Improving Systems Management with AWS Systems Manager Session Manager

Session Manager is a fully managed capability of AWS Systems Manager that lets you connect to your EC2 instances with temporary credentials, so you can launch servers without a key pair and without opening the SSH port in the security group.

To access EC2 instances through Session Manager, the instances must be running with the SSM Agent installed, the operating system must support the SSM Agent, and the EC2 instance must have the AmazonSSMManagedInstanceCore permissions. With these in place we can connect to the server through Session Manager without a key pair or SSH port.

If you are using Amazon Linux 2, the SSM Agent is already running. If you use Red Hat or Ubuntu, make sure that the SSM Agent is installed. Session Manager supports Linux, Windows Server, and Raspbian. We can connect to public servers and private servers through Session Manager, but we cannot connect to the database servers because the database server subnets do not have a NAT gateway. With Session Manager there is no need to maintain or rotate keys.

Prerequisites for Using Session Manager

  1. Create an AWS account and configure the required IAM roles.
  2. Verify that Systems Manager is supported in the AWS Regions where you want to use the service.
  3. Verify that your instances run a supported operating system.
  4. For EC2 instances, create an IAM instance profile and attach it to your machines.
  5. Verify that you are allowing HTTPS (port 443) outbound traffic to the Systems Manager endpoints.
  6. Create a VPC endpoint in Amazon Virtual Private Cloud to use with Systems Manager. (Recommended)
  7. On VMs, on-premises servers, and EC2 instances created from AMIs that are not supplied by AWS, install a Transport Layer Security (TLS) certificate.
  8. Install or verify the installation of an SSM Agent on each of your managed instances.

Now let’s see these processes in action.

Navigate to the IAM console and click on ‘Roles’.

Then click on ‘Create role’.

Now select EC2 as the service that will call AWS services on your behalf, and click on the ‘Next permission’ button.

Then select the policy you want to attach to the role and click on ‘Next: Tags’.

Enter your tags and click on ‘Review’.

Enter a role name and description, then click on ‘Create role’.

After this, launch an EC2 instance without a key pair or SSH port and attach the IAM role you created to it: select the instance, then go to Actions → Instance Settings → Attach/Replace IAM Role and attach the role.

Click on the Attach/Replace IAM Role option; you can directly attach a role with the Amazon EC2 Role for SSM policy to the instance.

We will now log in to the server through Session Manager, using the assigned SSM permissions and the installed SSM Agent. Follow the process below to log in to the server.

Navigate to the Systems Manager console and go to the Session Manager section in the left pane of the window.

Clicking on Session Manager takes you to the Session Manager page. Select ‘Start session’ and you will see a list of the instances that have the SSM Agent installed and SSM permissions assigned.

Then click on ‘Start session’.

Select the instance that you wish to log in to and click on ‘Start session’; you will then be logged in as ssm-user.

To check if you are logged into the server, you can use ifconfig. You can also cross-check the private IP address of your server along with the IP address used to log in.
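The setup walked through above (no key pair, no SSH port, an instance role with SSM permissions, outbound HTTPS) can be checked per instance before relying on Session Manager. The following is an added example, not code from the original post: the sample records are constructed in the shape of `aws ec2 describe-instances` and `describe-security-groups` output, and `policies_by_profile` is a hypothetical mapping you would build from IAM.

```python
# Added example: audits one EC2 instance record against the keyless,
# SSH-less Session Manager setup. All sample data below is constructed.
REQUIRED_POLICY = "AmazonSSMManagedInstanceCore"

def _covers(rule, port):
    """True if a security group rule allows the given TCP port."""
    if rule.get("IpProtocol") == "-1":      # all protocols, all ports
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def audit_instance(instance, groups_by_id, policies_by_profile):
    """Return a list of findings; an empty list means the instance is ready.

    policies_by_profile is a hypothetical mapping: instance profile ARN ->
    set of managed policy names attached to the profile's role.
    """
    findings = []
    if instance.get("KeyName"):
        findings.append("key pair attached")
    profile = instance.get("IamInstanceProfile", {}).get("Arn")
    if not profile:
        findings.append("no instance profile")
    elif REQUIRED_POLICY not in policies_by_profile.get(profile, set()):
        findings.append("role lacks " + REQUIRED_POLICY)
    groups = [groups_by_id[g["GroupId"]] for g in instance.get("SecurityGroups", [])]
    if any(_covers(r, 22) for g in groups for r in g.get("IpPermissions", [])):
        findings.append("inbound SSH (22) allowed")
    if not any(_covers(r, 443) for g in groups for r in g.get("IpPermissionsEgress", [])):
        findings.append("no outbound HTTPS (443)")
    return findings

# Constructed sample data (placeholder account id, ARNs and ids).
PROFILE = "arn:aws:iam::111122223333:instance-profile/ssm-demo"
GROUPS = {
    "sg-good": {"IpPermissions": [],
                "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443}]},
    "sg-legacy": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22}],
                  "IpPermissionsEgress": []},
}
POLICIES = {PROFILE: {REQUIRED_POLICY}}
GOOD = {"InstanceId": "i-0aaa", "IamInstanceProfile": {"Arn": PROFILE},
        "SecurityGroups": [{"GroupId": "sg-good"}]}
LEGACY = {"InstanceId": "i-0bbb", "KeyName": "ops-key",
          "SecurityGroups": [{"GroupId": "sg-legacy"}]}

if __name__ == "__main__":
    for inst in (GOOD, LEGACY):
        print(inst["InstanceId"], audit_instance(inst, GROUPS, POLICIES) or "ready")
```
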

There are some minor restrictions when using AWS Session Manager instead of SSH. The most important one is that you cannot transfer files with AWS Session Manager. To get around this, you can use an S3 bucket and the AWS CLI to swap data. It’s not quite the same as using SCP, of course.

Summary

Using AWS Session Manager instead of SSH allows you to simplify authentication, authorization, and networking, as well as optimize your audit logs of administrator sessions on EC2 instances for security and compliance regulations.

If you are looking for immutable virtual machines and only need remote access for debugging, then say goodbye to SSH and use AWS Session Manager as your alternative.

Ibexlabs is an experienced DevOps & Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and makes recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored just for you.
