Instance interactive access without the risk
- by Mariano Logarzo
- Feb 9, 2022
- 5 min read
Updated: Jul 30

Still relying on port 22 to access your cloud instances? That’s a red flag. Opening inbound SSH ports in security groups might feel like standard practice, but it exposes your infrastructure to brute-force attacks, credential theft, and misconfigured access controls. For teams managing production environments or working under compliance frameworks, that’s a risk you can’t afford.
Traditional SSH doesn’t scale well in cloud-native environments:
- Every open port is an attack surface.
- Managing SSH keys across multiple users and instances is a manual, error-prone process.
- Audit logs? Sparse or nonexistent unless you build them yourself.
- Remote access to instances in private subnets becomes complex and fragile.
If your cloud operations are growing or if security is a board-level concern, then it’s time to rethink how your team connects to EC2 instances.
Enter: AWS Systems Manager Session Manager
A secure, no-SSH-required way to connect to your instances, even if they’re in isolated networks. Session Manager is part of the AWS Systems Manager suite and lets you start terminal sessions to EC2 instances without opening inbound ports or managing SSH keys. It’s agent-based, IAM-integrated, and fully auditable, making it a top choice for teams that prioritize operational security and scalability. Traditionally, Linux instances are created with port 22 open so they can be reached over SSH; Session Manager removes that requirement.
What is AWS Systems Manager Session Manager?
Session Manager is a capability of AWS Systems Manager that allows you to securely access your EC2 instances via browser or CLI; no SSH, no bastion host, and no open ports required. It’s a fully managed AWS service that provides shell-level access to your instances over a secure channel controlled by IAM and is fully auditable.
Why It Matters:
For companies running production workloads — especially in regulated or high-security environments — Session Manager solves a fundamental challenge:
How It Fits in the AWS Systems Manager Suite
Session Manager integrates tightly with other AWS Systems Manager tools like:
- Parameter Store → securely inject environment variables into sessions
- Inventory & Patch Manager → keep systems consistent and secure
- Automation Documents (SSM Documents) → run scripts at scale with elevated permissions
- CloudWatch + CloudTrail → centralized logging and compliance-friendly audit trails
That means you’re not just replacing SSH — you’re building towards a zero-trust, identity-based access model, native to AWS.
Key Features That Matter
| 🔧 Feature | 💡 What it Enables |
| --- | --- |
| IAM-based Access Control | Grant shell access per user, per role, no key rotation headaches. |
| No Open Inbound Ports | Eliminate port 22, reduce attack surface instantly. |
| Logging via CloudTrail & S3 | Track every command, session start, and access request. |
| Native Support for Private Subnets | Access instances without public IPs or NAT Gateways. |
| MFA Integration | Add identity verification to all sessions. |
| CLI & Console Support | Access from your terminal or AWS console, same secure channel. |
If you’re managing cloud workloads with serious uptime or compliance expectations, Session Manager isn’t just a nice-to-have; it’s a fundamental layer of your access strategy.
Step 1: Attach the Right IAM Role
- Go to IAM > Roles and create a new role.
- Select AWS service > EC2.
- Attach the following policy: AmazonSSMManagedInstanceCore
- Name your role (e.g., EC2SessionManagerRole) and save.
- Attach this role to your running EC2 instance.

By using AWS Systems Manager Session Manager instead of SSH, you eliminate the need to open inbound ports, even when your team is working from home or other remote locations. That makes it a sound approach to secure remote instance access, as highlighted in our COVID-19 and the Odyssey of Working at Home story. Because nobody connects directly over SSH, the instance’s Security Group needs no inbound rules at all, whereas SSH would normally require TCP 22 to be open.
Step 2: Enable Session Manager Preferences (Optional but Recommended)
Navigate to AWS Systems Manager > Session Manager > Preferences and configure:
- Logging: Enable logging to CloudWatch Logs or S3 for compliance.
- KMS encryption (if needed): Secure log data at rest.
- Idle timeout: Auto-end inactive sessions.

Step 3: Start a Session
Via Console:
- Go to Systems Manager > Session Manager > Start Session
- Select the instance and click Start session
- A browser-based terminal opens — you’re in!
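Steps 1 and 3 above as AWS CLI commands, with two checks a defender wants before trusting the setup: that the instance is actually reporting to SSM, and that its security group has no inbound rules. This is an added example, not the post’s own code; the role name, instance id and security group id are placeholders.

```shell
# Added example, not from the original post: Steps 1 and 3 above as AWS CLI calls plus
# two checks. Role name, instance id and security group id are placeholders.
set -eu
ROLE_NAME="${ROLE_NAME:-EC2SessionManagerRole}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"   # placeholder
SG_ID="${SG_ID:-sg-0123456789abcdef0}"              # placeholder
# Trust policy for "AWS service > EC2": only EC2 may assume the role.
ec2_trust_policy() {
  cat <<'EOF'
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole"}]}
EOF
}

# Step 1: role + AmazonSSMManagedInstanceCore, wrapped in an instance profile on the instance.
create_instance_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  aws ec2 associate-iam-instance-profile --instance-id "$INSTANCE_ID" \
    --iam-instance-profile "Name=$ROLE_NAME"
}

# Check 1: the SSM Agent must reach the SSM endpoints (NAT or VPC endpoints) and report
# PingStatus "Online"; until then start-session fails with TargetNotConnected.
ssm_ping_status() {
  aws ssm describe-instance-information --filters "Key=InstanceIds,Values=$INSTANCE_ID" \
    --query 'InstanceInformationList[0].PingStatus' --output text
}

# Check 2: with Session Manager the instance's security group needs zero inbound rules.
inbound_rule_count() {
  aws ec2 describe-security-groups --group-ids "$SG_ID" \
    --query 'length(SecurityGroups[0].IpPermissions)' --output text
}

# Step 3, CLI variant: no port 22, no key pair (needs the session-manager-plugin locally).
start_session() { aws ssm start-session --target "$INSTANCE_ID"; }
if [ "${RUN_SSM_SETUP:-0}" = "1" ]; then
  create_instance_role
  [ "$(ssm_ping_status)" = "Online" ] || { echo "agent not Online yet" >&2; exit 1; }
  [ "$(inbound_rule_count)" = "0" ] || echo "warning: inbound rules still present" >&2
  start_session
fi
```

Run it with `RUN_SSM_SETUP=1` and real ids once the AWS CLI is configured; without that variable the script only defines the functions.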

We strongly recommend using AWS Systems Manager Session Manager to manage instances. It also supports MFA and provides command history auditing.
Why does Session Manager beat SSH?
Opening port 22 on a server might seem like a necessity, but it’s often the weakest link in your infrastructure. Leaving it open invites brute force attacks, exposes your network to unnecessary scanning, and creates an operational overhead of managing key pairs or bastion hosts. AWS Systems Manager Session Manager removes that risk entirely.
Port 22 Is No Longer Needed
With Session Manager, you can access EC2 instances without opening inbound ports or assigning public IPs. This eliminates the attack surface associated with traditional SSH access. There’s no need to manage security group exceptions, no bastion host, and no VPN. That means no port scanning, no exposed credentials, and significantly fewer opportunities for human error.
Access Controlled Through IAM, Not SSH Keys
Instead of using static SSH keys, Session Manager leverages AWS Identity and Access Management (IAM) to manage access. You can define who can access which instances, for how long, and what they can do once inside — all using IAM roles, policies, and tags.
This removes the need for shared keys or rotating key pairs. It also ensures that access is transparent and traceable. With IAM, you can enforce strict least-privilege principles across your environment without friction.
Built-in MFA and Policy Conditions
Session Manager allows you to enforce Multi-Factor Authentication (MFA) as part of your IAM policies. This means you can require an additional layer of security before any session is initiated — especially useful in regulated industries or high-security environments.
Beyond MFA, you can also apply IAM policy conditions, such as restricting access based on source IP, time of day, or requiring that logs be enabled before a session is granted. These capabilities ensure that your access strategy aligns with broader compliance or risk management frameworks.
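A user-side IAM policy that implements the controls described in the last two sections (IAM instead of keys, tag scoping, MFA, source IP, and only the audited session document), as an added example that is not part of the original post. Region, account id, tag value and CIDR are placeholders.

```shell
# Added example, not from the original post: a user-side IAM policy implementing the
# controls described above (IAM instead of keys, tag scoping, MFA, source IP, and only
# the audited session document). Region, account id, tag value and CIDR are placeholders.
set -eu
REGION="${REGION:-us-east-1}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"        # placeholder account id
ENV_TAG="${ENV_TAG:-production}"
OFFICE_CIDR="${OFFICE_CIDR:-203.0.113.0/24}"    # placeholder (TEST-NET-3 range)
# Note: aws:MultiFactorAuthPresent is set for IAM users who signed in (or obtained temporary
# credentials) with MFA; roles federated through an IdP may not carry it. Console use also
# needs read-only ssm:Describe*/ec2:DescribeInstances permissions, omitted here.
session_user_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnTaggedInstancesWithMfa",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:$REGION:$ACCOUNT_ID:instance/*",
      "Condition": {
        "StringEquals": {"ssm:resourceTag/Environment": "$ENV_TAG"},
        "Bool": {"aws:MultiFactorAuthPresent": "true"},
        "IpAddress": {"aws:SourceIp": "$OFFICE_CIDR"}
      }
    },
    {
      "Sid": "OnlyTheAuditedSessionDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:$REGION:$ACCOUNT_ID:document/SSM-SessionManagerRunShell",
      "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}
    },
    {
      "Sid": "ManageOnlyOwnSessions",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:username}-*"
    }
  ]
}
EOF
}
# Customer managed policy to attach to the operators' group or role.
create_policy() {
  aws iam create-policy --policy-name SessionManagerUserAccess \
    --policy-document "$(session_user_policy)"
}
```

The second statement is what stops a CLI user from bypassing the logging preferences by naming a different session document.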
Audit Every Session Automatically
Every session initiated through Session Manager is automatically logged. You can track who connected, when, and what commands were executed. These logs can be sent to Amazon S3, CloudWatch Logs, or even forwarded to third-party SIEM solutions for security analysis and compliance auditing.
This level of visibility and traceability makes it much easier to demonstrate adherence to standards like ISO 27001, HIPAA, PCI-DSS, or SOC 2, and to detect anomalies before they become incidents.
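The logging this section relies on is the Step 2 preferences document; here it is as the SSM-SessionManagerRunShell document with CloudWatch logging, KMS encryption and an idle timeout, applied with the CLI, plus a check that sessions really land in the log group. Added example, not the post’s own code; the log group name and KMS key ARN are placeholders.

```shell
# Added example, not from the original post: the Step 2 preferences as the
# SSM-SessionManagerRunShell document (CloudWatch logging, KMS encryption, idle timeout),
# applied with the CLI. Log group name and KMS key ARN are placeholders.
set -eu
LOG_GROUP="${LOG_GROUP:-/ssm/session-manager}"
KMS_KEY_ARN="${KMS_KEY_ARN:-arn:aws:kms:REGION:ACCOUNT:key/REPLACE_ME}"   # placeholder
IDLE_MINUTES="${IDLE_MINUTES:-20}"

session_preferences() {
  cat <<EOF
{
  "schemaVersion": "1.0",
  "description": "Session Manager preferences: logged, encrypted, auto-ending sessions",
  "sessionType": "Standard_Stream",
  "inputs": {
    "cloudWatchLogGroupName": "$LOG_GROUP",
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "s3BucketName": "",
    "s3EncryptionEnabled": true,
    "kmsKeyId": "$KMS_KEY_ARN",
    "idleSessionTimeout": "$IDLE_MINUTES",
    "runAsEnabled": false
  }
}
EOF
}

# cloudWatchEncryptionEnabled requires a KMS-encrypted log group, and kmsKeyId encrypts the
# session data channel itself, so the instance role and the user both need access to the key.
apply_preferences() {
  aws logs create-log-group --log-group-name "$LOG_GROUP" --kms-key-id "$KMS_KEY_ARN"
  # If preferences were already saved once in the console, use update-document instead.
  aws ssm create-document --name SSM-SessionManagerRunShell --document-type Session \
    --document-format JSON --content "$(session_preferences)"
}

# Check for the audit claim: each session appears as a log stream named after its session id.
list_session_streams() {
  aws logs describe-log-streams --log-group-name "$LOG_GROUP" \
    --query 'logStreams[].logStreamName' --output text
}
```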
Align with Zero Trust Architectures
Session Manager fits seamlessly into a Zero Trust model. Because there’s no need to trust the network or rely on private IPs, every session is explicitly authenticated, authorized, and audited. Access is granted based on who the user is and what they’re allowed to do — not based on where they’re connecting from. This helps modernize your access strategy and enforce strong security controls across hybrid environments.
Final Thoughts
Secure instance access doesn’t have to mean compromise.
AWS Systems Manager Session Manager is more than a replacement for SSH — it's a step forward in securing, auditing, and simplifying your infrastructure operations. By eliminating the need to open port 22, manage SSH keys, or set up bastion hosts, you're reducing risk and overhead at the same time.
For teams operating in highly regulated industries or simply looking to adopt best practices in cloud security, Session Manager is a no-brainer. It brings IAM-based access control, full session logging, and seamless integration with AWS-native services — all without sacrificing flexibility or speed.
If you’re still using traditional SSH access in production, now is the time to make the switch. And if you need help configuring Session Manager securely across your environment, Teracloud is ready to assist.

Mariano Logarzo
DevOps Engineer
Teracloud
Like what you read? You may also be interested in reading Using SSM Parameter Store. To learn more about cloud computing, visit our blog for first-hand insights from our team. If you need an AWS-certified team to deploy, scale, or provision your IT resources to the cloud seamlessly, send us a message here.
