{"id":17632,"date":"2026-06-23T16:00:00","date_gmt":"2026-06-23T22:00:00","guid":{"rendered":"https:\/\/www.supportpro.com\/blog\/?p=17632"},"modified":"2026-06-23T00:04:25","modified_gmt":"2026-06-23T06:04:25","slug":"how-to-securely-access-amazon-ec2-without-ssh-keys-using-aws-session-manager","status":"publish","type":"post","link":"https:\/\/www.supportpro.com\/blog\/how-to-securely-access-amazon-ec2-without-ssh-keys-using-aws-session-manager\/","title":{"rendered":"How to Securely Access Amazon EC2 Without SSH Keys Using AWS Session Manager"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\"><strong>Introduction<\/strong><\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Traditional methods of accessing cloud servers often rely on SSH keys and open inbound ports. While functional, this approach introduces several security and operational challenges: key management, exposure of the attack surface, and compliance risks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With Amazon Web Services (AWS), you can eliminate these concerns entirely using <strong>Session Manager<\/strong>, a feature of AWS Systems Manager. 
It allows secure, auditable, and keyless access to your Amazon EC2 instances, without opening port 22 or managing SSH keys.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Why Avoid SSH-Based Access?<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Before diving into Session Manager, let\u2019s understand the drawbacks of traditional SSH access:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Key Management Overhead<\/strong>: Handling, rotating, and securing private keys is complex.<\/li>\n\n\n\n<li><strong>Open Port (22)<\/strong>: Increases exposure to brute-force attacks.<\/li>\n\n\n\n<li><strong>Audit Limitations<\/strong>: SSH sessions are difficult to monitor and log comprehensively.<\/li>\n\n\n\n<li><strong>Operational Complexity<\/strong>: Requires bastion hosts or VPNs in secure environments.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Session Manager addresses all of these challenges.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What is AWS Session Manager?<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Session Manager is a fully managed capability within AWS Systems Manager that enables you to securely connect to EC2 instances via the AWS console, CLI, or SDK.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Key Features:<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No SSH keys required<\/li>\n\n\n\n<li>No inbound ports needed<\/li>\n\n\n\n<li>Fully auditable session logs<\/li>\n\n\n\n<li>IAM-based access control<\/li>\n\n\n\n<li>Integration with AWS CloudTrail and CloudWatch<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Architecture Overview<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Instead of connecting directly via SSH:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Your local system connects to AWS APIs.<\/li>\n\n\n\n<li>Session Manager establishes a secure channel to the EC2 instance.<\/li>\n\n\n\n<li>Communication is routed through the <strong>SSM Agent<\/strong> 
installed on the instance.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">This means:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No direct network exposure<\/li>\n\n\n\n<li>No need for public IPs or bastion hosts<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Prerequisites<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To use Session Manager, ensure the following:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1. SSM Agent Installed<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Most modern AMIs (like Amazon Linux 2) come pre-installed with the SSM Agent.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2. IAM Role for EC2<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Attach an IAM role with the following managed policy:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AmazonSSMManagedInstanceCore<\/strong><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3. Network Access to SSM Endpoints<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Your instance must be able to reach AWS Systems Manager endpoints via:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Internet Gateway, or<\/li>\n\n\n\n<li>VPC Endpoints (recommended for private setups)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step-by-Step Setup<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 1: Attach IAM Role<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Go to EC2 \u2192 Instances<\/li>\n\n\n\n<li>Select your instance<\/li>\n\n\n\n<li>Attach an IAM role with <strong>AmazonSSMManagedInstanceCore<\/strong><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 2: Verify SSM Agent<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Run the following command on your instance (if accessible):<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">sudo systemctl status amazon-ssm-agent<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If not running, start it:<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">sudo systemctl start amazon-ssm-agent<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 3: Access via Session Manager<\/strong><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Option A: AWS Console<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Navigate to EC2 \u2192 Instances<\/li>\n\n\n\n<li>Select your instance<\/li>\n\n\n\n<li>Click <strong>Connect \u2192 Session Manager \u2192 Connect<\/strong><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Option B: AWS CLI<\/strong><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">aws ssm start-session --target &lt;instance-id&gt;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Security Benefits<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>No Open Inbound Ports<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">You can completely remove inbound rules for port 22 in your security group.