Session Manager

Secure Browser-Based Shell Access

What is Session Manager?

Session Manager provides secure and auditable instance management without the need for SSH keys, bastion hosts, or open inbound ports.

No SSH Keys: IAM-based access control
No Bastion Hosts: Direct browser-based access
Full Audit: CloudTrail records every session API call; session transcripts can be logged to S3 or CloudWatch Logs
Port Forwarding: Tunnel to remote applications

Security Features

Encrypted Communication

Session traffic between the client, the Systems Manager endpoints and the SSM Agent is encrypted with TLS 1.2 or later; session data can additionally be encrypted with a KMS key you control (set in Session Manager preferences)

IAM Integration

Fine-grained access control with IAM policies

Session Logging

Store session transcripts (commands and output) in an S3 bucket or a CloudWatch Logs log group

No Inbound Ports

No inbound security-group rules at all: the SSM Agent on the instance opens an outbound connection to the Systems Manager endpoints, so ports 22 and 3389 stay closed

Browser Access

  • AWS Console interface
  • No client software needed
  • Cross-platform support
  • One-click connection

CLI Access

  • AWS CLI integration
  • Session Manager plugin (required on the client for the CLI)
  • Script automation
  • Local terminal experience

Port Forwarding

  • Tunnel a local port to a port on the instance (AWS-StartPortForwardingSession)
  • Reach RDS and other databases through the instance (AWS-StartPortForwardingSessionToRemoteHost)
  • Internal web applications
  • No VPN required

SSH/SCP

  • SSH over Session Manager (AWS-StartSSHSession used as the SSH ProxyCommand)
  • SCP file transfers
  • SFTP support
  • Native SSH client
  • Caveat: sshd and an authorized key on the instance are still required; Session Manager replaces only the network path, not SSH authentication

Session Manager CLI Examples

Start Session

aws ssm start-session \
  --target i-1234567890abcdef0

Port Forwarding

aws ssm start-session \
  --target i-1234567890abcdef0 \
  --document-name AWS-StartPortForwardingSession \
  --parameters "portNumber=3306,localPortNumber=9090"
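
The commands above reduce to a few patterns. As an added example (not code from the page or from AWS), here are POSIX sh helpers that validate the target and the ports and then print the exact start-session invocation for an interactive shell, for port forwarding to the instance, for port forwarding through the instance to a remote host such as RDS (which needs a different document from the one shown above), plus the ~/.ssh/config stanza for SSH over Session Manager. The instance IDs, the RDS endpoint, the ec2-user name and the key path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the page or from AWS: POSIX sh helpers that
# validate the target and ports, then print the exact `aws ssm start-session`
# invocation. They only print, so the output can be reviewed or piped to `sh`;
# nothing here talks to AWS. All IDs, hostnames, user and key path below are
# placeholders.

# Accept EC2 instance IDs (i-...) and SSM managed-node IDs (mi-...) only, so a
# typo never becomes a session against an unintended target.
ssm_valid_target() {
  printf '%s\n' "$1" | grep -Eq '^(i|mi)-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# TCP port in 1..65535 (digits only).
ssm_valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Interactive shell using the account's SSM-SessionManagerRunShell preferences.
# --reason is stored with the session and shows up in DescribeSessions/CloudTrail.
ssm_shell_cmd() {
  ssm_valid_target "$1" || { echo "bad target: $1" >&2; return 1; }
  printf 'aws ssm start-session --target %s --reason "%s"\n' "$1" "${2:-interactive}"
}

# Local port -> a port on the instance itself (AWS-StartPortForwardingSession).
# The shorthand --parameters form is equivalent to '{"portNumber":["3306"],...}'.
ssm_forward_cmd() {
  ssm_valid_target "$1" && ssm_valid_port "$2" && ssm_valid_port "$3" \
    || { echo "usage: ssm_forward_cmd <target> <remote-port> <local-port>" >&2; return 1; }
  printf 'aws ssm start-session --target %s --document-name AWS-StartPortForwardingSession --parameters portNumber=%s,localPortNumber=%s\n' "$1" "$2" "$3"
}

# Local port -> a host reachable *from* the instance (RDS, an internal web app).
# This is a different document; the instance's security group, not the
# client's, must be allowed to reach <host>:<remote-port>.
ssm_forward_remote_cmd() {
  ssm_valid_target "$1" && [ -n "$2" ] && ssm_valid_port "$3" && ssm_valid_port "$4" \
    || { echo "usage: ssm_forward_remote_cmd <target> <host> <remote-port> <local-port>" >&2; return 1; }
  printf 'aws ssm start-session --target %s --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters host=%s,portNumber=%s,localPortNumber=%s\n' "$1" "$2" "$3" "$4"
}

# ~/.ssh/config stanza for ssh/scp/sftp over Session Manager. Only the network
# path changes: sshd on the instance still has to accept the key, so the
# "no SSH keys" property does not hold for this mode.
ssm_ssh_config() {
  cat <<'EOF'
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
    User ec2-user
    IdentityFile ~/.ssh/example-key.pem
EOF
}

# Demo with constructed values (prints commands only):
ssm_shell_cmd i-1234567890abcdef0 "change-ticket-4711"
ssm_forward_cmd i-1234567890abcdef0 3306 9090
ssm_forward_remote_cmd i-1234567890abcdef0 mydb.cluster-abc123.us-east-1.rds.amazonaws.com 5432 15432
ssm_forward_cmd i-typo 3306 9090 || echo "rejected: invalid target" >&2
ssm_ssh_config
```

To actually connect, pipe one printed line to `sh` (or eval it) with the Session Manager plugin installed. The remote-host variant is the one to use for RDS: the database is reached from the instance's network position, so the instance's security group must allow the outbound connection and the RDS security group must allow the instance, while the client needs no network path at all.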

Session Preferences

Idle Timeout: 1-60 minutes (default: 20)
Max Duration: 1-1440 minutes (24 hours); the session is terminated when it expires
Shell Profile: commands run at session start (for example switching from the default sh to bash on Linux); Windows sessions run PowerShell
Run As: run the session as a named OS user instead of the default ssm-user (Linux only; note that ssm-user has passwordless sudo by default)

Logging Options

S3 Logging: Store session output in S3 bucket
CloudWatch Logs: Stream to CloudWatch log group
Encryption: a KMS key set in the preferences encrypts the session data stream; at-rest encryption of the S3 bucket and the CloudWatch log group is configured on those resources
CloudTrail: StartSession, ResumeSession and TerminateSession API calls are logged automatically (who connected to what, not the commands typed; those come from S3/CloudWatch session logging)
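
The preferences and logging options above live in one regional document, SSM-SessionManagerRunShell. As an added example (not code from the page or from AWS), the helper below generates that document from a few arguments and enforces the timeout ranges before anything is written. It assumes the bucket, log group and KMS key already exist, that the instance profile can write to them, that both the instance role and the connecting user have kms:Decrypt on the key, and that the run-as user (ssm-operator here) exists on the instances; all names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the page or from AWS: generate the regional
# Session Manager preferences document (SSM-SessionManagerRunShell) and print
# the commands that create/update it. Assumed: bucket, log group and KMS key
# exist; the instance profile can write to them (s3:PutObject,
# logs:CreateLogStream/PutLogEvents); instance role and user have kms:Decrypt
# on the key; the run-as user exists on every instance (otherwise sessions fail).

# Integer within [min, max]; rejects "", negatives and non-digits.
in_range() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Usage: ssm_prefs_json <bucket> <log-group> <kms-key-arn> <idle-min> <max-min>
ssm_prefs_json() {
  in_range "$4" 1 60   || { echo "idle timeout must be 1-60 minutes" >&2; return 1; }
  in_range "$5" 1 1440 || { echo "max duration must be 1-1440 minutes" >&2; return 1; }
  cat <<EOF
{
  "schemaVersion": "1.0",
  "description": "Session Manager regional preferences: logging, timeouts, run-as",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "$1",
    "s3KeyPrefix": "session-manager/",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "$2",
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "kmsKeyId": "$3",
    "idleSessionTimeout": "$4",
    "maxSessionDuration": "$5",
    "runAsEnabled": true,
    "runAsDefaultUser": "ssm-operator",
    "shellProfile": {
      "windows": "",
      "linux": "cd ~ && bash"
    }
  }
}
EOF
}

# The document is created once per Region; later changes go through update-document.
ssm_prefs_apply_cmds() {
  printf 'aws ssm create-document --name SSM-SessionManagerRunShell --document-type Session --document-format JSON --content file://%s\n' "$1"
  printf 'aws ssm update-document --name SSM-SessionManagerRunShell --document-version %s --content file://%s\n' "'\$LATEST'" "$1"
}

# Demo with constructed names (prints JSON and commands only; nothing calls AWS):
ssm_prefs_json audit-sessions-123456789012 /ssm/session-manager \
  arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555 15 480 \
  && ssm_prefs_apply_cmds SessionManagerRunShell.json
```

Enabling runAsEnabled with a non-root default user, plus s3EncryptionEnabled and cloudWatchEncryptionEnabled, is the combination that makes the S3 and CloudWatch logging in the list above hold up as an audit trail: the transcript records a named user, and a session is refused rather than logged in the clear if the bucket or log group lacks encryption.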

IAM Permissions

  • ssm:StartSession (evaluated against the instance ARN and the session document ARN)
  • ssm:TerminateSession
  • ssm:ResumeSession
  • Tag-based access control (ssm:resourceTag/<key> condition on the instance)
  • Instance role: AmazonSSMManagedInstanceCore (ssmmessages:* and ssm:UpdateInstanceInformation) so the agent can register and open the channel
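
Putting those permissions together as a least-privilege end-user policy, as an added example (not from the page or from AWS): start is allowed only on instances carrying a given tag and only with the account's shell preferences document, while resume/terminate are limited to the caller's own sessions. It assumes callers are IAM users (the ${aws:username} policy variable is only set for IAM users, not for role sessions) and that SSM-SessionManagerRunShell already exists in the account; the account ID and tag are placeholders.

```shell
#!/bin/sh
# Added example, not code from the page or from AWS: emit a least-privilege
# IAM policy for Session Manager end users. Assumptions: callers are IAM users
# (${aws:username} is unset for role/federated sessions, which would then be
# denied Resume/Terminate), and the account's SSM-SessionManagerRunShell
# preferences document exists. Account ID, tag key and value are placeholders.

# Usage: ssm_user_policy <account-id> <tag-key> <tag-value>
ssm_user_policy() {
  case "$1" in [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "account id must be 12 digits" >&2; return 1 ;; esac
  [ -n "$2" ] && [ -n "$3" ] || { echo "tag key and value are required" >&2; return 1; }
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartOnTaggedInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:$1:instance/*",
      "Condition": { "StringEquals": { "ssm:resourceTag/$2": "$3" } }
    },
    {
      "Sid": "OnlyTheAuditedShellDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:$1:document/SSM-SessionManagerRunShell"
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": [ "ssm:ResumeSession", "ssm:TerminateSession" ],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:username}-*"
    },
    {
      "Sid": "ReadOnlyForConsoleAndCli",
      "Effect": "Allow",
      "Action": [ "ssm:DescribeSessions", "ssm:GetConnectionStatus",
                  "ssm:DescribeInstanceInformation", "ec2:DescribeInstances" ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Demo with constructed values (prints the policy only; nothing calls AWS):
ssm_user_policy 123456789012 Environment dev
# To attach it: aws iam create-policy --policy-name SsmSessionUser-dev --policy-document file://policy.json
```

Because the document statement names only SSM-SessionManagerRunShell, a user with this policy cannot start port-forwarding or SSH sessions (those need AWS-StartPortForwardingSession, AWS-StartPortForwardingSessionToRemoteHost or AWS-StartSSHSession as the document); grant those document ARNs separately and only to the people who need tunnels.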

Network

  • Works in private subnets
  • VPC interface endpoints for ssm, ssmmessages and ec2messages (PrivateLink)
  • No internet gateway or NAT gateway needed once those endpoints exist

Pricing

  • No Session Manager charge for EC2 instances
  • On-premises nodes (advanced-instances tier): $0.00695 per instance per hour
  • S3/CloudWatch charges apply
  • Data transfer charges

Session Manager vs Traditional SSH

Traditional SSH

  • ❌ Requires SSH keys management
  • ❌ Need bastion hosts for private instances
  • ❌ Open port 22 in security groups
  • ❌ Limited audit capabilities
  • ❌ Key rotation complexity
  • ❌ No centralized access control

Session Manager

  • ✅ No SSH keys required
  • ✅ No bastion hosts needed
  • ✅ No inbound ports required
  • ✅ Full CloudTrail audit logging
  • ✅ IAM-based access control
  • ✅ Centralized session management

Exam Strategy Tip

Remember: Session Manager eliminates the need for SSH keys and bastion hosts. All access is controlled via IAM policies and is fully auditable through CloudTrail (API calls) and S3/CloudWatch session logs. It supports port forwarding for accessing remote applications and works in private subnets with VPC endpoints, so no internet gateway is required.
