Go Bastionless – Access private EC2 instances using SSM Session Manager

by Prasad Domala
0 comment

You might already know that we cant access private instances directly unless you have VPN, direct connect or other sorts of network connectivity to your VPC.

We need to have some sort of intermediary instance often called as Bastion Host which will be residing in your public subnet to connect to your private instances

Using SSM Session Manager, we can now connect to our private instances directly without Bastion Hosts.

You don’t need to open any ports, not even ssh port in your security groups to IPs or CIDR blocks. This adds additional layer of security to your EC2 instances.


Local Machine

  • AWS CLI – Version 1.16.12 or higher
  • Session Manager Plugin

EC2 Instance

  • SSM Agent: Version or later
  • IAM Role with managed policy¬†arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore¬† attached to EC2 instance

Session Manager Plugin Binaries

  • https://s3.amazonaws.com/session-manager-downloads/plugin/latest/windows/SessionManagerPluginSetup.exe
  • https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac/sessionmanager-bundle.zip
  • https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm
  • https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb

Session Manager plugin installation

unzip sessionmanager-bundle.zip
sudo python3 sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin 

Terraform templates


SSH Config

# File: ~/.ssh/config
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'" 

Start session

# using AWS CLI
aws ssm start-session --target i-1234567

# using SSH
ssh -i keypair ec2-user@i-123456778 

You may also like

Leave a Comment