Session Manager offers these benefits:
- Centralized access control to instances using IAM policies
- No open inbound ports and no need to manage bastion hosts or SSH keys
- One-click access to instances from the console and CLI
- Logging and auditing session activity
Reference:
For the Amazon Linux AMI, add these lines to the instance UserData to enable and start the SSM Agent:
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
For Ubuntu:
sudo snap start amazon-ssm-agent
sudo snap services amazon-ssm-agent
Reference:
Create a new IAM role; at minimum attach the AmazonSSMManagedInstanceCore managed policy
and this custom policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:UpdateInstanceInformation",
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": "*"
        }
    ]
}
Reference:
- Step 4: Create an IAM Instance Profile for Systems Manager - AWS Systems Manager
- Create a Custom IAM Instance Profile for Session Manager - AWS Systems Manager
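A small lint for the instance role's policy, added here as an example and not part of the original post or the AWS documentation: it checks that every action Session Manager needs (the list above) is allowed and not explicitly denied, and flags wildcard patterns such as `ssm:*` that grant more than the instance needs. It evaluates `Action` patterns only; `NotAction`, `Condition` and `Resource` are not considered, so it is a static sanity check rather than a replacement for the IAM policy simulator.

```python
import fnmatch
import json

# Actions Session Manager needs on the instance role (from the custom policy above).
REQUIRED_ACTIONS = [
    "ssm:UpdateInstanceInformation",
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
    "s3:GetEncryptionConfiguration",
]

def _as_list(value):
    """IAM accepts a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _statement_matches(statement, action):
    """True if any Action pattern covers the action (IAM matching is case-insensitive, '*'/'?' wildcards)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(statement.get("Action")))

def evaluate_session_manager_policy(policy_json):
    """Return (missing, broad): required actions not granted (or explicitly denied),
    and Allow patterns containing wildcards that exceed the minimum needed."""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    denies = [s for s in statements if s.get("Effect") == "Deny"]
    missing = [a for a in REQUIRED_ACTIONS
               if any(_statement_matches(d, a) for d in denies)
               or not any(_statement_matches(s, a) for s in allows)]
    broad = [p for s in allows for p in _as_list(s.get("Action")) if "*" in p]
    return missing, broad

# Constructed sample: a policy that uses a wildcard and forgets the S3 encryption lookup.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:UpdateInstanceInformation", "ssmmessages:*"],
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    print(evaluate_session_manager_policy(SAMPLE_POLICY))
```

Run against the policy shown above it returns two empty lists; run against the constructed sample it reports the missing `s3:GetEncryptionConfiguration` and the over-broad `ssmmessages:*`.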
Attach the role you've created to the EC2 instance.
DONE.
Open Session Manager from the Systems Manager console to connect to the instance.