• The AWS Systems Manager CloudWatch Dashboard will no longer be available after April 30, 2026. Customers can continue to use Amazon CloudWatch console to view, create, and manage their Amazon CloudWatch dashboards, just as they do today. For more information, see [Amazon CloudWatch Dashboard documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html). # Working with Session Manager You can use the AWS Systems Manager console, the Amazon Elastic Compute Cloud (Amazon EC2) console, or the AWS Command Line Interface (AWS CLI) to start sessions that connect you to the managed nodes your system administrator has granted you access to using AWS Identity and Access Management (IAM) policies. Depending on your permissions, you can also view information about sessions, resume inactive sessions that haven't timed out, and end sessions. After a session is established, it is not affected by IAM role session duration. For information about limiting session duration with Session Manager, see [Specify an idle session timeout value](session-preferences-timeout.md) and [Specify maximum session duration](session-preferences-max-timeout.md). For more information about sessions, see [What is a session?](session-manager.md#what-is-a-session) **Topics** + [ # Install the Session Manager plugin for the AWS CLI ](session-manager-working-with-install-plugin.md) + [ # Start a session ](session-manager-working-with-sessions-start.md) + [ # End a session ](session-manager-working-with-sessions-end.md) + [ # View session history ](session-manager-working-with-view-history.md) # Install the Session Manager plugin for the AWS CLI To initiate Session Manager sessions with your managed nodes by using the AWS Command Line Interface (AWS CLI), you must install the *Session Manager plugin* on your local machine. You can install the plugin on supported versions of Microsoft Windows Server, macOS, Linux, and Ubuntu Server. **Note** To use the Session Manager plugin, you must have AWS CLI version 1.16.12 or later installed on your local machine. For more information, see [Installing or updating the latest version of the AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html). **Topics** + [ # Session Manager plugin latest version and release history ](plugin-version-history.md) + [ # Install the Session Manager plugin on Windows ](install-plugin-windows.md) + [ # Install the Session Manager plugin on macOS ](install-plugin-macos-overview.md) + [ # Install the Session Manager plugin on Linux ](install-plugin-linux-overview.md) + [ # Verify the Session Manager plugin installation ](install-plugin-verify.md) + [ # Session Manager plugin on GitHub ](plugin-github.md) + [ # (Optional) Turn on Session Manager plugin logging ](install-plugin-configure-logs.md) # Session Manager plugin latest version and release history Version history Your local machine must be running a supported version of the Session Manager plugin. The current minimum supported version is 1.1.17.0. If you're running an earlier version, your Session Manager operations might not succeed. To see if you have the latest version, run the following command in the AWS CLI. **Note** The command returns results only if the plugin is located in the default installation directory for your operating system type. You can also check the version in the contents of the `VERSION` file in the directory where you have installed the plugin. ``` session-manager-plugin --version ``` The following table lists all releases of the Session Manager plugin and the features and enhancements included with each version. **Important** We recommend you always run the latest version. The latest version includes enhancements that improve the experience of using the plugin. | Version | Release date | Details | | --- | --- | --- | | 1.2.804.0 | April 2, 2026 | **Enhancement**: Bump to aws-sdk-go-v2 package. **Bug fix**: Update windows install script. **Bug fix**: Update default plugin version for local build. | | 1.2.792.0 | March 17, 2026 | **Bug fix**: Add international keyboard support for Windows. | | 1.2.779.0 | February 12, 2026 | **Enhancement**: Update Go version to 1.25 in Dockerfile. **Bug fix**: Add shebang lines to debian packaging scripts. | | 1.2.764.0 | November 19, 2025 | **Enhancement**: Added support for signing OpenDataChannel request. **Bug fix**: Fix checkstyle issues to support newer Go version. | | 1.2.707.0 | February 6, 2025 | **Enhancement**: Upgraded the Go version to 1.23 in the Dockerfile. Updated the version configuration step in the README. | | 1.2.694.0 | November 20, 2024 | **Bug fix**: Rolled back change that added credentials to OpenDataChannel requests. | | 1.2.688.0 | November 6, 2024 | **This version was deprecated on 11/20/2024.