FAQs

Q: What is Session Manager?

Session Manager is a fully managed service that provides you with an interactive browser-based shell and CLI experience. It helps provide secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager helps enable compliance with corporate policies that require controlled access to instances, increases the security and auditability of instance access, and gives end users simple, cross-platform instance access.

You can learn more about Session Manager on the AWS Systems Manager website.

Q: What are the benefits of using Session Manager?

Session Manager helps to improve your security posture by not requiring you to open inbound ports, or to maintain SSH keys or certificates on your instances. It also centralizes access to instances using AWS Identity and Access Management (IAM). Once you enable Session Manager, you can connect to any Linux or Windows EC2 instance and track each user who started a session on each instance. You can use AWS CloudTrail to audit which user accessed an instance and when, and you can log every command executed on an instance to Amazon S3 or Amazon CloudWatch Logs. Finally, with Session Manager you don’t need up-front investments to operate and maintain bastion hosts.

Q: Who should use Session Manager?

Any AWS customer who wants to improve their security and audit posture, reduce operational overhead by centralizing access control on instances, and reduce inbound instance access will benefit from Session Manager. Information security experts who want to monitor and track instance access and activity, close down inbound ports on instances, or enable connections to instances without a public IP will benefit from Session Manager. Administrators who want to grant and revoke access from a single place and provide users with one solution for Windows and Linux instances will benefit as well. Finally, operators can get started quickly by starting a session in the browser and then selecting an instance, or by using the CLI, without having to provide SSH keys.

Q: How much does Session Manager cost?

Session Manager is available at no additional cost to manage Amazon EC2 instances.

Q: What is AWS Single Sign-On (AWS SSO)?

AWS SSO is an AWS service that makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place. With AWS SSO, you can easily manage SSO access and user permissions to all of your accounts in AWS Organizations centrally. AWS SSO allows you to create and manage user identities in AWS SSO’s identity store, or easily connect to your existing identity source, including Microsoft Active Directory, Okta Universal Directory, and Azure Active Directory (Azure AD).

You can learn more about AWS SSO on the AWS Single Sign-On website.

Q: What are the benefits of AWS SSO?

You can use AWS SSO to quickly and easily assign and manage your employees’ access to multiple AWS accounts, SAML-enabled cloud applications (such as Salesforce, Microsoft 365, and Box), and custom-built in-house applications, all from a central place. Employees can be more productive by signing in with their existing corporate Active Directory credentials or credentials that you configure in AWS SSO to access their applications from their personalized user portal. Now, employees won’t need to remember multiple sets of credentials and access URLs to cloud applications, and new employees can be productive starting on day one. After you’ve added users to the appropriate group in your directory, they will automatically gain access to accounts and applications that are enabled for members of that group. You'll get better visibility into cloud application use because you can monitor and audit sign-in activity centrally from AWS CloudTrail.

Q: What can I do with AWS SSO?

You can use AWS SSO to quickly and easily assign your employees access to AWS accounts managed with AWS Organizations, business cloud applications (such as Salesforce, Microsoft 365, and Box), and custom applications that support Security Assertion Markup Language (SAML) 2.0. Employees can sign in with their existing corporate credentials or credentials they configure in AWS SSO to access their business applications from a single user portal. AWS SSO also allows you to audit users’ access to cloud services by using AWS CloudTrail.

Q: How much does AWS SSO cost?

AWS SSO is offered at no extra charge.

Q: What do I do once I’ve completed this project?

All of the resources in your environment are launched under your account. You can continue to use the resources you’ve created, you can provision additional resources, or you can remove them at any time. You will incur charges for any usage of AWS services.

Q: How can I get in touch with someone to discuss AWS Systems Manager Session Manager or AWS Single Sign-On (AWS SSO)?

Contact us by filling out the form on this page.
