skip.link.title

AWS Session Manager Step by Step Tutorial

  • You can find the source code for this video in my GitHub Repo.

Prerequisites

Create IAM Role and EC2 Instance

  • Create SSMFullAccess IAM role and attach AmazonSSMFullAccess managed policy to it.
  • Create EC2 instance and attach SSMFullAccess instance profile.
  • Verify that EC2 instance was registered in AWS Session Manager console.

Create CloudWatch Log Group

  • Create ssm-session CloudWatch log group.
  • Update Session Manager settings to use ssm-session log group.

Install AWS Session Manager Plugin.

  • Follow instructions for your OS here.

Create IAM Policy and IAM user

  • Create UserStartSessionPolicy IAM Policy with the following content. Replace <region> and <account-id>.
UserStartSessionPolicy.yaml
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:<region>:<account-id>:instance/*"
            ],
            "Condition": {
                "StringLike": {
                    "ssm:resourceTag/service": [
                        "proxy"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ssm:<region>::document/AWS-StartPortForwardingSession"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:TerminateSession"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:session/${aws:username}-*"
            ]
        }
    ]
}
  • Create SSMAccess IAM group and attach UserStartSessionPolicy policy.
  • Create developer user and put it to SSMAccess group.
  • Run aws configure to create default profile.

SSH to EC2 Instance

  • To ssh to the EC2 instance use the following command, replace <ec2-instace-id>. 

    aws ssm start-session --target <ec2-instace-id>

  • Update EC2 tag labels.

  • Install nginx on EC2 instance. 

    sudo apt -y install nginx
systemctl status nginx

Port Forward from EC2 to localhost

  • To port forward from EC2 instance to localhost use the following command, replace <ec2-instace-id>.
aws ssm start-session \
    --target <ec2-instace-id> \
    --document-name AWS-StartPortForwardingSession \
    --parameters '{"portNumber":["80"], "localPortNumber":["8080"]}'
Clean
  • Delete developer IAM user
  • Delete SSMAccess IAM group
  • Delete UserStartSessionPolicy IAM policy
  • Delete ssm-session CloudWatch log group
  • Delete ssm Security Group
top.title