Simple AWS #3: Session Manager
An easier and safer way to SSH into your EC2 instances
Welcome to Simple AWS! A free newsletter that helps you build on AWS without becoming an expert. This is issue #3. Shall we?
AWS Service: Session Manager
tl;dr: Forget the bastion host. Session Manager lets you connect through SSH to an EC2 instance without having SSH keys or open ports. You just set it up, grant permissions to IAM or IAM IC users and they connect with 2 clicks (console) or 1 command (CLI). You can even forward a connection to a database. Or use the SDK in your apps. And there's logs!
Note: Session Manager is not a standalone service, it's "a fully managed AWS Systems Manager capability." That means it's a part of SSM that you can use on its own.
- You can use it for these OSs:
- Make sure you meet the requirements:
- SSM agent installed. Here's how to install it for Linux, Windows and macOS
- HTTPS (port 443) connection to these endpoints (internet access or with a VPC Endpoint):
- To encrypt sessions you'll also need kms.region.amazonaws.com, and to send logs to CloudWatch Logs.region.amazonaws.com or to S3 s3.region.amazonaws.com
- Then here's how to set it up:
- Finally, start a session from the EC2 Console or from the CLI (for a better experience install the CLI plugin)
On issue #1 we talked about Organizations and multi-account. Here we're talking about the AWS CLI. You access multiple accounts with IAM Identity Center (formerly AWS SSO), but the CLI experience is not great.
aws-sso-util makes that experience much better.
Forget the bastion,
Go with Session Manager,
For safe SSH.
I'm adding this section to talk about things like the fact that I'm adding this section (meta-announcement!).
First of all, I wanted to thank you all for subscribing! I hope you've liked the newsletter so far. If there's something that you thought was great, I'd love to know what it is, so I can write more of that. And if there's something you didn't enjoy, I'd like to know as well!
Also, what kinds of services would you like to know more about? I'm torn between support services like Config and core infrastructure services like ECS.
Hit reply! (it was broken, I fixed it now).
Thank you for reading! See ya on the next issue.