Skip to main content

Use Systems Manager Session Manager

AWS Systems Manager Session Manager allows you to manage your EC2 instances and on-premises servers using a browser-based shell or the AWS CLI. To use Systems Manager Session Manager for EC2 instances with Stax, you need to configure an IAM Instance Profile. The profile grants the instance access to write to the Systems Manager Session Manager logging S3 bucket.

If using Stax Networks, you need to perform additional steps and should follow this guide instead: Use Systems Manager Session Manager with Stax Networks.

Before You Begin

  • Estimated time to complete: 15 minutes

Why do I need to do this?

When you use AWS Systems Manager Session Manager, it requires access to trigger messages to the Systems Manager control plane, and also to write logs to an S3 bucket. This access requires an appropriately configured IAM Instance Profile.

Configure the IAM Instance Profile

Your instance(s) will need an IAM Instance Profile assigned that permits the Systems Manager activities that are required. The easiest way to do this is to apply the AmazonSSMManagedInstanceCore managed policy to your Instance Profile. Additionally, you'll require a policy or in-line policy that grants the instance access to write to the Stax Session Manager logging bucket:

{
   "Effect": "Allow",
   "Action": [
       "s3:PutObject",
       "s3:PutObjectAcl",
       "s3:PutObjectTagging",
       "s3:GetEncryptionConfiguration",
       "s3:GetBucketLocation"
   ],
   "Resource": [
       "arn:aws:s3:::<SMSM_BUCKET_NAME>",
       "arn:aws:s3:::<SMSM_BUCKET_NAME>/*"
   ]
}

In the JSON policy syntax above, replace the <SMSM_BUCKET_NAME> placeholder with your AWS Systems Manager Session Manager S3 bucket. This bucket resides in your logging account and will have a name similar to stax-session-manager-25d515d9-92d3-4ce7-8519-9c305490b5c0.

S3 Bucket Encryption

Systems Manager delivers logs to a Stax-managed S3 bucket in your Logging account. These buckets are encrypted with the default SSE-S3 mechanism (AES-256).

In the event that your session logs are not being delivered to the configured S3 bucket, it could be due to an incompatible Stax Policy applied to the account in which the EC2 instance is running.

A Stax Policy such as the following would prevent logs from being delivered:

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Effect": "Deny",
           "Action": "s3:PutObject",
           "Resource": "*",
           "Condition": {
               "StringNotEquals": {
                   "s3:x-amz-server-side-encryption": "AES256"
               }
           }
       },
       {
           "Effect": "Deny",
           "Action": "s3:PutObject",
           "Resource": "*",
           "Condition": {
               "Null": {
                   "s3:x-amz-server-side-encryption": true
               }
           }
       }
   ]
}

There is a known issue with the Systems Manager agent that causes this to occur. To work around this issue, the faulting statements in the Policy must be removed from the source account.

All Stax-managed logging buckets have default encryption enabled, which means that log files placed into the bucket will be encrypted regardless.