Simplified Guide to Logging into EC2 Instances with AWS Session Manager

Takahiro Iwasa

4/19/2020

2 min read

EC2 Session Manager Systems Manager

This note describes how to use Systems Manager - Session Manager.

No SSH keys: Eliminates the need to manage and secure SSH keys.
No bastion hosts: Removes the requirement for intermediary servers to access EC2 instances.
No inbound rules on port 22: Improves security by avoiding open ports in your security group.

Building

To use Session Manager, you need an IAM role with the AmazonSSMManagedInstanceCore policy attached to your EC2 instance (line 30).

1
AWSTemplateFormatVersion: 2010-09-09
2
Resources:
3
  EC2:
4
    Type: AWS::EC2::Instance
5
    Properties:
6
      IamInstanceProfile: !Ref InstanceProfile
7
      ImageId: ami-0f310fced6141e627
8
      InstanceType: t3.small
9
      SecurityGroups:
10
        - !Ref SecurityGroup
11

12
  InstanceProfile:
13
    Type: AWS::IAM::InstanceProfile
14
    Properties:
15
      Path: /
16
      Roles:
17
      - !Ref IamRole
18

19
  IamRole:
20
    Type: AWS::IAM::Role
21
    Properties:
22
      AssumeRolePolicyDocument:
23
        Version: 2012-10-17
24
        Statement:
25
          - Effect: Allow
26
            Principal:
27
              Service: ec2.amazonaws.com
28
            Action: sts:AssumeRole
29
      ManagedPolicyArns:
30
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
31
      RoleName: ec2-role
32

33
  SecurityGroup:
34
    Type: AWS::EC2::SecurityGroup
35
    Properties:
36
      GroupDescription: Example
37
      GroupName: ec2-security-group
38
      SecurityGroupIngress:
39
        - CidrIp: 0.0.0.0/0
40
          FromPort: 443
41
          IpProtocol: tcp
42
          ToPort: 443

ℹ️ Note

If your EC2 instances are in private subnets, set up the following VPC endpoints:

com.amazonaws.region.ssm
com.amazonaws.region.ec2messages
com.amazonaws.region.ssmmessages

Refer to the official knowledge for more details.

Deploy the stack using the following command:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name ec2-session-manager \
  --capabilities CAPABILITY_NAMED_IAM

Testing

To start a session with your instance, run the following command:

aws ssm start-session --target i-xxxxxxxxxxxxxxxxx

The output will indicate a successful login:

1
Starting session with SessionId: your-session-id
2
sh-4.2$

Cleaning Up

Clean up all the AWS resources provisioned during this example with the following command:

aws cloudformation delete-stack --stack-name ec2-session-manager