Ever wanted to simplify access management to your EC2 instances? AWS Session Manager might be the solution you're looking for.
Why Ditch SSH?
As your infrastructure grows, managing SSH access becomes a pain:
- Creating/deleting users on multiple instances
- Managing SSH keys
- Dual access management (AWS + EC2)
- Complex offboarding processes
The Session Manager Solution
Session Manager puts EC2 shell access behind IAM. Users authenticate with their AWS credentials only; there is no second identity on the instance to create, key or revoke. Remove the IAM permission and the EC2 access is gone with it.
Setup Overview
I followed AWS's official guide but simplified it for practical use.
What You Get
✅ No inbound SSH - Port 22 can be removed from security groups entirely; the SSM Agent makes outbound connections to the SSM endpoints, so nothing listens for remote logins
✅ No SSH keys - Zero key management, and no stray authorized_keys entries to audit
✅ SSM Agent - Pre-installed on Amazon-provided AMIs (Amazon Linux, Ubuntu Server, Windows Server); other images need it installed and started
The Code
I created a Terraform module after fixing issues in the AWS sample.
Module: terraform-session-manager
Main Configuration
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5"
    }
  }
}

provider "aws" {
  region  = "us-east-1"
  profile = "my-profile-name"
}

# The module creates the instance role/profile and the S3 bucket for session logs
module "ssm" {
  source = "../modules/ssm"
}

# Attach this instance profile to every instance that should be reachable via Session Manager
output "ssm_profile_name" {
  value = module.ssm.ssm-profile-name
}
```
Region-Specific Setup
Session Manager preferences live in an SSM document named SSM-SessionManagerRunShell, and SSM documents are stored per region. The document therefore has to exist in every region where you open sessions, using a provider alias for each:
```hcl
provider "aws" {
  region  = "us-east-1"
  profile = "my-profile-name"
  alias   = "useast1"
}

# OS account that sessions run as; it must already exist on every instance
variable "user" {
  type = string
}

resource "aws_ssm_document" "session_manager_prefs_useast1" {
  provider        = aws.useast1
  name            = "SSM-SessionManagerRunShell"
  document_type   = "Session"
  document_format = "JSON"

  # Terraform heredocs do not process backslash escapes, so the "\n" below reaches the
  # JSON parser intact and becomes a newline in the shell profile.
  content = <<DOC
{
  "schemaVersion": "1.0",
  "description": "SSM document to house preferences for session manager",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "${module.ssm.ssm_s3_bucket_id}",
    "s3KeyPrefix": "AWSLogs/ssm_session_logs",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "",
    "runAsEnabled": true,
    "runAsDefaultUser": "${var.user}",
    "shellProfile": {
      "windows": "",
      "linux": "exec /bin/bash\ncd /home/${var.user}"
    },
    "idleSessionTimeout": "20"
  }
}
DOC
}
```
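Logging only happens when a session actually uses the document above. A principal with an unrestricted `ssm:StartSession` can pass a different `--document-name` and sidestep the transcript, so the user-side IAM policy should pin sessions to this document. The policy below is an added example, not part of the original post or the author's module: it allows `ssm:StartSession` only with the hardened document, lets users terminate only their own sessions, and grants the read-only calls the console and CLI make. The `aws_caller_identity` lookup, the `us-east-1` instance ARN and the policy name are assumptions; `$${aws:username}` is escaped so Terraform passes the IAM policy variable through literally.

```hcl
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "session_user" {
  # Only the logged preferences document is an allowed resource. With
  # ssm:SessionDocumentAccessCheck set, the CLI's default document selection is also
  # checked against this list instead of being allowed implicitly.
  statement {
    sid     = "StartSessionWithLoggedDocumentOnly"
    actions = ["ssm:StartSession"]
    resources = [
      "arn:aws:ec2:us-east-1:${data.aws_caller_identity.current.account_id}:instance/*",
      aws_ssm_document.session_manager_prefs_useast1.arn,
    ]
    condition {
      test     = "BoolIfExists"
      variable = "ssm:SessionDocumentAccessCheck"
      values   = ["true"]
    }
  }

  # Session IDs are prefixed with the caller's IAM username, so this limits
  # resume/terminate to the user's own sessions (for IAM users; role sessions differ).
  statement {
    sid       = "ManageOwnSessionsOnly"
    actions   = ["ssm:ResumeSession", "ssm:TerminateSession"]
    resources = ["arn:aws:ssm:*:*:session/$${aws:username}-*"]
  }

  # Read-only calls used to list managed instances and sessions.
  statement {
    sid = "DescribeTargets"
    actions = [
      "ssm:DescribeSessions",
      "ssm:GetConnectionStatus",
      "ssm:DescribeInstanceProperties",
      "ssm:DescribeInstanceInformation",
      "ec2:DescribeInstances",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "session_user" {
  name   = "session-manager-user"
  policy = data.aws_iam_policy_document.session_user.json
}
```

Attach `aws_iam_policy.session_user` to the group or role your engineers use; tighten the instance ARN to specific instances or a tag condition (`ssm:resourceTag/...`) once you know which hosts each team should reach.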
Adding More Regions
For additional regions (like us-east-2), add another provider alias and a second copy of the document resource bound to it:
```hcl
provider "aws" {
  region  = "us-east-2"
  profile = "my-profile-name"
  alias   = "useast2"
}

resource "aws_ssm_document" "session_manager_prefs_useast2" {
  provider = aws.useast2
  # ... same document config as above
}
```
Key Benefits
🔒 Security: Sessions run over TLS with no inbound ports, and access is decided centrally by IAM
⚡ Simplicity: One place to manage all access
📊 Auditing: With the document above, every session transcript lands in S3 (CloudWatch Logs is available too)
🚀 Scalability: Works across any number of instances
Gotchas
- Private instances need an outbound path to the SSM endpoints (ssm, ssmmessages, ec2messages) and to S3 for log upload: either a NAT gateway or VPC endpoints. No inbound rule is needed
- The preferences document is region-specific, so repeat it for every region you use
- SSM Agent must be running (usually is by default) and the instance must carry the instance profile from the module, or it never shows up as a managed node
- The runAsDefaultUser account must exist on every instance; if an IAM principal has an SSMSessionRunAs tag, that value overrides the default
- Logging depends on the session using this document; restrict ssm:StartSession to it, or users can start sessions with another document and skip the transcript
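For instances in subnets without internet access, the usual fix is VPC endpoints rather than a NAT gateway. The following is an added example, not code from the original post: interface endpoints for the three SSM services plus a gateway endpoint for S3 so transcripts can still be uploaded. The VPC, subnet and route table variables are assumptions; the security group admits HTTPS only from inside the VPC.

```hcl
# Assumed inputs: the VPC, the private subnets holding the instances, and their route tables.
variable "vpc_id" {
  type = string
}

variable "private_subnet_ids" {
  type = list(string)
}

variable "private_route_table_ids" {
  type = list(string)
}

data "aws_region" "current" {}

data "aws_vpc" "this" {
  id = var.vpc_id
}

# Only instances inside the VPC need to reach the endpoints, so allow 443 from the VPC CIDR.
resource "aws_security_group" "ssm_endpoints" {
  name   = "ssm-interface-endpoints"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.this.cidr_block]
  }
}

# ssm: agent registration and API calls; ssmmessages: the session data channel;
# ec2messages: the message channel used by Run Command. All three are needed.
resource "aws_vpc_endpoint" "ssm" {
  for_each = toset(["ssm", "ssmmessages", "ec2messages"])

  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.ssm_endpoints.id]
  private_dns_enabled = true # agents resolve the public hostname to the endpoint ENI
}

# The agent uploads transcripts to S3, so S3 needs a private path as well.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
}
```

After `terraform apply`, a correctly wired instance appears in `aws ssm describe-instance-information` within a few minutes; an instance missing from that list almost always has either no route to these endpoints or no instance profile attached.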
Have you tried Session Manager? What's your preferred way to manage EC2 access? Let me know in the comments!
Found this helpful? I'd appreciate if you follow me for more AWS and infrastructure content! 🚀
Originally published at Cyberpunk Tools Blog.