How do I use Session Manager to control access to my instances?

I want to control access to my instances so that users can start a session with Session Manager, a capability of AWS Systems Manager.

Short description

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Use Session Manager to manage Amazon Elastic Compute Cloud (Amazon EC2) instances or on-premises instances. Session Manager connects through a browser-based shell, or through the AWS CLI.

Use Identity and Access Management (IAM) policies to control the users who can use Session Manager to access your instance. The IAM policy also controls the API actions that the users can perform.

Prerequisites:

Resolution

To allow users to connect to Session Manager, use the example JSON document at Example 2: Restrict access to specific managed nodes to create an IAM policy. The IAM policy grants StartSession access to the IAM user that you specify.

Note: The Amazon Resource Name (ARN) in the example policy uses the AWS Region us-east-1 and includes placeholders for the instance ID and account ID. Replace instance ID with your instance's ID. Replace account ID with your AWS account ID.

Then, attach the IAM policy to the user that must connect to Session Manager.
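
The create-and-attach step described above, as an added example that is not from the original article or from AWS's documentation. It assumes a policy shape scoped to a single EC2 instance and the default SSM-SessionManagerRunShell session document; the function names, policy name, user name, account ID and instance ID are constructed placeholders.

```shell
#!/bin/sh
# Added example (not AWS's own code). The values in the usage line at the
# bottom are constructed placeholders.

# Accept only lowercase letters, digits and '-' (so no '*', '/' or newlines),
# then require the whole value to match the extended regex in $2.
valid() {
  case "$1" in ''|*[!a-z0-9-]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eqx -- "$2"
}

# Print a policy that allows ssm:StartSession on exactly one EC2 instance.
# Args: region account-id instance-id
build_session_policy() {
  valid "$1" '[a-z]{2}(-[a-z]+)+-[0-9]+' || { echo "bad region: $1" >&2; return 1; }
  valid "$2" '[0-9]{12}' || { echo "bad account ID: $2" >&2; return 1; }
  valid "$3" 'i-([0-9a-f]{8}|[0-9a-f]{17})' || { echo "bad instance ID: $3" >&2; return 1; }
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:$1:$2:instance/$3",
        "arn:aws:ssm:$1:$2:document/SSM-SessionManagerRunShell"
      ],
      "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:username}-*"
    }
  ]
}
EOF
}

# Create the policy and attach it to one IAM user.
# Args: user-name policy-name region account-id instance-id
apply_session_policy() {
  doc=$(build_session_policy "$3" "$4" "$5") || return 1
  arn=$(aws iam create-policy --policy-name "$2" --policy-document "$doc" \
        --query 'Policy.Arn' --output text) || return 1
  aws iam attach-user-policy --user-name "$1" --policy-arn "$arn"
}

# Usage: sh session-policy.sh example-user SessionOneInstance us-east-1 123456789012 i-0123456789abcdef0
if [ "$#" -eq 5 ]; then apply_session_policy "$@"; fi
```

The input check rejects a wildcard or malformed instance ID before any policy is created, so the StartSession grant cannot silently widen to every managed node in the account.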

Use the AWS CLI to connect to Session Manager

Prerequisite: Install the Session Manager plugin for the AWS CLI.

Run the following start-session command to connect to Session Manager:

aws ssm start-session --target instance-id

Note: Replace instance-id with the ID of the instance that the user wants to start a session with.

Start a session with Amazon EC2

To allow a user to start a session with Amazon EC2 in the AWS Management Console, attach the following AWS managed policies to that user:

Related information

Additional sample IAM policies for Session Manager

AWS managed policies for AWS Systems Manager

Start a session

How AWS Systems Manager works with IAM

Systems Manager IAM roles