{"id":645,"date":"2025-03-05T05:25:37","date_gmt":"2025-03-05T05:25:37","guid":{"rendered":"https:\/\/blog.ngocha.biz\/?p=645"},"modified":"2025-03-05T05:25:37","modified_gmt":"2025-03-05T05:25:37","slug":"aws-ssm","status":"publish","type":"post","link":"https:\/\/blog.ngocha.biz\/?p=645","title":{"rendered":"How To Access A Private EC2 Instance Using AWS SSM?"},"content":{"rendered":"

In this blog, you will learn how to use the AWS SSM(Systems Manager<\/strong>)<\/a> session manager to access Private EC2 instances.<\/a><\/p>\n

AWS Systems Manager Session Manager is a feature that allows you to securely connect to your EC2 instances without needing a public subnet, public IP, or SSH access.<\/p>\n

AWS Systems Manager Workflow<\/h2>\n

The following image shows the private EC2 access workflow using the AWS Systems Manager.<\/p>\n

\"The<\/figure>\n

Here is how the session manager works.<\/p>\n

    \n
  1. The user initiates the SSM session from the local machine CLI. The local machine should have AWS CLI<\/strong><\/a> installed with Session Manager Plugin<\/strong>.<\/li>\n
  2. The EC2 instance will have the SSM Agent inside it (most of the instances will have the agent by default, if not, need to install manually)<\/li>\n
  3. The request will go to the AWS Systems Manager service first and inside the VPC (via VPC endpoints). The the SSM communicates with the SSM Agent present inside the instance.<\/li>\n
  4. The EC2 instance sends session data to AWS Systems Manager, which then securely sends it to the local machine. This allows the user to access the EC2 instance without requiring a public IP address or an open SSH port.<\/li>\n<\/ol>\n

    Now, let’s look at how to configure and set up Session Manager with a practical example.<\/p>\n

    Follow the steps below, where we create a VPC from scratch and configure all the necessary network settings, IAM roles, and permissions for Session Manager to work from both the AWS Web Console and a user’s laptop using the AWS CLI.<\/p>\n

    Step 1: Create a VPC with Private Subnets.<\/h2>\n

    Navigate to the VPC console and click Create VPC<\/code> the button to create a new VPC, if you already have a VPC, you can use that as well.<\/p>\n

    \"the<\/figure>\n

    In the VPC creation page, choose the VPC and more<\/code> option, which will help to create the required configurations in a simple manner.<\/p>\n

    Give a name for the VPC and choose the VPC CIDR range, for now I have chosen the range of 10.0.0.0\/16<\/code><\/p>\n

    \"selecting<\/figure>\n

    Choose the required number of availability zones and public and private subnet counts.<\/p>\n

    \n
    \ud83d\udca1<\/div>\n
    Here, you can see the NAT is enabled, but for SSM to work, NAT is not required, you can keep the value as None<\/code>.<\/p>\n

    NAT will help the private network to access the internet without public IP<\/p><\/div>\n<\/div>\n

    \"chossing<\/figure>\n

    You can see the preview diagram on the right side section, which will help to understand the architecture.<\/p>\n

    \"the<\/figure>\n

    The VPC creation will take a few minutes to complete.<\/p>\n

    \"the<\/figure>\n

    We have created two public and private subnets, but we are only going to use the private subnets.<\/p>\n

    \"the<\/figure>\n

    For this demo, I will choose the first private subnet which is situated in the us-west-2a<\/code> region, but you can choose any private subnet.<\/p>\n

    Navigate to the Route tables<\/strong> of the VPC.<\/p>\n

    On the Routes<\/strong> tab, we can see one rule, which only helps to route the traffic internally, and the other is the NAT gateway, which is for accessing internet from private instances.<\/p>\n

    \"the<\/figure>\n

    On the Subnet Associations<\/strong> tab, we can see that the two private subnets are associated.<\/p>\n

    \"describing<\/figure>\n

    Step 2: Create a Private VPC Endpoint<\/h2>\n

    Since we don’t have internet access but want to connect the AWS SSM service securely, we need Private VPC Endpoints<\/strong>.<\/p>\n

    We are creating three endpoints: ssm<\/strong>, ssmmessages,<\/strong> and ec2messages<\/strong>.<\/p>\n

