AWS Systems Manager Session Manager is a fully managed capability that enables secure, browser-based interactive shell access to EC2 instances, on-premises servers, and virtual machines. It eliminates the need to open inbound ports, manage SSH keys, or maintain bastion hosts, significantly improving your security posture.
Key features include:
**Secure Access**: Session Manager uses IAM policies to control which users can access specific instances. All sessions are encrypted using TLS 1.2, and you can enforce encryption using AWS KMS keys for additional security.
**Audit and Logging**: Every session activity can be logged to Amazon S3 or CloudWatch Logs, providing complete audit trails. You can also stream session data to CloudWatch for real-time monitoring.
**No Bastion Hosts Required**: Since Session Manager communicates through the SSM Agent installed on instances, you do not need to manage bastion hosts or jump servers, reducing infrastructure complexity and costs.
**Port Forwarding**: Session Manager supports port forwarding, allowing you to securely tunnel traffic to resources in private subnets, such as RDS databases or internal applications.
**Prerequisites**: Instances must have the SSM Agent installed (pre-installed on many Amazon AMIs), an IAM instance profile with the AmazonSSMManagedInstanceCore managed policy attached, and network connectivity to the Systems Manager endpoints (via the internet, a NAT gateway, or VPC endpoints).
**Integration with AWS Services**: Session Manager integrates with AWS CloudTrail for API logging, EventBridge for automation triggers, and can be accessed through the AWS Console, CLI, or SDK.
For the SysOps exam, understand how to troubleshoot connectivity issues, configure logging preferences, set up VPC endpoints for private instances, and implement least-privilege IAM policies. Session Manager is essential for maintaining secure, auditable access to your fleet while meeting compliance requirements.
Systems Manager Session Manager - Complete Guide
What is AWS Systems Manager Session Manager?
Session Manager is a fully managed capability of AWS Systems Manager that enables you to manage your Amazon EC2 instances, on-premises servers, and virtual machines through an interactive browser-based shell or through the AWS CLI. It provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.
Why is Session Manager Important?
Session Manager is crucial for several reasons:
• Enhanced Security: No need to open inbound SSH (port 22) or RDP (port 3389) ports in security groups
• No Bastion Hosts Required: Eliminates the need to maintain and secure bastion hosts or jump servers
• No SSH Key Management: Removes the operational overhead of managing and rotating SSH keys
• Centralized Access Control: Uses IAM policies to control who can access which instances
• Full Audit Trail: All session activity can be logged to CloudWatch Logs and S3 for compliance and auditing
• Cross-Platform Support: Works with Linux, macOS, and Windows instances
How Session Manager Works
1. SSM Agent: The target instance must have the SSM Agent installed and running. This agent comes pre-installed on many Amazon Machine Images (AMIs)
2. IAM Instance Profile: The EC2 instance requires an IAM instance profile with the AmazonSSMManagedInstanceCore managed policy attached
3. Outbound Connectivity: The instance needs outbound internet access to Systems Manager endpoints, or you can use VPC endpoints for private connectivity
4. User Permissions: Users need IAM permissions to start sessions, typically through the ssm:StartSession action
5. Session Initiation: When a user starts a session, the request goes through Systems Manager, which authenticates and authorizes the request before establishing a secure connection
Key Features and Capabilities
• Port Forwarding: Tunnel traffic from a local port to a remote port on the instance
• Session Logging: Log session data to S3 or CloudWatch Logs for auditing
• Session Document: Customize session preferences using Session documents
• Run As Support: Specify the OS user to run commands as on Linux instances
• Idle Timeout: Configure automatic session termination after periods of inactivity
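The features listed above are all driven by two artefacts: the regional session preferences document (SSM-SessionManagerRunShell) that carries the logging, KMS, Run As and idle-timeout settings, and the start-session call that selects a port-forwarding document. The following is an added example, not code from the page or from AWS: it builds the preferences document with the documented input keys, validates the timeout ranges, and assembles the CLI argument vector for both port-forwarding variants. The bucket, log group, KMS alias, instance ID and host name are constructed placeholders.

```python
"""Session Manager preferences document and port-forwarding invocation.

Added example, not AWS's own code. `session_preferences()` builds the body of
the SSM-SessionManagerRunShell session document that stores a region's session
preferences (S3/CloudWatch logging, KMS encryption, Run As, idle timeout).
`port_forward_argv()` builds the `aws ssm start-session` command that forwards
a local port either to the instance itself or, through the instance, to a host
it can reach (for example a database in a private subnet). All names used in
the __main__ block below are constructed placeholders.
"""
import json
import shlex
from typing import Dict, List, Optional

SESSION_DOCUMENT_NAME = "SSM-SessionManagerRunShell"  # document SSM reads preferences from


def session_preferences(*, log_group: Optional[str] = None,
                        s3_bucket: Optional[str] = None, s3_prefix: str = "",
                        kms_key_id: Optional[str] = None,
                        run_as_user: Optional[str] = None,
                        idle_timeout_minutes: int = 20,
                        max_duration_minutes: Optional[int] = None) -> Dict:
    """Return the JSON body of the session preferences document."""
    if not 1 <= idle_timeout_minutes <= 60:
        raise ValueError("idleSessionTimeout must be between 1 and 60 minutes")
    if max_duration_minutes is not None and not 1 <= max_duration_minutes <= 1440:
        raise ValueError("maxSessionDuration must be between 1 and 1440 minutes")
    inputs = {
        "s3BucketName": s3_bucket or "",
        "s3KeyPrefix": s3_prefix,
        "s3EncryptionEnabled": True,             # require SSE on the bucket
        "cloudWatchLogGroupName": log_group or "",
        "cloudWatchEncryptionEnabled": True,     # require an encrypted log group
        "cloudWatchStreamingEnabled": True,      # stream instead of batch upload
        "kmsKeyId": kms_key_id or "",            # extra KMS encryption of session data
        "runAsEnabled": run_as_user is not None, # Linux: drop to this OS user
        "runAsDefaultUser": run_as_user or "",
        "idleSessionTimeout": str(idle_timeout_minutes),
        "maxSessionDuration": str(max_duration_minutes) if max_duration_minutes else "",
        "shellProfile": {"windows": "", "linux": ""},
    }
    return {
        "schemaVersion": "1.0",
        "description": "Document to hold regional settings for Session Manager",
        "sessionType": "Standard_Stream",
        "inputs": inputs,
    }


def update_document_argv(doc: Dict) -> List[str]:
    """`aws ssm update-document` call that stores the preferences document."""
    return ["aws", "ssm", "update-document", "--name", SESSION_DOCUMENT_NAME,
            "--content", json.dumps(doc), "--document-version", "$LATEST"]


def port_forward_argv(target: str, remote_port: int, local_port: int,
                      remote_host: Optional[str] = None,
                      region: Optional[str] = None) -> List[str]:
    """Build the start-session command for port forwarding.

    Without remote_host the tunnel terminates on the instance
    (AWS-StartPortForwardingSession); with remote_host the instance relays
    to that host (AWS-StartPortForwardingSessionToRemoteHost).
    """
    params = {"portNumber": [str(remote_port)], "localPortNumber": [str(local_port)]}
    if remote_host is None:
        document = "AWS-StartPortForwardingSession"
    else:
        document = "AWS-StartPortForwardingSessionToRemoteHost"
        params = {"host": [remote_host], **params}
    argv = ["aws", "ssm", "start-session", "--target", target,
            "--document-name", document, "--parameters", json.dumps(params)]
    if region:
        argv += ["--region", region]
    return argv


if __name__ == "__main__":
    prefs = session_preferences(log_group="/ssm/sessions", kms_key_id="alias/session-manager",
                                run_as_user="ssm-user", idle_timeout_minutes=15)
    print(json.dumps(prefs, indent=2))
    print(" ".join(shlex.quote(a) for a in update_document_argv(prefs)))
    # Reach a constructed private database endpoint through the instance.
    print(" ".join(shlex.quote(a) for a in port_forward_argv(
        "i-0123456789abcdef0", 5432, 15432, remote_host="db.internal.example")))
```

The user starting the session still needs permission on the chosen document ARN, so restricting which document names a user may pass is how you prevent a shell-only user from opening a port-forwarding tunnel.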
Prerequisites for Session Manager
• SSM Agent version 2.3.68.0 or later installed on the instance
• IAM instance profile with appropriate Systems Manager permissions
• Network connectivity to Systems Manager endpoints (via internet or VPC endpoints)
• IAM permissions for users to initiate sessions
VPC Endpoints for Private Access
For instances in private subnets, create these VPC endpoints, where region is the instance's AWS Region:
• com.amazonaws.region.ssm
• com.amazonaws.region.ssmmessages
• com.amazonaws.region.ec2messages
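The steps under "How Session Manager Works", the prerequisites list and the VPC endpoint list together describe what a connectivity check has to verify. The following added example (not code from the page or from AWS) turns them into an offline diagnostic: it takes the data a practitioner would collect with `aws ssm describe-instance-information` and `aws ec2 describe-vpc-endpoints` and reports which prerequisite is unmet. The instance IDs, role name and endpoint records are constructed sample data, and the agent version floor is the 2.3.68.0 named above.

```python
"""Offline check of the Session Manager prerequisites for one instance.

Added example, not AWS code. `diagnose()` evaluates the InstanceInformationList
entries returned by `aws ssm describe-instance-information` and the VpcEndpoints
entries returned by `aws ec2 describe-vpc-endpoints`, and reports which
prerequisite fails: agent registered and Online, agent version at or above
2.3.68.0, an instance profile attached, and, for a subnet with no internet or
NAT route, the ssm, ssmmessages and ec2messages endpoints present. The sample
responses at the bottom are constructed, not captured from a real account.
"""
from typing import Dict, List, Tuple

MIN_AGENT_VERSION: Tuple[int, ...] = (2, 3, 68, 0)
ENDPOINT_SERVICES = ("ssm", "ssmmessages", "ec2messages")


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.2.985.0' -> (3, 2, 985, 0) so that versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def required_endpoints(region: str) -> List[str]:
    """Service names of the three endpoints a private subnet needs."""
    return [f"com.amazonaws.{region}.{svc}" for svc in ENDPOINT_SERVICES]


def diagnose(instance_id: str, region: str, instance_info: List[Dict],
             vpc_endpoints: List[Dict], private_subnet: bool) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    info = next((i for i in instance_info if i.get("InstanceId") == instance_id), None)
    if info is None:
        # An instance that never registered has no agent, no role, or no route;
        # nothing further can be evaluated from the inventory alone.
        findings.append("instance is not a managed instance: confirm SSM Agent is "
                        "installed and running, the instance profile grants "
                        "AmazonSSMManagedInstanceCore, and the agent can reach "
                        "the ssm and ssmmessages endpoints")
        return findings
    if info.get("PingStatus") != "Online":
        findings.append(f"agent PingStatus is {info.get('PingStatus')!r}: agent "
                        "stopped, or the outbound path to Systems Manager was lost")
    if parse_version(info.get("AgentVersion", "0")) < MIN_AGENT_VERSION:
        findings.append(f"agent version {info.get('AgentVersion')} is below "
                        "2.3.68.0; update SSM Agent before using Session Manager")
    if not info.get("IamRole"):
        findings.append("no IAM role reported; attach an instance profile with "
                        "AmazonSSMManagedInstanceCore")
    if private_subnet:
        available = {e.get("ServiceName") for e in vpc_endpoints
                     if e.get("State") == "available"}
        for name in required_endpoints(region):
            if name not in available:
                findings.append(f"VPC endpoint {name} missing or not available; "
                                "required when the subnet has no internet or NAT route")
    return findings


# Constructed sample responses: the shape of the real CLI output, fictional values.
SAMPLE_INSTANCE_INFO = [
    {"InstanceId": "i-0123456789abcdef0", "PingStatus": "Online",
     "AgentVersion": "3.2.985.0", "IamRole": "SSMInstanceRole", "PlatformType": "Linux"},
    {"InstanceId": "i-0fedcba9876543210", "PingStatus": "ConnectionLost",
     "AgentVersion": "2.3.50.0", "IamRole": "SSMInstanceRole", "PlatformType": "Linux"},
]
SAMPLE_ENDPOINTS = [
    {"ServiceName": "com.amazonaws.us-east-1.ssm", "State": "available"},
    {"ServiceName": "com.amazonaws.us-east-1.ssmmessages", "State": "available"},
    # ec2messages endpoint deliberately absent in the sample
]

if __name__ == "__main__":
    for iid in ("i-0123456789abcdef0", "i-0fedcba9876543210", "i-00000000000000000"):
        result = diagnose(iid, "us-east-1", SAMPLE_INSTANCE_INFO, SAMPLE_ENDPOINTS,
                          private_subnet=True)
        print(iid, "OK" if not result else "\n  - " + "\n  - ".join(result))
```

On a real account, pipe the two CLI outputs into `diagnose()` with the subnet's route table in mind: an instance with a NAT route passes without the endpoints, while a fully private subnet fails until all three endpoints are available.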
Exam Tips: Answering Questions on Systems Manager Session Manager
• Security-Focused Scenarios: When a question mentions eliminating bastion hosts, closing SSH/RDP ports, or improving security posture for remote access, Session Manager is likely the answer
• No Inbound Ports: Remember that Session Manager works with NO inbound ports open - this is a key differentiator from traditional SSH/RDP
• Logging and Compliance: Questions about auditing shell access or tracking user commands point to Session Manager with CloudWatch Logs or S3 logging enabled
• Private Subnet Access: For instances in private subnets requiring remote access, look for answers combining Session Manager with VPC endpoints
• IAM Integration: Session Manager uses IAM for authentication - if a question asks about controlling access to specific instances, think IAM policies with resource-level permissions
• SSM Agent Requirement: If troubleshooting connectivity issues, verify that the SSM Agent is installed and running and that the instance has the proper IAM permissions
• Cost Consideration: Session Manager itself is free; costs come from associated services like CloudWatch Logs storage and VPC endpoints
• Hybrid Environments: Session Manager also works with on-premises servers registered as managed instances - useful for hybrid management scenarios
• Common Distractors: Do not confuse Session Manager with Run Command (for executing commands remotely) or Patch Manager (for patching) - Session Manager is specifically for interactive shell access
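The "IAM Integration" tip above and the "User Permissions" step earlier both come down to one policy shape: a user may start sessions only on instances that carry a particular tag, only with the standard shell document, and may resume or terminate only sessions they started. The following is an added example, not a policy from the page or from AWS: it builds that policy and includes a deliberately simplified local evaluator that shows why both the instance ARN and the document ARN must be allowed. The evaluator is not IAM (it handles only the tag condition and resource matching); the account ID, Region and tag values are constructed placeholders.

```python
"""Least-privilege Session Manager user policy with a local permission check.

Added example, not AWS-provided code. `session_user_policy()` returns an IAM
policy that allows ssm:StartSession only on tagged instances and only with
the SSM-SessionManagerRunShell document, plus the describe calls the console
and CLI need and resume/terminate on the caller's own sessions.
`permits_start_session()` is a simplified evaluator used here only to
illustrate resource-level permissions; it is not a substitute for IAM.
"""
import fnmatch
import json
from typing import Dict, List

SHELL_DOCUMENT = "SSM-SessionManagerRunShell"


def session_user_policy(account: str, region: str, tag_key: str, tag_value: str) -> Dict:
    """Build the policy document for a user restricted to tagged instances."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Instances: only those carrying tag_key=tag_value, and require
                # that the chosen session document is also authorised.
                "Sid": "StartOnTaggedInstances",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": f"arn:aws:ec2:{region}:{account}:instance/*",
                "Condition": {
                    "StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value},
                    "BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"},
                },
            },
            {   # Documents: the standard shell only (no port-forwarding documents).
                "Sid": "StandardShellOnly",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": f"arn:aws:ssm:{region}:{account}:document/{SHELL_DOCUMENT}",
            },
            {   # Read-only calls needed to list targets and sessions.
                "Sid": "Describe",
                "Effect": "Allow",
                "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                           "ssm:DescribeInstanceProperties", "ec2:DescribeInstances"],
                "Resource": "*",
            },
            {   # Session IDs carry the user name, so this scopes to own sessions.
                "Sid": "OwnSessionsOnly",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
        ],
    }


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def permits_start_session(policy: Dict, instance_arn: str,
                          instance_tags: Dict[str, str], document_arn: str) -> bool:
    """Simplified check: both the instance and the document must be allowed.

    Only Allow statements, '*' wildcards in Resource, and StringEquals
    conditions on ssm:resourceTag/<key> are evaluated (an assumption of this
    example; real IAM evaluates far more).
    """
    instance_ok = document_ok = False
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow" or "ssm:StartSession" not in _as_list(statement["Action"]):
            continue
        resources = _as_list(statement["Resource"])
        tag_conditions = statement.get("Condition", {}).get("StringEquals", {})
        tags_match = all(
            instance_tags.get(key.split("/", 1)[1]) == value
            for key, value in tag_conditions.items() if key.startswith("ssm:resourceTag/")
        )
        if tags_match and any(fnmatch.fnmatchcase(instance_arn, r) for r in resources):
            instance_ok = True
        if any(fnmatch.fnmatchcase(document_arn, r) for r in resources):
            document_ok = True
    return instance_ok and document_ok


if __name__ == "__main__":
    # Constructed placeholders: account, Region and tag values are fictional.
    policy = session_user_policy("111122223333", "us-east-1", "Environment", "dev")
    print(json.dumps(policy, indent=2))
    instance = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
    shell = f"arn:aws:ssm:us-east-1:111122223333:document/{SHELL_DOCUMENT}"
    print("dev + shell:", permits_start_session(policy, instance, {"Environment": "dev"}, shell))
    print("prod + shell:", permits_start_session(policy, instance, {"Environment": "prod"}, shell))
```

The document statement is what makes the tag restriction meaningful: with ssm:SessionDocumentAccessCheck set, a user who is allowed on the instance but not on AWS-StartPortForwardingSession cannot open a tunnel from that instance, which is the resource-level control the exam tip refers to.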