Securely Connect to EC2 Instances Using Systems Manager (SSM)

AWS Systems Manager (formerly known as SSM) is an AWS service that you can use to view and control your infrastructure on AWS. With AWS Systems Manager, you can perform routine operations, proactively act on events and address security issues on multiple instances at the same time.

Usually, when we connect to EC2 instances using our local machines, we need to grant SSH (port 22) or RDP (port 3389) permissions from our IP address and we also need to provide the key pair.

In this post, I will share the steps on how you can securely connect to your EC2 instances using AWS Systems Manager, even without SSH permission in your EC2’s security group and not using a key pair.

For this, you will need to perform the following:

1. Create an IAM Instance Profile
2. Create and Launch an Amazon EC2 Instance
3. Connect to EC2 using AWS Systems Manager

Steps
Step 1: Create an IAM Instance Profile

1. Open the AWS IAM console, and then choose Roles from the navigation pane
2. Select Create Role
3. For the type of trusted entity, select AWS service
4. For the use case, choose EC2
5. Choose Next: Permissions
6. For the policies to attach, search and select AmazonSSMManagedInstanceCore
7. Choose Next: Tags and add tags as needed
8. Enter a Role name and choose Create Role

Step 2: Create and Launch an Amazon EC2 instance

1. Open the Amazon EC2 console, and then choose Launch instances
2. Select an Amazon Machine Image (AMI). In this example, I will choose an Amazon Linux 2 AMI Note: In order to use AWS Systems Manager, an SSM Agent must be installed on the instance. By default, SSM Agent is preinstalled on instances created from some AMIs, including Amazon Linux 2.

3. Choose an instance type. For this I will choose t2.micro
   

4. Choose Next: Configure Instance Details

5. Configure the instance details. Make sure to choose the IAM role that you created earlier
   

6. Choose Next: Add Storage and modify storage as needed

7. Choose Next: Add Tags and add tags as needed

8. Choose Next: Configure Security Group

9. Choose Create a new security group and remove the default SSH inbound rule
   

10. Choose Review and Launch

11. Choose Launch

12. In the key pair window, select Proceed without a key pair and check the acknowledgement
    

13. Choose Launch Instances

14. Navigate to the launched instance and wait until the Instance state is Running
    

Step 3: Connect to EC2 using AWS Systems Manager

Option A – EC2 Console

1. In the Amazon EC2 console, select the instance and then click on Actions and choose Connect from the dropdown
   

2. Select Session Manager tab and choose Connect
   

3. You are now connected to your EC2 instance using Systems Manager
   

Option B – Systems Manager Console

1. Open the AWS Systems Manager console, and then choose Session Manager under Node Management from the navigation pane
2. Choose Start Session

3. Select your instance from the Target instances list and then choose Start Session
   

4. You are now connected to your EC2 instance using Systems Manager