What is the difference between EC2 Instance Connect and Session Manager SSH connections?


It looks like there are two distinct ways that I can SSH from my local laptop into my instances without manually managing keys:

  • Session Manager: You can enable users in your AWS account to use the AWS CLI to establish Secure Shell (SSH) connections to instances using Session Manager. Users who connect using SSH can also copy files between their local machines and managed instances using Secure Copy Protocol (SCP). You can use this functionality to connect to instances without opening inbound ports or maintaining bastion hosts.
  • EC2 Instance Connect: Amazon EC2 Instance Connect provides a simple and secure way to connect to your instances using Secure Shell (SSH). You can use Instance Connect to connect to your Linux instances using a browser-based client, the Amazon EC2 Instance Connect CLI, or the SSH client of your choice. When you connect to an instance using EC2 Instance Connect, the Instance Connect API pushes a one-time-use SSH public key to the instance metadata where it remains for 60 seconds.

What are the differences between these options? It sounds like EC2 Instance Connect is fairly simple and Session Manager potentially does a lot more. How does Session Manager actually work? Does it actually open a direct SSH connection between my machine and the EC2 instance, or is the connection being proxied via some EC2 service?

asked 4 years ago
2 Answers
Accepted Answer

There are many nuanced differences between these services, but the basic idea is that EC2 Instance Connect allows for a convenient and secure native SSH connection using short-lived keys, while Session Manager permits an SSH connection tunneled over a proxy connection.

The Session Manager agent establishes a reverse connection to the service, so it is not necessary to, for example, open port 22 on the host. EC2 Instance Connect requires the host security group to permit SSH traffic inbound.

A few other things of note: EC2 Instance Connect supports only Linux EC2 hosts, while Session Manager supports both Windows and Linux hosts, whether EC2 instances or on-premises.

Hope that helps.

answered 4 years ago
  • If I understand correctly, using EC2 Instance Connect is better than traditional SSH and integrates with the legacy access method, but it's worse than Session Manager. With Session Manager, we don't need to open port 22 and the configuration is much simpler. Why don't we just use Session Manager?
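The two connection paths the accepted answer describes, as an added example (not code from the original post or from AWS): a POSIX shell script with one function per path. It assumes the AWS CLI v2 is installed locally and, for the Session Manager path, the session-manager-plugin as well; the instance ID `i-0123456789abcdef0`, the availability zone `us-east-1a`, the OS user `ec2-user` and the address `203.0.113.10` are placeholders. `DRY_RUN=1` prints each command instead of running it, so the flow can be read without an AWS account.

```shell
#!/bin/sh
# Added example: the two key-less SSH paths described in the accepted answer.
# Assumes AWS CLI v2 (+ session-manager-plugin for the SSM path) on the laptop.
# Instance ID, AZ, OS user and IP used below are placeholders, not real hosts.
set -eu

: "${DRY_RUN:=0}"   # DRY_RUN=1 prints each command instead of executing it

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Path 1: EC2 Instance Connect. Generate a throwaway key pair, push the public
# half through the Instance Connect API (the instance honours it for 60 s), then
# open a normal SSH session straight to the host. Because the connection is
# native SSH, the security group must allow inbound 22/tcp from the client.
# Caller needs the ec2-instance-connect:SendSSHPublicKey permission.
ec2ic_ssh() {
  local instance_id="$1" az="$2" os_user="$3" host="$4"
  local keydir key
  keydir="$(mktemp -d)"
  key="$keydir/ec2ic_key"
  run ssh-keygen -q -t ed25519 -N "" -f "$key"
  run aws ec2-instance-connect send-ssh-public-key \
    --instance-id "$instance_id" \
    --availability-zone "$az" \
    --instance-os-user "$os_user" \
    --ssh-public-key "file://$key.pub"
  # Must run inside the 60-second window opened by the call above.
  run ssh -i "$key" -o IdentitiesOnly=yes "$os_user@$host"
  rm -rf "$keydir"
}

# Path 2: Session Manager. No inbound rule is needed: the SSM agent on the
# instance holds an outbound connection to the SSM service, and the
# AWS-StartSSHSession document tunnels the SSH byte stream over it. SSM only
# carries the bytes; authentication is still sshd's, so the host must already
# trust a key you hold (or you push one with Instance Connect first).
# Caller needs ssm:StartSession; the instance needs a running SSM agent and an
# instance profile with the AmazonSSMManagedInstanceCore policy (or equivalent).
ssm_ssh_config() {
  cat <<'EOF'
# ~/.ssh/config entry for SSM-tunneled SSH (i-* = EC2, mi-* = hybrid/on-prem node)
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# With that config in place the target is the instance ID, not an IP, and the
# ssh command line is otherwise unchanged (scp/sftp work the same way).
ssm_ssh() {
  local os_user="$1" instance_id="$2"
  run ssh "$os_user@$instance_id"
}

# Preflight for path 2: is the instance registered with SSM at all?
# Prints "Online" when the agent is up and the role is attached.
ssm_managed() {
  run aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$1" \
    --query 'InstanceInformationList[0].PingStatus' --output text
}

if [ "${1:-}" = "demo" ]; then
  ssm_ssh_config
  ssm_managed i-0123456789abcdef0
  ec2ic_ssh i-0123456789abcdef0 us-east-1a ec2-user 203.0.113.10
fi
```

The two paths compose: pushing a one-time key with `send-ssh-public-key` and then connecting via the `ProxyCommand` to the instance ID removes both the long-lived key and the open port, which is the combination most teams end up with. Check `ssm_managed` before blaming networking when the SSM path hangs; a `None` result means the agent never registered (missing role or no route to the SSM endpoints), not a firewall problem.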


The simple answer to this is that after deploying your EC2 instance you want to connect to it and use it the same way you would use a computer in front of you. Now coming down to the question.

1.) SSH connect
  • It basically allows you to control a remote machine, all using the command line.
  • You can configure all the required parameters necessary for doing SSH using the free tool PuTTY.

2.) EC2 Instance Connect
  • Connect to the EC2 instance within your browser.
  • No need to use the key file that you have downloaded.
  • The best part is that the temporary key is uploaded onto the EC2 instance by AWS.

Hope that helps!
answered 2 years ago
