How to set up Session manager with existing Linux EC2s


Enable the EC2 to be controlled by Systems Manager

Accessing the EC2 terminal through Session Manager is safer than opening port 22 and SSH-ing into the machine. For the steps below, you don't need to open any incoming ports; however, you need (at least) port 443 to be open for outbound traffic.

  1. Install the Session Manager agent (SSM Agent) on the EC2 machine. Amazon Linux 2 machines have it installed by default, but the version may be old, so it’s still worth updating.
sudo systemctl status amazon-ssm-agent # check if it's already enabled
wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb # download the Debian/Ubuntu (amd64) package
sudo dpkg -i amazon-ssm-agent.deb # install
sudo systemctl enable amazon-ssm-agent # enable the agent
sudo systemctl status amazon-ssm-agent # check if it's working OK

Alternatively if the above doesn't work, here's the snap installation:

Install SSM Agent on Ubuntu Server 22.04 LTS, 20.10 STR & 20.04, 18.04, and 16.04 LTS 64-bit (Snap) - AWS Systems Manager

  2. Add the IAM role to the EC2 machine that allows access to Session Manager:

AmazonSSMManagedInstanceCore

Wait a few minutes for the permission change to take effect.
You may need to restart the Session Manager agent for it to pick this up immediately.

sudo systemctl restart amazon-ssm-agent
# or 
sudo systemctl restart snap.amazon-ssm-agent.amazon-ssm-agent.service

After this, you should see the instance appear in
AWS Systems Manager => Fleet Manager

Enable the users to log into the EC2 terminal

Grant the following permissions to the desired user. Remember to replace the placeholders (REGION, ACCOUNT, INSTANCEID) with your own values, in particular your EC2 instance ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:REGION:ACCOUNT:instance/INSTANCEID"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeSessions",
                "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceProperties",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:TerminateSession",
                "ssm:ResumeSession"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:session/${aws:userid}-*"
            ]
        }
    ]
}
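
Before attaching the policy above, it helps to confirm that the placeholders were really replaced and that the session actions are still narrowly scoped. The check below is an added example, not part of the original post: lint_session_policy and the other names are hypothetical, and the region and account values are constructed.

```python
import json
import re

# The page's user policy, with its placeholders left exactly as published.
PAGE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ssm:StartSession"],
     "Resource": ["arn:aws:ec2:REGION:ACCOUNT:instance/INSTANCEID"]},
    {"Effect": "Allow",
     "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceProperties", "ec2:DescribeInstances"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
     "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]}
  ]
}"""

# One concrete instance: region like eu-west-2, 12-digit account, i-<hex> instance ID.
INSTANCE_ARN = re.compile(
    r"^arn:aws:ec2:[a-z]{2}(-[a-z]+)+-\d:\d{12}:instance/i-[0-9a-f]{8,17}$")
SESSION_CONTROL = {"ssm:TerminateSession", "ssm:ResumeSession"}
OWN_SESSION = "session/${aws:userid}-"  # prefix the page uses for "my own sessions"

def as_list(value):  # IAM accepts a single string or a list for Action and Resource
    return value if isinstance(value, list) else [value]

def lint_session_policy(policy_json):
    """Return findings for Allow statements that are broader than the page intends."""
    findings = []
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(as_list(stmt.get("Action", [])))
        for arn in as_list(stmt.get("Resource", [])):
            if "ssm:StartSession" in actions and not INSTANCE_ARN.match(arn):
                findings.append(f"StartSession target is not one real instance ARN: {arn}")
            if actions & SESSION_CONTROL and OWN_SESSION not in arn:
                findings.append(f"Terminate/ResumeSession not limited to own sessions: {arn}")
    return findings

if __name__ == "__main__":
    # Constructed values: region and account are made up; the instance ID is the page's.
    filled = (PAGE_POLICY.replace("REGION", "eu-west-2")
              .replace("ACCOUNT", "123456789012")
              .replace("INSTANCEID", "i-01fc8012335d9639b"))
    for name, doc in (("as published", PAGE_POLICY), ("filled in", filled)):
        print(name, "->", lint_session_policy(doc) or "OK")
```

The policy as published is flagged because its placeholders are still in place; the filled-in copy passes, and a "*" resource on ssm:StartSession would be flagged as well.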

At this point your users can now access the terminal of your EC2.

However, you'll notice that the default shell is used. To switch it to bash, go to:

AWS Systems Manager => Session Manager and add a Linux shell profile: /bin/bash

You'll now be greeted with this: ssm-user@ip-172-31-4-102:/usr/bin$

Guide for users to access terminal

What you need

  1. AWS CLI

  2. AWS user credentials

First of all, you need to install the AWS CLI:
https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html#getting-started-install-instructions

Run aws configure to bring up the interactive setup, where you can add your AWS credentials and region.

Alternatively, you can find your credentials and config files and modify them manually.
On Windows they're in c:\Users\username\.aws\; for other operating systems, you can find the location here: https://docs.aws.amazon.com/sdkref/latest/guide/file-location.html

You also need to install the session manager plugin for your PC:
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html

Once you've done that, you can access the EC2 terminal with:

aws ssm start-session --target i-01fc8012335d9639b

This gets you into your EC2 machine.