EC2 Instance Session Manager Tutorial: Steps to Install and Configure SSM Agent on EC2 Instance
If you have been running an AWS EC2 instance for months and did not keep the PEM key safe, losing it leaves you with no way into the server: a huge bummer and a real security problem. When an SSH connection from your terminal fails with a “Connection timed out” error, there can be several causes. One is that you installed the UFW firewall on the server and never allowed SSH through it. If you still have some other way to reach a shell on the box, that one is a one-line fix:
sudo ufw allow ssh
If you lose the PEM key again, and your security group and other settings are correct but SSH still will not let you in, the only thing that saves you is having enabled Session Manager on the instance ahead of time. The benefits of the SSM Agent and Session Manager are as follows:
- Improved security: Session Manager connects you to the instance without SSH keys and without any inbound rule in the security group, so port 22 can stay closed. The instance only needs outbound HTTPS (port 443) to the ssm, ssmmessages and ec2messages endpoints of its region, either over the internet or through VPC endpoints.
- Centralized access control: access is granted through AWS Identity and Access Management (IAM) policies, so you can give users and groups granular permissions to specific instances, and CloudTrail records who started a session on which instance and when.
- Auditability: with session logging turned on in the Session Manager preferences (to an S3 bucket and/or a CloudWatch Logs log group), the input and output of every session is recorded, which helps both with audits and with troubleshooting. Without that setting, only the session start and end are recorded in CloudTrail.
So, without further ado, let’s get into the steps of enabling SSM on your instance:
- Launch a new EC2 instance. Amazon Linux 2 and Amazon Linux 2023 AMIs ship with SSM Agent preinstalled; on other AMIs you may have to install it yourself (see the install step below).
- Make sure the instance has an IAM role attached whose trust policy allows ec2.amazonaws.com to assume it and that has the AmazonSSMManagedInstanceCore managed policy attached. That policy is the minimum the agent needs to register with Systems Manager.
- If the instance has no role attached, attach one from the EC2 console: select the instance, then “Actions” -> “Security” -> “Modify IAM role” (older console layouts listed this under “Instance Settings” -> “Attach/Replace IAM Role”). If your console user lacks that option, you can do the same from the AWS CLI on your local computer: install it, run “aws configure”, and enter:
- Access Key: <access key here>
- Secret Key: <secret key here>
- Default region: the region your instance (and its VPC) is in.
- Default output format: json.
- To create the access key and secret key in the AWS console:
- Log in to the AWS Management Console as an IAM user, not as the root user (AWS recommends against root access keys).
- Navigate to that user’s “Security Credentials” page.
- Under “Access keys,” create a new access key if you do not have one already. The user needs the ec2:AssociateIamInstanceProfile permission and iam:PassRole for the role you are attaching; delete the key when you are done with it.
- Attach the instance profile to the EC2 instance with the following AWS CLI command (note the double dashes; the command takes the instance profile name, which for roles created in the console is the same as the role name):
aws ec2 associate-iam-instance-profile --instance-id <instance ID here> --iam-instance-profile Name=<instance profile name>
On an AMI where the agent is not preinstalled, connect to the instance via SSH while you still have the key and install the SSM Agent. The snap commands below are for Ubuntu Server 18.04 and later (Amazon Linux uses the preinstalled agent, or yum/dnf if it was removed):
sudo snap switch --channel=candidate amazon-ssm-agent
sudo snap install amazon-ssm-agent --classic
# to check that it is installed and running:
sudo snap list amazon-ssm-agent
sudo snap start amazon-ssm-agent
sudo snap services amazon-ssm-agent
(For a detailed explanation of these commands and the variants for other operating systems, see the AWS documentation page “Install SSM Agent on Ubuntu Server” and its sibling pages for other distributions.)
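As an added example (not part of the original post), here is the IAM side of the procedure above as one idempotent script using the AWS CLI: it creates the role with an EC2 trust policy if it does not already exist, attaches AmazonSSMManagedInstanceCore, creates an instance profile of the same name, associates it with the instance, and then polls Systems Manager until the agent reports Online. The role name EC2SessionManagerRole and the INSTANCE_ID and SLEEP_SECONDS variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): enable Session Manager on one
# instance with the AWS CLI. The role name and variables are assumptions.
set -eu

ROLE_NAME="${ROLE_NAME:-EC2SessionManagerRole}"           # assumed name
POLICY_ARN="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
SLEEP_SECONDS="${SLEEP_SECONDS:-10}"                      # poll interval

# Trust policy: only the EC2 service may assume the role.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Create the role and an instance profile of the same name if they are
# missing, and attach the managed policy. Safe to re-run.
ensure_role_and_profile() {
  role="$1"
  if ! aws iam get-role --role-name "$role" >/dev/null 2>&1; then
    aws iam create-role --role-name "$role" \
      --assume-role-policy-document "$(ec2_trust_policy)" >/dev/null
  fi
  aws iam attach-role-policy --role-name "$role" --policy-arn "$POLICY_ARN"
  if ! aws iam get-instance-profile --instance-profile-name "$role" >/dev/null 2>&1; then
    aws iam create-instance-profile --instance-profile-name "$role" >/dev/null
    aws iam add-role-to-instance-profile \
      --instance-profile-name "$role" --role-name "$role"
  fi
}

# Associate the instance profile with a running instance. The caller needs
# ec2:AssociateIamInstanceProfile and iam:PassRole on the role.
attach_profile() {
  instance_id="$1"; profile="$2"
  aws ec2 associate-iam-instance-profile \
    --instance-id "$instance_id" \
    --iam-instance-profile "Name=$profile" >/dev/null
}

# Print the agent's PingStatus: "Online" once registered, "None" while the
# instance is not yet known to Systems Manager, or ConnectionLost/Inactive.
ssm_ping_status() {
  aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$1" \
    --query 'InstanceInformationList[0].PingStatus' --output text
}

# Poll until the agent is Online; fail after $2 attempts (default 12).
# An API error aborts the script because of set -e, which is intended.
wait_for_ssm() {
  instance_id="$1"; attempts="${2:-12}"; i=0
  while [ "$i" -lt "$attempts" ]; do
    status="$(ssm_ping_status "$instance_id")"
    [ "$status" = "Online" ] && return 0
    i=$((i + 1))
    sleep "$SLEEP_SECONDS"
  done
  return 1
}

# Usage: INSTANCE_ID=i-0123456789abcdef0 sh enable-ssm.sh
if [ -n "${INSTANCE_ID:-}" ]; then
  ensure_role_and_profile "$ROLE_NAME"
  attach_profile "$INSTANCE_ID" "$ROLE_NAME"
  if wait_for_ssm "$INSTANCE_ID"; then
    echo "Agent online. Connect with: aws ssm start-session --target $INSTANCE_ID"
  else
    echo "Agent not online yet: check outbound HTTPS to the SSM endpoints" >&2
    exit 1
  fi
fi
```

If the agent never reaches Online, the usual causes are the instance profile not being attached (the agent only picks up a newly attached profile after a restart of the agent or the instance) or no outbound route to the Systems Manager endpoints; the PingStatus check is the quickest way to tell whether registration has happened before you try to start a session.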
There you have it! Apply these settings to every new EC2 instance and your servers are more secure from day one, with one less way to lock yourself out. Once the agent reports in, the “Connect” -> “Session Manager” tab in the EC2 console, or aws ssm start-session --target <instance ID> from the CLI, gets you a shell with no PEM key at all. May you never lose your PEM key in the first place, and happy DevOps!