Configure Your SSH Client to Connect to Your EC2 Instances via AWS Systems Manager Session Manager
Table of Contents
We here at QloudX manage hundreds of Amazon EC2 instances for our clients. One of the routine activities you will end up doing several times a day when working with EC2 instances, is connecting to a terminal on your instances.
For security reasons, none of our security groups have the SSH port open, and most of the instances are in private subnets anyway.
AWS Systems Manager Session Manager is a great way to connect to your instances, especially in such restricted environments.
Session Manager is a fully managed AWS Systems Manager capability. With Session Manager, you can manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and virtual machines (VMs). You can use either an interactive one-click browser-based shell or the AWS Command Line Interface (AWS CLI). Session Manager provides secure and auditable node management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.— AWS Systems Manager User Guide
Still Need SSH?
Session Manage is great, but what if you have a real need to use SSH? In our case, we wanted to run Ansible playbooks on several private instances at once & since Ansible tries SSH connection to the instances, it would be great if we could somehow use the machine’s local SSH client with SSM.
The alternative would be to open up the SSH port on security groups & connect to them using SSH private keys via either a bastion host (jump box) or a VPN connectivity to the VPCs. All this is too cumbersome & difficult to maintain at scale. There has to be a better, simpler way! 🤔
SSH Over SSM!
As it turns out, it’s fairly easy to configure the SSH command on your terminal to use SSM behind the scenes! Once configured, everyone using SSH from this machine would use SSM automatically, including Ansible, Terraform, Packer, etc.
~/.ssh/config to proxy all your SSH commands to a script we provide:
# SSH over SSM host * ProxyCommand bash -c "~/.ssh/ssm.sh %h"
Now in the
~/.ssh/ssm.sh file, use the AWS CLI to establish an SSM session to the instance:
#!/usr/bin/env bash host=$(aws ec2 describe-instances \ --filter Name=private-ip-address,Values="$1" \ --query 'Reservations.Instances.[InstanceId]' \ --output text) aws ssm start-session \ --target "$host" \ --document-name AWS-StartSSHSession \ --parameters 'portNumber=22'
You can now SSH to the instance using:
Since we’re using AWS CLI in the background:
- Ensure you have AWS credentials in your environment, either from
~/.aws/credentialsor as exported Bash environment variables
aws ssm start-sessionCLI command requires that you install the Session Manager plugin for AWS CLI, as described here
This article describes a simple way to SSH to your EC2 instances without opening ports in your firewall or compromising the security of your instances.
About the Author ✍🏻
Harish KM is a Principal DevOps Engineer at QloudX & a top-ranked AWS Ambassador since 2020. 👨🏻💻
With over a decade of industry experience as everything from a full-stack engineer to a cloud architect, Harish has built many world-class solutions for clients around the world! 👷🏻♂️
With over 20 certifications in cloud (AWS, Azure, GCP), containers (Kubernetes, Docker) & DevOps (Terraform, Ansible, Jenkins), Harish is an expert in a multitude of technologies. 📚
These days, his focus is on the fascinating world of DevOps & how it can transform the way we do things! 🚀
Great article, thanks