AWS SSM Instead of SSH to Access EC2 Instances

May 04, 2025

In Amazon Web Services (AWS), the need to manage multiple instances of Amazon Elastic Compute Cloud (EC2) instances effectively has led to the development of various tools to simplify the process. One such tool is the AWS Systems Manager (SSM), which enables users to manage EC2 instances, as well as other AWS resources, using a single interface. One of the most powerful features of SSM is the ability to perform SSH-less login to EC2 machines, which we will explore in this blog.

Simple Systems Manager Setup

To use SSM for SSH-less login, follow the steps below:

Security Group for EC2 Instance: The minimum traffic you need to allow for SSM access to work is to add an Outbound HTTPS (port 443) in the security group for EC2 instance.

Create an IAM Role: To use SSM to log in to EC2 instances, you must first create an IAM role with the required permissions. The role must have the AmazonSSMManagedInstanceCore policy attached to it, which allows SSM to access the EC2 instances.

Install SSM Agent: After creating the IAM role, you need to install the SSM agent on each EC2 instance you want to access using SSM. The SSM agent is pre-installed on Amazon Linux 2 and Amazon Linux AMIs, but you must install it manually on other instances.

Cloudformation Config for instance

  EC2DevIamRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ${AWS::StackName}-iam-role
      Description: "SSM IAM EC2 Instance Role."
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
               - ec2.amazonaws.com
            Action:
             - 'sts:AssumeRole'
      Path: /

  EC2DevInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: !Sub ${AWS::StackName}-instance-profile
      Roles: [!Ref EC2DevIamRole]


  PrivateServerInstance1:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref UbuntuAMIId
      #ImageId: !Ref AMIId
      IamInstanceProfile: !Ref EC2DevInstanceProfile
      InstanceType: !Ref DefaultInstancdType
      KeyName: !Ref KeyName
      SubnetId: !Ref PrivateSubnet1
      SecurityGroupIds:
        - !Ref BaseSecurityGroup
      UserData:
        Fn::Base64:
          !Sub |
             #!/bin/bash -xe
             hostnamectl set-hostname privsvr01
             apt update
             apt upgrade
             apt install -y wget
             mkdir /tmp/ssm
             cd /tmp/ssm
             wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
             dpkg -i amazon-ssm-agent.deb
             systemctl enable amazon-ssm-agent
             systemctl start amazon-ssm-agent
      Tags:
      - Key: Name
        Value: !Join [".", [privsvr01, !Ref paramUniqueName,!Ref DomainName]]
      - Key: environment
        Value: !Ref paramUniqueName

Note: For rpm based distribution, use the appropriate package

Install SSM Session Manager Plugin: After installing the agent, you need to install and configure the plugin locally

Ubuntu/Debian

curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" -o "session-manager-plugin.deb"
sudo dpkg -i session-manager-plugin.deb

RHEL Distros

sudo dnf install -y https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm

Test Connection

Test SSM Connection

aws ssm start-session --target i-05a0e2db2412424b7

References

• SSM Agent Install
• SSM Plugin Install