Connecting to Managed Instances Using SSM Session Manager

1 hour
  • 7 Learning Objectives

About this Hands-on Lab

AWS SSM Session Manager is an excellent feature for connecting to and managing all your hybrid infrastructure remotely without using SSH for Linux or RDP for Windows instances. It also improves security: you don’t need SSH/RDP ports open, and IAM policies control who can establish shell sessions. All activity during a Session Manager shell session can also be logged and audited. In this hands-on lab, we’ll configure an on-premises instance from scratch and access it using Session Manager, as well as an EC2 instance within AWS.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Log in to the On-Premises VM and Install SSM Agent
  1. Log in to the on-premises VM via SSH using the credentials provided:

    ssh cloud_user@<ON_PREMISES_VM_IP>
  2. Once you log in as cloud_user, there should be a file named ssm_commands.txt. This file has a list of commands for setting up SSM Agent and registering it with SSM. For now, we’ll only install SSM Agent and enable it to start on boot:

    sudo yum -y install

Log in to the Main SSM Command Node and Create a Hybrid Activation
  1. In a new terminal, log in to the main SSM node spun up for you by the lab:

    ssh cloud_user@<SSM_MAIN_NODE_IP>

    Once you log in as cloud_user, there should be a file named create_hybrid_activation.txt, which has commands for creating a hybrid activation, as well as some commands we’ll use later.

  2. Create a hybrid activation:

    aws ssm create-activation --default-instance-name MyOnPremInstance --iam-role SSMServiceRoleForActivation --registration-limit 1
  3. The command above returns an ActivationId and an ActivationCode. Copy them into a file to use in the next task.

Register the On-Premises VM with SSM and Restart SSM Agent
  1. On the CLI of the on-premises VM, register with SSM (using the ActivationCode and ActivationId from the previous task):

    sudo amazon-ssm-agent -register -code "<ActivationCode>" -id "<ActivationId>" -region us-east-1

    You should see logs confirming successful registration of your on-premises VM with SSM.

  2. Restart SSM Agent:

    sudo systemctl restart amazon-ssm-agent

Note: If for any reason the registration command fails, double-check your ActivationId and ActivationCode, and confirm that your on-premises VM has outbound internet connectivity on port 443/HTTPS. Look in /var/log/amazon/ssm/amazon-ssm-agent.log for further troubleshooting hints.
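
The script below is an added example, not one of the lab's files and not part of ssm_commands.txt or create_hybrid_activation.txt. Run on the SSM main node, it turns the JSON that create-activation prints into the exact register command to paste on the on-premises VM, refusing to emit a command with an empty id or code (the usual cause of the registration failure the note above describes). It assumes the AWS CLI's default JSON output format; the sample JSON embedded in it is constructed with placeholder values, not a real activation.

```shell
#!/bin/sh
# Added example (not part of the lab's own files): build the on-premises
# registration command from `aws ssm create-activation` output.
# Assumes the CLI prints its default JSON output, one key per line.

# Constructed sample of what create-activation returns; placeholder values.
SAMPLE_ACTIVATION_JSON='{
    "ActivationId": "00000000-1111-2222-3333-444444444444",
    "ActivationCode": "EXAMPLEACTIVATIONCODE"
}'

# json_field <key> <json>: print the string value of a top-level key.
# Handles flat "key": "value" pairs, which is all this output contains.
json_field() {
    printf '%s\n' "$2" |
        sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
        head -n 1
}

# build_register_cmd <json> <region>: the command to run on the on-premises VM.
build_register_cmd() {
    id=$(json_field ActivationId "$1")
    code=$(json_field ActivationCode "$1")
    # Fail early instead of emitting a command with empty credentials.
    if [ -z "$id" ] || [ -z "$code" ]; then
        echo "create-activation output is missing ActivationId/ActivationCode" >&2
        return 1
    fi
    printf 'sudo amazon-ssm-agent -register -code "%s" -id "%s" -region %s\n' \
        "$code" "$id" "$2"
}

# Live use on the SSM main node (role name and region are the lab's):
#   ACT_JSON=$(aws ssm create-activation --default-instance-name MyOnPremInstance \
#       --iam-role SSMServiceRoleForActivation --registration-limit 1)
#   build_register_cmd "$ACT_JSON" us-east-1
build_register_cmd "$SAMPLE_ACTIVATION_JSON" us-east-1
```

The activation code is a credential for joining a machine to your SSM account, so keep the file you copy it into out of shared locations and delete it once the VM is registered; the --registration-limit 1 in the lab's command already prevents the same activation from enrolling a second machine.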

Find the On-Premises VM’s Instance ID and Log In to the Instance

Log back in to the SSM main node as cloud_user and issue the following commands to find the newly registered on-premises VM’s instance ID (which should start with mi-) and log in to its shell using the SSM API.

  1. Find the on-premises registered VM’s instance ID using the SSM API:

    aws ssm describe-instance-information

    In the output, you should only see one instance with the name MyOnPremInstance. Copy its InstanceId for the next command.

  2. Log in to the shell of the on-premises managed SSM instance using the Session Manager session API:

    aws ssm start-session --target <ON_PREMISES_INSTANCE_ID>

    You’re now logged in without using SSH.
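
As an added example (not part of the lab's files), the script below picks the on-premises node out of describe-instance-information output and builds the start-session command from it. It goes a step beyond the manual copy above: it insists on a hybrid node (InstanceId starting with mi-) whose PingStatus is Online, so a stale or disconnected registration is refused instead of producing a session command that hangs. The JSON is a constructed sample in the shape the CLI prints; every ID in it is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the lab's own files): select the Online
# hybrid managed instance by name and build the Session Manager command.
# The JSON below is a constructed sample; IDs are placeholders.
SAMPLE_INVENTORY_JSON='{
    "InstanceInformationList": [
        {
            "InstanceId": "i-0123456789abcdef0",
            "PingStatus": "Online",
            "ResourceType": "EC2Instance",
            "ComputerName": "ip-10-0-0-5.ec2.internal"
        },
        {
            "InstanceId": "mi-0fedcba9876543210",
            "PingStatus": "Online",
            "ResourceType": "ManagedInstance",
            "Name": "MyOnPremInstance"
        },
        {
            "InstanceId": "mi-0aaaaaaaaaaaaaaaa",
            "PingStatus": "ConnectionLost",
            "ResourceType": "ManagedInstance",
            "Name": "StaleOnPremInstance"
        }
    ]
}'

# find_managed_instance <name> <json>: print the InstanceId of the Online
# hybrid node registered under <name>; return 1 if there is none.
find_managed_instance() {
    printf '%s' "$2" | awk -v want="$1" '
        # One JSON object per record: split the input on closing braces.
        BEGIN { RS = "}" }
        # val(key): string value of "key" in the current record, or "".
        function val(key,    m) {
            if (match($0, "\"" key "\" *: *\"[^\"]*\"")) {
                m = substr($0, RSTART, RLENGTH)
                sub(/^[^:]*: *"/, "", m); sub(/"$/, "", m)
                return m
            }
            return ""
        }
        val("Name") == want && val("PingStatus") == "Online" &&
        substr(val("InstanceId"), 1, 3) == "mi-" {
            print val("InstanceId"); found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# session_cmd <name> <json>: the start-session command for that node.
session_cmd() {
    target=$(find_managed_instance "$1" "$2") || {
        echo "no Online hybrid managed instance named $1" >&2
        return 1
    }
    printf 'aws ssm start-session --target %s\n' "$target"
}

# Live use on the SSM main node (instance name is the lab's):
#   session_cmd MyOnPremInstance "$(aws ssm describe-instance-information)"
session_cmd MyOnPremInstance "$SAMPLE_INVENTORY_JSON"
```

Filtering on PingStatus matters operationally: describe-instance-information lists every registration the account has ever seen, including agents that have since stopped reporting, and start-session against one of those simply waits until the Session Manager plugin times out.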

Connect to an SSM Managed Instance via the SSM Console
  1. Log in to the AWS Management Console with the credentials provided.
  2. Navigate to EC2 and verify you see the EC2 instance named SSM-Setup-Via-GUI.
    • This instance already has SSM Agent installed.

Create an IAM Role for EC2 Instance with SSM Policy
  1. Navigate to IAM.
  2. Go into Roles.
  3. Create a role and choose the AWS service EC2.
  4. Head to Permissions, type "SSM" in the policy search bar, and select the policy AmazonEC2RoleforSSM.
  5. Click Next, leave the tags as their default, and give your IAM role a name (e.g., "MyGUISSMRoleForEC2").
  6. In the EC2 console, select the SSM-Setup-Via-GUI instance, go into its instance settings, and select Attach/Replace IAM Role.
  7. In the dropdown, select the MyGUISSMRoleForEC2 you just created and click Apply.
  8. Reboot the EC2 instance SSM-Setup-Via-GUI.
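
The console steps above have a CLI equivalent, shown here as an added example that is not part of the lab. It assumes an AWS CLI profile allowed to create IAM roles and instance profiles and to modify the instance; the role, policy and instance names are the lab's, and the instance ID used while dry-running is a constructed placeholder. By default (DRY_RUN=1) it only prints the commands it would run; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example (not part of the lab's own files): CLI equivalent of the
# console steps that create MyGUISSMRoleForEC2 and attach it to the
# SSM-Setup-Via-GUI instance. DRY_RUN=1 (default) prints instead of running.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Trust policy allowing EC2 to assume the role; this is what choosing the
# AWS service "EC2" in the console generates for you.
ec2_trust_policy() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Managed policy selected in step 4 of the console walkthrough.
SSM_POLICY_ARN=arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM

# attach_ssm_role <role-name> <instance-id>
attach_ssm_role() {
    role=$1; instance=$2
    run aws iam create-role --role-name "$role" \
        --assume-role-policy-document "$(ec2_trust_policy)"
    run aws iam attach-role-policy --role-name "$role" --policy-arn "$SSM_POLICY_ARN"
    # EC2 attaches instance profiles, not roles; the console creates one
    # with the same name behind the scenes.
    run aws iam create-instance-profile --instance-profile-name "$role"
    run aws iam add-role-to-instance-profile --instance-profile-name "$role" --role-name "$role"
    run aws ec2 associate-iam-instance-profile --instance-id "$instance" \
        --iam-instance-profile Name="$role"
    # Reboot so the agent picks up the new credentials (console step 8).
    run aws ec2 reboot-instances --instance-ids "$instance"
}

# Instance ID of the lab instance, looked up by its Name tag when live.
if [ "$DRY_RUN" = 1 ]; then
    INSTANCE_ID=i-0000000000example   # placeholder, not a real instance
else
    INSTANCE_ID=$(aws ec2 describe-instances \
        --filters Name=tag:Name,Values=SSM-Setup-Via-GUI \
        --query 'Reservations[].Instances[].InstanceId' --output text)
fi

attach_ssm_role MyGUISSMRoleForEC2 "$INSTANCE_ID"
```

The trust policy is the part worth reviewing: it is what limits who can obtain the role's SSM permissions to the EC2 service itself, and it is the piece most easily widened by mistake when a role is created by hand.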
Start a Session Manager Session with the Newly Created Instance
  1. Navigate to the Systems Manager console and select Session Manager in the left-hand menu.
  2. Click Start session. You might already see the on-premises instance we set up earlier in the lab. Wait a couple of minutes for your newly configured SSM-Setup-Via-GUI instance to show up.
  3. Once it does, select it, and click Start session. It should log you in to a browser-based shell session with your instance.

Additional Resources

You are the team lead for a global e-commerce company that manages hundreds of machines around the world. Your team manages administration of all the AWS EC2 instances and VMs in your private data centers as well.

Up until this point, you've managed SSH and RDP access credentials for all systems, which has become hectic at this scale. You are now looking at providing access to all your hybrid infrastructure from a single access point. AWS Systems Manager's Session Manager feature seems like a good candidate for reducing your overhead and keeping your organization from having to maintain SSH keys. Plus, it offers the bonus of not having to expose and monitor inbound SSH and RDP ports. You are testing Session Manager for all these scenarios.

Note: Both the advanced-instances tier for SSM managed instances and the Session Manager plugin are pre-configured for you as part of this lab. But if you'd like to learn more:

  • Here is some information about the advanced-instances tier, which incurs charges and is required in order to access your on-premises SSM managed instances using Session Manager.

  • The Session Manager plugin must be installed for establishing a shell session with managed instances using Session Manager CLI commands. Instructions for installing the plugin are here.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
