This is a quick guide on how to set up Session Manager on your EC2 instance and enable SSH connections through SSM.
Setting up Session Manager on an EC2 instance
1. Create an IAM instance profile that allows Session Manager to connect to your instance (this is not enabled by default).
You can do that either by creating a new IAM role with Session Manager permissions or by adding inline policy permissions to an existing role that is already attached to your instance.
To create a new role and instance profile:
- Go to IAM and click Create role.
- Select EC2 as the trusted entity.
- Add the AmazonSSMManagedInstanceCore policy to your role (or AmazonSSMFullAccess if you need to grant all Systems Manager permissions) and click Next.
- Add tags and then click Create role.
To add SSM permissions to an existing role instead, find the role attached to the instance and add the SSM permissions as an inline policy.
2. Next, add the newly created role as your instance profile:
- Go to EC2 > Instances and select the instance you want to enable SSM on.
- Click Actions, select Security, and then Modify IAM role.
- Select the IAM role created in the previous step.
3. You can now connect to your instance through Session Manager.
You can find out more about EC2 instance profiles and IAM roles for SSM in the AWS documentation.
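The same two steps done with the AWS CLI instead of the console, as an added example that is not part of the original post. It assumes aws-cli v2 with credentials allowed to create IAM roles and modify the instance; the role name, instance profile name and region are assumptions, and the instance id is the placeholder from the post. Nothing touches AWS unless the script is run with the argument `apply`, so it can be sourced to inspect the trust policy first.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): console steps 1 and 2 as CLI calls.
# Assumes aws-cli v2 is installed and configured. Names below are assumptions.
set -eu

ROLE_NAME="${ROLE_NAME:-EC2-SSM-SessionManager}"       # hypothetical role name
PROFILE_NAME="${PROFILE_NAME:-$ROLE_NAME}"             # instance profile, same name
INSTANCE_ID="${INSTANCE_ID:-i-02573cafcfEXAMPLE}"      # placeholder id from the post
REGION="${AWS_REGION:-eu-west-1}"                      # assumption

# Step 1 trust policy: EC2 is the trusted entity, so the SSM agent on the
# instance can obtain the role's credentials from the instance metadata service.
trust_policy_json() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Least privilege: default to the managed policy the post recommends first and
# only pick AmazonSSMFullAccess when every Systems Manager permission is needed.
ssm_policy_arn() {
  if [ "${1:-core}" = "full" ]; then
    echo "arn:aws:iam::aws:policy/AmazonSSMFullAccess"
  else
    echo "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
  fi
}

create_ssm_role() {
  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy_json)"
  aws iam attach-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-arn "$(ssm_policy_arn core)"
  # An instance profile is the container that lets EC2 carry the role.
  aws iam create-instance-profile --instance-profile-name "$PROFILE_NAME"
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$PROFILE_NAME" --role-name "$ROLE_NAME"
}

# Step 2: attach the profile to the running instance
# (the console's Actions > Security > Modify IAM role).
attach_profile_to_instance() {
  # IAM is eventually consistent; a brand-new profile may not be visible yet.
  sleep 10
  aws ec2 associate-iam-instance-profile \
    --region "$REGION" \
    --instance-id "$INSTANCE_ID" \
    --iam-instance-profile "Name=$PROFILE_NAME"
}

# Only run against AWS when explicitly asked, so the script is safe to source.
if [ "${1:-}" = "apply" ]; then
  create_ssm_role
  attach_profile_to_instance
fi
```

Run it as `sh setup-ssm-role.sh apply`; the agent on the instance picks up the new role within a few minutes, after which the instance appears as a managed instance in Session Manager.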
Enabling SSH over SSM from your local machine
First of all, make sure you meet all the prerequisites:
- Have the latest aws-cli installed.
- Install the Session Manager plugin on the machine you want to connect to your instance from.
- Make sure your instance has the latest SSM agent installed.
- Update the local .ssh configuration on your machine.
Windows (usually located at C:\Users\username\.ssh\config):
# SSH over Session Manager
host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
Mac (usually located at ~/.ssh/config):
# SSH over Session Manager
host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
- Add permissions to the IAM role/user that you use to connect to AWS.
You can use the policy below to allow SSH connections through Session Manager.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:region:987654321098:instance/i-02573cafcfEXAMPLE",
        "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
      ]
    }
  ]
}
Now, after assuming your chosen role (or otherwise authenticating to AWS from the command line), you can connect to your instance through SSH over SSM by running this command:
aws ssm start-session --target i-02573cafcfEXAMPLE --region your-chosen-region
You can now remove any port 22 access from your instance's security groups; it is no longer needed to connect to your instance.
For further reading, check the AWS documentation on this topic.
Note that you can make sure your instance has the latest SSM agent installed by automating updates to SSM Agent.
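The local side of the setup above, as an added example that is not part of the original post: it checks the prerequisites from the list (aws-cli, the Session Manager plugin, the ProxyCommand entry in ~/.ssh/config), confirms the instance has actually registered with SSM (the usual cause of a failed StartSession is an agent that never came online with the instance profile), lists any security group CIDR still allowed on port 22 so the cleanup at the end can be verified, and then opens the SSH session through the ProxyCommand. The login user, key path and region are assumptions; the instance id is the placeholder from the post.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Instance id, user, key path and
# region below are placeholders/assumptions; override them via the environment.
set -eu

INSTANCE_ID="${INSTANCE_ID:-i-02573cafcfEXAMPLE}"   # placeholder id from the post
SSH_USER="${SSH_USER:-ec2-user}"                    # assumed login user
SSH_KEY="${SSH_KEY:-$HOME/.ssh/id_ed25519}"         # assumed key path
REGION="${AWS_REGION:-eu-west-1}"                   # assumption
SSH_CONFIG="${SSH_CONFIG:-$HOME/.ssh/config}"

# The config snippet from the post, emitted so it can be appended with:
#   ssh_config_block >> ~/.ssh/config
ssh_config_block() {
  cat <<'EOF'
# SSH over Session Manager
host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# Mirrors the "host i-* mi-*" pattern: only these hostnames are sent through SSM;
# anything else ssh would try to reach directly over the network.
is_managed_instance_id() {
  case "$1" in
    i-*|mi-*) return 0 ;;
    *)        return 1 ;;
  esac
}

check_prereqs() {
  command -v aws >/dev/null || { echo "aws-cli not installed" >&2; return 1; }
  command -v session-manager-plugin >/dev/null \
    || { echo "Session Manager plugin not installed" >&2; return 1; }
  grep -q 'AWS-StartSSHSession' "$SSH_CONFIG" 2>/dev/null \
    || { echo "ProxyCommand entry missing from $SSH_CONFIG" >&2; return 1; }
}

# PingStatus "Online" means the agent registered with SSM using the instance
# profile; an empty or other value means StartSession will be refused.
check_instance_online() {
  status=$(aws ssm describe-instance-information --region "$REGION" \
    --filters "Key=InstanceIds,Values=$INSTANCE_ID" \
    --query 'InstanceInformationList[0].PingStatus' --output text)
  [ "$status" = "Online" ] \
    || { echo "instance not managed by SSM (PingStatus: $status)" >&2; return 1; }
}

# After the move to SSM the post removes port 22 from the security groups;
# this prints any CIDR still allowed on 22 so you can confirm none is left.
list_port22_ingress() {
  groups=$(aws ec2 describe-instances --region "$REGION" --instance-ids "$INSTANCE_ID" \
    --query 'Reservations[0].Instances[0].SecurityGroups[].GroupId' --output text)
  # shellcheck disable=SC2086  # word splitting of $groups is intended
  aws ec2 describe-security-groups --region "$REGION" --group-ids $groups \
    --query 'SecurityGroups[].IpPermissions[?FromPort<=`22` && ToPort>=`22`].IpRanges[].CidrIp' \
    --output text
}

connect() {
  is_managed_instance_id "$INSTANCE_ID" || { echo "not an i-/mi- id" >&2; return 1; }
  check_prereqs
  check_instance_online
  echo "Security group CIDRs still allowed on port 22 (expect none):"
  list_port22_ingress
  # ssh itself never reaches port 22 over the network: the ProxyCommand
  # tunnels the connection through the SSM session.
  exec ssh -i "$SSH_KEY" "$SSH_USER@$INSTANCE_ID"
}

# Only talk to AWS when explicitly asked, so the file is safe to source.
if [ "${1:-}" = "connect" ]; then connect; fi
```

Run it as `sh ssm-ssh.sh connect`. Because the ProxyCommand is keyed on the instance id, a plain `ssh ec2-user@i-02573cafcfEXAMPLE` works just as well once the checks pass; the script only front-loads the diagnostics that otherwise surface as a bare StartSession error.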
Top comments (2)
I did this tutorial via the console and it works well,
but after Enabling SSH over SSM from your local machine,
aws ssm start-session --target
with the instance name and region, I still get:
An error occurred (403) when calling the StartSession operation: Server authentication failed: Forbidden.
How would you do this with CDK? I don't want to set all this up manually.