nSights Talks

Connect Amazon EC2 Instances Using Session Manager

Tutorial Highlights & Transcript

00:00 - Connect EC2 using Session Manager
Hello, everyone, the topic that I’m going to present today is basically how you can use Session Manager to connect to your EC2 instance. Let’s get started.

What I’m going to discuss is what it is, the advantage of using it, and how we can differentiate it from regular SSH tunneling. As I said earlier, basic Session Manager is used to connect to your EC2 instance, just like SSH that we use. The key difference between both of them is that using SSH, you need to have a couple of things required like you must have both 22 available. Also, you need to have a key pair value, as well. But in the case of a Session Manager, you don’t need any kind of code to access it. Nor do you need any kind of key pair. The only thing that is required here is some IAM permissions attached to your role, like this one, which is AmazonSSMManagedInstanceCore. That’s all you need in order to connect with it. By doing that, we in a way set up an extra layer of security. As there is no key involved or no ports involved. It makes it more secure.

01:31 - Prerequisites
There are some prerequisites in order to access the Session Manager which is an SSM agent which actually handles everything there. In order for a Session Manager to work and perform this operation, you need to have this already installed on your machine. Also, if you are choosing your local laptop PC, it should be there, as well. AWS provides a certain list of AMIs that we can use in order to pair this SSM agent. It is already pre-installed. These are some of the Amazon Linux images, Ubuntu images, and a couple of Windows servers images. Here, the SMM agent is already pre-installed. In other cases, if you want to use an SSM agent, and you have an EC2 instance already running and you find an SSM agent is not installed there, what you need to do is install that, then you can use this. Otherwise, it’s not possible. It’s going to show you an error like you’re not connected.
02:41 - Demo - Setting up the EC2 Instance
What I’m going to do is a simple demo, where I’m going to use my laptop to start a session and connect my EC2 instance, which is present in a private subnet, and to connect it with an RDS. Moving on to the table. Currently, I have created an EC2 instance and a simple RDS. If I go and open RDS, you can see it’s set for PostgreSQL RDS, which is placed in private subnets. It’s not publicly accessible. In order to access it, we need to go through the EC2 instance, as well. Moving on, if I put the EC2 instance, you can see there is no public IP involved. I only have a private IP here. If I scroll down a bit, you can see that you have no key pair attached here, as well. If I open the role here, the permissions that I mentioned are attached to the EC2 instance. Furthermore, if I go into Security and click on the security group here, you can see that there is no inbound rule here. Outbound is present, but for inbound, there is no port available because we don’t need that.
04:01 - Ways to connect with the EC2 Instance
How can we connect with this instance? There are two ways. First, is the most simple way where we can just click on this connect here. In the second portion, you can see which is referring to it as Session Manager. If I go and simply connect here, it takes a couple of seconds to start the session. We are here in the EC2 instance.

The second way, which I’m using, is going through my terminal. In order to access using this, your AWS credentials are required here, as well. In order to access it, we need some AWS CLI command to start the session you could type “AWS SSM Start Session” and we are going to enter the target. The target is the EC2 instance ID, which we can fetch from here. If I copy it here, and if I paste it here, enter. It’s going to take a couple of seconds to start the SSH session. Let me just give it sudo permissions. This was another way you can access your Session Manager through your terminal SM. You need to have that agent installed on your system, whether you’re using Mac or Windows, you want to have that installed here.

05:39 - Accessing RDS
Moving on, I need to access and correct my RDS, which is this one I showed you earlier. In order to do that, I have created a simple script. If I go and create it. Get RDS, yes. What this file contains is simply a command login command to access my RDS, which is this one, where I’m just skimming its endpoint, its port, and its default user. Let me just execute this command. It’s asking for that RDS password that we just provided here and we can access the RDS. You can perform your basic operations whatever you want into RDS. For instance, I created a table here, and put the name ‘Friday demo.’ Other than that, the major advantage of using this is that it’s very simple as compared to using SSH. You are required to enter your PEM key and also the port, as well. It’s provided an extra layer of security to it, as well. It’s much safer than if I created a Bastion instance, which is part of a public IP, so it’s not exposed to the internet and is way more secure than that.
Jasmeet Singh

Muhammad Sharjeel

DevOps Engineer

nClouds

Muhammad is a DevOps Engineer at nClouds. He has a technical certification in AWS Certified Solutions Architect - Associate.