EC2 Instance Connect and Session Manager

EC2 Instance Connect (EIC) and AWS Systems Manager Session Manager are two distinct services that provide secure, auditable access to EC2 instances without requiring long-lived SSH keys or managing bastion hosts. Both are part of AWS's shift toward identity-based access, but they work differently.

EC2 Instance Connect allows you to connect to an instance using a one-time SSH key that is pushed to the instance for 60 seconds. You initiate the connection from the AWS Management Console, AWS CLI, or SSH client, and AWS temporarily injects a public key into the instance's ~/.ssh/authorized_keys file for the specified IAM user. You then use the corresponding private key (which you never see) to authenticate via SSH. The key is automatically removed after 60 seconds or when the connection closes.

Session Manager, part of AWS Systems Manager, provides a browser-based or CLI-based interactive shell (or RDP session) without needing SSH keys, a public IP, or an open inbound port. The SSM Agent on the instance establishes an outbound connection to the Systems Manager service over HTTPS (port 443). When you start a session, the service creates a secure, encrypted tunnel between your client and the instance. All commands run through the session are logged to Amazon CloudWatch Logs or S3.

EC2 Instance Connect Flow: 1. The user calls the SendSSHPublicKey API (or uses the console which calls this API). The request is authorized by IAM. 2. AWS generates an ephemeral RSA key pair. The public key is sent to the instance metadata service (IMDS) endpoint: http://169.254.169.254/latest/meta-data/public-keys/0/. 3. The ec2-instance-connect service (a daemon on the instance, pre-installed on Amazon Linux 2/2023 and Ubuntu 20.04+) polls the IMDS endpoint every 1 second. When it detects a new key, it appends it to the ~/.ssh/authorized_keys file of the IAM user's corresponding OS user (e.g., ec2-user for Amazon Linux). 4. The public key is valid for 60 seconds. After that, it is removed from IMDS and the authorized_keys file. 5. The user's SSH client uses the private key (provided by AWS or generated locally) to authenticate. The SSH connection must be initiated within 60 seconds. 6. Once connected, the session is a normal SSH session. The key persists for the duration of the connection (if the connection outlasts 60 seconds, the key is already removed, but the established session remains).

Session Manager Flow: 1. The SSM Agent (version 2.3.68.0 or later) on the instance maintains a persistent outbound WebSocket connection to the Systems Manager service endpoint (e.g., ssm.<region>.amazonaws.com). This connection uses TLS on port 443. 2. The user initiates a session via the AWS Management Console, AWS CLI (aws ssm start-session), or the Session Manager plugin. The request is authorized by IAM. 3. Systems Manager sends a message to the agent over the existing WebSocket connection, instructing it to start a shell (or RDP) and create a new WebSocket stream for the session. 4. The agent opens a pseudo-terminal (PTY) and connects it to the shell. All input/output is encrypted and tunneled through the Systems Manager service to the user's client. 5. The session is recorded. You can enable session logging to CloudWatch Logs or S3. You can also run shell scripts via aws ssm send-command without interactive access. 6. The agent does not require inbound ports—only outbound HTTPS to the Systems Manager endpoints. The instance does not need a public IP or a NAT gateway.

EC2 Instance Connect: - IAM permissions: ec2-instance-connect:SendSSHPublicKey required. Also ec2:DescribeInstances for the console. - Key validity: 60 seconds. The key is removed from IMDS and authorized_keys after this time. - Supported OS: Amazon Linux 2, Amazon Linux 2023, Ubuntu 16.04+, and others with the ec2-instance-connect package installed. - Private key: For CLI, you can generate your own key pair and send the public key via ssh-keygen -t rsa -f mykey then aws ec2-instance-connect send-ssh-public-key. For console, AWS generates the key pair and provides the private key for download (one-time view). - Port: Only SSH (port 22) is supported. No RDP support. - Instance must have: A public IP or be reachable via SSH from the client (e.g., via VPC peering, VPN, or Direct Connect). The SSH daemon must be running.

