AWS SSM for Shell Access to EC2 – Bastion free & SSH Key free access to EC2 Instances

Access the EC2 instance from AWS web console without using a bastion host or an SSH key.

Is it possible to do it ? Yes, this can be done with a simpler configuration using the AWS System Manager’s Session Manager options. Also, System Manager can access Windows systems CLI.

With this we can avoid the hassle that comes with running something like a ‘bastion hosts’ and the risks that arise when opening up inbound SSH ports on the instances.

How does it help ?

  • Since the SSH port is not opened, SSH brute force attack risks are eliminated completely. Communication between instance and System Manager is through an encrypted tunnel.
  • Bastion host is not required, and user is free from login to multiple systems before accessing the instances.
  • The key sharing can be avoided and access to the instance can be limited using AWS IAM permissions.
  • Session Manager API can provide programatic access and further integration with other services.


1. Session Manager in Action – In order to use Session Manager to access EC2 instances, the instances must be running the latest version (2.3.12 or above) of the SSM Agent

# cd /tmp
# yum install -y
# systemctl start amazon-ssm-agent

2. Prepare an AMI – Create an AMI by installing SSM-Agent( 2.3.12 or above ) in it – Launch EC2 instances from that AMI. If ssm-agent installed properly it should show below logs.

3. Once the AMI is prepared, just launch the EC2 instances from it, The instance role for the instances must reference a policy that allows access to the appropriate services; we can create our own policy or use existing AmazonEC2RoleForSSM role.

AWS Systems Manager setup

  • Login to AWS console → AWS Systems Manager.


  • Click Session Manager and then click “Start Session”.

  • In the next window, select the instance and click “Start Session

  • Once we select the instance and click the start session, The OS console window opens in browser and we are able to execute any command on the instance as below.

Monitor the sessions

  • Session commands and responses can be logged to Amazon CloudWatch and to an S3 bucket or Grafana Dashboard. We can arrange to receive an SNS notification when a new session is started.

  • In AWS Systems Manager and click Preferences. Since we want to log our commands, enter the name of the S3 bucket and  CloudWatch log group.

  • Start the session again by selecting the instance, We are able to see the sessions output in both s3 and cloudwatch logstream(We can export it to grafana dashboard as well)

  • Session output in s3 bucket:

  • Session output in Cloudwatch logstream:


Accessing the EC2 instance is an easy process now. No need of a bastion host or the SSH key(No opening of port 22) . We can do it using AWS session manager with a simple configuration.

Log in with your credentials

Forgot your details?