Systems Manager Session Manager: What It Is and When to Use It

Definition

AWS Systems Manager Session Manager is a fully managed service that provides secure and auditable node management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. It allows you to manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, on-premises servers, and virtual machines (VMs) through an interactive one-click browser-based shell or the AWS Command Line Interface (AWS CLI).

How It Works

Session Manager relies on the AWS Systems Manager Agent (SSM Agent) installed on your managed nodes (EC2 instances, on-premises servers, or VMs). The SSM Agent initiates a secure outbound connection to the Systems Manager service in the AWS cloud. Once this connection is established, authorized users can start a session to the node through the AWS Management Console, AWS CLI, or SDKs.

All traffic between the user and the node is tunneled through this secure connection and encrypted using TLS 1.2. This architecture eliminates the need for open inbound ports (like port 22 for SSH or 3389 for RDP) on your instances, significantly improving your security posture. Access is controlled entirely through AWS Identity and Access Management (IAM) policies, providing granular control over which users can access which nodes. All session activity can be logged to Amazon S3 and Amazon CloudWatch Logs for auditing and compliance purposes.

Key Features and Limits

  • No Open Inbound Ports: Enhances security by eliminating the need to open ports for SSH or RDP, reducing the risk of brute-force attacks.
  • Centralized Access Control: Utilizes IAM policies to grant and revoke access to your instances, providing a single point of control.
  • Cross-Platform Support: Works with Windows, Linux, and macOS.
  • Auditing and Logging: Session history is retained for 30 days, and you can configure logging of all session activity, including commands and their outputs, to Amazon S3 and Amazon CloudWatch Logs.
  • Port Forwarding: Allows you to securely tunnel traffic from a local port on your client to a remote port on your instance, enabling access to web servers, databases, or other services running on the instance without direct network exposure.
  • Interactive Shell and CLI Access: Provides a browser-based shell in the AWS Management Console and also supports access through the AWS CLI.
  • Support for On-Premises Instances: Can be used to manage on-premises servers and VMs in addition to EC2 instances, though this may require the advanced on-premises instance tier.
  • Service Quotas: The history of each command is available for up to 30 days. For other limits, it's recommended to consult the official AWS documentation as they can change.

Common Use Cases

  • Securely Accessing Instances in Private Subnets: Session Manager is ideal for managing instances that do not have public IP addresses and are located in private subnets, as it doesn't require a bastion host or a NAT Gateway for access.
  • Improving Security Posture: For organizations looking to reduce their attack surface, Session Manager provides a more secure alternative to traditional SSH and RDP access by eliminating open inbound ports.
  • Auditing and Compliance: When strict auditing of user access and commands is required for compliance reasons, Session Manager's logging capabilities provide a detailed record of all session activity.
  • Simplified Access Management: Instead of managing individual SSH keys for numerous users and instances, Session Manager centralizes access control through IAM, simplifying the process of granting and revoking permissions.
  • Remote Port Forwarding: Securely accessing a web application or database running on a private EC2 instance from your local machine for development or troubleshooting purposes.

Pricing Model

There is no additional charge for using Session Manager to access Amazon EC2 instances. However, you may incur costs for the following:

  • Advanced On-Premises Instances: Using Session Manager to interactively access on-premises instances requires the advanced on-premises instance tier, which is priced on a pay-as-you-go basis.
  • Data Transfer: Standard AWS data transfer charges will apply for data transferred out from your instances.
  • VPC Endpoints: If you use VPC endpoints for Session Manager to connect to instances in private subnets without internet access, you will be charged for the VPC endpoints.
  • Logging: You will incur standard charges for storing and processing session logs in Amazon S3 and Amazon CloudWatch Logs.

For detailed pricing information, refer to the AWS Systems Manager Pricing page.

Pros and Cons

Pros:

  • Enhanced Security: Eliminates the need for open inbound ports and bastion hosts, significantly reducing the attack surface.
  • Centralized and Granular Access Control: Leverages IAM for fine-grained permissions, making it easier to manage user access at scale.
  • Improved Auditability: Provides comprehensive logging of all session activity for security analysis and compliance.
  • Simplified Operations: No need to manage SSH keys or bastion hosts, streamlining the operational overhead of instance management.
  • Cross-Platform Consistency: Offers a unified way to access both Linux and Windows instances.

Cons:

  • Requires SSM Agent: The SSM Agent must be installed and properly configured on all managed nodes.
  • IAM Configuration: Requires a proper understanding and setup of IAM roles and policies, which can be complex for beginners.
  • Potential for Slower CLI Experience: Some users may find the interactive shell experience to be slightly slower than a direct SSH connection.
  • Dependency on AWS Services: It is an AWS-specific solution and only works for instances managed by AWS Systems Manager.

Comparison with Alternatives

| Feature | Systems Manager Session Manager | SSH (Secure Shell) | RDP (Remote Desktop Protocol) | | :--- | :--- | :--- | :--- | | Access Method | Interactive shell via browser or AWS CLI | Command-line interface | Graphical user interface | | Security | No open inbound ports required; IAM-based access control | Requires open inbound port 22; key-based or password authentication | Requires open inbound port 3389; password-based authentication | | Auditing | Integrated with AWS CloudTrail, Amazon S3, and Amazon CloudWatch Logs | Manual logging configuration required | Manual logging configuration required | | Use Case | Secure, auditable access to AWS and on-premises instances | Remote command-line access to Linux/Unix-based systems | Remote graphical access to Windows-based systems | | Management | Centralized through AWS Systems Manager and IAM | Decentralized key management | Decentralized credential management |

Exam Relevance

Systems Manager Session Manager is a key topic in several AWS certification exams, particularly those focused on security, operations, and solutions architecture. For exams like the AWS Certified SysOps Administrator - Associate, AWS Certified Solutions Architect - Associate, and AWS Certified Security - Specialty, you should understand:

  • The security benefits of using Session Manager over traditional methods like SSH and RDP.
  • How Session Manager improves security posture by eliminating the need for open inbound ports and bastion hosts.
  • The role of the SSM Agent and the necessary IAM permissions for Session Manager to function.
  • How to configure session logging for auditing and compliance.
  • Common use cases, such as accessing instances in private subnets.

Frequently Asked Questions

Q: Do I need a bastion host to use Session Manager?

A: No, Session Manager eliminates the need for bastion hosts. It provides secure access to your instances without requiring you to manage additional infrastructure.

Q: Can I use Session Manager to access instances in a private VPC without internet access?

A: Yes, you can use AWS PrivateLink to create a VPC endpoint for Systems Manager. This allows the SSM Agent on your instances to communicate with the Systems Manager service without needing a route to the public internet.

Q: How can I control which users have access to which instances with Session Manager?

A: Access to instances via Session Manager is controlled using AWS Identity and Access Management (IAM) policies. You can create granular policies that specify which IAM users or roles can start sessions on which specific instances.


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 6/19/2026 / Updated: 6/19/2026

This article is for informational purposes only. AWS services, pricing, and features change frequently — always verify details against the official AWS documentation before making production decisions.

More in Monitoring