Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Amazon Releases a New Session Manager in AWS Systems Manager

Amazon Releases a New Session Manager in AWS Systems Manager

This item in japanese

Amazon have released Session Manager, a fully managed AWS Systems Manager capability that enables users to manage Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS CLI. AWS Systems Manager is a service that provides a unified user interface so that users can view operational data from multiple AWS services and automate operational tasks across AWS resources.

In the past, Amazon has already provided a secure option for shell-level access to EC2 instances with the AWS Systems Manager Run Command – allowing users to create command documents and run them on any desired set of EC2 instances, including Linux and Windows. Moreover, these commands run asynchronously and the output is captured for review. Now with the new Session Manager in AWS System Manager, IT administrators will have a browser-based UI and CLI for this functionality.

According to the release announcement, the new browser-based Session Manager will provide the following capabilities:

  • Secure Access – No need to manually set up user accounts, passwords or SSH keys on the instances and IT Administrators don’t have to open any inbound ports.
  • Access Control – IT Administrators can use IAM policies and users to control access to their instances and don’t need to distribute SSH keys.
  • Auditability – Commands and responses can be logged to Amazon CloudWatch and an S3 bucket.
  • Interactivity – Commands are executed synchronously in a full interactive bash (Linux) or PowerShell (Windows) environment.
  • Programming and Scripting – In addition to the console access, IT Administrators can also initiate sessions from the command line (aws ssm ...) or via the Session Manager APIs.

Access to EC2 instances with the new Session Manager requires an SSM agent on the instances, and the agent's version must be version 2.3.12 or above. Furthermore, the agent must be able to connect to Session Manager’s public endpoint or through a PrivateLink connection in the case of no Internet access or public available IP address.

For security purposes, the instance role on each instance must reference a policy to allow access to the appropriate services. With these prerequisites in place, an IT administrator can specify preferences for the session to an instance – for instance, to write the session output to an S3 bucket, and sending the output to CloudWatch Logs. Subsequently, the IT administrator can start a session in an instance.


Once a session starts, the IT administrator can issue commands in a session and examine log streams (each stream represents one session) in CloudWatch later. 

The reaction to Amazon releasing the Session Manager seems promising. On a thread, people responded positively and the same accounts for a twitter feed on the Session Manager.

The Session Manager is available in all AWS regions (including AWS GovCloud) at no extra charge. Furthermore, Amazon is planning additional features for the Session Manager, such as an SSH client and access to on-premise instances. More details on the Session Manager are available in the AWS Documentation.

Rate this Article