Ends in
00
days
00
hrs
00
mins
00
secs
ENROLL NOW

🎁 Get 20% Off - Christmas Big Sale on All Practice Exams, Video Courses, and eBooks!

Secure EC2 Instances Connections Leveraging Session Manager

Home » AWS » Secure EC2 Instances Connections Leveraging Session Manager

Secure EC2 Instances Connections Leveraging Session Manager

Last updated on March 20, 2023

As more workloads are being migrated to the cloud, security should always be a top priority. Some organizations fail to consider security and therefore paid the price of having their workloads compromised. For example, an EC2 instance that has its SSH inbound port open to the world, therefore, providing unrestricted access to attackers globally.

Luckily, AWS has a service that allows you to connect to your EC2 instances without opening any inbound port, eliminating this particular security risk, and that is AWS Systems Manager Session Manager.

Secure EC2 Instances Connections Leveraging Session Manager

Session Manager is a fully managed AWS Systems Manager capability. You can use an interactive one-click browser-based shell or the AWS Command Line Interface (AWS CLI). Session Manager provides secure and auditable node management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.

Session Manager also allows you to comply with corporate policies that require controlled access to managed nodes, strict security practices, and fully auditable logs with node access details while providing end users with simple one-click cross-platform access to your managed nodes.

Let’s do a hands-on to understand Session Manager better.

For this hands-on, we will create:

  1. an IAM Role that has the necessary managed policy to allow Session Manager to the EC2 instance.

  2. Tutorials dojo strip
  3. an EC2 instance without an inbound rule.

Step 1. Creating the IAM Role

  • In the AWS Management Console, go to IAM > Roles > Create Role.
    In the Trusted entity type, choose AWS service
    Under Use case, choose EC2
    Hit Next to proceed to the next step.

    Secure EC2 Instances Connections Leveraging Session Manager
  • In the Permission policies, search for AmazonSSMManagedInstanceCore as this managed policy contains the necessary permission in order for Session Manager to work.
    Click the checkbox
    Hit Next

    Secure EC2 Instances Connections Leveraging Session Manager
  • Enter a Role name
    For this example, let’s name it ec2-session-manager-role

    Secure EC2 Instances Connections Leveraging Session Manager

    Scroll down at the bottom then hit Create role

    Secure EC2 Instances Connections Leveraging Session Manager

    This will create the necessary IAM Role that we will attach to the EC2 instance that will use Session Manager.

    Secure EC2 Instances Connections Leveraging Session Manager

 

Step 2. Creating the EC2 instance that will use Session Manager

  • Go to the EC2 dashboard
    Click Launch instance

    Secure EC2 Instances Connections Leveraging Session Manager
  • Under Launch an instance
    Fill Name and tags
    For this instance, let’s name it TD-labs-session-manager

    Secure EC2 Instances Connections Leveraging Session Manager
  • In the Application and OS Images (Amazon Machine image)
    To make this simple, we will choose Amazon Linux
    This ensures that an SSM Agent is already installed, which is required by the Session Manager

    Secure EC2 Instances Connections Leveraging Session Manager
  • Under Instance type
    Let’s choose t2.micro to stay within the free tier
    Under Key pair name, let’s choose Proceed without a key pair for simplicity

    Secure EC2 Instances Connections Leveraging Session Manager
  • In Network settings
    Click Edit

    Secure EC2 Instances Connections Leveraging Session Manager

    Choose a subnet that has internet access
    Enable Auto-assign public IP
    Create security group and type a Security group name
    For this example, SG-without-inbound-rule
    Add a Description
    Under Inbound security groups rules, make sure that there are no rules included as Session Manager doesn’t require the inbound rules to connect to the instance

    Secure EC2 Instances Connections Leveraging Session Manager
  • In Advanced details
    Under IAM instance profile,
    Choose the IAM Role created in Step 1 named ec2-session-manager-role for this example.

    Secure EC2 Instances Connections Leveraging Session Manager
  • Under Summary
    Click Launch instance to start provisioning the EC2 instance

    Secure EC2 Instances Connections Leveraging Session Manager
  • Wait for the instance state to become from Pending to Running
    Make sure the Status check is 2/2 checks passed

    Secure EC2 Instances Connections Leveraging Session Manager

    Secure EC2 Instances Connections Leveraging Session Manager

  • Under instance Details
    Take note of the Private IP DNS name

    Secure EC2 Instances Connections Leveraging Session Manager
  • Now let’s try to connect via Session Manager
    Right-click on the instance
    Choose Connect

    Secure EC2 Instances Connections Leveraging Session Manager
  • Under Connect to instance
    Navigate to the Session Manager tab
    Click Connect

    Secure EC2 Instances Connections Leveraging Session Manager
  • We have successfully connected to the EC2 instance even without inbound rules via Session Manager
    We can verify that this is the same instance by typing hostname
    This will display the same Private IP DNS name that we took note of earlier
    Secure EC2 Instances Connections Leveraging Session Manager

By leveraging Session Manager, organizations will have the following benefits:

  • Centralized access control to managed nodes using IAM policies

  • No open inbound ports and no need to manage bastion hosts or SSH keys

  • One-click access to managed nodes from the console and CLI

  • Connect to both Amazon EC2 instances and managed nodes in hybrid environments and the cloud

  • Port forwarding

  • Cross-platform support for Windows, Linux, and macOS

  • Logging and auditing session activity.

Get 20% Off – Christmas Big Sale on All Practice Exams, Video Courses, and eBooks!

Tutorials Dojo portal

Learn AWS with our PlayCloud Hands-On Labs

Tutorials Dojo Exam Study Guide eBooks

tutorials dojo study guide eBook

FREE AWS Exam Readiness Digital Courses

FREE AWS, Azure, GCP Practice Test Samplers

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

Follow Us On Linkedin

Recent Posts

Written by: Amiel Palacol

Amiel is a Senior DevOps Engineer based in the Philippines. He has solid hands-on experience in Amazon Web Services (AWS) and loves broadening his technical horizons in the cloud. Currently holds 6 AWS Certifications and outside tech, he loves coffee, games and music.

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

~98%
passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
200k+
students
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
~4.8
ratings
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?