
How to Securely Access Amazon EC2 Without SSH Keys Using AWS Session Manager

by Anjali Sindhu
Secure Remote Access for EC2 Using Session Manager

Introduction

Traditional methods of accessing cloud servers rely on SSH keys and open inbound ports. While functional, this approach introduces several security and operational challenges: private keys to distribute, rotate and revoke, an inbound listener exposed to the network, and audit gaps that complicate compliance.

With Amazon Web Services (AWS), you can remove most of these concerns using Session Manager, a feature of AWS Systems Manager. It gives you secure, auditable, keyless shell access to your Amazon EC2 instances without opening port 22 or managing SSH keys. The only remaining requirements are an IAM role on the instance and an outbound HTTPS path from the instance to the Systems Manager endpoints.

Why Avoid SSH-Based Access?

Before diving into Session Manager, let’s understand the drawbacks of traditional SSH access:

  • Key Management Overhead: Handling, rotating, revoking, and securing private keys is error-prone, and a leaked key grants access until someone notices.
  • Open Port (22): An inbound listener invites scanning and brute-force attempts, and any sshd vulnerability is directly reachable.
  • Audit Limitations: SSH sessions are hard to log comprehensively; who ran what inside a session is usually not recorded centrally.
  • Operational Complexity: Reaching instances in private subnets requires bastion hosts or VPNs, each of which is another system to patch and monitor.

Session Manager addresses all of these challenges.

What is AWS Session Manager?

Session Manager is a fully managed capability within AWS Systems Manager that enables you to securely connect to EC2 instances via the AWS console, CLI, or SDK.

Key Features:

  • No SSH keys required
  • No inbound ports needed; the SSM Agent makes only outbound HTTPS connections
  • Session logging to Amazon CloudWatch Logs or Amazon S3 (off by default; enabled in Session Manager preferences)
  • IAM-based access control, including tag-based conditions on which instances a user may reach
  • Every StartSession and TerminateSession API call is recorded by AWS CloudTrail

Architecture Overview

Instead of connecting directly to sshd on the instance:

  1. The SSM Agent on the instance keeps an outbound HTTPS connection to the Systems Manager endpoints; nothing listens on the instance.
  2. Your local system calls the StartSession API (console, CLI, or SDK), and IAM authorizes the call.
  3. Session Manager brokers an encrypted channel between your client and the agent; your keystrokes and terminal output are relayed over it.

This means:

  • No inbound network exposure on the instance
  • No public IP, bastion host, or VPN required; the instance only needs an outbound path to the endpoints

Prerequisites

To use Session Manager, ensure the following:

1. SSM Agent Installed

Amazon Linux 2, Amazon Linux 2023, Ubuntu Server, and Windows Server AMIs published by AWS ship with the SSM Agent preinstalled; other distributions need it installed manually.

2. IAM Role for EC2

Attach an IAM role with the following managed policy:

  • AmazonSSMManagedInstanceCore

3. Network Access to SSM Endpoints

The agent must be able to reach the Systems Manager endpoints (ssm, ssmmessages, and ec2messages) over outbound HTTPS (TCP 443), via one of:

  • An internet gateway, or a NAT gateway for private subnets, or
  • Interface VPC Endpoints for those three services (recommended for private setups; traffic never leaves the VPC)

Step-by-Step Setup

Step 1: Attach IAM Role

  • Go to EC2 → Instances
  • Select your instance
  • Actions → Security → Modify IAM role, and choose a role (instance profile) that has AmazonSSMManagedInstanceCore attached

Step 2: Verify SSM Agent

Run the following command on your instance (if you still have another way in; otherwise check registration from outside with aws ssm describe-instance-information):

sudo systemctl status amazon-ssm-agent

If not running, start it:

sudo systemctl start amazon-ssm-agent

Step 3: Access via Session Manager

Option A: AWS Console

  • Navigate to EC2 → Instances
  • Select your instance
  • Click Connect → Session Manager → Connect

Option B: AWS CLI (requires the Session Manager plugin installed on your workstation)

aws ssm start-session --target <instance-id>
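The three setup steps above, as an added example in bash with the AWS CLI (this is not code from the original article). It creates the role and instance profile, binds them to an instance, waits for the agent to register, and opens the session. The role and profile names, the INSTANCE_ID variable, and the sample API output used for the dry run are assumptions made for the example:

```shell
#!/usr/bin/env bash
# Added example (not from the article): bootstrap one EC2 instance for
# Session Manager with the AWS CLI.
# Assumed: the role/profile names below, INSTANCE_ID set by the caller,
# and caller credentials allowed to manage IAM, EC2 and SSM.
set -eu

ROLE_NAME="${ROLE_NAME:-ssm-session-role}"            # assumed name
PROFILE_NAME="${PROFILE_NAME:-ssm-session-profile}"   # assumed name
SSM_CORE_POLICY="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Trust policy: only the EC2 service may assume the role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Step 1: role + managed policy + instance profile, bound to the instance.
# (create-role fails if the role already exists; that is intentional.)
attach_ssm_role() {
  instance_id="$1"
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(trust_policy)" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$SSM_CORE_POLICY"
  aws iam create-instance-profile --instance-profile-name "$PROFILE_NAME" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$PROFILE_NAME" \
      --role-name "$ROLE_NAME"
  sleep 15   # IAM is eventually consistent; let the new profile propagate
  aws ec2 associate-iam-instance-profile --instance-id "$instance_id" \
      --iam-instance-profile "Name=$PROFILE_NAME" >/dev/null
}

# Step 2 without logging in: the agent is healthy when the instance shows
# PingStatus "Online" in describe-instance-information. Pure text check so
# it can be tested on captured output.
ssm_online() {
  printf '%s' "$1" | grep -q '"PingStatus": *"Online"'
}

wait_for_ssm() {
  instance_id="$1"
  for _ in $(seq 1 60); do   # up to ~10 minutes; the agent polls IAM slowly
    out="$(aws ssm describe-instance-information \
             --filters "Key=InstanceIds,Values=$instance_id" --output json)"
    if ssm_online "$out"; then return 0; fi
    sleep 10
  done
  echo "instance $instance_id never registered with SSM" >&2
  return 1
}

# Constructed sample of describe-instance-information output (not real data).
SAMPLE_ONLINE='{"InstanceInformationList": [{"InstanceId": "i-0123456789abcdef0", "PingStatus": "Online"}]}'

if [ -n "${INSTANCE_ID:-}" ]; then
  attach_ssm_role "$INSTANCE_ID"
  wait_for_ssm "$INSTANCE_ID"
  aws ssm start-session --target "$INSTANCE_ID"   # needs the Session Manager plugin
else
  # Dry run: exercise the readiness check on the constructed sample only.
  ssm_online "$SAMPLE_ONLINE"
  echo "dry run OK; set INSTANCE_ID to run against AWS"
fi
```

Run it as `INSTANCE_ID=i-... ./ssm-bootstrap.sh`. The polling loop matters: after a role is attached to a running instance, the agent can take several minutes to pick up the new credentials and register, and start-session fails with TargetNotConnected until it does.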

Security Benefits

No Open Inbound Ports

Once you have confirmed that a Session Manager session works, remove the inbound port 22 rule from the security group entirely. Session Manager needs no inbound rules at all, only outbound HTTPS from the instance to the Systems Manager endpoints.
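Closing port 22 across an account, as an added example in bash with the AWS CLI (not code from the original article). It lists every security group that still allows tcp/22 from 0.0.0.0/0 and revokes that rule, with a dry-run mode that prints the commands instead; the group IDs in the sample are constructed:

```shell
#!/usr/bin/env bash
# Added example (not from the article): find every security group that
# still allows SSH from anywhere and close it once Session Manager works.
# Assumed: credentials allowed to describe and modify security groups.
# DRY_RUN=1 prints the revoke commands instead of running them.
set -eu

# Fleet-wide audit: groups with an inbound tcp/22 rule open to 0.0.0.0/0.
# (Check ip-permission.ipv6-cidr=::/0 separately if you use IPv6.)
find_world_ssh_groups() {
  aws ec2 describe-security-groups \
      --filters Name=ip-permission.protocol,Values=tcp \
                Name=ip-permission.from-port,Values=22 \
                Name=ip-permission.to-port,Values=22 \
                Name=ip-permission.cidr,Values=0.0.0.0/0 \
      --query 'SecurityGroups[].GroupId' --output text
}

# Revoke the world-open SSH rule in each group of a whitespace-separated list.
revoke_world_ssh() {
  for sg in $1; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "aws ec2 revoke-security-group-ingress --group-id $sg --protocol tcp --port 22 --cidr 0.0.0.0/0"
    else
      aws ec2 revoke-security-group-ingress --group-id "$sg" \
          --protocol tcp --port 22 --cidr 0.0.0.0/0
    fi
  done
}

# Constructed sample of the audit output (two made-up group IDs).
SAMPLE_GROUPS='sg-0123456789abcdef0 sg-0fedcba9876543210'

if [ "${APPLY:-no}" = yes ]; then
  revoke_world_ssh "$(find_world_ssh_groups)"
else
  # Dry run on the constructed sample; nothing is changed.
  DRY_RUN=1 revoke_world_ssh "$SAMPLE_GROUPS"
fi
```

Run `APPLY=yes DRY_RUN=1 ./close-ssh.sh` first to review the list, then without DRY_RUN to apply it. Revoking only the 0.0.0.0/0 rule deliberately leaves narrower SSH allowances (for example a corporate CIDR) in place for review rather than removing them blindly.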

IAM-Based Access Control

Access is governed by IAM policies on the calling user or role, not by who holds a key. You can scope ssm:StartSession to specific instance ARNs or to instances carrying a given tag, and let operators terminate only their own sessions.

Session Logging & Auditing

Session activity (the full terminal transcript) can be logged to:

  • Amazon CloudWatch Logs
  • Amazon S3

Transcript logging is not on by default; you enable it in Session Manager preferences. Independently of that, AWS CloudTrail records who called StartSession and TerminateSession against which instance. Together these help with compliance and forensic analysis.

Reduced Attack Surface

No exposed SSH endpoint means one fewer service for attackers to scan, brute-force, or exploit.

Comparison: SSH vs Session Manager

Feature            SSH Access             Session Manager
Key Management     Required               Not required
Open Ports         Yes (port 22)          No
Audit Logging      Limited                Session transcripts plus CloudTrail
Access Control     Key-based              IAM-based
Network Exposure   Public/Private IP      No inbound exposure needed

Best Practices

To maximize security and efficiency:

1. Use VPC Endpoints

Create interface endpoints for ssm, ssmmessages, and ec2messages so that agent traffic stays inside the VPC and private subnets need no NAT gateway or internet route.

2. Enable Session Logging

Send session transcripts to CloudWatch Logs or S3 for auditing and monitoring. Logging is off by default and is configured in Session Manager preferences; protect the destination bucket or log group so that operators cannot edit their own history.

3. Restrict IAM Permissions

Grant least privilege: scope ssm:StartSession to instances by tag or ARN, allow ssm:TerminateSession only on the caller's own sessions, and review who holds session permissions as you would SSH key distribution.

4. Regularly Update SSM Agent

Keep the agent current for bug fixes and security patches. Systems Manager can do this for you by scheduling the AWS-UpdateSSMAgent document through State Manager.
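Best practices 1 to 3 above, and the IAM-based access control and session logging benefits described earlier, applied with the AWS CLI as an added example in bash (not code from the original article). The region, VPC, subnet, security group, log group and bucket names, and the Environment=dev tag used in the policy, are assumptions for the example:

```shell
#!/usr/bin/env bash
# Added example (not from the article): apply best practices 1-3 with the
# AWS CLI: private endpoints, session logging, least-privilege operators.
# Assumed (change for your account): the IDs and names below, and caller
# credentials allowed to manage EC2, CloudWatch Logs, SSM and IAM.
set -eu

REGION="${AWS_REGION:-us-east-1}"
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"
SUBNET_IDS="${SUBNET_IDS:-subnet-0123456789abcdef0}"   # space-separated
ENDPOINT_SG="${ENDPOINT_SG:-sg-0123456789abcdef0}"     # must allow 443 in from the instances
LOG_GROUP="${LOG_GROUP:-/ssm/session-logs}"
LOG_BUCKET="${LOG_BUCKET:-example-ssm-session-logs}"

# 1. VPC endpoints: Session Manager uses ssm + ssmmessages; ec2messages
# serves the rest of Systems Manager (Run Command, Patch Manager).
ssm_endpoint_services() {
  printf 'com.amazonaws.%s.%s\n' "$REGION" ssm "$REGION" ssmmessages "$REGION" ec2messages
}

create_ssm_endpoints() {
  for svc in $(ssm_endpoint_services); do
    aws ec2 create-vpc-endpoint --vpc-id "$VPC_ID" --vpc-endpoint-type Interface \
        --service-name "$svc" --subnet-ids $SUBNET_IDS \
        --security-group-ids "$ENDPOINT_SG" --private-dns-enabled >/dev/null
  done
}

# 2. Session logging lives in the SSM-SessionManagerRunShell document and is
# off until you set it. cloudWatchEncryptionEnabled=true makes sessions fail
# unless the log group is KMS-encrypted, so it is left false here.
session_preferences() {
  cat <<EOF
{
  "schemaVersion": "1.0",
  "description": "Session Manager preferences",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "$LOG_BUCKET",
    "s3KeyPrefix": "sessions/",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "$LOG_GROUP",
    "cloudWatchEncryptionEnabled": false,
    "cloudWatchStreamingEnabled": true,
    "idleSessionTimeout": "20",
    "kmsKeyId": "",
    "runAsEnabled": false,
    "runAsDefaultUser": "",
    "shellProfile": {"windows": "", "linux": ""}
  }
}
EOF
}

apply_session_preferences() {
  aws logs create-log-group --log-group-name "$LOG_GROUP" 2>/dev/null || true
  if aws ssm get-document --name SSM-SessionManagerRunShell >/dev/null 2>&1; then
    aws ssm update-document --name SSM-SessionManagerRunShell \
        --content "$(session_preferences)" --document-version '$LATEST' >/dev/null
  else
    aws ssm create-document --name SSM-SessionManagerRunShell --document-type Session \
        --document-format JSON --content "$(session_preferences)" >/dev/null
  fi
}

# 3. Operator policy: start sessions only on instances tagged Environment=dev,
# and end only your own (session IDs are prefixed with the caller's user name).
operator_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "StartOnTaggedInstances", "Effect": "Allow",
     "Action": "ssm:StartSession", "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"ssm:resourceTag/Environment": "dev"}}},
    {"Sid": "UseDefaultShellDocument", "Effect": "Allow",
     "Action": "ssm:StartSession",
     "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"},
    {"Sid": "ManageOwnSessions", "Effect": "Allow",
     "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
     "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"},
    {"Sid": "ReadOnlyForConsole", "Effect": "Allow",
     "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceInformation", "ec2:DescribeInstances"],
     "Resource": "*"},
  ]
}
EOF
}

if [ "${APPLY:-no}" = yes ]; then
  create_ssm_endpoints
  apply_session_preferences
  aws iam create-policy --policy-name ssm-session-operator \
      --policy-document "$(operator_policy)" >/dev/null
fi
```

The operator policy grants no ssm:StartSession on arbitrary resources: the instance statement is gated by the tag condition, and the document statement only permits the default shell document, so a user cannot reach an untagged instance by naming a different document. Note that session IDs carry the IAM user name; for federated principals the prefix differs, so test the ManageOwnSessions pattern against your identity provider before relying on it.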

Common Pitfalls

  • Missing IAM Role: Without a role carrying AmazonSSMManagedInstanceCore, the instance never registers and does not appear as a target. After attaching a role to a running instance, allow several minutes (or restart the agent) before the instance shows up.
  • SSM Agent Not Running: Always verify agent status; an instance whose PingStatus in describe-instance-information is anything other than Online cannot accept sessions.
  • Network Misconfiguration: Ensure outbound HTTPS to the SSM endpoints. A security group with no outbound rules, a missing NAT route, or an endpoint security group that blocks 443 all produce the same TargetNotConnected error from start-session.

When Should You Use Session Manager?

Session Manager is ideal for:

  • Highly secure production environments
  • Organizations with strict compliance requirements
  • Teams looking to eliminate SSH key management
  • Private subnets without public IP access

Conclusion

Secure remote access is a cornerstone of cloud infrastructure management. By leveraging Session Manager in Amazon Web Services, you can eliminate traditional SSH risks: no keys, no open ports, and full auditability.

This modern approach not only strengthens your security posture but also simplifies operations. Whether you’re managing a single Amazon EC2 instance or an entire fleet, Session Manager provides a scalable, secure, and efficient solution.
