How do I troubleshoot issues with AWS Systems Manager Session Manager?


When I try to use AWS Systems Manager Session Manager, my session fails.

Resolution

The steps to troubleshoot Session Manager issues vary depending on the reason for the session failure.

When a session fails because your Amazon Elastic Compute Cloud (Amazon EC2) instance isn't available as a managed instance, troubleshoot your managed instance availability.

When a session fails and your EC2 instance is available as a managed instance, troubleshoot Session Manager to resolve these issues:

  • Session Manager doesn't have permission to start a session.
  • Session Manager doesn't have permission to change session preferences.
  • A managed node isn't available or isn't configured for Session Manager.
  • Session Manager plugins aren't added to the command line path (Windows).
  • The system sends a TargetNotConnected error.
  • Session Manager displays a blank screen when you start a session.

When a session fails and displays one of the following error messages, apply the appropriate troubleshooting guidance.

"Your session has been terminated for the following reasons: ----------ERROR------- Encountered error while initiating handshake. Fetching data key failed: Unable to retrieve data key, Error when decrypting data key AccessDeniedException: The ciphertext refers to a AWS KMS key that does not exist, does not exist in this region, or you are not allowed to access. status code: 400, request id: xxxxxxxxxxxx"

You receive this error when AWS Key Management Service (AWS KMS) encryption of session data is turned on in your Session Manager preferences, but the user who starts the session or the EC2 instance that the session connects to doesn't have the required permissions on that KMS key. To resolve this error, keep AWS KMS encryption turned on for your session data, and then follow these steps:

1.    Grant the required KMS key permissions to the users who start sessions and the instances that the sessions connect to. Then, configure AWS Identity and Access Management (IAM) to provide the users and instances with permissions to use the KMS key with Session Manager:

Note: Starting with AWS Systems Manager Agent (SSM Agent) version 3.2.582.0, Default Host Management Configuration automatically manages EC2 instances without an IAM instance profile. The instances must use Instance Metadata Service Version 2 (IMDSv2).
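The following is an added example, not code from the article or from AWS. It checks, offline, whether two identity policies grant the KMS actions that the handshake in the error above depends on. The action mapping follows the Session Manager documentation: the user who calls ssm:StartSession needs kms:GenerateDataKey on the session data key, and the instance profile (or the Default Host Management Configuration role) needs kms:Decrypt on the same key. The key ARN and the three policy documents are constructed for illustration, and the evaluator is deliberately minimal: it handles Allow/Deny and wildcards in Action and Resource but ignores Condition, NotAction and NotResource, which a real iam:SimulatePrincipalPolicy call would evaluate for you.

```python
"""Offline check of the KMS permissions Session Manager needs for
encrypted session data.  Added example, not the article's or AWS's code.

Assumptions: policies and key ARN below are constructed; the required
actions follow the Session Manager documentation (user: kms:GenerateDataKey,
instance role: kms:Decrypt).  Condition, NotAction and NotResource are
ignored by this simplified evaluator.
"""
import fnmatch

# Which identity needs which action on the session data key.
REQUIRED_KMS_ACTIONS = {
    "user": ["kms:GenerateDataKey"],  # the caller of ssm:StartSession
    "instance": ["kms:Decrypt"],      # instance profile / DHMC role on the target
}


def _as_list(value):
    """IAM accepts either a string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """IAM-style '*' and '?' wildcard match, case-insensitive."""
    return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in patterns)


def action_allowed(policy, action, resource_arn):
    """True if `policy` grants `action` on `resource_arn`.

    An explicit Deny wins over any Allow, as in real IAM evaluation.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _matches(_as_list(stmt.get("Action")), action):
            continue
        if not _matches(_as_list(stmt.get("Resource")), resource_arn):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_kms_permissions(policy, identity_kind, key_arn):
    """Return the required KMS actions that `policy` does not grant on `key_arn`."""
    return [a for a in REQUIRED_KMS_ACTIONS[identity_kind]
            if not action_allowed(policy, a, key_arn)]


# Constructed sample data (not real accounts or keys) ----------------------
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# The session-starting user: StartSession plus GenerateDataKey scoped to the key.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:StartSession", "Resource": "*"},
        {"Effect": "Allow", "Action": "kms:GenerateDataKey", "Resource": KEY_ARN},
    ],
}

# An instance role that only has the SSM messaging actions: no kms:Decrypt,
# so the agent cannot unwrap the data key and the handshake fails.
INSTANCE_POLICY_BROKEN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:UpdateInstanceInformation", "ssmmessages:*", "ec2messages:*"],
         "Resource": "*"},
    ],
}

# The same role with the missing grant added, scoped to the session data key.
INSTANCE_POLICY_FIXED = {
    "Version": "2012-10-17",
    "Statement": INSTANCE_POLICY_BROKEN["Statement"] + [
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
    ],
}

if __name__ == "__main__":
    for label, policy, kind in [("user", USER_POLICY, "user"),
                                ("instance (before)", INSTANCE_POLICY_BROKEN, "instance"),
                                ("instance (after)", INSTANCE_POLICY_FIXED, "instance")]:
        missing = missing_kms_permissions(policy, kind, KEY_ARN)
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Scoping both grants to the key ARN rather than `"Resource": "*"` is the least-privilege form; note that a grant scoped to a key in one Region does not cover a key with the same ID in another Region, which is one way to produce the "does not exist in this region" variant of the error.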

"Your session has been terminated for the following reasons: Couldn't start the session because we are unable to validate encryption on Amazon S3 bucket. Error: AccessDenied: Access Denied status code: 403"

You receive this error when you choose Allow only encrypted S3 buckets for S3 logging in your Session Manager preferences and Session Manager can't confirm that the bucket has default encryption. The 403 AccessDenied status means the encryption check itself was refused: the instance profile must be allowed s3:GetEncryptionConfiguration on the bucket, and the bucket must have default encryption (SSE-S3 or SSE-KMS) turned on. Follow one of these procedures to resolve the error:

"Your session has been terminated for the following reasons: We couldn't start the session because encryption is not set up on the selected CloudWatch Logs log group. Either encrypt the log group or choose an option to enable logging without encryption."

You receive this error when you choose Allow only encrypted CloudWatch log groups for CloudWatch logging in your Session Manager preferences. Follow one of these procedures to resolve the error:
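The three start-up failures above (KMS key not usable, unencrypted S3 bucket, unencrypted CloudWatch log group) can be predicted from the session preferences before anyone starts a session. The block below is an added example, not code from the article or from AWS. It reads the preference values by the input names used in the SSM-SessionManagerRunShell document (kmsKeyId, s3BucketName, s3EncryptionEnabled, cloudWatchLogGroupName, cloudWatchEncryptionEnabled) and compares them with three constructed inventories that stand in for what `aws kms describe-key`, `aws s3api get-bucket-encryption` and `aws logs describe-log-groups` would return; the bucket names, log group names and key ARN are made up.

```python
"""Pre-flight check of Session Manager preferences against the encryption
state of the logging targets.  Added example, not the article's or AWS's code.

Assumptions: `prefs` uses the SSM-SessionManagerRunShell input names; the
inventories are constructed stand-ins for KMS, S3 and CloudWatch Logs
describe/get calls, and `keys_in_region` folds key existence and key
access together (a real check would also evaluate the IAM and key policies).
"""


def _truthy(value):
    """The preferences document stores JSON booleans, but hand-edited
    documents often carry the strings "true"/"false"; accept both."""
    return value is True or str(value).lower() == "true"


def check_session_preferences(prefs, keys_in_region, bucket_encryption, log_group_keys):
    """Return (setting, problem) pairs; an empty list means the session can start.

    keys_in_region:    KMS key IDs/ARNs/aliases that exist and are usable in this Region
    bucket_encryption: bucket name -> default SSE algorithm ("AES256", "aws:kms") or None
    log_group_keys:    log group name -> associated KMS key ARN or None
    """
    problems = []

    key_id = prefs.get("kmsKeyId", "")
    if key_id and key_id not in keys_in_region:
        problems.append(("kmsKeyId",
                         "key does not exist in this Region or cannot be used "
                         "(handshake error: 'Unable to retrieve data key')"))

    bucket = prefs.get("s3BucketName", "")
    if bucket and _truthy(prefs.get("s3EncryptionEnabled")):
        if bucket_encryption.get(bucket) is None:
            problems.append(("s3EncryptionEnabled",
                             f"'Allow only encrypted S3 buckets' is set but {bucket} "
                             "has no default encryption"))

    group = prefs.get("cloudWatchLogGroupName", "")
    if group and _truthy(prefs.get("cloudWatchEncryptionEnabled")):
        if log_group_keys.get(group) is None:
            problems.append(("cloudWatchEncryptionEnabled",
                             f"'Allow only encrypted CloudWatch log groups' is set but "
                             f"{group} is not encrypted with a KMS key"))
    return problems


# Constructed inventories for one Region (us-east-1) -------------------------
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KEYS_IN_REGION = {KEY_ARN}
BUCKET_ENCRYPTION = {"session-logs-plain": None, "session-logs-sse": "aws:kms"}
LOG_GROUP_KEYS = {"/ssm/sessions-plain": None, "/ssm/sessions-enc": KEY_ARN}

# Preferences that trip all three checks: key from another Region, encrypted-only
# logging pointed at a plain bucket and a plain log group.
PREFS_BROKEN = {
    "kmsKeyId": KEY_ARN.replace("us-east-1", "eu-west-1"),
    "s3BucketName": "session-logs-plain",
    "s3EncryptionEnabled": True,
    "cloudWatchLogGroupName": "/ssm/sessions-plain",
    "cloudWatchEncryptionEnabled": "true",
}

# Corrected preferences: same encrypted-only settings, but the targets are
# actually encrypted and the key lives in the session's Region.  Clearing the
# two "Allow only encrypted ..." options would also stop the errors, at the
# cost of logging session data unencrypted.
PREFS_FIXED = {
    "kmsKeyId": KEY_ARN,
    "s3BucketName": "session-logs-sse",
    "s3EncryptionEnabled": True,
    "cloudWatchLogGroupName": "/ssm/sessions-enc",
    "cloudWatchEncryptionEnabled": True,
}

if __name__ == "__main__":
    for label, prefs in [("broken", PREFS_BROKEN), ("fixed", PREFS_FIXED)]:
        found = check_session_preferences(prefs, KEYS_IN_REGION, BUCKET_ENCRYPTION, LOG_GROUP_KEYS)
        print(label, "->", found or "no problems")
```

A useful habit is to run a check like this from a CI job whenever the preferences document or the logging bucket changes, so an encryption drift shows up as a failed pipeline instead of a terminated session.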

Related information

How do I attach or replace an instance profile on an Amazon EC2 instance?

Logging session activity

Setting up Session Manager

AWS OFFICIAL
Updated by AWS OFFICIAL 1 year ago
2 comments

I'm practicing Cloud Quest. I cleared Allow only encrypted S3 buckets and Allow only encrypted CloudWatch log groups but Session Manager is terminated. Why?

replied 3 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 3 months ago