How to Access an EC2 Instance Without Opening Port 22

Vishnu Prasad
Sep 10, 2024

Source: https://digitalcloud.training/aws-systems-manager/

AWS EC2 instances are commonly accessed through SSH via port 22. However, opening port 22 to the internet can expose your instance to security risks like brute force attacks. Fortunately, there are safer ways to access your EC2 instance without opening port 22.

In this blog, we’ll explore how to securely access your EC2 instance while keeping port 22 closed using Session Manager.

Access Using AWS Systems Manager (SSM) Session Manager

AWS Systems Manager (SSM) is a fully managed service that allows you to manage your EC2 instances without needing SSH access. By using Session Manager, you can securely connect to your instance through the AWS Management Console or AWS CLI.

Prerequisites

  • An IAM role with the AmazonSSMManagedInstanceCore policy, attached to your instance. Create a role and attach the AmazonSSMManagedInstanceCore policy to it. When creating a new instance, you can attach the role during launch. For existing instances, click “Modify IAM role” and attach the role that you created earlier.
  • SSM Agent installed on your instance. (For Amazon Linux 2 and Ubuntu, this is pre-installed.)

Steps to Use Session Manager

  1. Attach an IAM Role: Ensure your EC2 instance has an attached IAM role with the AmazonSSMManagedInstanceCore policy. This role allows SSM to manage your instance.
  2. Ensure SSM Agent is Running (optional): If you’re using an older instance or a custom AMI, make sure that the SSM Agent is installed and running:

      # yum-based distributions such as Amazon Linux:
      # install the agent, enable it at boot, then start it now
      sudo yum install amazon-ssm-agent
      sudo systemctl enable amazon-ssm-agent
      sudo systemctl start amazon-ssm-agent

  3. Connect to the Instance:

  • Using the AWS Console: Go to EC2 -> Instances, select your instance, click Connect, select the Session Manager tab, and click Connect.
  • Using the AWS CLI: Make sure the Session Manager plugin for the AWS CLI is installed on your system, then run the following command to start an SSM session:

      aws ssm start-session --target i-xxxxxxxxxxxxxx

Session Manager gives you a shell in your browser or local terminal, similar to SSH, without requiring any open inbound ports. All connections are made via the AWS API and are authorized through IAM.
