You might already know that we can't access private instances directly unless we have a VPN, Direct Connect or some other form of network connectivity into the VPC.
We normally need an intermediary instance, often called a Bastion Host, residing in the public subnet, to connect to private instances.
Using SSM Session Manager, we can now connect to private instances directly without a Bastion Host.
You don't need to open any ports in your security groups, not even the SSH port, to any IPs or CIDR blocks. This adds an additional layer of security to your EC2 instances.
- AWS CLI: Version 1.16.12 or higher
- Session Manager Plugin
- SSM Agent: Version 126.96.36.199 or later
- IAM role with the managed policy arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore attached to the EC2 instance
Session Manager Plugin Binaries
Session Manager plugin installation
unzip sessionmanager-bundle.zip
sudo python3 sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin
# File: ~/.ssh/config
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
# using AWS CLI
aws ssm start-session --target i-1234567

# using SSH
ssh -i keypair ec2-user@i-123456778
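Once instances are reached over Session Manager, their security groups should carry no SSH ingress at all. The following added example (not part of the original post) audits the JSON that `aws ec2 describe-security-groups --output json` returns and lists every source that can still reach port 22; the group IDs and CIDRs in the embedded sample are constructed, and the "-1" protocol (the console's "All traffic") is treated as covering port 22 even though it carries no port fields.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`
# (group ids and CIDRs are made up for this example).
SAMPLE_SG_JSON = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
    ]}]})

SSH_PORT = 22


def rule_reaches_port(rule, port):
    """True if an IpPermissions entry covers `port`: a TCP range that includes it,
    or protocol "-1" ("All traffic"), which has no FromPort/ToPort at all."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def ssh_ingress_sources(sg):
    """Sources (CIDRs and peer security groups) that can still reach port 22."""
    sources = []
    for rule in sg.get("IpPermissions", []):
        if not rule_reaches_port(rule, SSH_PORT):
            continue
        sources += [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        sources += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
    return sources


def audit(describe_output_json):
    """Map each GroupId in the CLI output to the sources allowed to reach SSH."""
    groups = json.loads(describe_output_json)["SecurityGroups"]
    return {g["GroupId"]: ssh_ingress_sources(g) for g in groups}


if __name__ == "__main__":
    for gid, srcs in audit(SAMPLE_SG_JSON).items():
        print(gid, "no SSH ingress" if not srcs else "SSH open to " + ", ".join(srcs))
```

With Session Manager in place, the expected result for a private instance's group is an empty list; anything else is an SSH path the bastion-less setup no longer needs.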