As more workloads are migrated to the cloud, security should always be a top priority. Some organizations fail to consider security and pay the price of having their workloads compromised. A common example is an EC2 instance with its SSH inbound port open to the world, which gives attackers anywhere on the internet a direct path to the instance.
Luckily, AWS has a service that lets you connect to your EC2 instances without opening any inbound port, eliminating this particular risk: AWS Systems Manager Session Manager.

Session Manager is a fully managed AWS Systems Manager capability. You can use an interactive one-click browser-based shell or the AWS Command Line Interface (AWS CLI). Session Manager provides secure and auditable node management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.
Session Manager also allows you to comply with corporate policies that require controlled access to managed nodes, strict security practices, and fully auditable logs with node access details while providing end users with simple one-click cross-platform access to your managed nodes.
Let’s do a hands-on to understand Session Manager better.
For this hands-on, we will create:
an IAM Role with the managed policy that allows Session Manager to connect to the EC2 instance.
an EC2 instance whose security group has no inbound rules.
Step 1. Creating the IAM Role
In the AWS Management Console, go to IAM > Roles > Create Role.
Under Trusted entity type, choose AWS service.
Under Use case, choose EC2.
Hit Next to proceed to the next step.
Under Permission policies, search for AmazonSSMManagedInstanceCore. This managed policy contains the permissions the SSM Agent needs for Session Manager to work.
Click the checkbox.
Hit Next.
Enter a Role name. For this example, let’s name it ec2-session-manager-role.
Scroll down to the bottom, then hit Create role.
This creates the IAM Role that we will attach to the EC2 instance that will use Session Manager.
Step 2. Creating the EC2 instance that will use Session Manager
Go to the EC2 dashboard.
Click Launch instance.
Under Launch an instance, fill in Name and tags. For this instance, let’s name it TD-labs-session-manager.
Under Application and OS Images (Amazon Machine Image), choose Amazon Linux to keep things simple. This ensures that the SSM Agent is already installed, which Session Manager requires.
Under Instance type, choose t2.micro to stay within the free tier.
Under Key pair name, choose Proceed without a key pair for simplicity.
Under Network settings, click Edit.
Choose a subnet that has internet access.
Enable Auto-assign public IP.
Choose Create security group and type a Security group name. For this example, SG-without-inbound-rule.
Add a Description.
Under Inbound security group rules, make sure that no rules are included, as Session Manager does not need any inbound rule to connect to the instance.
Under Advanced details > IAM instance profile, choose the IAM Role created in Step 1, named ec2-session-manager-role in this example.
Under Summary, click Launch instance to start provisioning the EC2 instance.
Wait for the instance state to change from Pending to Running.
Make sure the Status check shows 2/2 checks passed.
Under the instance Details, take note of the Private IP DNS name.
Now let’s try to connect via Session Manager.
Right-click on the instance and choose Connect.
Under Connect to instance, navigate to the Session Manager tab.
Click Connect.
We have successfully connected to the EC2 instance via Session Manager, even without inbound rules.
We can verify that this is the same instance by typing hostname.
This displays the same Private IP DNS name that we took note of earlier.
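The same two steps can be scripted with the AWS CLI. The following is an added example, not part of the original post: it reuses the post’s names (ec2-session-manager-role, SG-without-inbound-rule, TD-labs-session-manager), reads the subnet id from the SUBNET_ID environment variable (a placeholder you must set to a subnet with internet access), resolves the latest Amazon Linux 2023 AMI from the public SSM parameter, and adds two checks the console walkthrough does by eye: that the security group really has zero inbound rules, and that the instance’s private DNS name matches what hostname prints inside the session. Running start-session needs the Session Manager plugin for the AWS CLI installed locally.

```shell
#!/bin/sh
# Added example: CLI equivalent of the console hands-on above (not the post's own code).
set -eu

ROLE_NAME="ec2-session-manager-role"
SG_NAME="SG-without-inbound-rule"
INSTANCE_NAME="TD-labs-session-manager"
SUBNET_ID="${SUBNET_ID:-subnet-PLACEHOLDER}"   # placeholder: a subnet with internet access

# Trust policy that lets the EC2 service assume the role
# (console Step 1: Trusted entity type = AWS service, Use case = EC2).
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Step 1: role + AmazonSSMManagedInstanceCore + instance profile.
# The console creates the instance profile implicitly; the CLI does not.
create_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
    --role-name "$ROLE_NAME"
}

# Step 2: security group with no inbound rules, Amazon Linux AMI (SSM Agent preinstalled),
# t2.micro, public IP, no key pair. Prints the new instance id.
launch_instance() {
  vpc_id=$(aws ec2 describe-subnets --subnet-ids "$SUBNET_ID" \
    --query 'Subnets[0].VpcId' --output text)
  sg_id=$(aws ec2 create-security-group --group-name "$SG_NAME" \
    --description "No inbound rules; access via Session Manager" \
    --vpc-id "$vpc_id" --query GroupId --output text)
  ami_id=$(aws ssm get-parameter \
    --name /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64 \
    --query Parameter.Value --output text)
  aws ec2 run-instances --image-id "$ami_id" --instance-type t2.micro \
    --subnet-id "$SUBNET_ID" --security-group-ids "$sg_id" \
    --associate-public-ip-address \
    --iam-instance-profile Name="$ROLE_NAME" \
    --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=$INSTANCE_NAME}]" \
    --query 'Instances[0].InstanceId' --output text
}

# Check: number of inbound rules on a security group (expect 0 for this setup).
inbound_rule_count() {
  aws ec2 describe-security-groups --group-ids "$1" \
    --query 'length(SecurityGroups[0].IpPermissions)' --output text
}

# Check: the Private IP DNS name noted in the console, to compare with `hostname` in the session.
private_dns_name() {
  aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].PrivateDnsName' --output text
}

# Connect without SSH, a key pair, or port 22: the CLI form of the console Connect tab.
# The instance must be registered with SSM first (it shows up in `aws ssm describe-instance-information`).
start_session() {
  aws ssm start-session --target "$1"
}
```

Typical use after sourcing the file: `create_role`, then `id=$(launch_instance)`, wait for the status checks, confirm `inbound_rule_count <sg-id>` prints 0, and run `start_session "$id"`; inside the session, `hostname` should match `private_dns_name "$id"`.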
By leveraging Session Manager, organizations gain the following benefits:
Centralized access control to managed nodes using IAM policies.
No open inbound ports and no need to manage bastion hosts or SSH keys.
One-click access to managed nodes from the console and CLI.
Connectivity to both Amazon EC2 instances and managed nodes in hybrid environments and the cloud.
Port forwarding.
Cross-platform support for Windows, Linux, and macOS.
Logging and auditing of session activity.
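The first and last benefits are where the instance role above stops and the user side begins: the instance role lets the SSM Agent register, but who may open a session is decided by the IAM policy attached to the operator. The following is an added example, not from the original post, of an identity-based policy that restricts ssm:StartSession to instances carrying a constructed tag (Environment=lab), allows only the default shell session document, and lets a user resume or terminate only sessions they started; the policy name is an assumption. The session_history function shows the audit trail that the last benefit refers to.

```shell
#!/bin/sh
# Added example: operator-side IAM policy for Session Manager (not the post's own code).
set -eu

POLICY_NAME="session-manager-lab-users"   # assumed name

# Least-privilege policy for people who connect. The tag key/value are constructed
# for this example; ssm:resourceTag/<key> is the condition key Session Manager evaluates.
session_user_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartOnlyTaggedInstances",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"StringEquals": {"ssm:resourceTag/Environment": "lab"}}
    },
    {
      "Sid": "UseDefaultShellDocumentOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    }
  ]
}
EOF
}

# Attach the policy to an IAM group of operators (group name passed as $1).
attach_to_group() {
  aws iam put-group-policy --group-name "$1" \
    --policy-name "$POLICY_NAME" \
    --policy-document "$(session_user_policy)"
}

# Audit: list sessions that have already ended (who connected to which target, and when).
session_history() {
  aws ssm describe-sessions --state History \
    --query 'Sessions[].[SessionId,Target,Owner,StartDate,EndDate]' --output table
}
```

With this policy in place, a user whose session target lacks the Environment=lab tag is denied at StartSession, while the instance role from Step 1 remains unchanged; the separation keeps "which nodes can be reached" and "who can reach them" in two different policies.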