1. Overview and Setup

In today’s world of modern application development and immutable infrastructure deployed as code, there remains a number of reasons why engineers require shell-level access to their instances on occasion. They might need to kill runaway processes, debug problems on a live machine, or fine-tune configurations during development; all while maintaining a strong security profile.

In this session, you will configure AWS Systems Manager Session Manager to provide secure interactive access to your managed instances without the need to expose inbound ports, manage bastion hosts, or manage SSH keys. You will learn how Session Manager works by default and will progressively increase the security posture of your environment by enabling enhanced session encryption, configuring session logging and reducing default permissions.


You have been tasked with replacing the legacy bastion infrastructure at your organization with an alternative interactive shell-level access solution. You have been given a few key requirements and must develop a proof of concept that demonstrates the ability of Session Manager to address each:

  • Secure Access: The solution must communicate over a secure encrypted channel for all control and session data. The solution must not require inbound ports to be authorized (e.g. TCP 22 or TCP 3389).
  • Access Control: Users must be able to authenticate using IAM security principals (e.g. users and roles) and must not be required to leverage host-level authentication methods (e.g. public-key, password, etc.).
  • Auditing: All session activity must be tracked and logged to include all command input and output.
  • Cross-Platform Interactivity: The solution should provide synchronous execution of commands across both Windows and Linux platforms

Environment Setup

Click here if you're not at an AWS event or are using your own account
Click here if you are at an AWS event where the Event Engine is being used

Configure Lab

Install Session Manager CLI Plugin into your Cloud9 session and create a KeyPair

  1. Browse to the AWS Cloud9 Console
  2. Select Open IDE as shown below.

It may take a few seconds to initiate if the Cloud9 instance is not running already, once ready it should present you with a bash prompt in the terminal.

  1. Within the terminal run the following command to download the Session Manager plugin RPM package

     curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm" -o "session-manager-plugin.rpm"

    You should see an output as shown below.

  2. Now run the install command:

     sudo yum install -y session-manager-plugin.rpm

    You should an output as shown below.

  1. Create a key pair for SSH access step of the lab:

     aws ec2 create-key-pair --key-name MyKeyPair --query 'KeyMaterial' --output text > MyKeyPair.pem

    You should an output as shown below.

  1. Update the permission on the private key file:

     chmod 400 MyKeyPair.pem

    You should an output as shown below.

Stuck? Watch this

This video has no audio