AWS Systems Manager Session Manager: Securely connect EC2 instances - Wed, Dec 22 2021
Additionally, it removes the need to maintain bastion hosts with their own security keys; access can be controlled with IAM policies and audited through session logs, which record important information such as who accessed which instance and what activity took place.
Prerequisites
- AWS Systems Manager SSM Agent version 2.3.68.0 or later must be installed on the EC2 instance you would like to connect to via Session Manager.
- Add the following policy to the IAM role attached to the EC2 instance, assuming that role already has sufficient SSM permissions to manage the instance via AWS Systems Manager:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": "*"
    }
  ]
}
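The two prerequisites above can be verified offline before anyone tries to connect. The following Python is an added example for this article (not AWS tooling): it compares an SSM Agent version string against the 2.3.68.0 minimum and checks whether an IAM policy document effectively grants the four ssmmessages actions, honouring wildcard actions and explicit Deny statements. ARTICLE_POLICY is the policy shown above; NARROW_POLICY and DENY_POLICY are constructed counter-examples.

```python
"""Offline checks for the two prerequisites listed above: an SSM Agent version of
at least 2.3.68.0, and an instance-role policy that grants the four ssmmessages
actions. Added example for this article; not AWS tooling."""
import json
import re

MIN_AGENT_VERSION = "2.3.68.0"  # minimum stated in the article
REQUIRED_ACTIONS = {  # the actions in the article's policy document
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
}

# The policy from the article, verbatim.
ARTICLE_POLICY = """{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
"Action": [ "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel" ], "Resource": "*" } ] }"""

# Constructed variants for the demo: one missing an action, one using a wildcard
# plus an explicit Deny (an explicit Deny always wins in IAM evaluation).
NARROW_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
               "ssmmessages:OpenControlChannel"], "Resource": "*"}]})
DENY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssmmessages:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ssmmessages:OpenDataChannel", "Resource": "*"}]})


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def agent_version_ok(installed, minimum=MIN_AGENT_VERSION):
    """True when the installed SSM Agent version is at or above the minimum."""
    return _version_tuple(installed) >= _version_tuple(minimum)


def _as_list(value):
    """IAM allows either a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and may contain '*' wildcards."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def missing_ssmmessages_actions(policy_json):
    """Return the required actions the policy does not effectively grant.

    An action counts as granted only if an Allow statement matches it on
    Resource "*" (ssmmessages actions are not resource-scoped) and no Deny
    statement matches it. A matching Deny is counted regardless of its
    Resource, which is the conservative reading for this action family."""
    policy = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for required in REQUIRED_ACTIONS:
            if not any(_action_matches(p, required) for p in actions):
                continue
            if stmt.get("Effect") == "Deny":
                denied.add(required)
            elif stmt.get("Effect") == "Allow" and "*" in resources:
                allowed.add(required)
    return (REQUIRED_ACTIONS - allowed) | denied


def check_prerequisites(agent_version, policy_json):
    """Summarise both checks for one instance."""
    missing = missing_ssmmessages_actions(policy_json)
    return {"agent_ok": agent_version_ok(agent_version),
            "missing_actions": sorted(missing),
            "ready": agent_version_ok(agent_version) and not missing}


if __name__ == "__main__":
    for name, policy in [("article", ARTICLE_POLICY), ("narrow", NARROW_POLICY),
                         ("deny", DENY_POLICY)]:
        print(name, check_prerequisites("3.1.1732.0", policy))
```

Feed it the agent version reported on the instance and the policy document attached to its role; an empty `missing_actions` list together with `agent_ok` means the instance can register with Session Manager, while a non-empty list names exactly which channel permission to add.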
Connect to Amazon EC2 using Session Manager via a web browser
You can connect to Amazon EC2 using Session Manager via the browser, either via the Amazon EC2 console or the AWS Session Manager console.
To connect via the EC2 console, do the following:
Navigate to Amazon EC2 Console.
Under the Instances section, choose Instances.
Select the instance you would like to connect to, and click Connect.
Select Session Manager and then click Connect.
You will be redirected to a new webpage with an established session for the EC2 instance.
Note: If you run the whoami command to check which user established this session, you will see ssm-user, the account the Systems Manager agent uses for sessions. On Linux instances you can switch to another account, such as ec2-user, by running the following command:
sudo su ec2-user
To close the session, click Terminate in the top right corner.
To connect via the Session Manager console, do the following:
Navigate to the AWS Systems Manager console.
Under the Node Management section, choose Session Manager.
Click Start session.
Then, select the instance you would like to connect to and click Start session.
Connect to Amazon EC2 using the Session Manager via CLI
You can use the AWS CLI to start and terminate sessions to EC2 instances. As a prerequisite, ensure you've installed the Session Manager plugin for the AWS CLI.
To install the plugin on Windows, download the installer from here and follow the on-screen instructions.
To install the plugin on macOS, download the bundled installer from here, unzip the package, and then install it by running the following command:
sudo ./sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin
To install it on Linux, follow the steps covered here. For an Ubuntu Server, follow the steps covered here.
Once the plugin is installed, run the following command to start a session with an EC2 instance:
aws ssm start-session --target <Specify Instance ID>
To terminate the session, run the following command:
aws ssm terminate-session --session-id <Specify the Session ID>
Note: Once you start the session, the session ID is displayed in the shell. To end the session cleanly, first run exit within the session and then run the termination command with that session ID.
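The two CLI commands above wrap the SSM API calls StartSession and TerminateSession. The following Python is an added example for this article, not AWS code: a small controller that remembers the session ID returned by start so that terminate always targets the right session, and rejects malformed instance IDs before any call is made. FakeSsmClient is a constructed stand-in for boto3's SSM client so the demo runs offline; its session IDs, token and stream URL are made up, and the instance ID format it validates ("i-" followed by 8 or 17 hex digits) is an assumption.

```python
"""Start and terminate a Session Manager session through the SSM API calls that
`aws ssm start-session` and `aws ssm terminate-session` wrap. Added example for
this article, not AWS code. With a real boto3 SSM client the returned StreamUrl
and TokenValue are what the Session Manager plugin uses to open the interactive
shell; this module does not drive the plugin. FakeSsmClient is a constructed
stand-in so the demo runs offline."""
import re

# EC2 instance ids are "i-" followed by 8 or 17 hex digits (assumed format).
INSTANCE_ID_RE = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


class SessionController:
    """Tracks one session at a time so a terminate always targets the id
    returned by the matching start, mirroring the CLI's two-step procedure."""

    def __init__(self, ssm_client):
        self._ssm = ssm_client
        self.session_id = None

    def start(self, instance_id):
        if not INSTANCE_ID_RE.match(instance_id):
            raise ValueError(f"not an EC2 instance id: {instance_id!r}")
        if self.session_id is not None:
            raise RuntimeError("a session is already open; terminate it first")
        # Same call the CLI makes: ssm:StartSession with the instance as target.
        response = self._ssm.start_session(Target=instance_id)
        self.session_id = response["SessionId"]
        return self.session_id

    def terminate(self):
        if self.session_id is None:
            raise RuntimeError("no open session to terminate")
        response = self._ssm.terminate_session(SessionId=self.session_id)
        ended, self.session_id = response["SessionId"], None
        return ended


class FakeSsmClient:
    """Constructed stand-in for boto3's SSM client (same method names and
    response keys); the session ids, token and URL it returns are made up."""

    def __init__(self):
        self.open_sessions = {}
        self._counter = 0

    def start_session(self, Target, **kwargs):
        self._counter += 1
        session_id = f"demo-user-{self._counter:017x}"
        self.open_sessions[session_id] = Target
        return {"SessionId": session_id, "TokenValue": "constructed-token",
                "StreamUrl": "wss://ssmmessages.example.invalid/"}

    def terminate_session(self, SessionId):
        if SessionId not in self.open_sessions:
            raise KeyError(SessionId)
        del self.open_sessions[SessionId]
        return {"SessionId": SessionId}


def run_demo(client):
    """Exercise the lifecycle once and report what happened."""
    ctl = SessionController(client)
    rejected_bad_id = False
    try:
        ctl.start("not-an-instance")
    except ValueError:
        rejected_bad_id = True
    started = ctl.start("i-0123456789abcdef0")  # constructed instance id
    terminated = ctl.terminate()
    double_terminate_blocked = False
    try:
        ctl.terminate()
    except RuntimeError:
        double_terminate_blocked = True
    return {"started": started, "terminated": terminated,
            "rejected_bad_id": rejected_bad_id,
            "double_terminate_blocked": double_terminate_blocked}


if __name__ == "__main__":
    print(run_demo(FakeSsmClient()))
    # Against a real account: import boto3; run_demo(boto3.client("ssm")) would
    # open and immediately end a session under the caller's IAM identity.
```

Against a real client the caller's IAM identity needs ssm:StartSession and ssm:TerminateSession, and each start and terminate is recorded in Session Manager's session history, which is the audit trail the article refers to.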
Conclusion
In this article, we've gone through establishing sessions with Amazon EC2 instances using the web browser and the AWS CLI without having to open any inbound ports or use any intermediate bastion hosts. If you have any further questions, please mention them in the comments.
DISCLAIMER: This article represents my own viewpoints and not of my employer, Amazon Web Services.