|Summary||How to use AWS SSM Session Manager for accessing Ubuntu instances without using a SSH connection|
|Author||Carlos Bravo firstname.lastname@example.org|
AWS Systems Manager (SSM) is AWS’ main tool for visibility and management of EC2 infrastructure. It works across different server types (the various Linux distributions as well as Windows) and lets the user see and take action, from inventory and file management to automated actions such as patching, installing components or running more complex automated workflows. SSM lets you manage the entire fleet without manually logging in and running ad-hoc commands.
Every Ubuntu Server and Ubuntu Pro Server instance comes with the AWS Systems Manager (SSM) agent installed. To enable it, it is only necessary to attach an IAM role that allows the agent to call the SSM API (the agent also needs an outbound HTTPS path to the SSM endpoints, through the internet or VPC endpoints).
In this how-to we are going to use AWS SSM Session Manager to log in to your instance without opening SSH connections, which avoids opening port 22, maintaining a key pair file or deploying bastion hosts to reach your servers.
What you’ll learn
- How to create the role needed for enabling SSM in your Ubuntu instance
- What is a managed instance in SSM
- How to log in to your server without using SSH
What you’ll need
- An AWS account
- Basic understanding of AWS: EC2, IAM Roles
- A security group that allows outbound access to port 443 (HTTPS), which the agent uses to reach the SSM endpoints; Session Manager needs no inbound rule at all
Create an IAM Role for allowing the agent to interact with SSM
Since every Ubuntu server comes with the SSM agent pre-installed, the first step is to enable it by allowing it to connect to SSM’s API, which is done by attaching a role to the instance(s).
Start by opening the IAM console and selecting the Create role option. If you have already created this role (or you have the one created by the SSM wizard), you can skip this step.
Select EC2 from the common use cases, since we want EC2 instances to assume this role and access SSM.
In the list of policies to attach to this role, search for the AWS managed policy named AmazonSSMManagedInstanceCore (“Managed Instance Core”) and attach it as shown below. This policy grants only what the agent needs for core Systems Manager functionality; do not add broader SSM policies to an instance role.
Save it and remember to attach it to your instances, either to running ones or at creation time.
Create an EC2 instance and allow SSM to manage it
In this step we are going to create an Ubuntu Pro 20.04 EC2 instance and attach the IAM role we created in the previous step to allow SSM to manage it.
Go to the EC2 web console and launch a new instance. You will be asked for an AMI; for this example I selected Marketplace AMIs, searched for Ubuntu Pro and deployed Ubuntu Pro 20.04 LTS.
The next screen is for selecting the instance type. Pick the one you need, or a t2.micro, which is convenient for free tier testing.
In the third configuration step we can attach the previously created role. I’m leaving the rest of the parameters at their default values, for simplicity of this demonstration.
For already created instances, attach the SSM role by selecting each instance in the EC2 instance list, clicking the Actions button and then choosing Security and Modify IAM role.
ⓘ Note: if you need to attach this role to several instances, the recommended way is to do it programmatically using AWS CLI, which is out of the scope of this demonstration.
Nothing special is needed in the security group. Just add the inbound ports your application needs (e.g. 80 and 443 for HTTP and HTTPS respectively); port 22 does not have to be open, and you won’t need a key pair to manage this instance.
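The console steps above (create the role, attach the AmazonSSMManagedInstanceCore policy, attach the role to a running instance) can also be done from the AWS CLI. The following script is an added example, not part of the original tutorial; it assumes AWS CLI v2 configured with IAM and EC2 permissions, and the role/instance profile name SSMManagedInstanceRole and the INSTANCE_ID variable are placeholders chosen here.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): enable SSM on an existing EC2
# instance from the CLI. Creates the role with an EC2-only trust policy,
# attaches only AmazonSSMManagedInstanceCore, wraps the role in an instance
# profile and associates that profile with the instance.
set -eu

ROLE_NAME="${ROLE_NAME:-SSMManagedInstanceRole}"   # hypothetical name
SSM_POLICY_ARN="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Trust policy: only the EC2 service may assume this role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Create role and instance profile only if they do not exist yet.
create_ssm_role() {
  if ! aws iam get-role --role-name "$ROLE_NAME" >/dev/null 2>&1; then
    aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(trust_policy)"
  fi
  # Attaching an already-attached managed policy is a no-op, so this is safe to rerun.
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$SSM_POLICY_ARN"
  if ! aws iam get-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null 2>&1; then
    aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
    aws iam add-role-to-instance-profile \
      --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  fi
}

# CLI equivalent of "Actions > Security > Modify IAM role" for a running instance.
attach_to_instance() {
  instance_id="$1"
  aws ec2 associate-iam-instance-profile \
    --instance-id "$instance_id" \
    --iam-instance-profile Name="$ROLE_NAME"
}

# Runs only when an instance id is supplied, e.g.
#   INSTANCE_ID=i-0123456789abcdef0 ./enable-ssm.sh
if [ -n "${INSTANCE_ID:-}" ]; then
  create_ssm_role
  attach_to_instance "$INSTANCE_ID"
fi
```

To cover several instances, loop attach_to_instance over the output of aws ec2 describe-instances; the role and profile only need to be created once per account.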
If everything went well, go to the Systems Manager console, click on Fleet Manager and you should see your instance listed. If it doesn’t appear immediately, wait a few minutes.
If the instance is still not showing up, check that the role was created correctly and repeat the steps for attaching it to the instance. As an example, I had one instance that had been running for a while and did not appear immediately after attaching the role. Rebooting it solved the issue, but waiting longer or restarting the agent would have been less drastic. On Ubuntu the agent ships as a snap, so sudo snap restart amazon-ssm-agent (and sudo snap logs amazon-ssm-agent to see why it is not registering) is the lighter option when you still have some console access.
Use session manager to access your instance
In this step we are going to connect to our instance using Session Manager. Technically we are not connecting to it as in an SSH session: we create a “session” that interacts with the machine’s SSM agent, which executes our commands locally on the machine. On Linux the shell runs as the ssm-user account, which the agent creates with sudo rights, so the right to start sessions (ssm:StartSession on the caller’s IAM identity) deserves the same care as SSH access.
In the Systems Manager console, under Fleet Manager, select the instance you would like to connect to and click on the Node actions button.
You will see all the available options. We will click on Start terminal session as shown below.
You should get a new window with a shell. For the purpose of this demonstration, I’m running the ua status command to see the subscription and entitlement status of my Ubuntu Pro instance.
Bonus: Browse the instance filesystem
Another very useful feature we get once SSM is enabled is that it is possible to browse the instance’s filesystem and manage files directly from the web console, without additional SFTP clients or open SSH ports.
To do so, on the same managed instances page, click on the Node actions button and select View filesystem. This takes us to the filesystem screen shown below:
That’s all Folks!
I hope you have enjoyed this tutorial. Enabling SSM for managing instances not only brings benefits in security and operations, it also lets us manage large fleets of instances at once (patching, installing new packages, auditing and so on).