I'm struggling with configuring AWS Session Manager to access my EC2 instance which is set up as a bastion host in a private subnet. I've created a custom IAM role with the necessary policies ("AmazonS3FullAccess" and "AmazonSSMManagedInstanceCore") and attached it to the EC2. However, I can only successfully connect to it when it's in a public subnet or configured in a way that is not ideal for security. I'm unsure how to make it work in the private subnet setup. Any detailed guidance would be greatly appreciated!
3 Answers
First off, make sure your EC2 instance is properly using the role you set up for SSM. You can check this by running a command like "aws sts get-caller-identity" on the instance to confirm the correct role is active. Also, have you looked at the SSM agent's logs? They can provide valuable insights into any issues. Finally, verify that your EC2 has internet access, as it'll need to contact SSM API endpoints unless you're using VPC endpoints for SSM.
If you're sticking to a private subnet, creating SSM VPC endpoints is key. You’ll need to set up VPC endpoints for both com.amazonaws.[your-region].ssm and com.amazonaws.[your-region].ssmmessages. Make sure your EC2 instance's security group allows egress to port 443 for these endpoints, and the endpoints' security groups should allow ingress from your EC2's security group. This way, your instance can communicate internally without needing public access.
Did you set up the three required VPC endpoints? You need SSM, SSM.messages, and EC2.messages. Also, confirm that the security group has port 443 allowed. If unsure, try checking the documentation on creating these VPC endpoints for Systems Manager—it can really help clarify things.
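As an added example (not code from any of the answers above), here is a small Python check that applies the rules these answers describe to data in the shape returned by boto3's describe_vpc_endpoints and describe_security_groups: the three interface endpoints must exist in the region, private DNS should be enabled, and the endpoint security group must admit TCP/443 from the instance's security group. The sample endpoints and security groups are constructed for illustration.

```python
# Added example (not from the original answers): applies the rules the answers above
# describe to data shaped like boto3's describe_vpc_endpoints / describe_security_groups
# output. All sample data below is constructed, not taken from a real account.
REQUIRED_SERVICES = ("ssm", "ssmmessages", "ec2messages")

def _allows_443_from(permissions, source_sg):
    """True if any ingress rule admits TCP/443 from source_sg by SG reference."""
    for perm in permissions:
        proto = perm.get("IpProtocol")
        in_range = perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 0)
        if proto == "-1" or (proto == "tcp" and in_range):
            if any(p.get("GroupId") == source_sg for p in perm.get("UserIdGroupPairs", [])):
                return True
    return False

def check_ssm_endpoints(region, endpoints, security_groups, instance_sg):
    """Return findings; an empty list means the private-subnet SSM path looks complete."""
    findings = []
    sgs = {sg["GroupId"]: sg for sg in security_groups}
    by_name = {e["ServiceName"]: e for e in endpoints if e.get("VpcEndpointType") == "Interface"}
    for svc in REQUIRED_SERVICES:
        name = f"com.amazonaws.{region}.{svc}"
        ep = by_name.get(name)
        if ep is None:
            findings.append(f"missing interface endpoint {name}")
            continue
        if not ep.get("PrivateDnsEnabled"):
            findings.append(f"{name}: private DNS disabled, agent will resolve the public name")
        # the endpoint's own SG must admit 443 from the instance's SG (ingress side)
        if not any(_allows_443_from(sgs[g["GroupId"]]["IpPermissions"], instance_sg)
                   for g in ep.get("Groups", []) if g["GroupId"] in sgs):
            findings.append(f"{name}: no endpoint SG admits TCP/443 from {instance_sg}")
    return findings

# Constructed sample: ssm and ssmmessages exist (the latter without private DNS),
# ec2messages is missing, and the endpoint SG admits 443 only from the bastion SG.
SAMPLE_SGS = [
    {"GroupId": "sg-endpoint", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": []},
]
SAMPLE_ENDPOINTS = [
    {"ServiceName": "com.amazonaws.us-east-1.ssm", "VpcEndpointType": "Interface",
     "PrivateDnsEnabled": True, "Groups": [{"GroupId": "sg-endpoint"}]},
    {"ServiceName": "com.amazonaws.us-east-1.ssmmessages", "VpcEndpointType": "Interface",
     "PrivateDnsEnabled": False, "Groups": [{"GroupId": "sg-endpoint"}]},
]

print(check_ssm_endpoints("us-east-1", SAMPLE_ENDPOINTS, SAMPLE_SGS, "sg-bastion"))
```

Against the sample data it reports two findings: the missing ec2messages endpoint and the ssmmessages endpoint with private DNS off; feed it real describe_* output for your region to check a live VPC.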
Thanks for the tip! I’m actually watching a relevant video again for more clarity. Appreciate your help!