This is another way to grant shell access to EC2 instances: through Session Manager instead of SSH with a key pair, which is still the most common approach. Session Manager needs no open inbound port and no key distribution, and access is controlled entirely by IAM.
1. Create a Policy
The policy below can be attached to an IAM group. Users in that group will then be able to start a session on any instance that carries the tag “Environment”: “Development”. For production access, make a second copy of the policy whose condition matches “Production” and attach it to a separate group. Note that the TerminateSession statement relies on the ${aws:username} policy variable, which is only populated for IAM users, not for roles or federated identities; for those principals the statement grants nothing.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SessionManagerConsoleAccess",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ssm:GetConnectionStatus",
        "ssm:DescribeInstanceInformation",
        "ssm:DescribeSessions",
        "ssm:DescribeInstanceProperties"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SessionManagerAllowedInstances",
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/Environment": "Development"
        }
      }
    },
    {
      "Sid": "SessionManagerTerminalSession",
      "Effect": "Allow",
      "Action": "ssm:TerminateSession",
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    }
  ]
}
2. Create EC2 Role
We need to create an IAM role that the EC2 instance will assume. I have named mine AmazonSSMRoleForInstances. Attach the AWS managed policy AmazonSSMManagedInstanceCore to it, then attach the role (as an instance profile) to the instance(s). This is what lets the SSM Agent on the instance register with Systems Manager; without it the instance never appears as a managed instance and no session can be started.
3. Install SSM Agent
SSM Agent must be running on the instance for Session Manager to reach it. It is preinstalled on Amazon Linux, Amazon Linux 2 and recent Ubuntu Server AMIs; on other operating systems install it following the AWS documentation linked above, which explains it all. Once the agent has registered, the instance shows up as a managed instance in the Systems Manager console.
4. Testing
To test this, create a new IAM user and add them to the group that has the policy above attached. Then add the tag “Environment”: “Development” to an existing instance, or launch a new one with that tag. I will be testing on an EC2 instance launched from a stock AMI.
The screenshot below shows how to connect to the instance from the Session Manager console: choose Start session, pick the instance, and a new browser tab opens with a terminal. Kinda cool. You can also reach the same kind of session from the EC2 console (Connect, then the Session Manager tab) or from the AWS CLI (the ssm start-session command, which needs the Session Manager plugin installed locally). A quick negative test is worth doing too: tag a second instance “Environment”: “Production” and confirm the same user cannot start a session on it.
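To see why the policy above behaves the way it does before touching a real account, here is an added example (not code from the original post or from AWS) that evaluates the post's policy locally against a handful of constructed requests. It models only the subset of IAM evaluation this policy relies on: default deny, Allow statements, the “*” and “?” wildcards in Action, Resource and StringLike values, condition keys read from a request context, and ${aws:username} substitution. Explicit Deny, SCPs, permission boundaries and resource policies are out of scope. The user name alice, the account, region, instance and session IDs, and the is_allowed evaluator are all assumptions made for the example.

```python
"""Local check of the tag-scoped Session Manager policy from the post.

Added example, not code from the original post or from AWS. Models only the
subset of IAM evaluation this policy relies on: default deny, Allow statements,
'*'/'?' wildcards in Action, Resource and StringLike values, condition keys read
from a request context, and ${aws:username} substitution.
"""
import re

def session_manager_policy(environment):
    """The post's policy as a dict, parameterised on the Environment tag value
    so the Development and Production copies come from one place."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SessionManagerConsoleAccess",
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ssm:GetConnectionStatus",
                           "ssm:DescribeInstanceInformation", "ssm:DescribeSessions",
                           "ssm:DescribeInstanceProperties"],
                "Resource": "*",
            },
            {
                "Sid": "SessionManagerAllowedInstances",
                "Effect": "Allow",
                "Action": ["ssm:StartSession"],
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {"StringLike": {"ssm:resourceTag/Environment": environment}},
            },
            {
                "Sid": "SessionManagerTerminalSession",
                "Effect": "Allow",
                "Action": "ssm:TerminateSession",
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value):
    """IAM-style match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _substitute(text, context):
    """Resolve ${key} policy variables. A variable the request context lacks
    (aws:username is absent for roles and federated identities) stays literal,
    so the pattern matches no real ARN, which is also what IAM does."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), text)

def _condition_ok(condition, context):
    for operator, pairs in condition.items():
        if operator != "StringLike":  # the only operator this policy uses
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            actual = context.get(key)
            if actual is None:  # key missing from the request: condition fails
                return False
            if not any(_glob(_substitute(p, context), actual) for p in _as_list(patterns)):
                return False
    return True

def is_allowed(policy, action, resource, context):
    """Default deny; an Allow statement whose Action, Resource and Condition all
    match grants the request. `context` holds condition keys and variables."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(_substitute(r, context), resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        return True
    return False

DEV_POLICY = session_manager_policy("Development")
# Constructed sample ARNs: account, region, instance and session IDs are invented.
INSTANCE = "arn:aws:ec2:eu-west-1:111111111111:instance/i-0123456789abcdef0"
OWN_SESSION = "arn:aws:ssm:eu-west-1:111111111111:session/alice-0a1b2c3d4e5f6a7b"
BOBS_SESSION = "arn:aws:ssm:eu-west-1:111111111111:session/bob-0a1b2c3d4e5f6a7b"
ALICE = {"aws:username": "alice"}  # what IAM puts in the context for an IAM user

def demo():
    """The requests a tester would try, as {description: allowed}."""
    dev = {**ALICE, "ssm:resourceTag/Environment": "Development"}
    prod = {**ALICE, "ssm:resourceTag/Environment": "Production"}
    return {
        "list instances in the console": is_allowed(DEV_POLICY, "ec2:DescribeInstances", "*", ALICE),
        "start session on a Development instance": is_allowed(DEV_POLICY, "ssm:StartSession", INSTANCE, dev),
        "start session on a Production instance": is_allowed(DEV_POLICY, "ssm:StartSession", INSTANCE, prod),
        "start session on an untagged instance": is_allowed(DEV_POLICY, "ssm:StartSession", INSTANCE, ALICE),
        "terminate own session": is_allowed(DEV_POLICY, "ssm:TerminateSession", OWN_SESSION, ALICE),
        "terminate bob's session": is_allowed(DEV_POLICY, "ssm:TerminateSession", BOBS_SESSION, ALICE),
        "terminate via a role (no aws:username)": is_allowed(DEV_POLICY, "ssm:TerminateSession", OWN_SESSION, {}),
    }

if __name__ == "__main__":
    for what, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY':5}  {what}")
```

Two results are worth pausing on. An untagged instance is denied, because a condition whose key is missing from the request simply fails to match, so forgetting the tag fails closed rather than open. And a principal that comes in through a role gets no TerminateSession grant at all, since ${aws:username} never resolves. For a check against the real evaluation engine, including explicit denies and SCPs, the AWS CLI's aws iam simulate-custom-policy takes the policy JSON and lets you supply the tag condition key through --context-entries.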
The video below also walks through the approach above, probably in more detail.