel to Data Destination

Dataddo supports SSH tunneling for a variety of AWS systems, including, but not limited to, [Redshift](/docs/redshift), [SQL Server](/docs/universal-sql-server), [MySQL](/docs/mysql-destination) or [Postgres](/docs/postgres).

To establish a connection via an SSH tunnel, follow these steps:

1. Navigate to **Authorizers** and click on [**Authorize New Service**](https://app.dataddo.com/service/new) to select a service or system of your choice (e.g. MySQL, Postgres, Redshift ...).
2. Fill in the standard database connection details.
3. Choose **Yes** for the **Use SSH tunnel** field.
4. Input the necessary information for your SSH bastion server:
  1. **SSH Server IP or Hostname**: Enter the public IP address or DNS name of your bastion host. Ensure your security group permits incoming connections on the SSH port from Dataddo IPs.
  2. **SSH Server Port**: Specify the port for the SSH connection (the default is usually 22).
  3. **SSH Server Username**: Provide the username for authentication. The username depends on your AMI. See Amazon's official documentation for list of [default usernames](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/managing-users.html#ami-default-user-names).
  4. **SSH Server Password**: Leave the field empty and select your certificate instead.
  5. **Certificate**: Select the certificate you uploaded to Dataddo [in the previous step](/docs/aws-ssm#authentication-using-a-publicprivate-key-pair).
