2

Generally, any traffic to an EC2 instance will pass through the Security Group attached to the interface of the EC2 instance. However, when an SSH connection to an EC2 instance is established via AWS Session Manager, Security Groups have no impact. How is the traffic reaching the EC2 instance if not via the instance's interface (& Security Group)?

1 Answer

4

To use Session Manager you need the SSM agent running on your instances. This opens a bi-directional pipe out (this is critical, it does not listen on any ports) to the SSM service. This is then used to piggyback signals over.

So when you make the ssh connection from your local machine to the instance via session manager, it is tunnelled over this connection.

A little extra information from AWS here: https://forums.aws.amazon.com/thread.jspa?threadID=270976

dpwr
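The answer's point, that the agent dials out and nothing listens for inbound connections, can be checked against the security groups attached to an instance. The following is an added example, not part of the original answer: it assumes the agent reaches the SSM service over outbound HTTPS (TCP 443), takes rules in the JSON shape of `aws ec2 describe-security-groups`, and uses constructed group IDs and a hypothetical `audit` function.

```python
# Added example: audit the security groups of an instance that is reached
# only through Session Manager. All sample groups below are constructed.

def _covers(perm, port):
    """True if one IpPermission entry covers the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def _peers(perm):
    """Flatten the CIDR, group and prefix-list peers of one rule."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            + [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
            + [p["PrefixListId"] for p in perm.get("PrefixListIds", [])])

def audit(groups):
    """groups: every security group attached to ONE instance."""
    findings = []
    # Inbound SSH is not needed: the session rides the agent's outbound pipe.
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if _covers(perm, 22):
                findings += [(sg["GroupId"], "inbound-ssh-not-needed", peer)
                             for peer in _peers(perm)]
    # Egress rules of all attached groups are additive, so check the union.
    egress = [p for sg in groups for p in sg.get("IpPermissionsEgress", [])]
    if not any(_covers(p, 443) and _peers(p) for p in egress):
        findings.append(("*", "agent-cannot-reach-ssm-over-443", None))
    return findings

ANY = [{"CidrIp": "0.0.0.0/0"}]
OPEN_SSH = {"GroupId": "sg-0aaa",
            "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
                               "ToPort": 22, "IpRanges": ANY}],
            "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": ANY}]}
NO_HTTPS = {"GroupId": "sg-0bbb", "IpPermissions": [],
            "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 80,
                                     "ToPort": 80, "IpRanges": ANY}]}
SSM_ONLY = {"GroupId": "sg-0ccc", "IpPermissions": [],
            "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443,
                                     "ToPort": 443, "IpRanges": ANY}]}

if __name__ == "__main__":
    for name, attached in [("a", [OPEN_SSH]), ("b", [NO_HTTPS]), ("c", [SSM_ONLY])]:
        print(name, audit(attached))
```

An empty result, as for `SSM_ONLY`, is the target state: no inbound rules at all and only outbound 443 for the agent.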