Sometimes you're dropped into an AWS environment where EC2 instances already exist — maybe from a team handover or an inherited project. But here's the issue:
You don't have the SSH key pair to access the instances. It might have been lost, never shared, or never created in the first place.
Thankfully, there are several ways to regain access:
Common Solutions When SSH Access is Lost
- Use EC2 Instance Connect
- Use AWS Systems Manager Session Manager
- Create an AMI of the instance and launch a new one
While each option has its use case, the most secure, scalable, and production-friendly solution is Option 2 — Session Manager.
Why Session Manager is the Best Option
Over time, I've seen many clients face this exact issue. In most cases, EC2 Instance Connect either doesn't work due to misconfigurations, or it's blocked by security groups and firewalls.
Session Manager, on the other hand, works consistently and securely. Plus, it doesn't require any open ports — a huge win for environments with strict compliance requirements.
Benefits of Session Manager
- No SSH keys or bastion hosts required
- No open inbound ports needed
- Works over AWS Systems Manager Agent (SSM Agent)
- Supports centralized logging (CloudWatch, S3)
- Secured via IAM and AWS KMS
First: Check if the Instance is Already Registered
Before doing any configuration, verify whether your instance is already registered with Session Manager.
Go to this link:
Start a Session in AWS Session Manager
Click "Start session".
If your instance is listed, you can connect directly — no further setup needed.
If no instances appear, follow the steps below to enable access.
Step-by-Step: Enable Session Manager on EC2
Step 1: Create an IAM Policy for Session Manager
- Go to the IAM Console.
- In the sidebar, click "Policies" > "Create Policy".
- Select the JSON tab and replace the contents with the following policy, substituting your own values for the placeholders (your-bucket-name, s3-prefix, your-region, your-account-id, your-key-id):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel",
        "ssm:UpdateInstanceInformation"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name/s3-prefix/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetEncryptionConfiguration"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:your-region:your-account-id:key/your-key-id"
    }
  ]
}
```
- Click "Next: Tags" (optional).
- Click "Next: Review".
- Name the policy something like `SessionManagerPermissions`.
- Click "Create Policy".
Step 2: Create an IAM Role for EC2 Instances
- Go to "Roles" > "Create Role" in the IAM console.
- Select AWS service as the trusted entity, and choose EC2.
- Click "Next".
- Attach the `SessionManagerPermissions` policy you just created.
- Name the role something like `EC2SessionManagerRole`.
- Click "Create Role".
Step 3: Attach the IAM Role to the EC2 Instance
- Open the EC2 Console.
- Select the instance you want to access.
- Choose "Actions > Security > Modify IAM Role".
- Select the role you just created (`EC2SessionManagerRole`).
- Click "Update IAM Role".
Step 4: Connect via Session Manager
- Go to Systems Manager > Session Manager.
- Wait a few minutes — the instance should now appear.
- Click "Start session" and select your instance.
- Click "Connect".
You now have shell access to the EC2 instance — without SSH or open ports.
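As an added example (not code from the original post), here is a small Python helper that fills the Step 1 policy with real values, lints it for leftover placeholders and for S3-write or KMS actions still granted on `"Resource": "*"`, and parses the output of `aws ssm describe-instance-information` to perform the registration check from "First: Check if the Instance is Already Registered" without the console. The bucket, prefix, region, account and key values you pass in are your own; the regex assumes the post's `your-...` placeholder naming.

```python
import json
import re

PLACEHOLDER = re.compile(r"your-[a-z-]+")  # matches your-bucket-name, your-region, ...


def build_session_manager_policy(bucket, prefix, region, account_id, key_id):
    """Return the Step 1 policy document with the placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Resource": "*", "Action": [
                "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel",
                "ssm:UpdateInstanceInformation"]},
            {"Effect": "Allow", "Resource": "*", "Action": [
                "logs:CreateLogStream", "logs:PutLogEvents",
                "logs:DescribeLogGroups", "logs:DescribeLogStreams"]},
            {"Effect": "Allow", "Action": ["s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"},
            {"Effect": "Allow", "Action": ["s3:GetEncryptionConfiguration"], "Resource": "*"},
            {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
             "Resource": f"arn:aws:kms:{region}:{account_id}:key/{key_id}"},
        ],
    }


def lint_policy(policy):
    """Return a list of problems: placeholders that were never replaced, and
    S3 write or KMS actions allowed on every resource instead of one bucket path / key."""
    problems = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        scoped = [a for a in actions if a == "s3:PutObject" or a.startswith("kms:")]
        for res in resources:
            if PLACEHOLDER.search(res):
                problems.append(f"statement {i}: placeholder still present in {res}")
            if res == "*" and scoped:
                problems.append(f"statement {i}: {', '.join(scoped)} allowed on every resource")
    return problems


def registered_instances(describe_output, wanted_ids):
    """Given the JSON printed by `aws ssm describe-instance-information`, return
    the subset of wanted_ids that Session Manager currently sees as Online."""
    info = json.loads(describe_output)["InstanceInformationList"]
    online = {item["InstanceId"] for item in info if item.get("PingStatus") == "Online"}
    return sorted(set(wanted_ids) & online)
```

Instances missing from `registered_instances` are the ones that still need the role from Steps 2 and 3 (or a running SSM Agent and a network path to the SSM endpoints).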
Final Notes
- Ensure the SSM Agent is installed and running. Most Amazon Linux, Ubuntu, and Windows AMIs include it by default.
- The instance must have internet access (via a NAT Gateway or Internet Gateway) unless you're using VPC endpoints.
- Session Manager access is auditable, secure, and great for managing access at scale.
Summary
Session Manager is the go-to tool for securely accessing EC2 instances when SSH is not an option. Whether you're dealing with lost keys or just want to manage access more securely and efficiently — this is the approach I recommend and use in production environments.
Let me know in the comments if you’ve used Session Manager or if you ran into any issues while setting it up.