I will help and guide you through the everyday AWS tasks you will encounter at your workplace as an AWS Cloud Engineer. Follow this blog for new material every week.
Today we will learn to connect to an AWS EC2 instance using Session Manager.
Session Manager is a part of the AWS Systems Manager service. Session Manager allows a secure connection to AWS EC2 without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.
Let’s explore and make AWS learning easy for all!
Upon signing in to the AWS account, launch an AWS EC2 Linux or Windows instance. Here, I have launched a Linux instance under free-tier eligibility.
Tick the checkbox of the EC2 instance that you want to connect to, then click the ‘Connect’ button in the top right corner of the EC2 dashboard.
AWS offers the following 4 options to connect to an EC2 instance.
- EC2 Instance Connect
- Session Manager
- SSH client
- EC2 Serial Console
This tutorial will use the Session Manager option to connect to our EC2 instance. This is the Session Manager tab you will see when connecting to your EC2 instance. As you can see, a few prerequisites are required before Session Manager will work. The top 3 common reasons for not being able to connect to your intended EC2 instance are as follows.
- SSM Agent isn’t installed on the instance. You can install the agent on both Windows instances and Linux instances.
- The required IAM instance profile isn’t attached to the instance. You can attach a profile using AWS Systems Manager Quick Setup.
- The Session Manager setup is incomplete.
If you launched your EC2 instance from a current Amazon AMI, the SSM Agent is already installed. By far the most common reason is therefore that the IAM instance profile is not attached to the intended EC2 instance. An IAM instance profile is simply the mechanism by which an IAM role is assigned to an EC2 instance.
Let’s check the first reason. I used the Amazon Linux 2 AMI while launching the EC2 instance. As per the AWS documentation, the AWS Systems Manager agent (SSM Agent) is pre-installed on this AMI. I will cross-verify this using the following command.
sudo systemctl status amazon-ssm-agent
Select your EC2 instance and click on ‘Connect’.
Select the first tab, ‘EC2 Instance Connect’, and click on the ‘Connect’ button.
Run the above command to verify the SSM Agent installation.
Yes, the SSM Agent is installed and running. Now leave the session with the ‘exit’ command.
So we are good on the first reason.
Let’s tackle the second reason by creating an IAM role for our EC2 instance. As we want to reach the instance via AWS Session Manager, we will use the AWS managed policy ‘AmazonSSMManagedInstanceCore’, which grants only the permissions the SSM Agent needs to register with Systems Manager. Go to the IAM console and click on ‘Create role’.
On the ‘Add permissions’ page, select the AWS managed policy ‘AmazonSSMManagedInstanceCore’ as shown below.
Give a meaningful name to the IAM role, review and hit the ‘Create’ button.
The newly created IAM role will be listed in the ‘Roles’ dashboard.
Now let us attach this role to our EC2 instance.
Go to the EC2 console and select your EC2 instance. Go to ‘Actions’ → ‘Security’ → ‘Modify IAM role’ and choose the role you just created.
It takes around 5-7 minutes for the attached IAM role to take effect, because the SSM Agent has to pick up the new credentials and register with Systems Manager. So wait a few minutes and refresh the instance. Now select your EC2 instance and try connecting via Session Manager.
This time you should be able to see the ‘Connect’ button in the Session Manager tab.
Go ahead and hit the ‘Connect’ button. You will be connected to your EC2 instance without a key pair or SSH connection.
This is what the connection looks like via Session Manager.
Now try removing the SSH port (22) inbound rule from the instance’s security group and connect via Session Manager again. You should still be able to connect, because the agent opens an outbound connection to Systems Manager and no inbound port is needed.
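As an added example (not from the post), here is a boto3 pre-flight script that checks the three reasons above for a given instance ID before you click ‘Connect’; it assumes AWS credentials are available in your environment and that the instance ID is passed on the command line.

```python
"""Added example: a Session Manager pre-flight check for one EC2 instance.

It walks the three reasons from the post in order: an attached instance
profile, a role that actually carries AmazonSSMManagedInstanceCore, and an
SSM Agent that has registered with Systems Manager and reports Online.
"""
import sys

SSM_CORE_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"


def diagnose(instance, role_policy_arns, ssm_info):
    """Return 'ready' or the first failing prerequisite.

    instance:         one Instances[] entry from ec2 DescribeInstances
    role_policy_arns: policy ARNs attached to the profile's role ([] if none)
    ssm_info:         matching InstanceInformationList[] entry from ssm
                      DescribeInstanceInformation, or None if SSM never saw it
    """
    if instance.get("State", {}).get("Name") != "running":
        return "instance is not running"
    if "IamInstanceProfile" not in instance:
        return "no IAM instance profile attached to the instance"
    if SSM_CORE_POLICY not in role_policy_arns:
        return "instance role lacks AmazonSSMManagedInstanceCore"
    if ssm_info is None:
        return "SSM Agent not installed or cannot reach Systems Manager"
    if ssm_info.get("PingStatus") != "Online":
        return "SSM Agent registered but PingStatus is %s" % ssm_info.get("PingStatus")
    return "ready"


def main(instance_id):
    import boto3  # imported here so diagnose() stays usable without boto3
    ec2, iam, ssm = boto3.client("ec2"), boto3.client("iam"), boto3.client("ssm")
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    arns = []
    if "IamInstanceProfile" in inst:
        # Profile ARN looks like arn:aws:iam::<account>:instance-profile/<name>
        profile_name = inst["IamInstanceProfile"]["Arn"].rsplit("/", 1)[-1]
        profile = iam.get_instance_profile(InstanceProfileName=profile_name)["InstanceProfile"]
        for role in profile["Roles"]:
            attached = iam.list_attached_role_policies(RoleName=role["RoleName"])
            arns.extend(p["PolicyArn"] for p in attached["AttachedPolicies"])
    infos = ssm.describe_instance_information(
        Filters=[{"Key": "InstanceIds", "Values": [instance_id]}])["InstanceInformationList"]
    print(instance_id, "->", diagnose(inst, arns, infos[0] if infos else None))


if __name__ == "__main__":
    main(sys.argv[1])
```

Run it as `python ssm_preflight.py i-0123456789abcdef0` (placeholder instance ID); a result other than ‘ready’ names the prerequisite to fix first.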
So, folks, this is how we connect to an EC2 instance via Session Manager.
Check out this blog post to learn the difference between a public IP and a private IP address.