      \n
    1. SSM VPC Endpoint: <\/strong>Primary endpoint for the communication, which helps send the commands to the SSM.<\/li>\n
    2. SSM Messages VPC Endpoint:<\/strong> This is where you send and receive the communication output between SSM components such as the SSM Agent, Systems Service, etc.<\/li>\n
    3. EC2 Messages VPC Endpoint:<\/strong> Send and receive communication between EC2 and other AWS services.<\/li>\n<\/ol>\n

      To create a VPC Endpoint, go to the VPC dashboard, navigate to the Endpoints, and click Create Endpoint.<\/p>\n

      \"the<\/figure>\n

      In the Endpoint settings, provide an endpoint name and select the AWS services from the Service category.<\/p>\n

      \"providing<\/figure>\n

      In the Services<\/strong> section, select the service name com.amazonaws.us-east-1.ssm<\/code> and select the VPC and the private subnets.<\/p>\n

      \"select<\/figure>\n

      In the Security Group<\/strong>s section, I am choosing the default<\/strong> one of the VPC Security groups.<\/p>\n

      \"selecting<\/figure>\n

      We have to create two more endpoints, same as above, one is SSM Messages.<\/strong><\/p>\n

      \"the<\/figure>\n

      The third endpoint is for the EC2 Messages<\/strong> service.<\/p>\n

      \"the<\/figure>\n

      The endpoint creation will take a few seconds to complete after we see the status as active and more details about it on the Details<\/strong> tab.<\/p>\n

      \"the<\/figure>\n

      Step 3: Default Security Group<\/h2>\n

      When creating a VPC, a Security group will also be created with a rule for internal routing.<\/p>\n

      \"describing<\/figure>\n

      We can see that only one rule is present in the inbound traffic, which is only for internal incoming traffic.<\/p>\n

      \"describing<\/figure>\n

      The outbound rule indicates that the traffic can go from the VPC to anywhere.<\/p>\n

      Step 4: Create an Instance Profile (IAM Role)<\/h2>\n

      We need to create an instance profile for the private EC2 instance<\/strong>.<\/p>\n

      We already have an AWS-managed IAM Policy<\/strong> AmazonSSMManagedInstanceCore<\/code> for the instance profile with the required permissions.<\/p>\n

      \"creating<\/figure>\n

      We are creating an IAM Role with this IAM Policy AmazonSSMManagedInstanceCore<\/code><\/p>\n

      Select the Roles<\/strong> tab in the IAM Dashboard and click Create role<\/strong> to create a new one.<\/p>\n

      \"creating<\/figure>\n

      On the next page,<\/p>\n

      Choose the AWS service under the Trusted entity type. Under use case select EC2.<\/p>\n

      \"selecting<\/figure>\n

      On the next page, we need to select the IAM Policy AmazonSSMManagedInstanceCore<\/code> to attach with the IAM Role.<\/p>\n

      \"selecting<\/figure>\n

      The next step is to provide a name to the Role and ensure the Trust Policy<\/strong> and the IAM Policy<\/strong> that we attach to the Role.<\/p>\n

      \"providing<\/figure>\n

      Now that the required IAM role is ready, we can check the configurations from the IAM console.<\/p>\n

      \"describing<\/figure>\n

      Step 5: Create a Private EC2 instance<\/h2>\n

      We can create a private EC2 instance with the instance profile.<\/p>\n

      \"creating<\/figure>\n

      I am creating an Amazon Linux instance for demo purposes, but you can choose any.<\/p>\n

      The SSM Agent should be present in the instance, but most AWS instances come with it by default.<\/p>\n

      \"providing<\/figure>\n

      Please refer to the official documentation<\/a> to view the list of preinstalled SSM agent AMIs.<\/p>\n

      \"selecting<\/figure>\n

      In the Network settings<\/strong> section, choose the correct VPC, private subnet, and security group.<\/p>\n

      \"selecting<\/figure>\n


      \nIn the Advanced details<\/strong> section, select the IAM Instance Profile that we created earlier.<\/span>
      \n<\/p>\n

