Set up Session Manager to access an EC2 instance without SSH

Session Manager offers these benefits:

  • Centralized access control to instances using IAM policies
  • No open inbound ports and no need to manage bastion hosts or SSH keys
  • One-click access to instances from the console and CLI
  • Logging and auditing session activity

Reference:

For Amazon Linux AMI, add these lines to UserData to enable and start the SSM Agent:

```bash
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
```

For Ubuntu (where the agent is installed as a snap):

```bash
sudo snap start amazon-ssm-agent
# confirm the service is listed as enabled and active
sudo snap services amazon-ssm-agent
```

Reference:

Create a new IAM role for EC2; at minimum attach the AmazonSSMManagedInstanceCore managed policy and this custom policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:UpdateInstanceInformation",
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": "*"
        }
    ]
}
```
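The following is an added example, not part of the original gist, that checks offline whether an instance-role policy document actually grants the actions the SSM Agent needs (the `ssm:UpdateInstanceInformation` and `ssmmessages:*` actions above; `s3:GetEncryptionConfiguration` is only needed when session logs are written to S3). It embeds the gist's policy as its sample input, handles IAM's case-insensitive `*`/`?` wildcards and explicit `Deny` statements, and also builds the EC2 trust policy the role must carry so the instance can assume it. The `SESSION_MANAGER_ACTIONS` list is an assumption taken from the gist's policy, not an authoritative AWS list, and the matcher ignores `Condition` and `NotAction`, which is adequate for the `"Resource": "*"` policy shown.

```python
import fnmatch
import json

# The custom policy from the gist above, embedded so the check runs offline.
CUSTOM_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:UpdateInstanceInformation",
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetEncryptionConfiguration"],
            "Resource": "*"
        }
    ]
}
""")

# Actions the agent uses to register the instance and open session channels.
# Assumption: this list mirrors the gist's policy; it is the minimum this script
# checks for, not an authoritative list from AWS.
SESSION_MANAGER_ACTIONS = [
    "ssm:UpdateInstanceInformation",
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
]


def _as_list(value):
    """IAM allows Statement/Action to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy, action):
    """True if some Allow statement matches `action` and no Deny statement does.

    Conditions, Resource scoping and NotAction are ignored, which is fine for the
    Resource "*" policy above but would need extending for tighter policies.
    """
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt:
            continue  # NotAction statements are not evaluated here
        if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True  # an explicit Deny always wins over an Allow
    return allowed and not denied


def missing_actions(policy, required=SESSION_MANAGER_ACTIONS):
    """Required actions the policy does not grant, in the order given."""
    return [a for a in required if not action_allowed(policy, a)]


def ec2_trust_policy():
    """Trust policy the role needs so EC2 instances can assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


if __name__ == "__main__":
    gaps = missing_actions(CUSTOM_POLICY)
    print("policy covers Session Manager actions" if not gaps else f"missing: {gaps}")
    print(json.dumps(ec2_trust_policy(), indent=2))
```

Run it against any role policy you are about to attach; an empty `missing_actions` result means the agent can register and open channels, while a non-empty one names the exact action that will make the instance show up as "not connected" in Session Manager.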

Reference:

Assign the role you've created to the EC2 instance (as its instance profile).

DONE.

Access Session Manager from the Systems Manager console.
