Ditch SSH: Securely Connect to EC2 with AWS SSM Session Manager


Introduction
Why move away from SSH?
- Managing SSH keys is a hassle
- Open SSH ports expose security risks
- No built-in logging for SSH sessions
What is AWS Systems Manager (SSM) Session Manager?
- Secure, agent-based access to EC2
- Works over AWS APIs, no open ports required
Note: Enabling SSM does not automatically disable SSH. If you previously used SSH, it will still be available unless explicitly disabled.
Step 1: Create an IAM Role for SSM
Before launching an EC2 instance, create an IAM role with the necessary permissions:
- Go to the AWS IAM Console → Click Roles → Click Create Role
- Select AWS Service → Choose EC2 as the trusted entity
- Attach the policy AmazonSSMManagedInstanceCore
- Name the role (e.g., EC2SSMRole) and create it
This role will allow your EC2 instance to communicate with AWS Systems Manager.
Step 2: Create an EC2 Instance (For New Instances)
If you don’t have an EC2 instance yet, follow these steps:
- Go to AWS EC2 Console → Click Launch Instance
- Choose Amazon Linux 2 (or Ubuntu)
- In the IAM Role section, select the EC2SSMRole (created in Step 1).
- Launch the instance
Important: Amazon Linux 2 and Ubuntu AMIs ship with the SSM Agent preinstalled, so if you selected the IAM role during instance creation the agent registers on its own and no manual installation is required.
If you skipped adding the IAM role, attach it to the instance and, if the agent is missing, install it manually (see Step 3).
Step 3: Enable SSM on Existing Instances
Skip this step if you selected the IAM role during instance creation.
If your EC2 instance is already running and does not have the SSM Agent installed, follow these steps:
Attach IAM Role to an Existing Instance
- Navigate to AWS EC2 Console → Select your instance
- Click Actions → Security → Modify IAM Role
- Attach the EC2SSMRole created in Step 1
Manually Install the SSM Agent
For Amazon Linux 2 & RHEL:
sudo yum install -y amazon-ssm-agent
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
For Ubuntu:
sudo snap install amazon-ssm-agent --classic
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
Verify installation:
sudo systemctl status amazon-ssm-agent
Step 4: Connect to EC2 via SSM
Option 1: AWS Console
- Navigate to AWS Systems Manager > Session Manager
- Select your EC2 instance and click Start Session
Option 2: AWS CLI
Run the following command to start an SSM session:
aws ssm start-session --target <INSTANCE_ID>
Step 5: Disable SSH Access (Highly Recommended)
Important: If you previously used SSH, it remains enabled unless manually disabled.
Using AWS Console
- Navigate to EC2 > Security Groups in the AWS Console.
- Select the security group attached to your EC2 instance.
- In the Inbound rules tab, locate the rule allowing SSH (port 22).
- Click Edit inbound rules, remove the SSH rule, and save changes.
Using AWS CLI (this removes only the rule whose source is exactly 0.0.0.0/0; if the group allows port 22 from other CIDRs, repeat the command with --cidr set to each of them):
aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port 22 --cidr 0.0.0.0/0
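As an added example that is not part of the original post, the Python script below shows the checks a practitioner would run before removing SSH: confirm the instance is Online in SSM, then find every inbound rule that admits TCP port 22 (exact port, a port range covering 22, IPv6 sources, or the all-traffic rule), since the single revoke command above only matches a rule whose source is exactly 0.0.0.0/0. The instance ID, group ID and both JSON documents are constructed samples in the shape of the describe-instance-information and describe-security-groups output.

```python
"""Added example: pre-checks for Step 5 using constructed AWS API output."""
import json

# Constructed sample shaped like `aws ssm describe-instance-information`.
SSM_INFO = json.loads("""{"InstanceInformationList": [
  {"InstanceId": "i-0123456789abcdef0", "PingStatus": "Online",
   "AgentVersion": "3.2.0.0"}]}""")

# Constructed sample shaped like `aws ec2 describe-security-groups`.
SG = json.loads("""{"SecurityGroups": [{"GroupId": "sg-0abc",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.0.2.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}""")


def ssm_online(info, instance_id):
    """True only if the instance is registered with SSM and PingStatus is Online."""
    return any(i["InstanceId"] == instance_id and i["PingStatus"] == "Online"
               for i in info["InstanceInformationList"])


def ssh_rules(sg):
    """Yield (group_id, permission) for inbound rules that admit TCP/22:
    the exact port, a range covering 22, or the all-traffic protocol -1."""
    for g in sg["SecurityGroups"]:
        for p in g["IpPermissions"]:
            proto = p["IpProtocol"]
            covers = proto == "-1" or (proto == "tcp" and
                     p.get("FromPort", 0) <= 22 <= p.get("ToPort", 65535))
            if covers:
                yield g["GroupId"], p


def revoke_commands(sg):
    """One revoke per matching rule, passing the rule back verbatim via
    --ip-permissions so IPv4, IPv6 and range rules are all removed.
    Note a broader rule (e.g. 0-1024) is removed whole, not just port 22."""
    return [f"aws ec2 revoke-security-group-ingress --group-id {gid} "
            f"--ip-permissions '{json.dumps([p], separators=(',', ':'))}'"
            for gid, p in ssh_rules(sg)]


if __name__ == "__main__":
    iid = "i-0123456789abcdef0"  # constructed instance ID
    if not ssm_online(SSM_INFO, iid):
        raise SystemExit(f"{iid} is not Online in SSM; keep SSH until it is")
    for cmd in revoke_commands(SG):
        print(cmd)
```

Review the printed commands before running them; a rule covering a port range is revoked in full, so re-add the non-SSH ports it carried as a narrower rule.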
Disable SSH Service on EC2
- Stop and disable the SSH service:
sudo systemctl stop sshd
sudo systemctl disable sshd
- To check that SSH is disabled, run:
sudo systemctl status sshd
Step 6: Enable Logging for Auditing (Optional but Recommended)
- Configure AWS CloudWatch Logs to record all session activity
- Set up an S3 bucket for long-term storage
Conclusion
- No more SSH key management
- Increased security (no open ports)
- Built-in logging and auditing
- Easier access control using IAM policies
- Option to fully disable SSH for enhanced security
Written by Joshua Welbeck