
@ejlp12
Last active December 8, 2020 03:34
Set up Session Manager to access an EC2 instance without SSH

Session Manager offers these benefits:

  • Centralized access control to instances using IAM policies
  • No open inbound ports and no need to manage bastion hosts or SSH keys
  • One-click access to instances from the console and CLI
  • Logging and auditing of session activity (to CloudWatch Logs or S3)

Reference:

For an Amazon Linux 2 AMI (systemd-based; the SSM Agent is preinstalled), add these lines to the instance UserData, or run them on the instance, to enable and start the agent:

sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent

For Ubuntu AMIs that ship the agent as a snap (18.04 and later), start it and then check its status; the second command only lists the snap's services:

sudo snap start amazon-ssm-agent
sudo snap services amazon-ssm-agent

Reference:

Create a new IAM role for EC2 (trust policy allowing ec2.amazonaws.com to assume it) and attach the managed policy AmazonSSMManagedInstanceCore. That managed policy already grants the ssm:UpdateInstanceInformation and ssmmessages:* actions in the first statement of the custom policy below; the part it does not cover is s3:GetEncryptionConfiguration, which the agent needs only when session logs are written to an S3 bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:UpdateInstanceInformation",
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": "*"
        }
    ]
}

Reference:

Attach the role to the EC2 instance (as its instance profile). The instance also needs outbound HTTPS (TCP 443) to the ssm, ssmmessages and ec2messages endpoints of its region, either through the internet or a NAT gateway, or through VPC interface endpoints for those three services; no inbound security-group rule is required.

DONE.

Open Session Manager from the Systems Manager console once the instance shows up as a managed node (you can confirm registration with `aws ssm describe-instance-information`), or start a session from the CLI with `aws ssm start-session --target <instance-id>`, which requires the Session Manager plugin for the AWS CLI. Note that the role above is the instance side only: the human operator needs ssm:StartSession in their own IAM policy, and that policy is where access to specific instances is scoped.
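The two policies that complete the picture, the instance trust policy and a scoped operator policy, plus a small linter for both, as an added example that is not part of the original gist. The tag key/value, account and region are hypothetical inputs; the operator policy follows the documented AWS pattern of restricting ssm:StartSession by instance tag and limiting TerminateSession/ResumeSession to the caller's own sessions via ${aws:username}.

```python
"""IAM policy helpers for a Session Manager setup (added example, not from the gist).

Two things a practitioner checks after following the steps above:
1. the instance role really grants the actions the SSM Agent needs, and
2. the operator policy (the human side, which the instance role does not
   cover) allows ssm:StartSession only on a scoped set of instances.
All policies here are constructed for the example; substitute your own
tag, account and region values.
"""
import fnmatch
import json

# Actions the agent needs to register and open Session Manager channels.
# AmazonSSMManagedInstanceCore already contains these; the set lets us lint
# a hand-written inline policy against them.
AGENT_ACTIONS = frozenset({
    "ssm:UpdateInstanceInformation",
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
})

# Trust policy the instance role needs so EC2 can assume it.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]


def agent_actions_missing(instance_policy):
    """Return the agent actions an instance-role policy does not grant.

    Wildcards such as 'ssmmessages:*' are matched with fnmatch, so a policy
    granting 'ssmmessages:*' but not 'ssm:UpdateInstanceInformation' reports
    exactly that one missing action. Deny statements are ignored.
    """
    granted = [a for s in _allow_statements(instance_policy)
               for a in _as_list(s.get("Action"))]
    return [need for need in sorted(AGENT_ACTIONS)
            if not any(fnmatch.fnmatchcase(need, g) for g in granted)]


def operator_policy(tag_key, tag_value, region="*", account="*"):
    """Operator (IAM user/role) policy: StartSession only on instances that
    carry tag_key=tag_value, plus the right to end or resume only the
    operator's own sessions. Inputs are hypothetical example values.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartSessionOnTaggedInstances",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": f"arn:aws:ec2:{region}:{account}:instance/*",
                "Condition": {
                    "StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value}
                },
            },
            {
                "Sid": "ManageOwnSessionsOnly",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                # Session IDs are prefixed with the caller's user name.
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
        ],
    }


def lint_operator_policy(policy):
    """Flag the two mistakes that turn Session Manager into a shell on every
    instance: a wildcard action, or ssm:StartSession on '*' / every instance
    with no Condition narrowing the target."""
    findings = []
    for s in _allow_statements(policy):
        actions = _as_list(s.get("Action"))
        resources = _as_list(s.get("Resource"))
        sid = s.get("Sid", "<no Sid>")
        if any(a in ("*", "ssm:*") for a in actions):
            findings.append(f"{sid}: wildcard action grants far more than StartSession")
        if "ssm:StartSession" in actions and "Condition" not in s:
            broad = [r for r in resources if r == "*" or r.endswith(":instance/*")]
            if broad:
                findings.append(f"{sid}: StartSession on {broad} with no Condition")
    return findings


if __name__ == "__main__":
    print(json.dumps(operator_policy("SSMAccess", "true"), indent=2))
```

Attach the operator policy to the people (or the federated role) who should be able to open sessions, and tag only the instances they may reach; the instance role from the gist stays unchanged. The linter is deliberately narrow: it catches an unconditioned StartSession grant and wildcard actions, not every way a policy can be over-broad.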