Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon EC2 instances through an interactive one-click browser-based terminal or via the AWS CLI.
Session Manager has several benefits over using SSH:
The EC2 instance needs access to the internet or a VPC Endpoint for Session Manager to work.
In this Lab, you will learn:
You can proceed to the next step as SSM Agent is pre-installed on Amazon Linux AMIs. For other operating systems, please refer to the AWS documentation for Working with SSM Agent
The AWS managed policy,
AmazonSSMManagedInstanceCore, allows an instance to use AWS Systems Manager service core functionality. This will allow you to connect to the EC2 instance using Systems Manager Session Manager.
SSMIAMRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
Create Instance profile resource.
WebServerInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Path: / Roles: - !Ref SSMIAMRole
Attach the role to the instance with
WebServerInstance: Type: AWS::EC2::Instance Properties: IamInstanceProfile: !Ref WebServerInstanceProfile ImageId: !Ref AmiID InstanceType: !FindInMap [EnvironmentToInstanceType, !Ref EnvironmentType, InstanceType] Tags: - Key: Name Value: !Join [ '-', [ !Ref EnvironmentType, Web Server ] ]
You can attach the instance profile to the new Amazon EC2 instances at launch time, or to existing Amazon EC2 instances.
Go to the AWS console and update your stack with a new template.
Open the AWS CloudFormation link in a new tab and log in to your AWS account.
Click on the stack name, for example cfn-workshop-ec2.
In the top right corner click on Update.
In Prepare template, choose Replace current template.
In Template source, choose Upload a template file.
Click on Choose file button and navigate to your workshop directory.
Select the file
04-lab07-SSM-SM.yaml and click Next.
For Amazon Machine Image ID leave the default value in.
For EnvironmentType select the different environment than is listed. For example if you have Dev selected, choose Test and click Next.
For System Manager to work, the instance need to meet following conditions:
- Access to the internet or a VPC Endpoint.
- Role attached with correct permission.
By changing the environment, instance will be stopped and started again. This will help to start
ssm-agent which may have timed-out as the role wasn’t attached in previous lab.
You can leave Configure stack options default, click Next.
On the Review <stack_name> page, scroll down to the bottom and tick I acknowledge that AWS CloudFormation might create IAM resources check box, then click on Update stack.
You can click the refresh button a few times until you see in the status UPDATE_COMPLETE.
Log in to instance using SSM Session Manager and retrieve the AMI ID from instance metadata using
Review the AWS documentation for Instance Metadata and User Data.
Pate the following command inside the instance terminal:
Outside of this workshop you should take additional steps to configure and secure access to SSM Session Manager. See recommendations and documentation link below for further details.
Please refer to the Setting Up AWS Systems Manager documentation.
Congratulations! You have configured Session Manager and now have remote access to your EC2 instance.