
How can I use Session Manager to control access to my instances?


I want to control access to my instances so that only certain users can start a session with Session Manager, a capability of AWS Systems Manager.

Short description

Use Session Manager to manage your Amazon Elastic Compute Cloud (Amazon EC2) instance or on-premises instance. Session Manager connects through a browser-based shell, or through the AWS Command Line Interface (AWS CLI).

Use AWS Identity and Access Management (IAM) policies to control which users can use Session Manager to access the instance. The same IAM policy also controls which API actions those users can perform.

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Prerequisites:

Resolution

To allow users to connect through Session Manager, first create an IAM policy that grants StartSession access to the IAM user. Then, attach the IAM policy to the IAM user.

Complete the following steps:

  1. Open the IAM console.
  2. In the navigation pane, under Access management, choose Policies.
  3. Choose Create policy, and then choose the JSON tab.
  4. Copy the Restrict access to specific managed nodes sample JSON document, and then paste the policy into the JSON tab in the console.
    Important: The resource ARN in the example policy uses the us-east-2 AWS Region and includes placeholders for the instance ID and account ID. Replace these values with your own.
  5. Choose Next.
  6. On the Review and create page, enter the following information:
    For Policy name, enter a name for your policy.
    (Optional) For Description, enter a description for the policy.
  7. Choose Create policy.
  8. Attach the IAM policy to the user.

Users who have access can run the following command to initiate the start-session API call:

aws ssm start-session --target instance-id

Note: Replace instance-id with the instance ID that the user wants to start a session for.
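The following is an added example and is not code from the re:Post article or from AWS. It builds a policy document in the same shape as the AWS documentation's "Restrict access to specific managed nodes" sample (StartSession allowed only on the listed instance ARNs plus the default session document, and TerminateSession/ResumeSession allowed only on the caller's own sessions), and then lints a policy for the mistake that defeats the whole exercise: a StartSession statement whose Resource is "*" or an instance ARN with a wildcard instance ID. The account ID, Region and instance ID are constructed placeholders; the default document name SSM-SessionManagerRunShell and the ${aws:username} session-ARN prefix are taken from the AWS sample, not from this page.

```python
"""Build and lint a least-privilege Session Manager IAM policy.

Added example, not the article's own code. The policy shape mirrors the AWS
documentation sample "Restrict access to specific managed nodes"; the account
ID, Region and instance IDs used below are constructed placeholders.
"""
from __future__ import annotations

import json
from fnmatch import fnmatchcase


def build_session_policy(region: str, account_id: str, instance_ids: list[str]) -> dict:
    """Return an IAM policy document that lets a user start sessions only on
    the listed instances, and end or resume only sessions they started."""
    instance_arns = [
        f"arn:aws:ec2:{region}:{account_id}:instance/{iid}" for iid in instance_ids
    ]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartOnListedInstancesOnly",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                # StartSession is authorized against both the target instance
                # ARN and the session document ARN, so both must be listed.
                "Resource": instance_arns
                + [f"arn:aws:ssm:{region}:{account_id}:document/SSM-SessionManagerRunShell"],
            },
            {
                "Sid": "ManageOwnSessionsOnly",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                # Session IDs are prefixed with the caller's user name, so this
                # pattern limits the user to sessions they opened themselves.
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
        ],
    }


def _as_list(value) -> list:
    """IAM allows Action/Resource to be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _grants_start_session(actions: list[str]) -> bool:
    """True if any action pattern (e.g. "ssm:*", "*") covers ssm:StartSession.
    IAM action names are case-insensitive, so compare in lower case."""
    return any(fnmatchcase("ssm:startsession", a.lower()) for a in actions)


def _is_instance_wildcard(resource: str) -> bool:
    """True for "*" or for an EC2 instance ARN whose instance segment contains
    a wildcard (instance/*, instance/i-0abc*)."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[2] != "ec2":
        return False  # documents and sessions are not instance targets
    return "*" in parts[5]


def find_overbroad_start_session(policy: dict) -> list[str]:
    """Return the Resource entries of Allow statements that would let
    ssm:StartSession reach every instance. Empty list means the policy is
    scoped to specific instances as the article intends."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _grants_start_session(_as_list(stmt.get("Action", []))):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if _is_instance_wildcard(resource):
                findings.append(resource)
    return findings


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own Region, account
    # and instance IDs before creating the policy in the IAM console.
    policy = build_session_policy("us-east-2", "123456789012", ["i-1234567890EXAMPLE"])
    print(json.dumps(policy, indent=4))
    print("overbroad StartSession resources:", find_overbroad_start_session(policy))
    # A user attached to this policy then connects with:
    #   aws ssm start-session --target i-1234567890EXAMPLE
```

Run the script to print a policy you can paste into the JSON tab of the IAM console; run find_overbroad_start_session against any policy document you already have attached to see whether its StartSession grant is actually limited to specific instances.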

To allow users to use the Amazon EC2 console to start a session, attach the following AWS managed policies to the user:

  • AmazonSSMReadOnlyAccess
  • AmazonEC2ReadOnlyAccess

Related information

Additional sample IAM policies for Session Manager

Start a session

Create IAM policies (console)

How AWS Systems Manager works with IAM

AWS Systems Manager managed policies

AWS OFFICIAL
Updated 3 months ago