AWS Systems Manager: Session Manager
Connecting to EC2 instances in a private subnet
About
Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS CLI.
Most Secure Way to Connect: Session Manager does not require opening inbound SSH ports, distributing SSH keys, or a NAT or Internet Gateway. It is fully auditable: every command run in a session is logged (session logging to CloudWatch Logs or S3 is configured in the Session Manager preferences). Using Session Manager, we can also reach instances running in a private subnet.
Let us see the pre-requisites that we need to meet to connect to an EC2 instance in a private subnet using Session Manager.
Pre-Requisites
Install SSM Agent on EC2 Host: AWS Systems Manager SSM Agent must be installed on the EC2 machine you want to connect to. The agent creates a user account on the EC2 machine, with root or administrator permissions, called ssm-user. Sessions are launched using the administrative credentials of this user account. Run sudo systemctl status amazon-ssm-agent to check whether the agent is running. Through the SSM agent, AWS Systems Manager can communicate with instances and execute tasks on them remotely: the agent receives requests from AWS Systems Manager and executes them on the instance with administrative privileges using the ssm-user account.
AWS CLI and Session Manager Plugin: If you use the AWS Command Line Interface (AWS CLI) to start your sessions (instead of the AWS Systems Manager console or the Amazon EC2 console):
Version 1.16.12 or later of the AWS CLI must be installed on your local machine.
Install session-manager-plugin for the AWS CLI on your laptop.
IAM Role: By default, AWS Systems Manager doesn't have permission to perform actions on your instances. You can provide permissions either at account level using an IAM role, or at instance level using an instance profile. Create an IAM role with the AmazonSSMManagedInstanceCore policy and attach it to the EC2 instance while launching.
VPC Endpoints: Create the VPC endpoints below (change the region to the one you are using) to enable communication between the SSM agent (running on EC2) and the Amazon SSM servers; select the VPC, subnet and security group while creating each endpoint.
ssm.us-east-1.amazonaws.com (Interface endpoint)
ec2messages.us-east-1.amazonaws.com (Interface endpoint)
ssmmessages.us-east-1.amazonaws.com (Interface endpoint)
com.amazonaws.region.s3 --> This is a Gateway Endpoint, "Type: Gateway"
Security Group: Create a Security Group with an outbound rule allowing HTTPS (443) to 0.0.0.0/0. Since the agent only needs to reach the endpoints above, this outbound rule can be narrowed to the security group attached to the interface endpoints.
Once these pre-requisites are met, launch the EC2 instance in the private subnet (with no internet access), selecting the VPC, private subnet, IAM role and security group created above.
Using Session Manager
To connect using the AWS web console:
AWS Console → select the EC2 instance → Connect → Session Manager: this opens the session in a new browser tab. Note: the first time, it takes 5-15 minutes for Session Manager to set up and for the Connect button to be enabled.
To start a session using AWS CLI:
aws ssm start-session --target instance-id --region region-name
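A preflight script, added here as an example (not part of the original article), that checks the prerequisites above before starting a session: AWS CLI version, the session-manager-plugin, the four VPC endpoints and the instance's SSM registration. INSTANCE_ID, REGION and VPC_ID are assumed caller-supplied variables, and the endpoints are matched using the com.amazonaws.<region>.<service> service-name form that the EC2 API reports for them.

```shell
#!/bin/sh
# Example preflight for Session Manager (added example; not the article's code).
# Assumes the aws CLI is configured with credentials for the target account.

# version_ge HAVE WANT: succeed when dotted version HAVE >= WANT.
version_ge() {
  i=1
  while :; do
    a=$(printf '%s.' "$1" | cut -d. -f"$i")
    b=$(printf '%s.' "$2" | cut -d. -f"$i")
    [ -z "$a" ] && [ -z "$b" ] && return 0   # ran out of components: equal
    [ "${a:-0}" -gt "${b:-0}" ] && return 0
    [ "${a:-0}" -lt "${b:-0}" ] && return 1
    i=$((i + 1))
  done
}

# required_endpoint_services REGION: the four endpoints the article lists
# (ssm, ec2messages, ssmmessages interface endpoints, s3 gateway endpoint).
required_endpoint_services() {
  for svc in ssm ec2messages ssmmessages s3; do
    printf 'com.amazonaws.%s.%s\n' "$1" "$svc"
  done
}

# missing_endpoints REGION PRESENT: print required services absent from the
# whitespace-separated list PRESENT (e.g. describe-vpc-endpoints output).
missing_endpoints() {
  present=$(printf '%s' "$2" | tr '\n\t' '  ')
  for svc in $(required_endpoint_services "$1"); do
    case " $present " in *" $svc "*) ;; *) printf '%s\n' "$svc" ;; esac
  done
}

# ssm_preflight INSTANCE_ID REGION VPC_ID: run all checks, then start a session.
ssm_preflight() {
  ver=$(aws --version 2>&1 | sed 's|^aws-cli/\([0-9.]*\).*|\1|')
  version_ge "$ver" 1.16.12 || { echo "aws cli $ver too old (need >= 1.16.12)"; return 1; }
  command -v session-manager-plugin >/dev/null || { echo "session-manager-plugin not installed"; return 1; }
  present=$(aws ec2 describe-vpc-endpoints --region "$2" --filters Name=vpc-id,Values="$3" \
    --query 'VpcEndpoints[].ServiceName' --output text)
  missing=$(missing_endpoints "$2" "$present")
  [ -z "$missing" ] || { echo "missing VPC endpoints in $3:"; echo "$missing"; return 1; }
  status=$(aws ssm describe-instance-information --region "$2" --filters Key=InstanceIds,Values="$1" \
    --query 'InstanceInformationList[0].PingStatus' --output text)
  [ "$status" = "Online" ] || { echo "instance $1 is not Online in SSM (status: $status)"; return 1; }
  aws ssm start-session --target "$1" --region "$2"
}

# Only touch AWS when the caller supplies the (hypothetical) variables.
if [ -n "${INSTANCE_ID:-}" ]; then
  ssm_preflight "$INSTANCE_ID" "${REGION:-us-east-1}" "${VPC_ID:?set VPC_ID}"
fi
```

Run it as INSTANCE_ID=i-xxxx VPC_ID=vpc-xxxx REGION=us-east-1 sh preflight.sh; a PingStatus other than Online usually means the agent cannot reach the endpoints or the instance role lacks AmazonSSMManagedInstanceCore.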
