How to login to EC2 instances without SSH

02 Feb, 2019
Xebia Background Header Wave

In previous posts, we showed you how to deploy a private key pair to allow you to login to an
EC2 instance. Since september 2018, the AWS Session Manager supports logging into any instance, directly from the command line without SSH. In this
blog we will show you how to configure this using CloudFormation.
To login to an EC2 instance using the AWS Session manager, you need to do three things:
* Install the AWS SSM agent
* Grant session manager permissions
* Enable audit logging

install the AWS SSM agent

We are lazy and use an Amazon Linux based instance, which has the agent already installed.For other
AMIs, please consult the documentation.
In CloudFormation, we add the instance:

    Type: 'AWS::SSM::Parameter::Value<aws::EC2::Image::Id>'
    Default: '/aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2'

    Type: 'AWS::EC2::Instance'
      ImageId: !Ref 'AmiId'
      IamInstanceProfile: !Ref 'IamInstanceProfile'

grant session manager permissions

The agent needs the following permissions to enable the session manager:

- Effect: Allow
    - ssmmessages:CreateControlChannel
    - ssmmessages:CreateDataChannel
    - ssmmessages:OpenControlChannel
    - ssmmessages:OpenDataChannel
  Resource: '*'
- Effect: Allow
    - s3:GetEncryptionConfiguration
  Resource: '*'

To keep things small and simple, we associate the AmazonEC2RoleforSSM role with the instance profile, which
includes the above permissions:

  Type: AWS::IAM::Role
    - Effect: Allow
        - sts:AssumeRole
    Path: /
      - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM

Enable audit logging

AWS Session Manager allows you to store the session logs on either S3, CloudWatch or both.
To enable audit logging you need to create an SSM Document named SSM-SessionManagerRunShell:

    Type: Custom::SSMDocument
      Name: SSM-SessionManagerRunShell
      DocumentType: Session
      Content: !Sub >
        { "schemaVersion": "1.0",
          "content": "Session Manager Preferences",
          "sessionType": "Standard_Stream",
          "inputs": {
            "s3BucketName": "${SessionLogBucket}",
            "s3KeyPrefix": "",
            "s3EncryptionEnabled": false,
            "cloudWatchLogGroupName": "${SessionLogGroup}",
            "cloudWatchEncryptionEnabled": false

Note that we had to create a custom CloudFormation provider to create the document, as the standard
CloudFormation resource does not allow you to specify the document name.

starting a session

Once deployed you can login to your instance by typing:

$ aws ssm start-session --target <instance-id>


The complete CloudFormation template can be found on github. To
test, type:

$ git clone
$ cd blog-login-to-ec2-instances-without-ssh
$ make
create demo in default VPC vpc-12313137, subnets subnet-privatea,subnet-privateb,subnet-privatec using security group sg-default.
    "StackId": "arn:aws:cloudformation:eu-central-1:111111111111:stack/ec2-session-manager/207b6890-26dc-11e9-b214-021298c8e4cc"

    "aws ssm start-session --target i-0c25d8bf100a5d1da", 
    "aws logs get-log-events --log-group-name ec2-session-manager-SessionLogGroup-L9G8VSLL6XCK --log-stream-name $SESSION_ID", 
    "aws s3 cp s3://ec2-session-manager-sessionlogbucket-q8c1pz8q6u6g/$SESSION_ID.log -"

copy the outputed start-session command:

$ aws ssm start-session --target i-12311231123132

Starting session with SessionId: mvanholsteijn-0d9ce5dd2172522f7

sh-4.2$  sudo tail /var/log/amazon/ssm/*.log

You can explicit grant or deny users to start a session, through the action ssm:StartSession.

view session log

To view the session log from s3, type:

aws s3 cp s3://ec2-session-manager-sessionlogbucket-q8c1pz8q6u6g/$SESSION_ID.log -

It will take a few minutes after closing the session, for the log to appear.


The AWS Session Manager simplifies logging into any of your EC2 instance which has the
SSM agent installed, without SSH. It saves complicating your
infrastructure with user- and ssh key management. Once support for tunneling is available,
we can say goodbye to the concept of a bastion host.
If you still want to login using SSH, we recommend the blog on how to deploy a private key pair.

Mark van Holsteijn
Mark van Holsteijn is a senior software systems architect at Xebia Cloud-native solutions. He is passionate about removing waste in the software delivery process and keeping things clear and simple.

Get in touch with us to learn more about the subject and related solutions

Explore related posts