Connect to EC2 via AWS Session Manager without an SSH inbound rule

  • Open EC2 Dashboard
  • Select target EC2 instance in list
  • Right-click the instance and choose "Instance Settings -> Attach/Replace IAM Role", as shown in the figure.
  • In the IAM console, click "Create Role".
  • In the next step, select "AWS Service" as the type of trusted entity and "EC2" as the use case.
  • Click the "Next: Permissions" button at the bottom right of the page.
  • In the "Filter policies" search box, enter "AmazonSSMManagedInstanceCore" and tick the checkbox next to the policy. This AWS-managed policy grants only what the SSM Agent on the instance needs to register with Systems Manager; it does not let the instance start sessions to other instances.
  • Follow the wizard and, on the last page, enter a role name (e.g. SessionManager-Test) and create the role.
  • Go back to the "Instance Settings -> Attach/Replace IAM Role" page and refresh the dropdown.
  • The new role should now be listed, as shown in the figure below.
  • Now open the "Systems Manager" service from the "Services" search bar in the AWS Console.
  • In the left pane, select "Session Manager"; it lists any currently open sessions.
  • Click "Start Session" to start a new session.
  • The page lists every EC2 instance that has registered with Systems Manager, i.e. one with a suitable IAM role whose SSM Agent has checked in. It can take a few minutes for the role attached in the previous step to take effect, so keep refreshing this window. The instance must also be running the SSM Agent (preinstalled on Amazon Linux and many other AWS AMIs) and have outbound HTTPS access to the Systems Manager endpoints, via the internet or via VPC endpoints; no inbound security-group rule is required.
  • Once the instance is listed, select it and click "Start Session".
  • A shell session opens in a new browser tab as the user "ssm-user". This is not SSH: the connection is brokered by Systems Manager over the agent's outbound channel, so port 22 can stay closed in the security group.
  • You can switch to another user with sudo su <username>. Note that ssm-user has passwordless sudo by default, so anyone allowed to start a session effectively has root on the instance; restrict who may call ssm:StartSession (and on which instances) with IAM policies.
  • "Session History" records which IAM user or role started each session, against which instance, and when; an SSH inbound rule gives you none of this, since SSH only knows the key pair. Session output can additionally be logged to S3 or CloudWatch Logs. This gives far better audit and authorisation detail than SSH.
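The same setup as the console steps above, done with the AWS CLI, as an added example that is not part of the original post. It assumes the AWS CLI and the Session Manager plugin are installed, that the calling IAM principal may create roles, change instance profiles and start sessions, and it uses a hypothetical instance ID (i-0123456789abcdef0); the role name is the one from the post.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): the Session Manager setup via AWS CLI.
# Assumptions (not in the original): the instance ID below is hypothetical, and the
# AWS CLI plus the Session Manager plugin are installed with IAM rights to create
# roles, modify instance profiles and start sessions.
set -eu

ROLE_NAME="${ROLE_NAME:-SessionManager-Test}"          # role name used in the post
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"      # hypothetical target instance
AWS="${AWS:-aws}"                                       # CLI binary (overridable for dry runs)
SSM_CORE_POLICY="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Trust policy equivalent to choosing "AWS service -> EC2" in the wizard:
# only the EC2 service may assume this role.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Create the role, attach the SSM core policy, and wrap it in an instance
# profile (the console does this last step for you; the CLI does not).
create_ssm_role() {
  "$AWS" iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  "$AWS" iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$SSM_CORE_POLICY"
  "$AWS" iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  "$AWS" iam add-role-to-instance-profile \
    --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  # IAM is eventually consistent; wait until the profile is visible before using it.
  "$AWS" iam wait instance-profile-exists --instance-profile-name "$ROLE_NAME"
}

# "Attach/Replace IAM Role" from the post.
attach_profile() {
  "$AWS" ec2 associate-iam-instance-profile --instance-id "$INSTANCE_ID" \
    --iam-instance-profile Name="$ROLE_NAME"
}

# Poll until the SSM Agent has checked in; until then the instance is not
# listed under Start Session. Gives up (non-zero) after about 5 minutes.
wait_for_ssm() {
  i=0
  while [ "$i" -lt 30 ]; do
    status=$("$AWS" ssm describe-instance-information \
      --filters "Key=InstanceIds,Values=$INSTANCE_ID" \
      --query 'InstanceInformationList[0].PingStatus' --output text)
    [ "$status" = "Online" ] && return 0
    i=$((i + 1))
    sleep 10
  done
  return 1
}

# Interactive shell as ssm-user; no port 22 involved.
start_session() {
  "$AWS" ssm start-session --target "$INSTANCE_ID"
}

if [ "${RUN_SSM_SETUP:-0}" = "1" ]; then
  create_ssm_role
  attach_profile
  wait_for_ssm
  start_session
fi
```

Run it with RUN_SSM_SETUP=1 and a real INSTANCE_ID. Setting AWS=echo prints the commands instead of executing them, which is a cheap way to review what will be created before touching the account. The start-session step needs the Session Manager plugin on the workstation, and the principal running it needs ssm:StartSession on the target instance; that permission, not the login user on the box, is what decides who gets a shell.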
