This step-by-step guide explains how to securely connect to your Amazon EC2 instances using AWS Systems Manager Session Manager. Session Manager is a browser- or CLI-based shell that lets you connect to Amazon EC2 instances without opening any inbound ports.

Additionally, it removes the need to maintain bastion hosts with separate SSH keys. Access is controlled with IAM policies and recorded in audit logs, which capture who accessed which instance and what was done during the session.

Prerequisites

  • AWS Systems Manager SSM Agent version 2.3.68.0 or later must be installed on the EC2 instance you would like to connect to via Session Manager.
  • Add the following policy to the IAM role attached to the EC2 instance, assuming that role already has the SSM permissions needed to manage the instance through AWS Systems Manager.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        }
    ]
}

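A prerequisite check for the agent-version requirement above, written as an added example that is not part of the original article: it parses the response shape of the real ssm:DescribeInstanceInformation API (the same data `aws ssm describe-instance-information` prints, using its InstanceId, AgentVersion and PingStatus fields) and flags instances that Session Manager cannot reach. The sample response and its instance IDs are constructed for the example.

```python
from typing import Dict, List, Tuple

MIN_AGENT_VERSION = (2, 3, 68, 0)  # minimum agent version stated in the prerequisites


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.3.68.0' into (2, 3, 68, 0) so versions compare numerically, not as strings."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))  # pad shorter versions such as '3.0' to four fields


def agent_ok(version: str) -> bool:
    """True when the agent version is at least MIN_AGENT_VERSION."""
    return parse_version(version) >= MIN_AGENT_VERSION


def check_instances(response: Dict) -> List[Dict[str, str]]:
    """One finding per managed instance: ready, or why Session Manager will not work."""
    findings = []
    for info in response.get("InstanceInformationList", []):
        version = info.get("AgentVersion", "0")
        status = info.get("PingStatus", "Unknown")
        if status != "Online":
            reason = f"agent not online (PingStatus={status})"
        elif not agent_ok(version):
            reason = f"agent {version} is older than 2.3.68.0"
        else:
            reason = "ready for Session Manager"
        findings.append({"InstanceId": info["InstanceId"], "Reason": reason})
    return findings


# Constructed sample response; instance IDs and versions are made up for this example.
SAMPLE_RESPONSE = {
    "InstanceInformationList": [
        {"InstanceId": "i-0aaa111", "AgentVersion": "3.1.1732.0", "PingStatus": "Online"},
        {"InstanceId": "i-0bbb222", "AgentVersion": "2.3.50.0", "PingStatus": "Online"},
        {"InstanceId": "i-0ccc333", "AgentVersion": "3.0.161.0", "PingStatus": "ConnectionLost"},
    ]
}

if __name__ == "__main__":
    # Against a live account: response = boto3.client("ssm").describe_instance_information()
    for finding in check_instances(SAMPLE_RESPONSE):
        print(f"{finding['InstanceId']}: {finding['Reason']}")
```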
Connect to Amazon EC2 using Session Manager via a web browser

You can connect to Amazon EC2 using Session Manager via the browser, either via the Amazon EC2 console or the AWS Session Manager console.

To connect via the EC2 console, do the following:

Navigate to Amazon EC2 Console.

Under the Instances section, choose Instances.

Select the instance you would like to connect to, and click Connect.

Select the instance to connect to in the EC2 console

Select Session Manager and then click Connect.

Session Manager connect option

You will be redirected to a new webpage with an established session for the EC2 instance.

Established session for the EC2 instance

Note: If you run the whoami command to check which user established this session, you will see that it is ssm-user, the account the Systems Manager agent runs sessions under. On Linux instances you can switch to another account, such as ec2-user, by running the following command:

sudo su ec2-user

To close the session, click Terminate in the top right corner.

To connect via the Session Manager console, do the following:

Navigate to the AWS Systems Manager console.

Under the Node Management section, choose Session Manager.

Click Start session.

Session Manager console

Then, select the instance you would like to connect to and click Start session.

Select the instance to connect to in the Session Manager console

Connect to Amazon EC2 using the Session Manager via CLI

You can use the AWS CLI to start and terminate sessions with EC2 instances. As a prerequisite, ensure you have installed the Session Manager plugin for the AWS CLI.

To install the plugin on Windows, download the installer from here and follow the on-screen instructions.

To install the plugin on MacOS, download the bundled installer from here, unzip the package, and then install it by running the following command:

sudo ./sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin

To install it on Linux, follow the steps covered here. For an Ubuntu Server, follow the steps covered here.

Once the plugin is installed, run the following command to start a session with an EC2 instance:

aws ssm start-session --target <Specify Instance ID>

To terminate the session, run the following command:

aws ssm terminate-session --session-id <Specify the Session ID>

Note: Once you start the session, the session ID is displayed in the shell. To end the session cleanly, first run exit within the session and then run the termination command with that session ID.

Conclusion

In this article, we have gone through establishing sessions with Amazon EC2 instances from the web browser and the AWS CLI without opening any ports or using intermediate bastion hosts. If you have any further questions, please mention them in the comments.

DISCLAIMER: This article represents my own viewpoints and not of my employer, Amazon Web Services.

© 4sysops 2006 - 2023