Natalia Marek for AWS Community Builders

How to set up Session Manager and enable SSH over SSM

This is a quick guide on how to set up Session Manager on your EC2 instance and enable SSH connections through SSM, so that the instance no longer needs an inbound port 22 rule.

Setting up Session Manager on an EC2 instance

1. Create an IAM instance profile that allows the SSM agent on the instance to talk to Systems Manager (this is not enabled by default)

You can do that either by creating a new IAM role with Session Manager permissions or by adding the permissions to a role that is already attached to your instance.

To create the role and use it as an instance profile:

  • Go to IAM and click on Create role.
  • Select EC2 as the trusted entity.
  • Attach the AmazonSSMManagedInstanceCore policy to the role and click Next. This managed policy is all the agent needs for Session Manager; AmazonSSMFullAccess hands the entire Systems Manager API to any process running on the instance, so use it only if you genuinely need those extra permissions.
  • Add tags and then click Create role.

  • To add SSM permissions to an existing role instead, find the role attached to the instance and attach AmazonSSMManagedInstanceCore to it, or add the equivalent permissions as an inline policy.

2. Next, attach the newly created role to your instance as its instance profile:

  • Go to EC2 instances and select the instance you would like to enable SSM on.
  • Click on Actions, select Security, and then Modify IAM role.
  • Select the IAM role created in the previous step and save.

3. You can now connect to your instance through Session Manager (EC2 console: Connect, then the Session Manager tab, or aws ssm start-session --target <instance-id>). If the instance is not offered as a target, give the agent a few minutes to pick up the new credentials and check that it is running and has outbound HTTPS access to the Systems Manager endpoints.

You can find more information about EC2 instance profiles and IAM roles for SSM in the AWS documentation.
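The three steps above as one AWS CLI script, added here as an example (it is not code from the original post). It creates the role with an EC2 trust policy, attaches only AmazonSSMManagedInstanceCore, wraps the role in an instance profile, associates the profile with the instance, and then polls until the SSM agent reports the instance as Online instead of assuming it worked. The role name SSMInstanceRole and the instance ID passed as the first argument are placeholders; the CLI must already be authenticated as a principal allowed to make these IAM and EC2 changes.

```shell
#!/bin/sh
# Added example, not from the original post. Enables Session Manager on one EC2
# instance with the AWS CLI. Placeholders: role/profile name SSMInstanceRole and
# the instance ID given as $1. Requires an already-authenticated AWS CLI.
set -eu

ROLE_NAME="${ROLE_NAME:-SSMInstanceRole}"
MANAGED_POLICY_ARN="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
SSM_POLL_SECONDS="${SSM_POLL_SECONDS:-15}"

# Trust policy: only the EC2 service may assume this role (the console's "EC2" trusted entity).
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Create the role if it does not exist and attach only the policy Session Manager needs.
# attach-role-policy is idempotent, so re-running the script is safe.
create_ssm_role() {
  if ! aws iam get-role --role-name "$ROLE_NAME" >/dev/null 2>&1; then
    aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(ec2_trust_policy)" >/dev/null
  fi
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$MANAGED_POLICY_ARN"
}

# EC2 attaches instance profiles, not roles: create one (same name) that holds the role.
create_instance_profile() {
  if ! aws iam get-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null 2>&1; then
    aws iam create-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null
    aws iam add-role-to-instance-profile \
      --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  fi
}

# The console's "Modify IAM role" step, for a running instance.
attach_profile_to_instance() {
  aws ec2 associate-iam-instance-profile --instance-id "$1" \
    --iam-instance-profile "Name=$ROLE_NAME" >/dev/null
}

# Poll until the agent has registered with the new credentials (PingStatus Online).
# Returns 1 after $2 attempts (default 20) so a stopped agent or blocked egress to the
# SSM endpoints is reported rather than silently assumed to work.
wait_for_ssm_online() {
  attempts="${2:-20}"
  i=0
  while [ "$i" -lt "$attempts" ]; do
    i=$((i + 1))
    status=$(aws ssm describe-instance-information \
      --filters "Key=InstanceIds,Values=$1" \
      --query 'InstanceInformationList[0].PingStatus' --output text 2>/dev/null || true)
    [ "$status" = "Online" ] && return 0
    sleep "$SSM_POLL_SECONDS"
  done
  return 1
}

# Usage: ./enable-ssm.sh i-0123456789abcdef0
if [ -n "${1:-}" ]; then
  create_ssm_role
  create_instance_profile
  attach_profile_to_instance "$1"
  wait_for_ssm_online "$1" && echo "Session Manager ready: aws ssm start-session --target $1"
fi
```

The polling step is the part worth keeping even if you do the rest in the console: describe-instance-information is the authoritative answer to "is this instance actually managed by SSM", and it is the first thing to check when a session refuses to start.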

Enabling SSH over SSM from your local machine

First of all, make sure you meet all the prerequisites:

  1. Install the latest aws-cli.
  2. Install the Session Manager plugin on the machine you want to connect from.
  3. Make sure your instance runs a recent SSM agent (SSH over Session Manager needs SSM Agent 2.3.672.0 or later) and that sshd is running on it: the AWS-StartSSHSession document forwards to the instance's local port 22, so Session Manager replaces the network path, not the SSH server.
  4. Update the local .ssh configuration on your machine.

Windows (usually located at C:\Users\username\.ssh\config). Windows OpenSSH has no sh, so the documented form invokes the CLI through PowerShell (if you connect from Git Bash or WSL, the sh -c form shown for Mac and Linux below works too):

# SSH over Session Manager
host i-* mi-*
    ProxyCommand C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p"


Mac and Linux (usually located at ~/.ssh/config):

# SSH over Session Manager
host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

Note that the ProxyCommand passes no --region or --profile, so set them in your CLI configuration (or via AWS_REGION and AWS_PROFILE) before connecting.
  5. Add permissions to the IAM role or user you use from the command line.

You can use the policy below to allow SSH connections through Session Manager to a single instance; replace region, the account ID and the instance ID with your own. Scoping the instance resource this way is what stops a user from opening sessions on every instance in the account.



{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ec2:region:987654321098:instance/i-02573cafcfEXAMPLE",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
            ]
        }
    ]
}


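A check for the policy above, added here as an example (it is not code from the original post): it asks the IAM policy simulator whether a principal can start an SSH session on a given instance, requiring both resources that ssm:StartSession is evaluated against to be allowed. The principal ARN, region, account ID and instance ID are placeholders passed on the command line, and the caller needs iam:SimulatePrincipalPolicy.

```shell
#!/bin/sh
# Added example, not from the original post: verify with the IAM policy simulator that a
# principal is allowed to start an SSH session on an instance. The principal ARN, region,
# account ID and instance ID are placeholders supplied by the caller.
set -eu

# Returns 0 only when every decision in a whitespace-separated list is "allowed".
# An empty list (no results at all) is a failure, not a success.
all_allowed() {
  # shellcheck disable=SC2086
  set -- $1
  [ "$#" -gt 0 ] || return 1
  for d in "$@"; do
    [ "$d" = "allowed" ] || return 1
  done
}

# ssm:StartSession is authorized against two resources in one call: the target instance
# and the SSM document. A policy that names only one of them fails with AccessDenied at
# connection time, so simulate both ARNs and require both to be allowed.
can_start_ssh_session() {
  principal_arn="$1"; region="$2"; account="$3"; instance_id="$4"
  instance_arn="arn:aws:ec2:$region:$account:instance/$instance_id"
  # AWS-owned documents have an empty account field in their ARN.
  document_arn="arn:aws:ssm:$region::document/AWS-StartSSHSession"
  decisions=$(aws iam simulate-principal-policy \
    --policy-source-arn "$principal_arn" \
    --action-names ssm:StartSession \
    --resource-arns "$instance_arn" "$document_arn" \
    --query 'EvaluationResults[].ResourceSpecificResults[].EvalResourceDecision' \
    --output text)
  all_allowed "$decisions"
}

# Usage: ./check-ssh-session.sh arn:aws:iam::123456789012:user/alice eu-west-1 123456789012 i-0123456789abcdef0
if [ "$#" -eq 4 ]; then
  if can_start_ssh_session "$@"; then
    echo "$1 can start an SSH session on $4"
  else
    echo "$1 is NOT allowed to start an SSH session on $4" >&2
    exit 1
  fi
fi
```

Run it against the principal you are about to hand the policy to; an implicitDeny on the document ARN is the usual sign that only the instance resource was listed, and an implicitDeny on the instance ARN that the region or account ID in the ARN does not match the real instance.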

Now, after assuming your chosen role (or otherwise authenticating the AWS CLI), a plain Session Manager shell, without SSH, is one command away:

aws ssm start-session --target i-02573cafcfEXAMPLE --region your-chosen-region

To use SSH over SSM with the configuration above, run ssh with the instance ID as the host name instead, for example ssh -i your-key.pem ec2-user@i-02573cafcfEXAMPLE; the ProxyCommand runs aws ssm start-session with the AWS-StartSSHSession document for you. SSH authentication is unchanged, so the instance must still accept your key. If you also want users to be able to end their own sessions cleanly, allow ssm:TerminateSession and ssm:ResumeSession on arn:aws:ssm:*:*:session/${aws:username}-*, as the AWS Session Manager quickstart policies do.
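The client side of the procedure as a small helper, added here as an example (not code from the original post). It writes the ProxyCommand stanza from above into the SSH config exactly once, checks that the aws CLI and the Session Manager plugin are on PATH, confirms the instance is registered with SSM, and only then runs ssh. Assumptions: the config path defaults to ~/.ssh/config (overridable via SSH_CONFIG), the login user defaults to ec2-user, and the CLI is already authenticated with a default region, since the ProxyCommand passes none.

```shell
#!/bin/sh
# Added example, not from the original post: a small helper around "ssh over SSM".
# Assumptions: the ~/.ssh/config stanza from the post (path overridable via SSH_CONFIG),
# login user ec2-user unless given, and an AWS CLI that is already authenticated with a
# default region set, because the ProxyCommand passes none.
set -eu

SSH_CONFIG="${SSH_CONFIG:-${HOME:-.}/.ssh/config}"

# The stanza from the post: ssh hands the TCP stream to the Session Manager plugin
# instead of dialling port 22 directly, so the security group can stay closed.
ssm_proxy_stanza() {
  cat <<'EOF'
# SSH over Session Manager
host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# Add the stanza once; returns 0 when added, 1 when it was already present.
# The config file is kept private to the user (0600), as ssh expects.
ensure_ssh_config() {
  mkdir -p "$(dirname "$SSH_CONFIG")"
  touch "$SSH_CONFIG"
  chmod 600 "$SSH_CONFIG"
  if grep -q 'AWS-StartSSHSession' "$SSH_CONFIG"; then
    return 1
  fi
  { printf '\n'; ssm_proxy_stanza; } >>"$SSH_CONFIG"
}

# Both binaries must be on PATH: ssh runs the ProxyCommand, which runs the aws CLI,
# which execs session-manager-plugin. A missing plugin otherwise surfaces only as ssh
# reporting that the connection was closed.
check_prereqs() {
  command -v aws >/dev/null 2>&1 || { echo "aws CLI not found on PATH" >&2; return 1; }
  command -v session-manager-plugin >/dev/null 2>&1 \
    || { echo "session-manager-plugin not found on PATH" >&2; return 1; }
}

# The agent must be registered (PingStatus Online) before AWS-StartSSHSession can reach
# localhost:22 on the instance; checking first turns a vague ssh failure into a specific error.
ssm_instance_online() {
  status=$(aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$1" \
    --query 'InstanceInformationList[0].PingStatus' --output text)
  [ "$status" = "Online" ]
}

# Usage: ssm_ssh i-0123456789abcdef0 [user]
# SSH authentication is unchanged: the instance must still accept your key and run sshd.
ssm_ssh() {
  instance="$1"; user="${2:-ec2-user}"
  check_prereqs
  ensure_ssh_config || true
  ssm_instance_online "$instance" || { echo "$instance is not Online in SSM" >&2; return 1; }
  ssh "$user@$instance"
}

if [ -n "${1:-}" ]; then
  ssm_ssh "$@"
fi
```

Because ssh matches the host pattern i-* mi-*, any other host entries in the config are untouched, and options such as IdentityFile or User can be added to the same stanza if you prefer not to pass them on every call.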

You can now remove any port 22 access from your instance's security groups: it is no longer needed to connect. The SSM agent itself only needs outbound HTTPS (port 443) to the ssm, ssmmessages and ec2messages endpoints, via the internet or a NAT gateway or via interface VPC endpoints, so no inbound rule is required at all.

For further reading, see the AWS documentation on Session Manager.

Note that you can make sure your instance has the latest SSM agent installed by automating updates to SSM Agent.

Top comments (2)

Ruslan ver

I did this tutorial via the console and it works well,
but after enabling SSH over SSM from my local machine,

aws ssm start-session --target
with the instance name and region, I still get:

An error occurred (403) when calling the StartSession operation: Server authentication failed: Forbidden.

slidenerd

How will you do this with CDK? I don't want to set all this up manually.