
Using AWS Systems Manager Session Manager

Published: January 5, 2021 | Modified: January 5, 2021

Learn how to use AWS Systems Manager’s Session Manager feature to access Linux EC2 instances.

Session Manager!

AWS Systems Manager is a service offered by AWS to manage your instances in AWS and on-prem. The Session Manager console lets you log into EC2 or on-prem instances using a browser-based shell or the AWS CLI. This removes the need to manage bastion hosts, open ports in security groups, or manage SSH keys. Session Manager authorizes access to instances through IAM roles. It also lets you keep fully auditable logs of every session you run in a CloudWatch Logs log stream or an S3 bucket.

Without further delay, let’s dive into Session Manager.

Pre-requisites

  • Instance running SSM agent
  • IAM role attached to the instance with proper permissions
  • S3 bucket for saving logs (optional)
  • CloudWatch log group to stream session logs (optional)

Let’s go through all the pre-requisites one by one –

SSM agent

AWS Systems Manager Agent, i.e., the SSM agent, is a small piece of software installed and configured on the instance so that AWS Systems Manager can communicate with it and execute tasks on it remotely. The agent receives requests from AWS Systems Manager and executes them on the instance with administrative privileges.

The SSM agent is open-sourced on GitHub. It is preinstalled on selected AMIs like Amazon Linux, Ubuntu Server 16, 18 & 20, Windows Server 2016 and 2019. The complete list can be found on the Amazon documentation portal.

On the Linux server, you can verify whether the agent is installed using the command below –

[root@ip-172-31-44-63 ~]# rpm -qa |grep -i ssm-agent
amazon-ssm-agent-3.0.161.0-1.amzn2.x86_64

If not, you can follow the agent installation instructions to install it. The instructions vary by platform and region.

IAM role for AWS Systems Manager

An EC2 instance to be managed by AWS Systems Manager should have an IAM role attached that carries the AWS managed policy AmazonSSMManagedInstanceCore. You can drill down and put a custom policy in place as per your scenario, but this is the best way to start.

Depending on which of the two logging options below you choose, the corresponding extra access permissions need to be added to the role.

S3 bucket for logs

Create the S3 bucket with the standard procedure and keep it ready. You can select it under Session Manager’s preferences later. Session logs will be stored in this S3 bucket, which you can refer to for debugging and troubleshooting.

Ensure appropriate access rules in the EC2 instance role to enable writing logs to the S3 bucket.

CloudWatch Log group

You can also upload or stream session logs to a CloudWatch log group. Uploading sends the logs at the end of the session, while streaming sends them as the session runs. Streaming is recommended.

Ensure appropriate access rules in the EC2 instance role to enable writing logs to the CloudWatch Log group.

Setting preferences

Once all the above pre-requisites are ready, proceed with setting the preferences for Session Manager.

  • Login to the Session Manager console.
  • Click on the Configure Preferences button on the right side of the introduction page.
  • Configure settings as per your requirement –
  • General Preferences
    • Idle session timeout: Duration for which a session can be idle before it is ended. (Range 0-60 mins)
    • KMS encryption: Encrypts the session communication between the EC2 instance and the user’s machine.
    • Specify Operating System user for sessions: Launch sessions with an OS account other than the default ssm-user account.
  • CloudWatch logging
    • Enable/Disable
    • Choose logging options:
      • Stream session logs: Recommended. Logs are streamed to the CloudWatch log group throughout the session.
      • Upload session logs: Logs are uploaded to the CloudWatch log group at the end of the session.
    • Enforce encryption: Enforce encryption of the delivered logs, for added security.
    • CloudWatch log group: Select the pre-created log group.
  • S3 logging
    • Enable/Disable
    • Enforce encryption: Make sure only an encrypted S3 bucket can be selected for delivery.
    • Choose S3 bucket: Select the pre-created S3 bucket for session log delivery.
    • S3 key prefix: For creating a hierarchical structure within the S3 bucket.
  • Linux shell profile
    • Add environment variables and commands to be executed once a session starts. I added one variable for the test here.

Click the Save button to save the preferences.

Running Linux EC2 session

  • Login to the Session Manager dashboard.
  • Click on the Start session button.
  • You should be presented with a list of EC2 instances on which a session can be started (the Start a new session screen).
  • Select the appropriate instance and click on the Start session button.
  • You may see the message below. In that case, it’s best to update the agent.

The SSM Agent version installed on this instance doesn't support streaming logs to CloudWatch. Either update the SSM Agent to the latest version, or disable the streaming logs option in your preferences.

The server session should start in a new window.

Linux EC2 session in browser!

There are a few things you can verify here –

  • The variable we defined in the Linux shell profile is exported at the start of the session.
  • The session is started as the user ssm-user.
  • ssm-user has passwordless sudo access to the root account.

On the logging front, there should be logs created in S3 and CloudWatch.

Session manager logs in S3

You can view the contents of this log file. It contains all the session output as-is: the commands entered and their outputs, exactly as shown during the session.

Session logs from S3

If you look closely, it’s using the Linux tool script to log the session output!

Also, new logs can be found in CloudWatch.

Session manager logs in CloudWatch
Log events in log stream under CloudWatch

On opening each log event in the log stream, you can see each command entered in the session and the output it returned.

Log event details

Here the sessionData key shows the command and its output from the session!
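As an added example (not code from the original post), the small Python audit below walks CloudWatch log events of the shape described above, pulls the typed commands out of sessionData by looking for shell prompts, and flags sessions in which ssm-user escalated to root with sudo. The event field names and the sample events are constructed assumptions, not captured AWS output.

```python
import json
import re
from typing import Iterable

# Constructed sample events in the shape Session Manager streams to a CloudWatch
# log group (field names are an assumption based on the console view; sessionData
# carries the raw terminal text of the session).
SAMPLE_EVENTS = [
    '{"sessionId":"shrikant-0a1b2c","runAsUser":"ssm-user","target":{"id":"i-0123456789abcdef0"},'
    '"userIdentity":{"arn":"arn:aws:iam::123456789012:user/shrikant"},'
    '"sessionData":["sh-4.2$ echo $TESTVAR\\r\\nhello\\r\\n"]}',
    '{"sessionId":"shrikant-0a1b2c","runAsUser":"ssm-user","target":{"id":"i-0123456789abcdef0"},'
    '"userIdentity":{"arn":"arn:aws:iam::123456789012:user/shrikant"},'
    '"sessionData":["sh-4.2$ sudo -i\\r\\n[root@ip-172-31-44-63 ~]# cat /etc/shadow\\r\\n"]}',
]

# A line carrying a shell prompt ("...$ cmd" or "...# cmd") is treated as a typed
# command; plain output lines do not match. Heuristic: output containing "# " would
# also be picked up.
PROMPT_RE = re.compile(r"^[^\r\n]*?[$#] (?P<cmd>[^\r\n]+)", re.MULTILINE)
# Commands that switch account (ssm-user has passwordless sudo to root).
ESCALATION_RE = re.compile(r"^(sudo|su)(\s|$)")


def extract_commands(event_json: str) -> dict:
    """Parse one log event and return who ran which commands on which instance."""
    ev = json.loads(event_json)
    data = ev.get("sessionData", [])
    if isinstance(data, str):  # tolerate a single string as well as a list
        data = [data]
    cmds = [m.group("cmd").strip() for chunk in data for m in PROMPT_RE.finditer(chunk)]
    return {"session": ev.get("sessionId"), "user": ev.get("userIdentity", {}).get("arn"),
            "instance": ev.get("target", {}).get("id"), "commands": cmds}


def audit_sessions(events: Iterable[str]) -> dict:
    """Group commands per session and flag sessions that escalated privileges."""
    report = {}
    for raw in events:
        rec = extract_commands(raw)
        entry = report.setdefault(rec["session"], {"user": rec["user"], "instance": rec["instance"],
                                                   "commands": [], "escalated": False})
        entry["commands"].extend(rec["commands"])
        if any(ESCALATION_RE.match(c) for c in rec["commands"]):
            entry["escalated"] = True
    return report
```

Calling audit_sessions(SAMPLE_EVENTS) yields one session with the three typed commands and escalated set to True, which is the kind of record you would feed into an alert or a periodic access review.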

Once you are done working, you can either exit the shell as you normally would (exit or Ctrl+D) or click the Terminate button in the web browser shell window.

This work is licensed under a CC-BY-NC license · Privacy Policy
© Copyright 2016-2023 KernelTalks · All Rights Reserved.
The content is copyrighted to Shrikant Lavhate & can not be reproduced either online or offline without prior permission.