Secure Remote Administration of AWS EC2 — with SSM

Nivas DevSecOps
3 min read · Sep 4, 2024

Connecting to a Linux EC2 instance using SSM

Adding SSM and accessing the EC2 instance through SSM will eliminate the need for SSH and add an extra layer of security. However, in order to do that, our steps will look a little different than before. Here’s how we are going to do that.

1. Attach an IAM Role to the EC2 Instance

Instances don't automatically have the ability to connect via SSM, so we have to give them a role that allows it. We do that by navigating to the IAM console and creating a new role.

2. We create a role for ‘AWS Service’ and select ‘EC2’ at the bottom.

3. Choose the correct permissions

When selecting the permissions, we choose ‘AmazonSSMManagedInstanceCore’, which enables the use of AWS Systems Manager.

Here is the role's trust policy JSON, which allows the EC2 service to assume the role and so pick up those permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sts:AssumeRole"
          ],
          "Principal": {
            "Service": [
              "ec2.amazonaws.com"
            ]
          }
        }
      ]
    }

4. Name Role, and create

5. Add role to EC2 instance

We navigate to our instance tab, and under security click ‘Modify IAM role’.

6. Select the role, hit ‘update IAM role’

7. Enable HTTPS Traffic

In order to connect, we need to allow outbound HTTPS traffic (port 443) so that the instance can communicate with the SSM service endpoints. We will do that by editing our current security group and adding the necessary outbound rule.

8. Wait a few minutes for AWS to update, then Connect via Session Manager

9. We are in!
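If Session Manager does not offer the instance, the prerequisites from steps 1 to 7 can be checked offline. The following is an added example, not part of the original post: it inspects the role's trust policy, the attached managed policies and the security group rules, and also flags an inbound SSH rule that SSM makes unnecessary. The function names are hypothetical, and the sample data is constructed in the shape of IAM policy JSON and `aws ec2 describe-security-groups` output.

```python
# Added example: offline preflight check for the SSM prerequisites (steps 1-7).
SSM_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

def as_list(value):
    """IAM JSON allows a single string/object wherever a list is accepted."""
    return value if isinstance(value, list) else [value]

def ec2_can_assume(trust_policy):
    """True if an Allow statement lets ec2.amazonaws.com call sts:AssumeRole."""
    for stmt in as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in as_list(stmt.get("Action", []))
                and "ec2.amazonaws.com" in services):
            return True
    return False

def rule_covers_port(rule, port):
    """Match a security-group rule against a TCP port ('-1' means all protocols)."""
    proto = rule.get("IpProtocol")
    return proto == "-1" or (
        proto == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))

def preflight(trust_policy, attached_policy_arns, security_group):
    """Return a list of findings; an empty list means the prerequisites are met."""
    findings = []
    if not ec2_can_assume(trust_policy):
        findings.append("trust policy does not let ec2.amazonaws.com assume the role")
    if SSM_POLICY_ARN not in attached_policy_arns:
        findings.append("AmazonSSMManagedInstanceCore is not attached")
    if not any(rule_covers_port(r, 443) for r in security_group.get("IpPermissionsEgress", [])):
        findings.append("no outbound rule allows HTTPS (443)")
    if any(rule_covers_port(r, 22) for r in security_group.get("IpPermissions", [])):
        findings.append("inbound SSH (22) is still open and no longer needed")
    return findings

# Constructed sample input: the trust policy from step 3 and an example security group.
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
         "Action": ["sts:AssumeRole"], "Principal": {"Service": ["ec2.amazonaws.com"]}}]}
SG = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
      "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                               "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    for finding in preflight(TRUST, [SSM_POLICY_ARN], SG) or ["all prerequisites met"]:
        print(finding)
```

With the sample data the only finding is the leftover inbound SSH rule; removing that rule from the security group yields an empty list.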

Hopefully this has been helpful for you to see the various ways to securely and remotely connect to AWS managed virtual machines. The cloud is incredible!
