Configure SSM – SESSION MANAGER to allow remote access without open port on destination instance


Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon EC2 instances through an interactive one-click browser-based terminal or via the AWS CLI.

Session Manager has several benefits over using SSH:

  • No need to manage SSH keys.
  • No need to open up any inbound ports in Security Groups.
  • You can use IAM policies and users to control access to your instances.
  • Commands and responses can be logged to Amazon CloudWatch and to an S3 bucket.

How Session Manager works

  1. The administrator authenticates against IAM.
  2. IAM authorizes to start a session on an EC2 instance by evaluating applicable IAM policies.
  3. The administrator uses the AWS Management Console or the terminal (AWS CLI and additional plugin required) to start a session via Systems Manager.
  4. The Systems Manager agent running on the EC2 instance connects to the AWS Systems Manager service and executes the commands on the instance.
  5. The Session Manager sends audit logs to CloudWatch Logs or S3.

The EC2 instance needs access to the internet, or a VPC Endpoint for Session Manager to work.


Topics Covered

In this Lab, you will learn:

  • How to create IAM role for the EC2 instance which grants access to the AWS Systems Manager.
  • Attach the IAM role to the EC2 instance.
  • Log in to instance using SSM Session Manager.

Start Lab

  1. Go to the code/30-launching-ec2/ directory.
  2. Open the 03-lab07-SSM-SM.yaml file.
  3. Copy the code as you go through the topics below.
  4. Resources >> All of your YAML and reference can be downloaded from here

1. Install the AWS Systems Manager agent on EC2 instance

You can proceed to the next step as SSM Agent is pre-installed on Amazon Linux AMIs. For other operating systems, please refer to the AWS documentation for Working with SSM Agent

2. Create an IAM role for the EC2 instance

The AWS managed policy, AmazonSSMManagedInstanceCore, allows an instance to use AWS Systems Manager service core functionality. This will allow you to connect to the EC2 instance using Systems Manager Session Manager.

    Type: AWS::IAM::Role
          - Effect: Allow
              - sts:AssumeRole
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

3. Create an IAM Instance Profile

Create Instance profile resource.

    Type: AWS::IAM::InstanceProfile
      Path: /
        - !Ref SSMIAMRole

4. Attach the IAM Instance Profile to an Amazon EC2 Instance

Attach the role to the instance with IamInstanceProfile property.

    Type: AWS::EC2::Instance
      IamInstanceProfile: !Ref WebServerInstanceProfile
      ImageId: !Ref AmiID
      InstanceType: !FindInMap [EnvironmentToInstanceType, !Ref EnvironmentType, InstanceType]
        - Key: Name
          Value: !Join [ '-', [ !Ref EnvironmentType, webserver ] ]

You can attach the instance profile to the new Amazon EC2 instances at launch time, or to existing Amazon EC2 instances.

5. Update the Stack

Go to the AWS console and update your stack with a new template.

  1. Open the AWS CloudFormation link in a new tab and log in to your AWS account.
  2. Click on the stack name, for example cfn-workshop-ec2.
  3. In the top right corner click on Update.
  4. In Prepare template, choose Replace current template.
  5. In Template source, choose Upload a template file.
  6. Click on Choose file button and navigate to your workshop directory.
  7. Select the file 04-lab07-SSM-SM.yaml and click Next.
  8. For Amazon Machine Image ID leave the default value in.
  9. For EnvironmentType select the different environment than is listed. For example if you have Dev selected, choose Test and click Next.For System Manager to work, the instance need to meet following conditions: – Access to the internet, or a VPC Endpoint.
    – Role attached with correct permission.
    By changing the environment, instance will be stopped and started again. This will help to start ssm-agent which may have timed-out as the role wasn’t attached in a previous lab.
  10. You can leave Configure stack options default, click Next.
  11. On the Review <stack_name> page, scroll down to the bottom and tick I acknowledge that AWS CloudFormation might create IAM resources check box, then click on Update stack.
  12. You can click the refresh button a few times until you see in the status UPDATE_COMPLETE.


Log in to instance using SSM Session Manager and retrieve the AMI ID from instance metadata using curl Need a hint? Want to see the solution?

Outside this workshop you should take additional steps to configure and secure access to SSM Session Manager. See recommendations and documentation link below for further details.

  • Use IAM policies to restrict which IAM user or role can start a session on an EC2 instance.
  • Configure Amazon CloudWatch Logs and/or S3 bucket to audit logs.
  • Use IAM policies to make sure IAM users are not able to modify the audit log settings.