DEV Community

John  Ajera
John Ajera

Posted on

Secure Remote Access to Private EC2 Instances with AWS SSM Session Manager

🚀 AWS Session Manager: Secure Remote Access Without SSH

AWS Systems Manager (SSM) Session Manager enables secure, keyless remote access to EC2 instances without requiring SSH, public IPs, or bastion hosts. This feature simplifies remote instance management using AWS-managed networking and IAM-based authentication.

🔗 Key Benefits of AWS SSM Session Manager

  • No Public IPs Required - Connect to instances inside private subnets.
  • No SSH Key Management - Eliminates the need for manually managing SSH key pairs.
  • IAM-Based Access Control - Grants secure, audited access via AWS IAM permissions.
  • No Need for Bastion Hosts - Reduces infrastructure complexity and security risks.
  • AWS Console & CLI Integration - Connect directly from AWS Console or via aws ssm start-session.
  • Session Logging & Auditing - Tracks user activity for security and compliance.

🛠 Prerequisites

Before using AWS SSM Session Manager, ensure you have:

  • EC2 instance with SSM Agent installed (Amazon Linux 2 has it by default; Amazon Linux 2023 requires installation).
  • IAM Role with AmazonSSMManagedInstanceCore attached.
  • AWS CLI installed (Setup Guide).
  • AWS SSM Session Manager Plugin installed (Installation Guide).
  • Outbound internet access (via NAT Gateway) or AWS PrivateLink for SSM endpoints.

🌐 How AWS SSM Session Manager Works

When a user initiates a session via AWS Console or CLI, AWS Systems Manager establishes a secure, TLS-encrypted session between the user and the instance. The IAM policy attached to the instance role controls permissions and access.

🚀 AWS SSM Session Manager for Private Subnets

AWS Systems Manager Session Manager allows access to instances in private subnets without SSH or public IPs.

🛠 How It Works

  1. Attach an IAM Role with AmazonSSMManagedInstanceCore policy to the instance.
  2. Ensure the instance has SSM Agent installed and running.
  3. Use the AWS CLI or Console to initiate a session.
  4. AWS handles authentication and communication securely.

📚 Terraform Sample Repository

For a working Terraform example demonstrating AWS SSM Session Manager, check out:

👉 GitHub Repository: AWS SSM Session Manager Terraform Demo

📊 IAM Policy Example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession",
        "ssm:TerminateSession",
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus"
      ],
      "Resource": "*"
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode

📃 Common Issues & Fixes

❌ Instance Not Found in AWS SSM Session Manager

✅ Ensure the IAM Role includes AmazonSSMManagedInstanceCore.
✅ Verify SSM Agent is installed and running (systemctl status amazon-ssm-agent).
✅ Ensure the instance has outbound internet access or AWS SSM VPC Endpoints configured.

❌ Session Manager Plugin Not Found

✅ Install the AWS Session Manager Plugin:

Debian/Ubuntu

curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" -o "session-manager-plugin.deb"
sudo dpkg -i session-manager-plugin.deb
Enter fullscreen mode Exit fullscreen mode

Amazon Linux 2 & RHEL 7

sudo yum install -y https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm
Enter fullscreen mode Exit fullscreen mode

Amazon Linux 2023 & RHEL 8/9

sudo dnf install -y https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm
Enter fullscreen mode Exit fullscreen mode

macOS

curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac/sessionmanager-bundle.zip" -o "sessionmanager-bundle.zip"
unzip sessionmanager-bundle.zip
sudo ./sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin
Enter fullscreen mode Exit fullscreen mode

Verify installation:

session-manager-plugin --version
Enter fullscreen mode Exit fullscreen mode

🌟 Summary

AWS Systems Manager Session Manager provides secure, keyless remote access to private EC2 instances, eliminating the need for public IPs, SSH keys, or bastion hosts.

Want to try it out? Implement AWS SSM Session Manager in your Terraform setup today!

👉 GitHub Repository: AWS SSM Session Manager Terraform Demo

Top comments (0)