Session Manager: - SSM Agent version: Minimum 2.3.68.0. For RDP, version 3.0.654.0 or later. - Outbound endpoints: ssm.<region>.amazonaws.com, ssmmessages.<region>.amazonaws.com, and ec2messages.<region>.amazonaws.com. These must be reachable via HTTPS (port 443). - IAM permissions: ssm:StartSession, ssm:TerminateSession, ssm:ResumeSession. Also ssmmessages:CreateControlChannel, ssmmessages:CreateDataChannel, ssmmessages:OpenControlChannel, ssmmessages:OpenDataChannel (these are managed by AWS when using the default session manager policy). - Instance profile: The instance must have an IAM role that includes the AmazonSSMManagedInstanceCore policy (or equivalent). - VPC endpoints: To avoid internet access, you can create VPC endpoints for Systems Manager (com.amazonaws.<region>.ssm, com.amazonaws.<region>.ssmmessages, com.amazonaws.<region>.ec2messages). - Logging: Session logs can be streamed to CloudWatch Logs or S3. You can also encrypt logs with KMS. - Port forwarding: Session Manager supports port forwarding (aws ssm start-session --target <instance-id> --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["80"],"localPortNumber":["8080"]}'). This allows you to access applications on the instance without opening inbound ports. - Idle timeout: The default idle timeout for a session is 20 minutes. If no input is received, the session terminates. This can be configured in the session preference. - Run as: You can specify an OS user when starting a session (e.g., aws ssm start-session --target <instance-id> --document-name AWS-StartInteractiveCommand --parameters '{"command": ["sudo su - root"]}').

EC2 Instance Connect Setup: 1. Verify the instance has ec2-instance-connect installed:

# Amazon Linux 2/2023: pre-installed
# Ubuntu:
sudo apt-get update
sudo apt-get install ec2-instance-connect

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSSHPublicKey",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*"
        }
    ]
}

ssh-keygen -t rsa -f /tmp/mykey -N ""
aws ec2-instance-connect send-ssh-public-key \
    --instance-id i-1234567890abcdef0 \
    --availability-zone us-east-1a \
    --instance-os-user ec2-user \
    --ssh-public-key file:///tmp/mykey.pub
ssh -i /tmp/mykey ec2-user@<public-ip-or-dns>

Session Manager Setup: 1. Attach IAM role to instance with AmazonSSMManagedInstanceCore policy. 2. Install SSM Agent (if not pre-installed):

# Amazon Linux 2: pre-installed
# Ubuntu:
sudo snap install amazon-ssm-agent --classic
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent

sudo systemctl status amazon-ssm-agent

aws ssm start-session --target i-1234567890abcdef0

Both EIC and Session Manager integrate with AWS Identity and Access Management (IAM) for authentication and authorization. EIC relies on SSH key exchange, but the key is ephemeral and tied to the IAM user. Session Manager eliminates SSH keys entirely and uses IAM policies to control who can start sessions and what actions they can perform.

Both can be used with AWS CloudTrail for auditing. EIC logs the SendSSHPublicKey API call. Session Manager logs session starts, stops, and the commands run (if logging is enabled).

Session Manager can also be used with AWS Config to enforce that instances use Session Manager instead of SSH (via a custom rule).

EIC does not work with instances in a private subnet unless you have a bastion host or VPN. Session Manager works natively in private subnets if VPC endpoints are configured.

Both are alternatives to traditional bastion hosts. Session Manager is generally preferred for its security and auditability, but EIC is simpler for existing SSH workflows.

The exam often tests the prerequisites for each service. For EIC, a common trap is assuming the instance needs a public IP. Actually, EIC requires network connectivity for SSH (so a public IP or reachability via VPN/VPC peering). For Session Manager, a common trap is forgetting the instance needs outbound internet access or VPC endpoints. Another trap is that Session Manager does not support RDP by default—it requires the Session Manager plugin and the AWS-StartPortForwardingSession document or a dedicated RDP session document.

Also, remember that EIC pushes a public key, not a password. The private key is never stored on the instance. The key is valid for 60 seconds—if you take longer to SSH, you must request a new key.

Finally, Session Manager sessions can be terminated by an administrator via aws ssm terminate-session. The idle timeout is 20 minutes by default, but can be configured in session preferences.