Using a Public EC2 Bastion to access your VPC resources through SSH from your local computer? There’s a better, more secure way and that is by leveraging Systems Manager (SSM) Session Manager.

What is a Bastion?

Imagine you have a database running in a private subnet on AWS, and you need to access it from home or your local computer. Since the database isn’t publicly accessible, you need a secure way in. Traditionally, this is done using a bastion host — a jump box that acts as a controlled gateway to your private network. You first connect to the bastion over a public network, and from there, access your AWS resources with restricted permissions.

The bastion is designed to limit entry to only authorized users, typically via SSH or other secure methods — which we’ll explore next.

Why Not use Public Bastions?

To SSH into a public bastion, it must be exposed to the internet. This poses a security risk and unnecessary exposure to your private AWS resources. While you can strengthen security by restricting access with tight Security Group rules — limiting connections to specific IPs — your bastion still remains a potential target.

Additionally, SSH access typically requires a Key Pair, which, if lost, could lock you out entirely. Despite multiple security layers, the fundamental issue remains: an SSH bastion must be publicly accessible, leaving it vulnerable to attacks and access risks.

The Solution: No Public Bastions 🚀

That’s right — your bastion does not need to be public! Instead of exposing it to the internet, you can run it entirely within a private subnet — with no public IP — while still maintaining access using AWS Systems Manager Session Manager.

With SSM Session Manager, you can connect to your bastion securely without:
✅ Requiring an SSH Key Pair
✅ Managing Security Group rules for public access
✅ Worrying about external threats from the public internet and accidental exposures

Below is an architectural diagram illustrating the architecture behind SSM Session Manager and what we will be build:

In this guide, you'll learn how to: ✅ Enable AWS SSM for EC2 instances ✅ Connect without SSH ✅ Troubleshoot common issues

Let’s get started! 🔥

---

Why Use AWS SSM?

🔒 No SSH Keys or Bastion Hosts – Securely connect without managing SSH keys.

🛡 Better Security – No need to open inbound ports.

🔑 IAM-based Access Control – Control access with AWS IAM roles.

📊 Logging & Monitoring – Record session activity in AWS CloudWatch & AWS CloudTrail.

⚡ Run Commands at Scale – Manage multiple instances simultaneously!

---

Step 1: Ensure Prerequisites

Before enabling AWS SSM, ensure you have:

✅ An EC2 instance running Amazon Linux, Ubuntu, or Windows
✅ AWS CLI installed on your local machine
✅ IAM Role with SSM permissions attached to the instance

Attach the IAM Role to EC2

AWS provides a managed policy AmazonSSMManagedInstanceCore to grant necessary permissions.

Steps to Attach IAM Role: 1️⃣ Open AWS IAM Console → Roles → Create Role
2️⃣ Select AWS Service → EC2
3️⃣ Attach policy AmazonSSMManagedInstanceCore
4️⃣ Name the role (e.g., SSM-EC2-Role) and create it
5️⃣ Attach this role to your EC2 instance via EC2 Console → Actions → Security → Modify IAM Role

📌 Tip: Without this role, SSM won’t work!

Reference Screenshot:

---

Step 2: Enable AWS Systems Manager Agent (SSM Agent)

📌 Pre-installed on Amazon Linux & Ubuntu

Check if SSM Agent is Running:

sudo systemctl status amazon-ssm-agent

If Not Installed, Install Manually:

✅ For Amazon Linux & Amazon Linux 2:

sudo yum install -y amazon-ssm-agent
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent

✅ For Ubuntu:

sudo snap install amazon-ssm-agent --classic
sudo systemctl enable snap.amazon-ssm-agent.amazon-ssm-agent.service
sudo systemctl start snap.amazon-ssm-agent.amazon-ssm-agent.service

✅ For Windows:

Start-Service AmazonSSMAgent

---

Step 3: Connect to EC2 via AWS SSM

🔹 No SSH Keys Needed – Just AWS CLI!

1️⃣ Start an SSM Session:

aws ssm start-session --target <instance-id> --region <region>

Example:

aws ssm start-session --target i-037193af6ba6a2bf8 --region ap-south-1

🎉 You're in! Now execute commands like SSH:

whoami
hostname
ls -lah

2️⃣ Exit the Session:

exit

---

Reference Screenshot:

Step 4: Troubleshooting Common Issues

❌ Issue 1: You must specify a region Error

✅ Fix: Set AWS region manually

aws configure

✅ Or specify region in the command

aws ssm start-session --target <instance-id> --region ap-south-1

❌ Issue 2: Invalid SSH Identification String Error

✅ Fix: Use standard SSM Session instead of AWS-StartSSHSession

aws ssm start-session --target <instance-id>

❌ Issue 3: Permission Denied for Directories

✅ Fix: Switch to root or the correct user

sudo su - ubuntu

✅ Or change directory permissions

sudo chmod 755 /home/ubuntu

---

Conclusion 🎯

By using AWS Systems Manager (SSM), you eliminate security risks associated with SSH while gaining centralized control over EC2 instances. With IAM-based access and CloudWatch logging, your infrastructure is now safer, smarter, and more manageable. ✅

🚀 Next Steps: Use SSM for automation, patching, and monitoring. Stay secure & efficient! 💡