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>IAM-Based Access Control<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Access is governed using IAM policies, allowing fine-grained permissions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Session Logging &amp; Auditing<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Session activity can be logged to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Amazon CloudWatch Logs<\/li>\n\n\n\n<li>Amazon S3<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This helps with compliance and forensic analysis.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Reduced Attack Surface<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">No exposed SSH endpoints means fewer entry points for attackers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Comparison: SSH vs Session Manager<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><div class=\"pcrstb-wrap\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Feature<\/strong><\/td><td><strong>SSH 
Access<\/strong><\/td><td><strong>Session Manager<\/strong><\/td><\/tr><tr><td>Key Management<\/td><td>Required<\/td><td>Not required<\/td><\/tr><tr><td>Open Ports<\/td><td>Yes (port 22)<\/td><td>No<\/td><\/tr><tr><td>Audit Logging<\/td><td>Limited<\/td><td>Full logging support<\/td><\/tr><tr><td>Access Control<\/td><td>Key-based<\/td><td>IAM-based<\/td><\/tr><tr><td>Network Exposure<\/td><td>Public\/Private IP<\/td><td>No exposure needed<\/td><\/tr><\/tbody><\/table><\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Best Practices<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To maximize security and efficiency:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. <strong>Use VPC Endpoints<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Avoid internet exposure by configuring private endpoints for Systems Manager.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. <strong>Enable Session Logging<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Send logs to CloudWatch or S3 for auditing and monitoring.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. <strong>Restrict IAM Permissions<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Grant least-privilege access using IAM policies.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
<strong>Regularly Update SSM Agent<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Keep the agent updated to ensure compatibility and security patches.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Common Pitfalls<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Missing IAM Role<\/strong>: Without the correct role, Session Manager won\u2019t work.<\/li>\n\n\n\n<li><strong>SSM Agent Not Running<\/strong>: Always verify agent status.<\/li>\n\n\n\n<li><strong>Network Misconfiguration<\/strong>: Ensure access to SSM endpoints.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>When Should You Use Session Manager?<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Session Manager is ideal for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Highly secure production environments<\/li>\n\n\n\n<li>Organizations with strict compliance requirements<\/li>\n\n\n\n<li>Teams looking to eliminate SSH key management<\/li>\n\n\n\n<li>Private subnets without public IP access<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Conclusion<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Secure remote access is a cornerstone of cloud infrastructure management. By leveraging Session Manager in <a href=\"https:\/\/www.supportpro.com\/blog\/build-highly-available-web-application-aws-gcp-azure\/\" title=\"\">Amazon Web Services<\/a>, you can eliminate traditional SSH risks: no keys, no open ports, and full auditability.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This modern approach not only strengthens your security posture but also simplifies operations. 
Whether you&#8217;re managing a single Amazon EC2 instance or an entire fleet, Session Manager provides a scalable, secure, and efficient solution.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction Traditional methods of accessing cloud servers often rely on SSH keys and open inbound ports. While functional, this approach introduces several security and operational challenges: key management, exposure of&hellip;<\/p>\n","protected":false},"author":39,"featured_media":17633,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[69],"tags":[],"class_list":["post-17632","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aws"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts\/17632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/users\/39"}],"replies":[{"embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/comments?post=17632"}],"version-history":[{"count":1,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts\/17632\/revisions"}],"predecessor-version":[{"id":17634,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts\/17632\/revisions\/17634"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/media\/17633"}],"wp:attachment":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-
json\/wp\/v2\/media?parent=17632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/categories?post=17632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/tags?post=17632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}