DEV Community

Cover image for Access an EC2 Instance Using Session Manager (Even Without SSH Keys
Samuel Ajisafe
Samuel Ajisafe

Posted on

Access an EC2 Instance Using Session Manager (Even Without SSH Keys

Sometimes you're dropped into an AWS environment where EC2 instances already exist — maybe from a team handover or an inherited project. But here's the issue:
You don't have the SSH key pair to access the instances. It might have been lost, never shared, or never created in the first place.

Thankfully, there are several ways to regain access:

Common Solutions When SSH Access is Lost

  1. Use EC2 Instance Connect
  2. Use AWS Systems Manager Session Manager
  3. Create an AMI of the instance and launch a new one

While each option has its use case, the most secure, scalable, and production-friendly solution is Option 2 — Session Manager.

Why Session Manager is the Best Option

Over time, I've seen many clients face this exact issue. In most cases, EC2 Instance Connect either doesn't work due to misconfigurations, or it's blocked by security groups and firewalls.

Session Manager, on the other hand, works consistently and securely. Plus, it doesn't require any open ports — a huge win for environments with strict compliance requirements.

Benefits of Session Manager

  • No SSH keys or bastion hosts required
  • No open inbound ports needed
  • Works over AWS Systems Manager Agent (SSM Agent)
  • Supports centralized logging (CloudWatch, S3)
  • Secured via IAM and AWS KMS

First: Check if the Instance is Already Registered

Before doing any configuration, verify whether your instance is already registered with Session Manager.

  1. Go to this link:
    Start a Session in AWS Session Manager

  2. Click "Start session".

  3. If your instance is listed, you can connect directly — no further setup needed.

If no instances appear, follow the steps below to enable access.

Image description

Image description

Step-by-Step: Enable Session Manager on EC2

Step 1: Create an IAM Policy for Session Manager

  1. Go to the IAM Console.
  2. In the sidebar, click "Policies" > "Create Policy".
  3. Select the JSON tab and replace the contents with the following policy (adjust values as needed): 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel",
        "ssm:UpdateInstanceInformation"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name/s3-prefix/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetEncryptionConfiguration"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:your-region:your-account-id:key/your-key-id"
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode
  1. Click "Next: Tags" (optional).
  2. Click "Next: Review".
  3. Name the policy something like SessionManagerPermissions.
  4. Click "Create Policy".

Image description

Step 2: Create an IAM Role for EC2 Instances

  1. Go to "Roles" > "Create Role" in the IAM console.
  2. Select AWS service as the trusted entity, and choose EC2.
  3. Click "Next".
  4. Attach the SessionManagerPermissions policy you just created.
  5. Name the role something like EC2SessionManagerRole.
  6. Click "Create Role".

Image description

Step 3: Attach the IAM Role to the EC2 Instance

  1. Open the EC2 Console.
  2. Select the instance you want to access.
  3. Choose "Actions > Security > Modify IAM Role".
  4. Select the role you just created (EC2SessionManagerRole).
  5. Click "Update IAM Role".

Image description

Image description

Step 4: Connect via Session Manager

  1. Go to Systems Manager > Session Manager.
  2. Wait a few minutes — the instance should now appear.
  3. Click "Start session" and select your instance.
  4. Click "Connect".

You now have shell access to the EC2 instance — without SSH or open ports.

Image description

Final Notes

  • Ensure the SSM Agent is installed and running. Most Amazon Linux, Ubuntu, and Windows AMIs include it by default.
  • The instance must have internet access (via a NAT Gateway or Internet Gateway) unless you're using VPC endpoints.
  • Session Manager access is auditable, secure, and great for managing access at scale.

Summary

Session Manager is the go-to tool for securely accessing EC2 instances when SSH is not an option. Whether you're dealing with lost keys or just want to manage access more securely and efficiently — this is the approach I recommend and use in production environments.

Let me know in the comments if you’ve used Session Manager or if you ran into any issues while setting it up.

AWSCommunityBuilder #Cloud #AWS #Server #Compute #SystemsManager #EC2 #Passwordless #DevOps

Top comments (0)

Some comments may only be visible to logged-in visitors. Sign in to view all comments.