Overview
AWS provides multiple options for secure, keyless remote access to EC2 instances without requiring SSH keys, public IPs, or bastion hosts. The three main solutions are:
- AWS Systems Manager Session Manager (SSM Session Manager)
- EC2 Instance Connect
- EC2 Instance Connect Endpoint
Each method has distinct advantages, limitations, and use cases. This guide compares them to help you choose the best option for your needs.
Feature Comparison
Feature | SSM Session Manager | EC2 Instance Connect | EC2 Instance Connect Endpoint |
---|---|---|---|
No Public IP Required | Yes | No (only works with public IPs) | Yes |
No SSH Key Management | Yes | Yes | Yes |
IAM-Based Access Control | Yes | Yes | Yes |
Bastion Host Requirement | Not Needed | Not Needed | Not Needed |
AWS Console Access | Yes | Yes | Yes |
AWS CLI Access | Yes (`aws ssm start-session`) | Yes (`aws ec2-instance-connect ssh`) | Yes (`aws ec2-instance-connect ssh`) |
Works with Private Subnets | Yes (VPC Endpoints or NAT required) | No | Yes (via EC2 Instance Connect Endpoint) |
Session Logging & Auditing | Yes (CloudWatch/CloudTrail) | No | No |
Supports On-Demand Access | Yes | Yes | Yes |
AWS Systems Manager Session Manager
Key Benefits
- No Public IPs Required - Works with instances inside private subnets.
- No SSH Key Management - Uses IAM-based authentication.
- Session Logging & Auditing - Logs user activity in CloudTrail.
- AWS Console & CLI Integration - Accessible via AWS Console or CLI.
- Supports VPC Endpoints - No need for outbound internet access when using PrivateLink.
How It Works
- Attach an IAM Role with the `AmazonSSMManagedInstanceCore` policy to the instance.
- Ensure the instance has SSM Agent installed and running.
- Use `aws ssm start-session` or the AWS Console to connect.
- AWS handles authentication and communication securely.
EC2 Instance Connect
Key Benefits
- No SSH Keys Required - AWS injects temporary keys for authentication.
- Simple to Use - Directly accessible from the AWS Console.
- Ideal for Public Instances - Works with EC2 instances that have public IPs.
How It Works
- Select the EC2 instance in the AWS Console.
- Click Connect > EC2 Instance Connect.
- AWS injects a temporary SSH key and logs you in.
Limitations
- Requires Public IP - Cannot connect to instances in private subnets.
- No CLI Support for Private Instances - CLI access only works for instances with public IPs.
EC2 Instance Connect Endpoint
Key Benefits
- Works with Private Subnets - Enables SSH access without requiring a public IP.
- IAM-Based Access Control - Uses temporary SSH keys.
- No Bastion Hosts Needed - Connects to instances inside a private VPC securely.
- Works with AWS CLI & Console - Provides a seamless connection experience.
How It Works
- Deploy an EC2 Instance Connect Endpoint in the same subnet as the target instance.
- Assign a Security Group to control access.
- Ensure the instance has EC2 Instance Connect Agent installed and running.
- Use the AWS Console or CLI to initiate a session.
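All three methods above rely on IAM rather than SSH keys for access control, so the policy attached to the user or role is where least privilege is enforced. The following is an added example (not code from the original post or from the linked Terraform demos) that builds a scoped policy for each method using the condition keys AWS documents for these actions, plus a small review check that flags grants left on a wildcard resource without a condition. The tag key/value, OS user and endpoint ID are constructed sample values.

```python
# Added example: least-privilege IAM policies for the three access methods.
# Tag key/value, OS user and endpoint ID are constructed sample values.
TAG_KEY, TAG_VALUE = "Environment", "dev"

def ssm_session_policy(tag_key=TAG_KEY, tag_value=TAG_VALUE):
    # Session Manager: start sessions only on tagged instances; terminate/resume
    # only one's own sessions (Session Manager prefixes session IDs with the username).
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ssm:StartSession",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value}}},
        {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
         "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"}]}

def instance_connect_policy(os_user="ec2-user", tag_key=TAG_KEY, tag_value=TAG_VALUE):
    # EC2 Instance Connect: the temporary key may be pushed only for one OS user
    # and only to tagged instances.
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2-instance-connect:SendSSHPublicKey",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"ec2:osuser": os_user,
                                        f"ec2:ResourceTag/{tag_key}": tag_value}}},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}]}

def instance_connect_endpoint_policy(endpoint_id, port=22, max_seconds=3600):
    # EC2 Instance Connect Endpoint: tunnel only through one endpoint, only to the
    # SSH port, for a bounded duration; key push stays scoped as above.
    policy = instance_connect_policy()
    policy["Statement"].insert(0, {
        "Effect": "Allow", "Action": "ec2-instance-connect:OpenTunnel",
        "Resource": f"arn:aws:ec2:*:*:instance-connect-endpoint/{endpoint_id}",
        "Condition": {
            "NumericEquals": {"ec2-instance-connect:remotePort": str(port)},
            "NumericLessThanEquals": {"ec2-instance-connect:maxTunnelDuration": str(max_seconds)}}})
    policy["Statement"].append({"Effect": "Allow", "Resource": "*",
                                "Action": "ec2:DescribeInstanceConnectEndpoints"})
    return policy

def unscoped_actions(policy):
    # Review check: non-read-only actions granted on Resource "*" with no Condition,
    # i.e. access not tied to particular instances or endpoints.
    found = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == "Allow" and st["Resource"] == "*" and "Condition" not in st:
            found += [a for a in actions if not a.split(":")[1].startswith("Describe")]
    return found
```

Serialise any of the returned dictionaries with `json.dumps` to attach it as an inline policy; `unscoped_actions` returns an empty list for all three, and a non-empty list for a policy that grants `ssm:StartSession` on `*` unconditionally.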
Choosing the Right Solution
Use Case | Recommended Solution |
---|---|
Access private instances | SSM Session Manager or EC2 Instance Connect Endpoint |
Access public instances | EC2 Instance Connect |
Audit session activity | SSM Session Manager |
No outbound internet access | SSM Session Manager with VPC Endpoints |
CLI-based access | SSM Session Manager or EC2 Instance Connect Endpoint |
One-time or temporary access | EC2 Instance Connect |
Terraform Sample Repositories
For working Terraform examples demonstrating all three access methods, check out:
- GitHub Repository: AWS SSM Session Manager Terraform Demo
- GitHub Repository: EC2 Instance Connect Terraform Demo
- GitHub Repository: EC2 Instance Connect Endpoint Terraform Demo
Summary
- SSM Session Manager - Best for managing private EC2 instances without SSH keys or public IPs, with IAM control and session logging.
- EC2 Instance Connect - Best for ad-hoc connections to public EC2 instances, offering simple browser-based SSH access.
- EC2 Instance Connect Endpoint - Best for secure CLI-based SSH access to private EC2 instances without requiring a bastion host.