Enable the EC2 to be controlled by Systems Manager
Accessing the EC2 terminal through Session Manager is safer than opening port 22 and SSH-ing into the machine. For the steps below, you don't need to open any inbound ports; however, the instance needs (at least) port 443 open for outbound traffic.
- Install the Session Manager agent on the EC2 machine. Amazon Linux 2 machines have it installed by default; however, the version may be old, so it's still worth updating it.
sudo systemctl status amazon-ssm-agent # check if it's already enabled
wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
sudo dpkg -i amazon-ssm-agent.deb # install
sudo systemctl enable amazon-ssm-agent # enable the agent
sudo systemctl status amazon-ssm-agent # check if it's working OK
Alternatively if the above doesn't work, here's the snap installation:
- Add the IAM role to the EC2 machine that’d allow access to session manager:
Wait a few minutes for the permission change to take effect.
You may need to restart the Session Manager agent for it to pick up the change right away.
sudo systemctl restart amazon-ssm-agent
# or
sudo systemctl restart snap.amazon-ssm-agent.amazon-ssm-agent.service
After this, you should see the instance appear under AWS Systems Manager => Fleet Manager.
Enable the users to log into the EC2 terminal
Grant the following permission to the desired user. Remember to replace the placeholder with your EC2 instance ID.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:REGION:ACCOUNT:instance/INSTANCEID"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeSessions",
                "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceProperties",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:TerminateSession",
                "ssm:ResumeSession"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:session/${aws:userid}-*"
            ]
        }
    ]
}
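The policy above limits StartSession to one instance and TerminateSession/ResumeSession to the caller's own sessions. The following check for that scoping is an added example, not part of the original guide; the function name, the finding texts and BROAD_POLICY are constructed for illustration, and it only inspects Allow statements that use Action and Resource.

```python
import fnmatch

OWN_SESSION_ACTIONS = ("ssm:terminatesession", "ssm:resumesession")
OWN_SESSION_MARKERS = ("${aws:userid}-", "${aws:username}-")

def _as_list(value):
    # IAM accepts a bare string or object where a list is expected.
    return list(value) if isinstance(value, list) else [value]

def _grants(patterns, action):
    # Action patterns may contain wildcards such as "ssm:*".
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)

def audit_session_policy(policy):
    """Return findings for Allow statements broader than the guide's policy."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if _grants(actions, "ssm:startsession"):
            for r in resources:
                # Flag "*" and instance ARNs whose instance ID is a wildcard.
                if r == "*" or "*" in r.partition(":instance/")[2]:
                    findings.append(f"Statement[{i}]: StartSession on any instance ({r})")
        if any(_grants(actions, a) for a in OWN_SESSION_ACTIONS):
            for r in resources:
                if not any(m in r for m in OWN_SESSION_MARKERS):
                    findings.append(f"Statement[{i}]: can end or resume other users' sessions ({r})")
    return findings

# The guide's policy, placeholders left as written.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:StartSession"],
     "Resource": ["arn:aws:ec2:REGION:ACCOUNT:instance/INSTANCEID"]},
    {"Effect": "Allow", "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                                   "ssm:DescribeInstanceProperties", "ec2:DescribeInstances"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
     "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]},
]}
# Constructed over-broad variant for comparison.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:*", "Resource": "*"},
]}

if __name__ == "__main__":
    for name, pol in (("page", PAGE_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_session_policy(pol) or "no findings")
```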
At this point your users can now access the terminal of your EC2.
However, you'll notice that the default shell is used. To switch it to bash, go to the following:
AWS Systems Manager => Session Manager and add a Linux shell profile: /bin/bash
You'll now be greeted with this: ssm-user@ip-172-31-4-102:/usr/bin$
Guide for users to access terminal
What you need:
- AWS CLI
- AWS user credentials
First of all, you need to install the AWS CLI:
https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html#getting-started-install-instructions
Run aws configure to bring up the interactive setup, where you can add your AWS credentials and region.
Alternatively, you can find your credentials and config files and just modify them manually.
On Windows they're in c:\Users\username\.aws\ ; for other operating systems, you can find the location here: https://docs.aws.amazon.com/sdkref/latest/guide/file-location.html
You also need to install the session manager plugin for your PC:
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
Once you've done that, you can access the EC2 terminal with:
aws ssm start-session --target i-01fc8012335d9639b
This gets you into your EC2 machine.