Introduction
Amazon Elastic Compute Cloud (Amazon EC2) provides on-demand, scalable computing capacity in the Amazon Web Services (AWS) Cloud. Traditionally, the most common way to access an EC2 instance was SSH to a public IP, but a more secure option is to connect through the SSM Agent, which is part of AWS Systems Manager. AWS Systems Manager provides configuration management, which helps you maintain a consistent configuration of your Amazon EC2 or on-premises instances.
The article will cover the following major points:
- Create and configure VPC endpoint for SSM
- Create IAM Role for EC2 Instance
- Create IAM user for connecting to EC2 Instance
- Install the AWS CLI and connect to the EC2 instance from the end user's terminal
Benefits of Using Session Manager
- Connect to your instance without SSH keys, a bastion host, or opening any inbound ports.
- Sessions are secured using an AWS Key Management Service key.
- You can log session commands and details in an Amazon S3 bucket or CloudWatch Logs log group.
Prerequisites
- You must have an active AWS account.
- Have root or IAM user access to the AWS Console.
- Have an EC2 instance created and running in either the default or a custom VPC (Virtual Private Cloud).
- For a custom VPC, you will need to create a new security group in that VPC and add an inbound rule allowing HTTPS (TCP port 443) from the VPC CIDR.
- The outbound rule can stay at its default.
- The security group can also be the default one if you use the default VPC, since a security group is created automatically when that option is chosen during the initial creation of the EC2 instance.
- SSM Agent is installed on the instance. Session Manager relies on SSM Agent, which is preinstalled on common Amazon Machine Images (AMIs). See the list here:
- https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html
- If it is not installed, you will need to connect once via EC2 Instance Connect using the SSH key pair and install the agent manually. See:
- https://docs.aws.amazon.com/systems-manager/latest/userguide/manually-install-ssm-agent-linux.html
- This is not a common case, so it is not covered in this article.
Summary of Steps
- Create an EC2 instance in the default VPC. Use the default security group.
- Create a VPC endpoint to connect to Systems Manager
- Create an IAM role
Additional steps for a custom VPC
- Create a custom VPC
- Create a security group in the custom VPC with an inbound rule allowing HTTPS (TCP port 443) from the VPC CIDR, and make sure the security group belongs to that custom VPC.
Detailed Steps
Check whether the EC2 instance is present
- In the AWS console search bar, search for EC2 and click Instances.
- Check that the instance you wish to connect to is in the running state and that its status checks have passed.
- Then select the instance and try to connect using the Connect option. Initially you will usually get one of two common errors:
- One saying that the IAM role is missing
- One saying that the VPC endpoint is missing
- The Connect button will also stay hidden until the Session Manager setup has been completed correctly.
Example :
- As you can see, we are faced with this error:
The SSM Agent was unable to connect to a Systems Manager endpoint to register itself with the service
- We will need to create a VPC endpoint in the relevant VPC so the agent can reach the Systems Manager endpoint.
- Even if you have configured VPC endpoints, you may face the issue below if the configuration is not correct.
- Systems Manager checks the instance through the agent's ping status. Please ensure you have added the correct VPC and security group, and that the SSM endpoint uses the format shown in the next section.
Create and configure a VPC endpoint for Systems Manager
- Go to the search box and search for VPC.
- For the purpose of this blog we are using the default VPC and security group. (If you are using a custom VPC, you will need to create a custom security group or edit the initial one. If you are using private subnets, assign the inbound and outbound rules accordingly and then follow the same steps with the custom VPC and security group.)
- Go to VPC > Endpoints (select Endpoints on the left side of the page).
- Select AWS services under Service category.
- Under Services, select the SSM endpoints in the format below:
- ssm.region.amazonaws.com >> select this one first (region is the same as your region)
- ec2messages.region.amazonaws.com
- ssmmessages.region.amazonaws.com
- You can follow the prerequisites here:
- https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-prerequisites.html
- For now, select the default VPC and subnet details. If more instances and subnets are added later, you only need to update the subnets here for this VPC.
- Click Create endpoint.
- Repeat the same steps for the second endpoint, ec2messages.
- Once that is done, proceed to AWS Systems Manager to check whether the EC2 instance has been registered. (If no EC2 instance has been created in the VPC, you will have to create one; for this blog I have already created one.)
- Search box > AWS Systems Manager > Fleet Manager
- You should see the following:
- The above means the instance is now registered.
- Go back to the EC2 service and the respective instance.
- Before, we were getting an error; now try to connect to the EC2 instance again and you will see that the error is gone.
- After creating the endpoints you will no longer see the previous errors:
- However, you may see another error related to IAM:
Or the one below:
Your session has been terminated for the following reasons: ----------ERROR------- Setting up data channel with id root-xxxxxx failed: failed to create websocket for datachannel with error: CreateDataChannel failed with no output or error: createDataChannel request failed: failed to sign the request: failed to retrieve instance profile role credentials. Err: EC2RoleRequestError: no EC2 instance role found caused by: EC2MetadataError: failed to make EC2Metadata request <?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>404 - Not Found</title> </head> <body> <h1>404 - Not Found</h1> </body> </html> status code: 404, request id:
For the above we will need to create an IAM role for the SSM Agent and attach the relevant policy.
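Before moving on to the IAM role, here is an added Python example (not part of the original article or of any AWS tool) that checks the two things the endpoint section above depends on: that ssm, ec2messages and ssmmessages interface endpoints exist in the VPC with private DNS enabled, and that the endpoint security group allows TCP 443 from the VPC CIDR. It works on dictionaries shaped like the output of `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups`; the sample data and ids are constructed placeholders, not from a real account:

```python
import ipaddress

# Services the article creates interface endpoints for (ssm.region.amazonaws.com etc.)
REQUIRED_SERVICES = ("ssm", "ec2messages", "ssmmessages")


def missing_endpoints(vpc_endpoints, vpc_id, region):
    """Required services with no usable endpoint in vpc_id. vpc_endpoints has
    the shape of VpcEndpoints from `aws ec2 describe-vpc-endpoints`."""
    present = set()
    for ep in vpc_endpoints:
        if ep.get("VpcId") != vpc_id or ep.get("State") != "available":
            continue
        # Private DNS must be on so the agent's default hostname resolves here.
        if not ep.get("PrivateDnsEnabled", False):
            continue
        for svc in REQUIRED_SERVICES:
            if ep.get("ServiceName") == f"com.amazonaws.{region}.{svc}":
                present.add(svc)
    return [svc for svc in REQUIRED_SERVICES if svc not in present]


def allows_https_from_vpc(security_group, vpc_cidr):
    """True if the endpoint security group (describe-security-groups shape)
    has an inbound rule covering TCP/443 from the whole VPC CIDR."""
    vpc_net = ipaddress.ip_network(vpc_cidr)
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp" and not perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 0):
            continue
        for rng in perm.get("IpRanges", []):
            if vpc_net.subnet_of(ipaddress.ip_network(rng["CidrIp"])):
                return True
    return False


# Constructed sample data with placeholder ids (not from a real account): the
# ssmmessages endpoint was forgotten, so a session's data channel would fail.
SAMPLE_ENDPOINTS = [
    {"VpcId": "vpc-0example", "State": "available", "PrivateDnsEnabled": True,
     "ServiceName": "com.amazonaws.us-east-1.ssm"},
    {"VpcId": "vpc-0example", "State": "available", "PrivateDnsEnabled": True,
     "ServiceName": "com.amazonaws.us-east-1.ec2messages"},
]
SAMPLE_SG = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "172.31.0.0/16"}]}]}
```

To run it against a real account, pass in the `VpcEndpoints` and `SecurityGroups` lists from those two CLI commands (with `--output json`).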
IAM Role Setup for EC2 SSM Agent
By default, AWS Systems Manager doesn’t have permission to perform actions on your instances. You can provide instance permissions at the account level using an AWS Identity and Access Management (IAM) role, or at the instance level using an instance profile.
Please follow the steps below:
- Go to IAM from the search box.
- On the left-hand side, under Access management, click Roles.
- Click Create role.
- Since we are creating a role for a specific AWS service, select AWS service and choose EC2 as the use case.
- By default there is now a Systems Manager use case option for EC2:
- EC2 Role for AWS Systems Manager (select as follows)
- It will automatically attach this policy: AmazonSSMManagedInstanceCore
- Alternatively, you can attach it yourself manually.
- Then click Create role.
- Next we need to attach the IAM role to the EC2 instance.
- Go back to the EC2 instance.
- Select the respective EC2 instance.
- Click Actions > Security > Modify IAM role
- It may take a minimum of 5-10 minutes for this to be updated. Please wait a while and check again.
- Then attach the newly created IAM role for SSM.
- Once the above is done, select the instance and click Connect. You should be taken to the page below in the browser:
- Finally, you are connected.
Connecting to an EC2 instance from a desktop terminal using the AWS CLI without SSH
We can also connect to EC2 instances directly from a desktop or laptop terminal on Windows, macOS or Linux without using SSH, simply by using the AWS CLI.
Summary:
- Create a policy for the IAM user that will log in to the EC2 instance
- Create an IAM user and attach the policy
- Create an access credential for the IAM user
- Install the AWS CLI on the respective computer (Windows, macOS or Linux)
- Access the EC2 instance directly from the end user's terminal
Please follow the detailed steps below:
- Search box > IAM > Policies
- Create a policy for the IAM user
- Create policy
- Install the AWS CLI on your PC if you are a Windows user. This article covers the Windows example; for other systems such as macOS or Linux, refer to the AWS CLI installation documentation.
- Run the command prompt with admin privileges if needed.
- Run this command:
- msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi
- You can verify that the AWS CLI has been installed using the following command:
- aws --version
- The output below confirms that the CLI has been installed.
- C:\>aws configure
- AWS Access Key ID [None]: "Enter Access key"
- AWS Secret Access Key [None]: "Enter Secret"
- Default region name [None]: "Enter Region or it will be picked by default"
- Default output format [None]:
- C:\>
- Verify access with this command: aws sts get-caller-identity
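The policy step above does not show the policy document itself. As an added example (not from the original article), this Python snippet builds a least-privilege policy for the IAM user that runs `aws ssm start-session`, scoped to a single instance, and includes a check for the weak alternative of allowing ssm:StartSession on Resource "*". The region, account id and instance id are placeholders, and SSM-SessionManagerRunShell is the default document Session Manager uses for shell sessions:

```python
def session_user_policy(region, account_id, instance_id):
    """IAM policy document for the end user who runs `aws ssm start-session`
    (AWS CLI). StartSession is limited to one instance, and the user may
    only resume or terminate sessions they started themselves."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartSessionOnOneInstance",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": [
                    f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}",
                    f"arn:aws:ssm:{region}:{account_id}:document/SSM-SessionManagerRunShell",
                ],
            },
            {
                "Sid": "ReadOnlyLookups",
                "Effect": "Allow",
                "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                           "ssm:DescribeInstanceInformation", "ec2:DescribeInstances"],
                "Resource": "*",
            },
            {
                "Sid": "ManageOwnSessionsOnly",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
        ],
    }


def start_session_is_scoped(policy):
    """Flag the weak setting: an Allow of ssm:StartSession on Resource "*"
    lets this user open a shell on every managed instance in the account."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(a in ("ssm:StartSession", "ssm:*", "*") for a in actions) and "*" in resources:
            return False
    return True


if __name__ == "__main__":
    import json
    # Placeholder region, account id and instance id; substitute your own.
    print(json.dumps(session_user_policy("us-east-1", "123456789012", "i-0123456789abcdef0"), indent=2))
```

Paste the printed JSON into the policy editor at IAM > Policies > Create policy, then attach the policy to the IAM user.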
Install the Session Manager plugin for the CLI
- Run the command below to confirm whether the Session Manager plugin is available:
- session-manager-plugin (reference: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-verify.html)
- If you face the error below:
- Use this reference to resolve the Session Manager plugin path issue:
- https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-troubleshooting.html#plugin-not-found
- Once fixed, the command should work as shown below.
- Now you can try connecting to the EC2 instance from the AWS CLI using the command below:
- aws ssm start-session --target <Add instance id>
- You are now connected to an EC2 instance via the AWS CLI using SSM, as an IAM user and without needing SSH.
Additional Errors:
The SSM Agent was unable to connect to a Systems Manager endpoint to register itself with the service.
Conclusion
In conclusion, this guide demonstrates how to securely connect to an Amazon EC2 instance using AWS Systems Manager without relying on SSH or public IPs. By configuring an IAM role and VPC endpoint, users can manage EC2 instances via AWS CLI and Systems Manager, ensuring a safer, more streamlined process. This setup eliminates the need for open ports or SSH keys, making cloud management both efficient and secure.