Support Documents
No data found.

Access EC2 from Session manager and send SSH logs to CloudWatch

Lab Details

  1. This lab walks you through the steps to launch an EC2 instance with SSM role and then connect to the EC2 via AWS Session manager and view the logs in Cloudwatch.

  2. You will practice using an Amazon EC2 with no SSH port and KeyPair.

  3. Duration: 45 minutes

  4. AWS Region: US East (N. Virginia) us-east-1


What is a Session Manager ?

Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, on-premises instances, and virtual machines (VMs) through an interactive one-click browser-based shell or through the AWS Command Line Interface (AWS CLI).

Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.

Session Manager also makes it easy to comply with corporate policies that require controlled access to instances, strict security practices, and fully auditable logs with instance access details, while still providing end users with simple one-click cross-platform access to your managed instances.

Features of AWS Session Manager

  • Support for both Windows Server and Linux instances

  • Console, CLI, and SDK access to Session Manager capabilities

  • IAM access control

  • Logging and auditing capability support

  • Configurable shell profiles

  • Customer key data encryption support

  • AWS PrivateLink support for instances without public IP addresses

  • Tunneling

  • Interactive commands

What is a session ?

A session is a connection made to an instance using Session Manager. 

Sessions are based on a secure bi-directional communication channel between the client (you) and the remote managed instance that streams inputs and outputs for commands. Traffic between a client and a managed instance is encrypted using TLS 1.2, and requests to create the connection are signed using Sigv4. This two-way communication enables interactive bash and PowerShell access to instances. 

You can also use an AWS Key Management Service (AWS KMS) key to further encrypt data beyond the default TLS encryption.

What is an EC2 instance ?

AWS defines it as Elastic Compute Cloud.It’s a virtual environment where “you rent” to have your environment created, without purchasing.

  • Amazon refers to these virtual machines as Instances.

  • Preconfigured templates can be used to launch instances. These templates are referred to as images. Amazon provides these images in the form of AMIs (Amazon Machine Images).

  • Allows you to install custom applications and services.

  • Scaling of infrastructure i.e., up or down is easy based on the demand you face.

  • AWS provides multiple configurations of CPU, memory, storage etc., through which you can pick the flavor that's required for your environment.

  • No limitation on storage. You can pick the storage based on the type of the instance that you are working on.

  • Temporary storage volumes are provided, which are called Instance Store Volumes.  Data stored in this gets deleted once the instance is terminated.

  • Persistent storage volumes are available and are referred to as EBS (Elastic Block Store) volumes.

  • These instances can be placed at multiple locations which are referred to as Regions and Availability Zones (AZ).

  • You can have your Instances distributed across multiple AZs i.e., within a single Region, so that if an instance fails, AWS automatically remaps the address to another AZ.

  • Instances deployed in one AZ can be migrated to another AZ.

  • To manage instances, images, and other EC2 resources, you can optionally assign your own metadata to each resource in the form of tags.

  • A Tag is a label that you assign to an AWS resource.  It contains a key and an optional value, both of which are defined by you.

  • Each AWS account comes with a set of default limits on the resources on a per-Region basis.

  • For any increase in the limit you need to contact AWS.

  • To work with the created instances, we use Key Pairs.

Architecture Diagram

Task Details

  1. Log into AWS Management Console.

  2. Create an IAM Role.

  3. Create a Cloudwatch log group.

  4. Launch an EC2 instance.

  5. Configure Session Manager.

  6. Start and terminate a session in Session Manager.

  7. View the logs in Cloudwatch.

  8. Validation of the lab

  9. Deleting AWS Resources