Abstract: This disclosure describes techniques for defining a set of permissions, or privileges, for users who manage resources of a network-based service provisioned in a network-based service platform managed by a service provider. The techniques may include mapping cloud identities of the users to operating system (OS) user groups defined local to the resources that specify the set of permissions for user group members. Systems-manager agents that execute locally on the resources may determine to which OS user group the user belongs based on their cloud identity, and launch shells that are restricted by the set of permissions. Using these shells, a network-based service platform may allow users to remotely manage resources of the network-based service in various ways, such as through batch run commands and/or remote user sessions, while ensuring that the users are unable to execute commands on the resources that are outside the set of permissions.

Abstract: This disclosure is directed to one or more computing services that provide users with secure access to a computing instance, which is auditable and accessible via a cross-platform browser-based shell or command-line interface (CLI). The computing service(s) forego any need to open up inbound ports, thereby improving security. The computing service(s) employ centralized authentication and auditing to ensure compliance with policies and to log activities for auditing, forensics, or other purposes. A message gateway service creates secure channels with a client device and the computing instance to establish a secure communication tunnel between the client device and computing instance. Once the tunnel is established, a user can send a command via the client device to the computing instance, via the message gateway service. The command output is uploaded to this tunnel and is sent back to the client device, via the message gateway service.

Abstract: This disclosure describes techniques for defining a set of permissions, or privileges, for users who manage resources of a network-based service provisioned in a network-based service platform managed by a service provider. The techniques may include mapping cloud identities of the users to operating system (OS) user groups defined local to the resources that specify the set of permissions for user group members. Systems-manager agents that execute locally on the resources may determine to which OS user group the user belongs based on their cloud identity, and launch shells that are restricted by the set of permissions. Using these shells, a network-based service platform may allow users to remotely manage resources of the network-based service in various ways, such as through batch run commands and/or remote user sessions, while ensuring that the users are unable to execute commands on the resources that are outside the set of permissions.

Abstract: Embodiments described herein are directed to establishing a terminal services (TS) session between a TS server and the client without creating a temporary session. In one embodiment, a computer system receives a user request indicating that a TS session with a first TS server is to be initiated. The request includes an indication that the user is authenticated and authorized to use the first TS server. The computer system searches for any prior TS sessions previously initiated by the user with other TS servers and determines, based on the search, that at least one prior TS session was initiated with a second TS server. The computer system also sends redirection data to the user indicating that the user request is to be redirected to the second TS server to reestablish the prior TS session with the second TS server.

Abstract: Embodiments described herein are directed to establishing a terminal services (TS) session between a TS server and the client without creating a temporary session. In one embodiment, a computer system receives a user request indicating that a TS session with a first TS server is to be initiated. The request includes an indication that the user is authenticated and authorized to use the first TS server. The computer system searches for any prior TS sessions previously initiated by the user with other TS servers and determines, based on the search, that at least one prior TS session was initiated with a second TS server. The computer system also sends redirection data to the user indicating that the user request is to be redirected to the second TS server to reestablish the prior TS session with the second TS server.