Access a bastion host by using Session Manager and Amazon EC2 Instance Connect

What You Can Do With Accessing a Bastion Host With Session Manager Template?

Accessing a bastion host with Session Manager template gives you a secure, no-SSH-needed way to access your AWS bastion hosts using Session Manager and E2C Instance Connect. It keeps your instance safe in private subnets, eliminating the need for public IPs. With support for IAM roles, SSH keys and encrypted endpoints, you get a structured, secure setup for managing remote access, without the usual risks.

Why Is This Template a Game Changer?

Unlike traditional methods that rely on publicly exposed instances, this template:

• Eliminates direct SSH access, thereby reducing the attack surface.

• Uses Session Manager and EC2 Instance Connect for secure browser-based login.

• Integrates IAM policies and multi-factor authentication, ensuring only authorized users gain access.

• Helps maintain compliance and audit readiness with access logs and encryption.

It’s a modern, cloud-native solution tailored to today’s zero-trust security environments.

Who needs this template, and when is the best time to use it? 

The access a bastion host with Session Manager template is ideal for:

• Cloud engineers manage private EC2 instances.

• DevOps teams seeking secure bastion access without public exposure.

• Security teams are enforcing strict access controls and audit logging.

• Organizations handling sensitive workloads that require hard remote access.

Use this template whenever you need secure access to EC2 instances, especially in production environments or when working in private VPCs with no internet gateway.

What Are the Main Components of the Template?

• AWS Cloud – The secure cloud environment for your infrastructure.

• Amazon EC2 (Bastion Host) – The instance acting as your controlled access point.

• IAM Role & IAM Policy Rules – Permissions defining who can access what.

• Session Manager – Allows secure remote access without SSH.

• EC2 Instance Connect – Browser-based connection to the instance.

• SSH Key Pair – For encrypted user authentication.

• SSM Endpoint & EC2 Messages Endpoint – For secure command execution.

• Private Subnet – Keeps the instance isolated from the public internet.

• Access Logs – Monitors for all authentication attempts.

• Multi-Factor Authentication (MFA) – Adds another layer of security.

• Instance Isolation – Prevents unauthorized lateral movement.

How to Get Started With Cloudairy?

1. Log in to your Cloudairy account.
2. Go to the Template Library.
3. Search for “Access a Bastion Host Using Session Manager”.
4. Click to preview the template and view its components.
5. Click "Use Template" to bring it into your workspace.
6. Start configuring IAM roles, SSH keys, and security policies.
7. Collaborate with your security teams and export configurations into AWS.
8. You're now ready for secure, SSH-free access to your bastion host! 

Summary 

This Cloudairy template gives you a smarter, safer way to access your AWS E2C bastion hosts- no SSH, no public IPs, and provides a secure network. With Session Manager and E2C Instance Connect working together, you get seamless access that’s fully private, compliant, and easy to manage. It’s a modern solution built for teams who want to keep things secure while staying future-ready in the clouds.

This guide provides a detailed walkthrough on how to access a bastion host with Session Manager and Amazon EC2 Instance Connect, enabling secure, auditable, and efficient access to private AWS resources without the need to expose SSH ports. Traditional bastion hosts require open inbound ports, which can increase your security risk. By using AWS Systems Manager Session Manager, you can initiate browser-based or CLI-based sessions that are encrypted, logged, and controlled via IAM policies. This method also allows integration with EC2 Instance Connect to provision temporary SSH keys, further reducing credential management complexity.