How can I control access to my instances using Session Manager?

Last updated: 2021-03-17

I want to control access to my instances so that certain users can start a Session Manager session for the instances that I specify. How can I do that?

Short description

You can manage your Amazon Elastic Compute Cloud (Amazon EC2) instance or on-premises instance using AWS Systems Manager Session Manager. Session Manager connects through a browser-based shell, or through the AWS Command Line Interface (AWS CLI).

You can use Identity and Access Management (IAM) policies to control the users that can access the instance using Session Manager. The IAM policy also controls the API actions that the users can perform.



To allow users to connect to Session Manager, first create an IAM policy that grants StartSession access to the IAM user. Then, attach the IAM policy to the IAM user.

Follow these steps to create and attach an IAM policy that allows an IAM user to start a Session Manager session using the AWS CLI. The following example policy restricts the ability to start a session to specific instances.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

1.    Open the IAM console, and then choose Policies from the left navigation pane.

2.    Choose Create policy, and then choose the JSON tab.

3.    Copy the Restrict access to specific instances sample JSON document, and then paste the policy to the JSON tab in the console.

Important: The resource ARN in the example policy uses the us-east-2 AWS Region, and includes placeholders for the instance ID and account ID. Be sure to replace these values with your own.

4.    Choose Next: Tags.

5.    Choose Next: Review.

6.    For Name, enter a policy name.

7.    (Optional) For Description, enter a description.

8.    Choose Create policy to save the policy.

9.     Attach the IAM policy to the user that you want to allow to access to the instance using Session Manager.

Users that are granted access can now initiate the start-session API call using the following AWS CLI command:

Note: The user must replace instance-id with the instance ID that they want to start a session for.

aws ssm start-session --target instance-id

To allow users to start a session using the Amazon EC2 console, you must also attach the following AWS managed policies to the user:

  • AmazonSSMReadOnlyAccess
  • AmazonEC2ReadOnlyAccess