Wednesday, April 27, 2022

SSM - Session Manager - System - SSM Port Forwarding, Bastionless

Bastionless VM: the instance sits in a private subnet with only a private IP. It has no public IP and no inbound security-group rule; outbound it reaches AWS either through a NAT gateway or through VPC interface endpoints for Systems Manager.

If you use the NAT gateway path, the NAT gateway must sit in a public subnet whose route table has a default route (0.0.0.0/0) to the Internet Gateway, and the private subnet's route table must point 0.0.0.0/0 at the NAT gateway. The SSM Agent only ever opens outbound HTTPS connections, so nothing needs to be opened inbound.



  1. Verify that SSM Agent is installed and running on the instance.
  2. Create an AWS Identity and Access Management (IAM) instance profile for Systems Manager (the AmazonSSMManagedInstanceCore managed policy covers Session Manager). You can create a new role, or add the needed permissions to an existing role.
  3. Attach the IAM role to your private EC2 instance.
  4. On the bastionless VM itself, make sure you can reach the VPC endpoints listed below, e.g. with curl against the endpoint's DNS name over HTTPS; any HTTP response, even a 403 or 404, shows the TCP/TLS path works, while a timeout or connection refusal means routing, DNS or the endpoint's security group is wrong.


Make sure that you have created all the VPC endpoints SSM needs (interface endpoints, with Private DNS enabled so the agent's normal service hostnames resolve to the endpoint ENIs, and a security group that allows TCP 443 from the instance's subnet):

  • com.amazonaws.region.ssm: The endpoint for the Systems Manager service.
  • com.amazonaws.region.ssmmessages: Required when you connect to your instances through a secure data channel using Session Manager (interactive shell and port forwarding). For more information, see AWS Systems Manager Session Manager.
  • com.amazonaws.region.ec2messages: Systems Manager uses this endpoint to make calls from SSM Agent to the Systems Manager service (Run Command).
  • com.amazonaws.region.ec2: Only needed if you're using Systems Manager to create VSS-enabled snapshots. Without the EC2 endpoint defined, the call to enumerate attached EBS volumes fails, which causes the Systems Manager command to fail.

If the private subnet already has a route through a NAT gateway, the agent can reach the public service endpoints that way and the VPC endpoints are optional; the endpoints are what let you remove the NAT gateway and the internet route entirely.
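The checks from the steps above, and the port-forwarding session itself, as one shell script. This is an added example, not code from the original post: the region, instance ID and ports are placeholders; the endpoint hostnames are the standard service names that Private DNS maps onto interface endpoints; the check functions run on the private instance, while start_port_forward runs on the operator workstation with the Session Manager plugin installed.

```shell
#!/bin/sh
# Added example: preflight checks for a bastionless SSM instance, plus the
# port-forwarding command. Placeholders: AWS_REGION, instance ID, ports.
set -u

# Service hostnames the agent talks to. With Private DNS enabled on the
# interface endpoints these resolve to private (endpoint ENI) addresses.
ssm_endpoint_hosts() {
  region="$1"
  printf '%s\n' "ssm.$region.amazonaws.com" "ssmmessages.$region.amazonaws.com" \
    "ec2messages.$region.amazonaws.com" "ec2.$region.amazonaws.com"
}

# RFC 1918 test: tells us whether traffic goes to an endpoint or out via NAT.
is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Any HTTP status (403/404 included) proves the TLS path; 000 means no path.
check_endpoint() {
  host="$1"
  ip=$(getent ahostsv4 "$host" 2>/dev/null | awk 'NR==1{print $1}')
  if [ -z "$ip" ]; then echo "FAIL  $host (does not resolve)"; return 1; fi
  if is_private_ip "$ip"; then path="interface endpoint"; else path="public IP via NAT"; fi
  code=$(curl -sS -m 5 -o /dev/null -w '%{http_code}' "https://$host/" 2>/dev/null || true)
  if [ -z "$code" ] || [ "$code" = "000" ]; then
    echo "FAIL  $host -> $ip ($path): no TLS response"; return 1
  fi
  echo "OK    $host -> $ip ($path): HTTP $code"
}

# Agent unit name differs between package (Amazon Linux) and snap (Ubuntu) installs.
check_agent() {
  for unit in amazon-ssm-agent snap.amazon-ssm-agent.amazon-ssm-agent; do
    if systemctl is-active --quiet "$unit" 2>/dev/null; then
      echo "OK    SSM Agent running ($unit)"; return 0
    fi
  done
  echo "FAIL  SSM Agent not active"; return 1
}

# Instance profile check via IMDSv2 (token first, then the iam/info document).
check_instance_profile() {
  tok=$(curl -sS -m 2 -X PUT http://169.254.169.254/latest/api/token \
        -H 'X-aws-ec2-metadata-token-ttl-seconds: 60' 2>/dev/null || true)
  info=$(curl -sS -m 2 -H "X-aws-ec2-metadata-token: $tok" \
        http://169.254.169.254/latest/meta-data/iam/info 2>/dev/null || true)
  case "$info" in
    *InstanceProfileArn*) echo "OK    instance profile attached"; return 0 ;;
    *) echo "FAIL  no instance profile attached"; return 1 ;;
  esac
}

# Build the operator-side command: region, instance ID, remote port, local port.
port_forward_cmd() {
  printf "aws ssm start-session --region %s --target %s --document-name AWS-StartPortForwardingSession --parameters '%s'\n" \
    "$1" "$2" "{\"portNumber\":[\"$3\"],\"localPortNumber\":[\"$4\"]}"
}

# Run from the workstation: forwards localhost:$4 to port $3 on the instance.
start_port_forward() {
  aws ssm start-session --region "$1" --target "$2" \
    --document-name AWS-StartPortForwardingSession \
    --parameters "{\"portNumber\":[\"$3\"],\"localPortNumber\":[\"$4\"]}"
}

main() {
  region="${AWS_REGION:-us-east-1}"   # placeholder region
  rc=0
  check_agent || rc=1
  check_instance_profile || rc=1
  for h in $(ssm_endpoint_hosts "$region"); do check_endpoint "$h" || rc=1; done
  return $rc
}

# Only run the live checks when explicitly asked; sourcing the file just defines them.
if [ "${SSM_DEMO_RUN:-0}" = "1" ]; then main; fi
```

Run `SSM_DEMO_RUN=1 sh ssm-preflight.sh` on the instance; a line showing "public IP via NAT" for every host means the agent works but only because of the NAT route, so the endpoints (or their Private DNS setting) are not in use. The port-forwarding call, for example `start_port_forward us-east-1 i-0123456789abcdef0 22 2222`, then lets you `ssh -p 2222 user@localhost` without any inbound rule on the instance.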


Azure - Pipeline - Add Approver for Stage

https://learn.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass