Matheus Lozano

How to access EC2 instance via SSH without exposing the SSH

Updated: Jan 21

Leveraging an AWS native feature to secure your EC2 instances and keeping your SSH restricted.

Hide your EC2 SSH from the Internet

Replica: https://medium.com/aws-tips-and-tricks/accessing-ec2-via-ssh-without-exposing-the-ssh-adb9bc2fa7ff?source=friends_link&sk=865662a936c5819105cdd01fb64489aa

$ ssh i-0a1b2c3d4e5f6g7h8i9

$ aws ssm start-session --target i-0a1b2c3d4e5f6g7h8i9

Bastion on AWS Cloud

Among the many useful features AWS offers is AWS Systems Manager (SSM), which can act as a bastion and lets you reach an EC2 instance over SSH without exposing the port to the internet. Some of the interesting points are:

  • No need to allow inbound SSH in Security Groups, Network ACLs, etc.

  • Access defined via AWS IAM

  • Access can be based on EC2 tags (e.g. Stage=Prod: SysAdmins only; Stage=UAT: SysAdmins + Devs)

  • Auditing and logging (you have a history of which sessions are active, who connected, to which node, etc.)

  • Fully managed by AWS

  • It’s possible to customize the shell profile

  • Restrict access per IAM user

  • Restrict the commands allowed

  • Many more

How it works

How AWS Systems Manager acts as a bastion for SSH access to EC2

This is what happens when a user runs the AWS CLI/SSM to initiate an SSH session into the EC2 instance.

  1. An IAM user initiates the session

  2. AWS IAM validates that the user has the required privileges/policy

  3. SSM looks up the EC2 instance among the AWS SSM Managed Instances

  4. The SSH session is initiated through the AWS SSM document AWS-StartSSHSession


There are only three prerequisites that are mandatory and one that is optional. The optional one is needed only if you want to use the ssh command instead of the AWS SSM CLI.

  • AWS SSM Agent installed on your EC2 instance: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html

  • An Instance Profile / IAM Role that allows your EC2 instance to register in the AWS SSM Managed Instances

  • An IAM user with privileges to access AWS SSM (plus access/secret keys, or an IAM role obtained by assuming a role) and the EC2 instance

  • The EC2 instance needs to have an SSH key pair configured (optional)

Once you meet the prerequisites, the instance shows up in the AWS SSM Managed Instances, which means you can access it. Usually this happens shortly after the instance reaches the Running status on the EC2 page.

You can check your Managed Instances here: https://console.aws.amazon.com/systems-manager/managed-instances

Note - AMI: Some official AMIs already come with the AWS SSM Agent installed, for example the Amazon Linux 2 AMI.

Note - IAM Policy: You can use the pre-existing managed policy AmazonSSMManagedInstanceCore, which has all the permissions needed. Attach it to your existing IAM Role, or create an Instance Profile / IAM Role and attach this policy to it.

Note - The First Time: If it is the first time, the instance may take several minutes to show up in the AWS SSM Managed Instances.

How to use

It’s straightforward to connect to the EC2 instance.

SSH into EC2 instance

You can see the active sessions and the session history. You can also terminate an active session.

Active SSH sessions via the AWS console
Active SSH sessions via the AWS CLI

As you can see, you don’t need an inbound rule in the Security Group (you only need outbound rules, because the SSM Agent connects out to the Systems Manager endpoints over the internet).

AWS Managed EC2 instances on AWS SSM
Security Group for the EC2 instance without SSH exposed

Tips and Tricks

It’s not Halloween, but it’s always a good time for some Tips and Tricks.

This trick is handy when managing many instances. Instead of going to the AWS console, looking up the instance ID, going to the terminal and then accessing the node, you can just use the ssh form of the example above. This may save a lot of time, which can be critical during a crisis.

You can set this up on your local machine/client by adding it to the file ~/.ssh/config

Note: To use this trick, “The EC2 instance needs to have an SSH Key Pair configured”.
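The ~/.ssh/config entry the tip refers to, as an added example (not the post’s own screenshot), in the form AWS documents for Session Manager: a ProxyCommand that routes every Host matching an instance ID through aws ssm start-session with the AWS-StartSSHSession document. The web-prod alias, the instance ID placeholder, the user name and the key path are assumptions.

```sshconfig
# Route any host that looks like an EC2 instance ID (i-*) or a hybrid
# managed instance (mi-*) through Session Manager instead of a direct TCP
# connection. Needs the AWS CLI and the Session Manager plugin on the
# client, and an SSH key pair on the instance (the "optional" prerequisite).
# ssh_config does not allow trailing comments, so they sit on their own lines.
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
    # Assumption: default user of the Amazon Linux 2 AMI.
    User ec2-user
    # Assumption: private key of the key pair configured on the instance.
    IdentityFile ~/.ssh/my-ec2-keypair.pem

# Optional alias so you do not have to remember the instance ID.
# OpenSSH expands %h in ProxyCommand to the HostName value, so the same
# ProxyCommand works here. i-0123456789abcdef0 is a placeholder.
Host web-prod
    HostName i-0123456789abcdef0
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
    User ec2-user
    IdentityFile ~/.ssh/my-ec2-keypair.pem
```

With this in place, `ssh i-0a1b2c3d4e5f6g7h8i9` or `ssh web-prod` opens the session over SSM; the instance still needs no inbound SSH rule, and each connection still appears in the Session Manager history.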

Read More

Replacing a Bastion Host with Amazon EC2 Systems Manager | Amazon Web Services

Use an SSH Tunnel Through AWS Systems Manager to Access Your Private VPC Resources

Step 8: (Optional) Enable SSH connections through Session Manager

Task 2: Create users and assign permissions

Step 4: Create an IAM instance profile for Systems Manager

Step 5: (Optional) Restrict access to commands in a session

Step 7: (Optional) Disable or enable ssm-user account administrative permissions

Applying managed instance policy best practices | Amazon Web Services

How AWS Systems Manager works with IAM