      \"in<\/figure>\n

      Wait until the instance state is running.<\/p>\n

      \"describing<\/figure>\n

      Step: AWS Systems Manager to access the Instance<\/h2>\n

      After the EC2 instance creation is completed, it can be seen in the AWS Systems Manager<\/strong> dashboard under the Fleet Manager<\/strong> section.<\/p>\n

      \"systems<\/figure>\n

      We can get more detailed information if we click the Node ID.<\/p>\n

      \"connecting<\/figure>\n

      To connect the instance via SSM, we can use the Start terminal section from the Node actions or the Session Manager section of the EC2 instance<\/p>\n

      \"connecting<\/figure>\n

      Now, we can access the instance without accessing the subnet from the internet.<\/p>\n

      \"The<\/figure>\n

      We haven’t provided a key or even SSH access to this instance, so no other methods will work to connect with this private instance.<\/p>\n

      \"ec2<\/figure>\n


      \nWe can see no public IP warning message in the EC2 Instance Connect method<\/span>
      \n<\/p>\n

      \"ssh<\/figure>\n

      In the SSH client<\/strong> connect method, we can see the warning of the no key association.<\/p>\n

      How do we configure the SSM on the existing EC2 Instance?<\/h2>\n

      If you already have a private EC2 instance but the instance profile was not attached when you created it, we can also attach the instance profile after the deployment.<\/p>\n

      I have created another Private EC2 instance with no instance profile.<\/p>\n

      \"list<\/figure>\n

      If we check the Session Manager section, we can’t able to connect the instance using the SSM.<\/p>\n

      \"session<\/figure>\n

      We need to attach the instance profile with this existing Private EC2 instance.<\/p>\n

      To attach the IAM Instance Profile to an existing cluster, in the instance dashboard, select Security<\/strong> in the Actions<\/strong> tab and select Modify IAM role<\/strong>.<\/p>\n

      \"modifying<\/figure>\n

      On the next page, select the Instance Profile we have already created and click the Update IAM role<\/strong> button.<\/p>\n

      \"instance<\/figure>\n

      The associated Instance Profile will take a few minutes to update with the EC2 instance.<\/p>\n

      After that, if you check the Session Manager tab of the connection dashboard, you will see the connect button.<\/p>\n

      \"connecting<\/figure>\n

      How to access the EC2 instance using AWS SSM from the local machine?<\/h2>\n

      To access the instance from the local machine, need to install the SSM client.<\/p>\n

      For Mac,<\/p>\n

      brew install session-manager-plugin<\/code><\/pre>\n
      Once the installation is completed, we can connect the instance from the local machine via CLI.<\/p>\n
      aws ssm start-session --target <INSTANCE_ID> --region <REGION><\/code><\/pre>\n
      We can perform port forwarding if you have installed something in the private instance and want to access its dashboard from the local machine.<\/p>\n
      For example, I have installed Prometheus<\/a> in a private EC2 instance, and need to access the dashboard from the local machine.<\/p>\n
      To see the dashboard from the local machine by port forwarding, use the following command.<\/p>\n
      aws ssm start-session --target <INSTANCE_ID> --region <REGION> --document-name AWS-StartPortForwardingSession --parameters '{\"portNumber\":[\"9090\"],\"localPortNumber\":[\"9090\"]}'<\/code><\/pre>\n
      The port number will be changed depending on the deployment inside the server.<\/p>\n
      \"the<\/figure>\n
      To access the dashboard, open any browser from the local machine, and paste the URL http:\/\/localhost:9090<\/code><\/p>\n
      \"the<\/figure>\n
      Conclusion<\/h2>\n
      We have explored only one use case of the AWS Systems Manager, but we can do various things that make it possible to use it as a secure configuration manager for the EC2 instances and for operation, application, and change management.<\/p>\n
      Check all the options the SSM provides and utilize them for your needs.<\/p>\n
      \n
      Ngu\u1ed3n:<\/strong> How To Access A Private EC2 Instance Using AWS SSM? \u2014 DevOpsCube<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
      Source: https:\/\/devopscube.com\/aws-ssm\/<\/p>\n","protected":false},"author":1,"featured_media":646,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-645","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/645","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=645"}],"version-history":[{"count":0,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/645\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/media\/646"}],"wp:attachment":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=645"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=645"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=645"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}