Step 8: (Optional) Allow and control permissions for SSH connections through Session Manager - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

You can allow users in your Amazon Web Services account to use the Amazon Command Line Interface (Amazon CLI) to establish Secure Shell (SSH) connections to managed nodes using Amazon Systems Manager Session Manager. Users who connect using SSH can also copy files between their local machines and managed nodes using Secure Copy Protocol (SCP). You can use this functionality to connect to managed nodes without opening inbound ports or maintaining bastion hosts.

After allowing SSH connections, you can use Amazon Identity and Access Management (IAM) policies to explicitly allow or deny users, groups, or roles to make SSH connections using Session Manager.

Note

Logging isn't available for Session Manager sessions that connect through port forwarding or SSH. This is because SSH encrypts all session data, and Session Manager only serves as a tunnel for SSH connections. The StartSession API call itself is still recorded by CloudTrail, so you can see who opened a session to which managed node and when, but not the commands run or the files copied inside it.

Allowing SSH connections for Session Manager

Use the following steps to allow SSH connections through Session Manager on a managed node.

To allow SSH connections for Session Manager
  1. On the managed node to which you want to allow SSH connections, do the following:

  2. On the local machine from which you want to connect to a managed node using SSH, do the following:

    • Ensure that version 1.1.23.0 or later of the Session Manager plugin is installed.

      For information about installing the Session Manager plugin, see Install the Session Manager plugin for the Amazon CLI.

    • Update the SSH configuration file to allow running a proxy command that starts a Session Manager session and transfers all data through the connection.

      Linux and macOS

      Tip

      The SSH configuration file is typically located at ~/.ssh/config.

      Add the following to the configuration file on the local machine.

      # SSH over Session Manager
      host i-* mi-*
          ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

      Windows

      Tip

      The SSH configuration file is typically located at C:\Users\<username>\.ssh\config.

      Add the following to the configuration file on the local machine.

      # SSH over Session Manager
      host i-* mi-*
          ProxyCommand C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p"
    • Create or verify that you have the private key (a PEM file) of a key pair whose public key is already authorized on the managed node. For example, for an Amazon Elastic Compute Cloud (Amazon EC2) instance, this is the key pair you created or selected when you launched the instance. The permissions of your private key file must be set so that only you can read it. On Linux and macOS you can use the following command to do that; on Windows, restrict the file's ACL to your own account instead.

      chmod 400 <my-key-pair>.pem

      You specify the path to the private key as part of the ssh command that starts the session (the -i option). For information about starting a session using SSH, see Starting a session (SSH).
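The ProxyCommand lines above hand whatever ssh substitutes for %h and %p straight to the aws CLI. The following wrapper script is an added example, not part of the Amazon documentation: it performs the same start-session call, but only after checking that the target looks like an EC2 instance ID (i-…) or hybrid node ID (mi-…) and that the port is a valid TCP port, and it lets you pick the Region from an optional ".<region>" host suffix (that naming convention is this script's own assumption, not an SSH or Session Manager feature). The node IDs and Region in the comments are constructed placeholders.

```shell
#!/bin/sh
# ssm-ssh-proxy.sh: validating ProxyCommand wrapper for SSH over Session Manager.
# Added example; not part of the AWS documentation. The "<node-id>.<region>"
# host naming convention (for example i-0123456789abcdef0.cn-north-1) is this
# script's own assumption, not an SSH or Session Manager feature.
#
# ~/.ssh/config entry that uses it (same host pattern as the documentation):
#   host i-* mi-*
#       ProxyCommand sh /path/to/ssm-ssh-proxy.sh %h %p

# Split "<target>[.<region>]" and accept only well-formed node IDs and Region
# names, so nothing unexpected from the ssh command line reaches the aws CLI.
# Prints "<target> <region>" (region may be empty); returns 1 on any mismatch.
ssm_parse_target() {
    host=$1
    case "$host" in
        *.*) target=${host%%.*}; region=${host#*.} ;;
        *)   target=$host;       region= ;;
    esac
    # EC2 instance IDs are i- plus 8 or 17 hex digits; hybrid nodes are mi- plus 17.
    printf '%s\n' "$target" | grep -Eq '^(i|mi)-[0-9a-f]{8,17}$' || return 1
    if [ -n "$region" ]; then
        printf '%s\n' "$region" | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]$' || return 1
    fi
    printf '%s %s\n' "$target" "$region"
}

# Accept only a numeric TCP port in 1..65535.
ssm_port_ok() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the aws CLI command line for a validated host/port pair. Returns 1
# (and prints nothing) if either argument fails validation.
ssm_proxy_cmd() {
    parsed=$(ssm_parse_target "$1") || return 1
    port=$2
    ssm_port_ok "$port" || return 1
    target=${parsed%% *}
    region=${parsed#* }
    cmd="aws ssm start-session --target $target --document-name AWS-StartSSHSession --parameters portNumber=$port"
    if [ -n "$region" ]; then
        cmd="$cmd --region $region"
    fi
    printf '%s\n' "$cmd"
}

# When ssh runs this file as the ProxyCommand it passes exactly two arguments
# (%h %p). Refuse anything that does not validate; otherwise replace this shell
# with the aws CLI so that stdin/stdout become the SSH tunnel.
if [ "$#" -eq 2 ]; then
    cmd=$(ssm_proxy_cmd "$1" "$2") || { echo "ssm-ssh-proxy: refusing target '$1' port '$2'" >&2; exit 1; }
    exec $cmd   # unquoted on purpose: every word was validated above
fi
```

With the entry in place, "ssh -i my-key-pair.pem ec2-user@i-0123456789abcdef0.cn-north-1" (node ID and Region are placeholders) tunnels through Session Manager in that Region, and "scp" works the same way. You can also put User and IdentityFile directives in the same host block so the key path does not have to be repeated on every command. The script is POSIX sh, so it is for the Linux and macOS configuration; the Windows configuration above still needs the PowerShell form.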

Controlling user permissions for SSH connections through Session Manager

After you enable SSH connections through Session Manager on a managed node, you can use IAM policies to allow or deny users, groups, or roles the ability to make SSH connections through Session Manager.

To use an IAM policy to allow SSH connections through Session Manager
  • Use one of the following options:

    • Option 1: Open the IAM console at https://console.amazonaws.cn/iam/.

      In the navigation pane, choose Policies, and then update the permissions policy for the user or role you want to allow to start SSH connections through Session Manager.

      For example, add the following element to the Quickstart policy you created in Quickstart end user policies for Session Manager. Replace each example resource placeholder with your own information.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [
              "arn:aws-cn:ec2:region:account-id:instance/instance-id",
              "arn:aws-cn:ssm:*:*:document/AWS-StartSSHSession"
            ],
            "Condition": {
              "BoolIfExists": {
                "ssm:SessionDocumentAccessCheck": "true"
              }
            }
          }
        ]
      }
    • Option 2: Attach an inline policy to a user policy by using the Amazon Web Services Management Console, the Amazon CLI, or the Amazon API.

      Using the method of your choice, attach the policy statement in Option 1 to the policy for an Amazon user, group, or role.

      For information, see Adding and Removing IAM Identity Permissions in the IAM User Guide.

To use an IAM policy to deny SSH connections through Session Manager
  • Use one of the following options:

    • Option 1: Open the IAM console at https://console.amazonaws.cn/iam/. In the navigation pane, choose Policies, and then update the permissions policy for the user or role to block from starting Session Manager sessions.

      For example, add the following element to the Quickstart policy you created in Quickstart end user policies for Session Manager. Because an explicit Deny takes precedence over any Allow, this statement blocks SSH sessions for the principal even if another policy grants ssm:StartSession on the AWS-StartSSHSession document. The Condition block belongs inside the statement, next to Effect, Action, and Resource.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "VisualEditor1",
            "Effect": "Deny",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws-cn:ssm:*:*:document/AWS-StartSSHSession",
            "Condition": {
              "BoolIfExists": {
                "ssm:SessionDocumentAccessCheck": "true"
              }
            }
          }
        ]
      }
    • Option 2: Attach an inline policy to a user policy by using the Amazon Web Services Management Console, the Amazon CLI, or the Amazon API.

      Using the method of your choice, attach the policy statement in Option 1 to the policy for an Amazon user, group, or role.

      For information, see Adding and Removing IAM Identity Permissions in the IAM User Guide.