Accessing EC2 Instances with AWS SSM

Photo by Kaffeebart

Indrek Ots
by Indrek Ots
2 min read


  • articles


  • aws
  • ec2
  • ssh

The traditional way of accessing servers is to use SSH. This, however, comes with configuration overhead. First of all, the server has to be accessible over the network. You need to carve out a path for SSH to work. This can bring extra challenges, especially in an environment where you want to keep the server in a private network. Secondly, you’re faced with the overhead of managing SSH keys. This post will show you how to use AWS Systems Mananger (SSM) to start a remote session to an EC2 instance, eliminating the need to configure SSH.

IAM Instance Profile

To be able to start an SSM session to an EC2 instance, Systems Manger needs to have access to your instances. We can do that with IAM roles.

  1. Go to the IAM Console and create a new Role
  2. For the trusted entity type, select “AWS service” and select EC2 for the use case
  3. When configuring permissions, select the AWS managed “AmazonSSMManagedInstanceCore” policy
  4. Finally, give the role a name, say, “SSMAccess”

Create AWS EC2 Instance

When you launch a new EC2 instance, don’t forget attach the SSMAccess IAM instance profile.

Keep in mind that the EC2 instance needs to have the SSM agent installed. It's preinstalled on some Amazon Machine Images (AMIs) provided by AWS.

And that’s it. The newly launched EC2 instance should be accessible once it’s fired up. However, if you wish to access an EC2 instance that doesn’t have a public IP or doesn’t have a route to the Internet Gateway, additional configuration is required.

Configure Access to Private EC2 Instances

We need to create VPC endpoints to be able to access private EC2 instances via SSM.

  1. Go to the VPC console and select Endpoints
  2. Create a new Endpoint and give it a name
  3. Select AWS services from the service category
  4. Select the com.amazonaws.[region].ssm service
  5. Select your VPC and associate the endpoint with the subnets you’re using
  6. In security groups, you need to select a security group that allows outbound HTTPS (port 443) traffic to Systems Manager endpoints. Create one if it doesn’t already exist. Keep in mind that this is the same security group that should be associated with the EC2 instance.
  7. Finally, create the endpoint
  8. Repeat the steps to create another endpoint, but this time select the com.amazonaws.[region].ec2messages service
  9. Repeat the steps again to create an additional endpoint, but this time select the com.amazonaws.[region].ssmmessages service

Start Session via awscli

awscli can be used to start a session with the EC2 instance. Before you do so, make sure you have installed the Session Manager plugin for AWS CLI. Once that’s done, you should be good to go.

aws ssm start-session --target <ec2-instance-id>

If everything is configured correctly, you should have a newly established terinal session to your EC2 instance.

Alternatively, you can also start a session using the AWS EC2 console. Select the EC2 instance and click the “Connect” option. Select “Session Manager” and click “Connect” again. This will open a terminal session in your browser.