I want to use Session Manager, a capability of AWS Systems Manager, to create port forwarding.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
To use Session Manager to create port forwarding, complete the following steps:
- Confirm that Systems Manager manages your Amazon Elastic Compute Cloud (Amazon EC2) instance. For more information, see Managing EC2 instances with Systems Manager and Manually installing and uninstalling AWS Systems Manager Agent on EC2 instances for Linux.
- Install the Session Manager plugin for the AWS CLI.
- To verify that the target port on the EC2 instance is in listening mode, run the command for the instance's OS. Note that the port must be listening on the instance itself; the port forwarding session connects to it from the instance, not from the network.
Linux:
netstat -plant
macOS:
lsof -iTCP -sTCP:LISTEN -P -n
Windows (from an elevated command prompt, because -b requires it; -a is needed to include listening sockets):
netstat -anb
- Configure an AWS Identity and Access Management (IAM) policy that allows users to start port forwarding sessions through Systems Manager. The following example policy allows ssm:StartSession with the AWS-StartPortForwardingSession document against every EC2 instance in the account. For least privilege, replace instance/* with the ARNs of the specific instances, or add a condition on instance tags, so that the identity can open tunnels only to the instances it needs.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ssm:StartSession",
"Resource": [
"arn:aws:ec2:*:example-account-id:instance/*",
"arn:aws:ssm:*::document/AWS-StartPortForwardingSession"
]
}
]
}
Note: Replace example-account-id with your AWS account ID.
- Run the command for your local OS. The portNumber parameter is the port on the instance (80 for the web server in this example), and localPortNumber is the port that the Session Manager plugin opens on your local machine.
Linux or macOS:
aws ssm start-session \
--target example-EC2-instance-ID \
--document-name AWS-StartPortForwardingSession \
--parameters '{"portNumber":["80"], "localPortNumber":["example-local-port"]}'
Windows:
aws ssm start-session --target example-EC2-instance-ID --document-name AWS-StartPortForwardingSession --parameters portNumber="80",localPortNumber="example-local-port"
Note: Replace example-EC2-instance-ID with your EC2 instance ID and example-local-port with your local port. The session stays open in the terminal until you press Ctrl+C.
- To view the web server content from your instance, load http://localhost:example-local-port in the browser on your local machine.
Note: You don't need to open inbound port 80 on the managed EC2 instance in a security group or network access control list. The forwarded traffic travels over the outbound connection that SSM Agent already maintains to the Systems Manager endpoints, so the only requirement on the instance is that the web server is listening on port 80 locally.
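The steps above as one script, as an added example that is not part of the original article: it validates the inputs, confirms that Systems Manager manages the instance, opens the port forwarding session in the background, waits for the local port to accept connections, and fetches the page through the tunnel. It assumes bash, the AWS CLI, the Session Manager plugin, configured AWS credentials and curl; the script name, the function names, the 127.0.0.1 probe and the sample instance ID in the usage line are choices made here, not from the page.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Assumes bash, the AWS CLI,
# the Session Manager plugin, AWS credentials and curl are available.
set -eu

# Validate an EC2 instance ID: "i-" followed by 8 or 17 hex digits.
is_instance_id() {
  printf '%s\n' "$1" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# Validate a TCP port number: digits only, 1-65535.
is_valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the --parameters JSON for AWS-StartPortForwardingSession:
# $1 is the port on the instance, $2 is the port opened on the local machine.
ssm_params_json() {
  printf '{"portNumber":["%s"],"localPortNumber":["%s"]}' "$1" "$2"
}

# Poll until host:port accepts a TCP connection, or give up after $3 seconds.
# Uses bash's /dev/tcp so no extra tools are needed.
wait_for_port() {
  local host=$1 port=$2 timeout=${3:-15} i=0
  while [ "$i" -lt "$timeout" ]; do
    if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
      return 0
    fi
    sleep 1
    i=$((i + 1))
  done
  return 1
}

# Usage: ./ssm_port_forward.sh <instance-id> <instance-port> <local-port>
main() {
  local instance=$1 remote_port=$2 local_port=$3 status session_pid

  is_instance_id "$instance" || { echo "bad instance ID: $instance" >&2; exit 1; }
  is_valid_port "$remote_port" && is_valid_port "$local_port" \
    || { echo "ports must be 1-65535" >&2; exit 1; }

  # The plugin must be on PATH, or start-session fails as soon as it starts.
  command -v session-manager-plugin >/dev/null \
    || { echo "Session Manager plugin is not installed" >&2; exit 1; }

  # Confirm Systems Manager manages the instance: PingStatus must be Online.
  status=$(aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$instance" \
    --query 'InstanceInformationList[0].PingStatus' --output text)
  [ "$status" = "Online" ] \
    || { echo "$instance is not managed/online (PingStatus: $status)" >&2; exit 1; }

  # Open the tunnel in the background and tear it down when the script exits.
  aws ssm start-session --target "$instance" \
    --document-name AWS-StartPortForwardingSession \
    --parameters "$(ssm_params_json "$remote_port" "$local_port")" &
  session_pid=$!
  trap "kill $session_pid 2>/dev/null || true" EXIT

  # The plugin needs a moment before the local port accepts connections.
  wait_for_port 127.0.0.1 "$local_port" 20 \
    || { echo "local port $local_port never opened" >&2; exit 1; }

  # curl equivalent of loading http://localhost:<local-port> in a browser.
  curl -sS -o /dev/null -w "HTTP %{http_code} via local port $local_port\n" \
    "http://127.0.0.1:$local_port/"
}

# Run only when invoked with arguments, so the helpers can be sourced on their own.
if [ "$#" -ge 1 ]; then
  main "$@"
fi
```

Run it as `./ssm_port_forward.sh i-0123456789abcdef0 80 8080` (placeholder instance ID) and then browse to http://localhost:8080 while it is running. The PingStatus check fails fast when the instance is not managed or its agent is offline, which is the usual reason a start-session call fails before any port is opened, and the EXIT trap makes sure the background session does not outlive the script.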