Connecting to an EC2 Instance: A Deep Dive into Session Manager

Introduction
When working with Amazon EC2 instances, one of the first things you'll need to do is connect to your instance to manage and configure it. AWS provides multiple ways to do this, each with its own advantages and considerations. One commonly used method is Secure Shell (SSH), which requires key pairs. While many are familiar with SSH via PuTTY or the browser-based EC2 Instance Connect, a more secure and centralized option exists: AWS Systems Manager Session Manager.
In this article, I'll break down the different ways to connect to an EC2 instance, why Session Manager is a game-changer, and how to use it effectively. This is based on my hands-on learning, and I'll make sure to explain the reasoning behind each choice so that both beginners and those interested in cloud deployment can see the depth of understanding involved.
Different Ways to Connect to an EC2 Instance
AWS provides multiple methods to connect to an EC2 instance, and choosing the right one depends on security, ease of use, and the level of management you want. Here are the three primary ways:
- EC2 Instance Connect (Browser-Based Access)
  - This is the easiest and most direct method.
  - Simply click Connect from the AWS Console, and a browser-based terminal opens.
  - No need for SSH keys or additional configurations.
  - However, it's only available for Amazon Linux and Ubuntu instances.
- SSH via PuTTY (User-Managed Access)
  - Requires downloading PuTTY and configuring it with a .ppk private key.
  - The key file is generated from the .pem key provided when launching the instance.
  - Requires opening inbound SSH (port 22) in the security group, which can expose the instance to attacks if not managed properly.
  - AWS does not manage PuTTY access; you handle the configurations and security yourself.
- AWS Systems Manager Session Manager (AWS-Managed Access)
  - A fully AWS-managed solution.
  - No need to open inbound SSH ports, making it more secure.
  - Centralized access control using IAM policies.
  - Does not require you to manage key pairs.
  - Works with instances that have the SSM Agent installed and an IAM role with necessary permissions.
What is AWS Session Manager?
AWS Session Manager is a feature of AWS Systems Manager (SSM) that provides secure shell access to EC2 instances without requiring an SSH key or opening inbound ports. It relies on IAM roles to grant access and manage permissions.
Why Choose Session Manager?
Unlike PuTTY, where AWS does not manage the access or security settings, Session Manager offers a hassle-free and secure way to connect to EC2 instances:
- No need for inbound ports: Eliminates the risk of unauthorized access through SSH.
- IAM-based access control: You can define who has permission to access which instances.
- Centralized logging: Session logs can be sent to Amazon S3 or CloudWatch for auditing.
- Bastion host replacement: Traditionally, to access private EC2 instances, you’d need a Bastion Host (a publicly accessible instance acting as a gateway). Session Manager removes this requirement.
- Access from anywhere: You don’t need to install additional software like PuTTY—just use the AWS Console or AWS CLI.
What is a Bastion Host?
A Bastion Host is an EC2 instance used as a secure gateway to access other private instances inside a VPC. While effective, it requires proper security configurations and maintenance, unlike Session Manager, which eliminates the need for it entirely.
Steps to Set Up Session Manager for EC2
- Create an IAM Role for EC2
  Since Session Manager relies on IAM roles, we must create a role that grants EC2 the necessary permissions. For Session Manager to work, the instance needs an IAM role with SSM permissions, which the managed policy AmazonSSMManagedInstanceCore provides.
  - Navigate to AWS IAM Console.
  - Select Roles > Create Role.
  - Under Trusted entity type, choose AWS service.
  - Under Use case, select EC2 and click Next.
  - Attach the policy: AmazonSSMManagedInstanceCore.
  - Click Next, name the role (e.g., SSM_EC2_Access), and create the role.
- Attach the IAM Role to Your EC2 Instance
  If you are launching a new instance:
  - In the EC2 launch wizard, under Advanced Details, locate IAM Instance Profile.
  - Select the IAM role (SSM_EC2_Access) created earlier.
  If the instance is already running:
  - Navigate to EC2 Console > Instances.
  - Select your instance and go to Actions > Security > Modify IAM Role.
  - Select the SSM_EC2_Access role and save changes.
- Ensure SSM Agent is Installed
  Amazon Linux and Ubuntu AMIs come with SSM Agent pre-installed. If it is missing from your image, install the agent manually:
  sudo yum install -y amazon-ssm-agent # Amazon Linux
  sudo snap install amazon-ssm-agent --classic # Ubuntu
  On Windows, start the agent service from PowerShell:
  Start-Service AmazonSSMAgent
- Connect to the Instance Using Session Manager
  Once the instance is properly configured:
  - AWS Console → EC2 → Select Instance → Click on "Connect" → Select Session Manager → Click "Start session"
  Or:
  - Navigate to AWS Systems Manager > Session Manager.
  - Click Start session.
  - Select the instance and click Start session.
  - You now have shell access to the EC2 instance.
Alternatively, use the AWS CLI (this requires the Session Manager plugin to be installed alongside the CLI on your workstation):
aws ssm start-session --target <instance-id>
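The console steps above can also be scripted with the AWS CLI, which makes explicit the trust policy and instance profile that the console sets up for you. This is an added example, not code from the original article: it reuses the role name SSM_EC2_Access from the text, assumes the instance profile gets the same name, and takes a caller-supplied instance ID. By default it only prints the commands for review.

```shell
#!/bin/sh
# Added example: AWS CLI equivalent of the console steps in this article.
# With DRY_RUN=1 (the default) commands are printed for review, not executed.
ROLE_NAME="SSM_EC2_Access"   # role name used in the article
PROFILE_NAME="$ROLE_NAME"    # assumption: instance profile shares the role's name
POLICY_ARN="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Trust policy behind "Trusted entity type: AWS service, Use case: EC2":
# only the EC2 service may assume the role.
trust_policy() {
  printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
  printf '%s\n' '"Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

setup_session_manager() {
  instance_id="$1"   # caller-supplied EC2 instance ID
  # 1. Create the role and attach the managed policy.
  run aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)"
  run aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
  # 2. The console creates an instance profile for an EC2 role automatically;
  #    from the CLI it has to be created and linked to the role explicitly.
  run aws iam create-instance-profile --instance-profile-name "$PROFILE_NAME"
  run aws iam add-role-to-instance-profile \
    --instance-profile-name "$PROFILE_NAME" --role-name "$ROLE_NAME"
  # 3. Attach the profile to a running instance (Actions > Security > Modify IAM Role).
  run aws ec2 associate-iam-instance-profile --instance-id "$instance_id" \
    --iam-instance-profile "Name=$PROFILE_NAME"
  # 4. Confirm the agent has registered ("Online") before opening a session.
  run aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$instance_id" \
    --query "InstanceInformationList[].PingStatus" --output text
  run aws ssm start-session --target "$instance_id"
}

# Usage: ./setup.sh <instance-id>            (dry run)
#        DRY_RUN=0 ./setup.sh <instance-id>  (execute)
if [ "$#" -gt 0 ]; then
  setup_session_manager "$1"
fi
```

In a real run, repeat the describe-instance-information check until it reports Online before starting the session.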
Troubleshooting
If you cannot connect using Session Manager, check the following:
- Ensure the IAM role is attached to the instance.
- Confirm the AmazonSSMManagedInstanceCore policy is attached to that role.
- Verify SSM Agent is installed and running. Most Amazon Machine Images (AMIs), including Amazon Linux 2 and Ubuntu, come with the SSM Agent pre-installed. To verify, run:
  sudo systemctl status amazon-ssm-agent
- Make sure the instance has internet access or a VPC endpoint for SSM.
Conclusion
Among the different methods of connecting to an EC2 instance, Session Manager stands out as the most secure and managed approach. Unlike PuTTY, where you must handle key configurations and security yourself, AWS manages the entire access process for you. No inbound ports need to be opened, and access is controlled centrally via IAM. If you're looking for a robust and secure way to manage your EC2 instances, Session Manager is the way to go.
This is part of my hands-on cloud learning journey, and I hope it helps anyone navigating the different ways to connect to an EC2 instance. Let me know if you have any questions or if there's anything you'd like me to explore further!