How to securely connect EC2 via SSH with AWS Systems Manager

A modern best practice for connecting to an Amazon EC2 instance via SSH without an SSH key or password and with inbound port 22 closed. An AWS Systems Manager Session Manager tutorial.

Table of Contents

  • Step 1: Launch Amazon EC2 Instance
  • Step 2: Create AWS IAM Role
  • Step 3: Connect Amazon EC2 via SSH
  • Extra: Connect using SSH command and SSH key

Disclaimer: I do not represent my current/previous employers on my personal Medium blog.

Step 1: Launch Amazon EC2 Instance

Navigate to Amazon EC2 and launch a new instance. In this tutorial I will use the Amazon Linux 2 AMI (HVM) operating system.

Create a new security group with no rules (e.g. MediumSG) and assign it to your EC2 instance:


Proceed without an SSH key pair:


Finally, copy and save the Instance ID (e.g. i-06fd9f063a7cf53fd).

Step 2: Create AWS IAM Role

Navigate to AWS IAM and create a new role. Choose the EC2 service and click Next: Permissions:


Select the AmazonSSMManagedInstanceCore policy. Click Next: Tags, then Next: Review. Enter a Role name (e.g. MediumRole) and a Role description (e.g. AWS Systems Manager Session Manager for EC2 Instance). Click Create role:


Attach your new role (e.g. MediumRole) to the EC2 instance from Step 1. Navigate to Amazon EC2, select your instance (e.g. i-06fd9f063a7cf53fd) and click Actions -> Instance Settings -> Attach/Replace IAM Role. Select the role and click Apply:


Step 3: Connect Amazon EC2 via SSH

You can connect to an EC2 instance with AWS Systems Manager Session Manager in multiple ways: the EC2 console, the Systems Manager console, or the AWS CLI.

3.1 Connect using Amazon EC2 console

Navigate to Amazon EC2, select your instance and click Connect. Select Session Manager and click Connect:


Note: If you see the error We weren’t able to connect to your instance, navigate to AWS Systems Manager. Select the same region as your EC2 instance (e.g. N. Virginia). Click Get Started with Systems Manager and finish Systems Manager Quick Setup.
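A pre-flight check for the three conditions this tutorial sets up (no inbound rule covering port 22, a role with AmazonSSMManagedInstanceCore attached, and the SSM Agent reporting Online), added here as an example and not part of the original post. It assumes boto3 is installed with credentials and a region configured; the check functions take the raw API responses, so they can be exercised without an account.

```python
import sys

SSM_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

def inbound_rules(security_groups):
    """Flatten describe_security_groups output into (from_port, to_port, source) tuples."""
    rules = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
            # Protocol "-1" (all traffic) carries no FromPort/ToPort: treat it as every port.
            rules += [(perm.get("FromPort", 0), perm.get("ToPort", 65535), s) for s in sources]
    return rules

def ssh_port_exposed(security_groups):
    """True if any inbound rule covers port 22; the tutorial's empty group makes this False."""
    return any(lo <= 22 <= hi for lo, hi, _ in inbound_rules(security_groups))

def role_allows_ssm(attached_policies):
    """True if AmazonSSMManagedInstanceCore is in list_attached_role_policies output."""
    return any(p.get("PolicyArn") == SSM_POLICY_ARN for p in attached_policies)

def agent_online(instance_information):
    """True if describe_instance_information reports the SSM Agent as Online."""
    return any(i.get("PingStatus") == "Online" for i in instance_information)

def preflight(instance_id, ec2, iam, ssm):
    """Run the three checks with the given clients; returns {check_name: passed}."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    sg_ids = [g["GroupId"] for g in inst["SecurityGroups"]]
    sgs = ec2.describe_security_groups(GroupIds=sg_ids)["SecurityGroups"]
    policies = []
    if "IamInstanceProfile" in inst:  # no profile at all means Step 2 was skipped
        profile = inst["IamInstanceProfile"]["Arn"].rsplit("/", 1)[-1]
        for role in iam.get_instance_profile(InstanceProfileName=profile)["InstanceProfile"]["Roles"]:
            policies += iam.list_attached_role_policies(RoleName=role["RoleName"])["AttachedPolicies"]
    info = ssm.describe_instance_information(
        Filters=[{"Key": "InstanceIds", "Values": [instance_id]}])["InstanceInformationList"]
    return {"port_22_closed": not ssh_port_exposed(sgs),
            "ssm_role_attached": role_allows_ssm(policies),
            "ssm_agent_online": agent_online(info)}

if __name__ == "__main__":  # usage: python preflight.py i-06fd9f063a7cf53fd
    import boto3  # assumed installed; uses the default credential chain and region
    results = preflight(sys.argv[1], boto3.client("ec2"), boto3.client("iam"), boto3.client("ssm"))
    for name, ok in results.items():
        print(("OK   " if ok else "FAIL ") + name)
    sys.exit(0 if all(results.values()) else 1)
```

A FAIL on ssm_agent_online with the other two passing is the usual cause of the "We weren’t able to connect" message, and is what Quick Setup fixes.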

3.2 Connect using AWS Systems Manager console

Navigate to AWS Systems Manager and select Instances & Nodes -> Session Manager. Click Start session, select your instance and click Start session:


3.3 Connect using AWS CLI

$ aws ssm start-session --target INSTANCE_ID

Example:

$ aws ssm start-session --target i-06fd9f063a7cf53fd

Extra: Connect using SSH command and SSH key

Launch a new EC2 instance (e.g. i-077b1f947c98988d5) and download its SSH key (e.g. key.pem).

The Amazon EC2 instance must have the latest SSM Agent installed to allow connecting over SSH. You can install the agent on both Windows and Linux instances.

On Amazon Linux 2, you can install the latest SSM Agent with the following command:

$ sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm

Let’s prepare your local machine. First, install the latest Session Manager Plugin on your local machine.

Second, update the ~/.ssh/config file on your local machine and add the code below:

Third, start a session with the following ssh command:

$ ssh -i SSH_KEY ec2-user@INSTANCE_ID

Example:

$ ssh -i key.pem ec2-user@i-077b1f947c98988d5


Written by

Python Developer and Artificial Intelligence Engineer
