# Going Bastion-less: Accessing Private EC2 instance with Session Manager
- Can be used to reach instances in private subnets that allow no ingress from the internet: no inbound connection from the internet into your environment is required.
- AWS Systems Manager (SSM) Session Manager can open a shell on your instances through its native service, or act as a tunnel for other protocols such as Secure Shell (SSH) or RDP.
- It can log the commands issued during an interactive session, along with their output, to S3 and/or CloudWatch Logs. This applies to the native shell only: bytes tunnelled through a port-forwarding session (for example an SSH connection) are not captured, only the session start and end (which also appear in CloudTrail).
- Shell access is controlled entirely by Identity and Access Management (IAM) policies, so no SSH keys need to be managed for the native shell. (If you tunnel SSH through Session Manager, as shown below, sshd on the instance still authenticates you with its own key pair.)
- The user needs neither a bastion host nor a public IP on the instance.
- No inbound ports need to be opened in the security groups.
- With a bastion host instead, you must allow an SSH inbound rule (port 22) at the bastion.
- You must also open port 22 on the private EC2 instance's security group to the bastion.
- You must manage the SSH key credentials of your users: generate a key pair for each user, or hand out copies of one shared key (which loses per-user accountability and makes revocation hard).
- Cost: the bastion host is a running EC2 instance and is billed as one.
- Create an IAM role for the instance (named SSM-Port-Forwarding in this example) and attach the AWS managed policy AmazonSSMManagedInstanceCore to it; this is what lets the SSM Agent on the instance register with Systems Manager.


- Security group: only outbound traffic is allowed here, and only what the agent needs: TCP 443 to the Systems Manager endpoints. From a private subnet that reaches the internet through a NAT gateway this is the public endpoint; with no internet path at all, use VPC interface endpoints for ssm, ssmmessages and ec2messages. No inbound rule is required.
- Install the Session Manager plugin for the AWS CLI:
https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-debian-and-ubuntu.html
- Run `aws configure` so the AWS CLI has credentials for the profile you will use (AWS-LGTICW below).
- Session Manager port-forwarding command (forwards local port 9091 to port 22, sshd, on the instance; use 3389 as portNumber for RDP instead):
aws --profile AWS-LGTICW --region us-east-1 ssm start-session --target <instance-id> --document-name AWS-StartPortForwardingSession --parameters '{"portNumber": ["22"], "localPortNumber": ["9091"]}'
- With the tunnel up, connect to the forwarded local port using the instance's key pair:
ssh -i lgticw.pem ec2-user@localhost -p 9091
- Avoid `-o StrictHostKeyChecking=no` here. It silences the "host key has changed" error you get because every tunnelled instance appears as localhost:9091, but it also disables host-key verification entirely. Keep verification on and key the known_hosts entry by instance instead:
ssh -o HostKeyAlias=<instance-id> -i lgticw.pem ec2-user@localhost -p 9091
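As an added example (not part of the original notes), a small wrapper in the shell the procedure is typed into: it validates the instance ID and ports before opening the port-forwarding tunnel, and can also emit an ssh_config stanza that uses the AWS-StartSSHSession document as ProxyCommand, so ssh addresses the instance by ID, known_hosts stays per-instance, and StrictHostKeyChecking stays on. Profile AWS-LGTICW, region us-east-1, user ec2-user and key lgticw.pem are taken from the notes; the script name, the key location, the function names and the `tunnel`/`config` subcommands are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: wrapper around the SSM
# port-forwarding / SSH-over-SSM procedure with input validation.
# Usage (assumed subcommand names):
#   ./ssm-ssh.sh tunnel <instance-id> <local-port> [remote-port]
#   ./ssm-ssh.sh config  >> ~/.ssh/config

PROFILE="AWS-LGTICW"         # profile and region from the notes
REGION="us-east-1"
SSH_USER="ec2-user"
SSH_KEY="~/.ssh/lgticw.pem"  # assumed location of the key named in the notes

# EC2 instance IDs are "i-" followed by 8 or 17 lowercase hex characters.
valid_instance_id() {
  printf '%s\n' "$1" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# A port is an integer in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The local end must be unprivileged (>1023) so no root is needed to bind it.
valid_local_port() {
  valid_port "$1" && [ "$1" -gt 1023 ]
}

# Build the aws CLI invocation as a string so it can be reviewed before it
# runs. Remote port defaults to 22 (sshd); pass 3389 for RDP.
port_forward_cmd() {
  id="$1"; lport="$2"; rport="${3:-22}"
  valid_instance_id "$id"   || { echo "invalid instance id: $id" >&2; return 1; }
  valid_local_port "$lport" || { echo "invalid local port: $lport" >&2; return 1; }
  valid_port "$rport"       || { echo "invalid remote port: $rport" >&2; return 1; }
  params="'{\"portNumber\":[\"$rport\"],\"localPortNumber\":[\"$lport\"]}'"
  printf 'aws --profile %s --region %s ssm start-session --target %s --document-name AWS-StartPortForwardingSession --parameters %s\n' \
    "$PROFILE" "$REGION" "$id" "$params"
}

# ssh_config stanza: ssh addresses the instance by ID and SSM carries the
# bytes (AWS-StartSSHSession document), so known_hosts is keyed per instance
# and StrictHostKeyChecking can stay at its default. "mi-*" covers hybrid
# (managed) nodes, which use the same document.
ssh_config_stanza() {
  cat <<EOF
Host i-* mi-*
    User $SSH_USER
    IdentityFile $SSH_KEY
    ProxyCommand sh -c "aws --profile $PROFILE --region $REGION ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# Dispatch: no arguments means the functions are only defined, nothing runs.
case "${1:-}" in
  tunnel) cmd=$(port_forward_cmd "$2" "$3" "${4:-22}") || exit 1
          echo "$cmd"; eval "$cmd" ;;
  config) ssh_config_stanza ;;
esac
```

After appending the `config` output to `~/.ssh/config`, `ssh i-0123456789abcdef0` connects without any tunnel command or `-p` flag, and the first-connection host key is recorded under the instance ID rather than under localhost.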