** **Enhancements**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/plugin-version-history.html) | | 1.2.677.0 | October 10, 2024 | **Enhancement**: Added support for passing the plugin version with OpenDataChannel requests. | | 1.2.650.0 | July 02, 2024 | **Enhancement**: Upgraded aws-sdk-go to 1.54.10.**Bug fix**: Reformated comments for gofmt check. | | 1.2.633.0 | May 30, 2024 | Enhancement: Updated the Dockerfile to use an Amazon Elastic Container Registry (Amazon ECR) image. | | 1.2.553.0 | January 10, 2024 | Enhancement: Upgraded aws-sdk-go and dependent Golang packages. | | 1.2.536.0 | December 4, 2023 | Enhancement: Added support for passing a [StartSession](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_StartSession.html) API response as an environment variable to session-manager-plugin. | | 1.2.497.0 | August 1, 2023 | Enhancement: Upgraded Go SDK to v1.44.302. | | 1.2.463.0 | March 15, 2023 | Enhancement: Added Mac with Apple silicon support for Apple Mac (M1) in macOS bundle installer and signed installer. | | 1.2.398.0 | October 14, 2022 | Enhancement: Support golang version 1.17. Update default session-manager-plugin runner for macOS to use python3. Update import path from SSMCLI to session-manager-plugin. | | 1.2.339.0 | June 16, 2022 | Bug fix: Fix idle session timeout for port sessions. | | 1.2.331.0 | May 27, 2022 | Bug fix: Fix port sessions closing prematurely when the local server doesn't connect before timeout. | | 1.2.323.0 | May 19, 2022 | Bug fix: Disable smux keep alive to use idle session timeout feature. | | 1.2.312.0 | March 31, 2022 | Enhancement: Supports more output message payload types. | | 1.2.295.0 | January 12, 2022 | Bug fix: Hung sessions caused by client resending stream data when agent becomes inactive, and incorrect logs for start\$1publication and pause\$1publication messages. | | 1.2.279.0 | October 27, 2021 | Enhancement: Zip packaging for Windows platform. | | 1.2.245.0 | August 19, 2021 | Enhancement: Upgrade aws-sdk-go to latest version (v1.40.17) to support AWS IAM Identity Center. | | 1.2.234.0 | July 26, 2021 | Bug fix: Handle session abruptly terminated scenario in interactive session type. | | 1.2.205.0 | June 10, 2021 | Enhancement: Added support for signed macOS installer. | | 1.2.54.0 | January 29, 2021 | Enhancement: Added support for running sessions in NonInteractiveCommands execution mode. | | 1.2.30.0 | November 24, 2020 | **Enhancement**: (Port forwarding sessions only) Improved overall performance. | | 1.2.7.0 | October 15, 2020 | **Enhancement**: (Port forwarding sessions only) Reduced latency and improved overall performance. | | 1.1.61.0 | April 17, 2020 | **Enhancement**: Added ARM support for Linux and Ubuntu Server. | | 1.1.54.0 | January 6, 2020 | **Bug fix**: Handle race condition scenario of packets being dropped when the Session Manager plugin isn't ready. | | 1.1.50.0 | November 19, 2019 | **Enhancement**: Added support for forwarding a port to a local unix socket. | | 1.1.35.0 | November 7, 2019 | **Enhancement**: (Port forwarding sessions only) Send a TerminateSession command to SSM Agent when the local user presses `Ctrl+C`. | | 1.1.33.0 | September 26, 2019 | Enhancement: (Port forwarding sessions only) Send a disconnect signal to the server when the client drops the TCP connection. | | 1.1.31.0 | September 6, 2019 | Enhancement: Update to keep port forwarding session open until remote server closes the connection. | | 1.1.26.0 | July 30, 2019 | **Enhancement**: Update to limit the rate of data transfer during a session. | | 1.1.23.0 | July 9, 2019 | **Enhancement**: Added support for running SSH sessions using Session Manager. | | 1.1.17.0 | April 4, 2019 | **Enhancement**: Added support for further encryption of session data using AWS Key Management Service (AWS KMS). | | 1.0.37.0 | September 20, 2018 | **Enhancement**: Bug fix for Windows version. | | 1.0.0.0 | September 11, 2018 | Initial release of the Session Manager plugin. | # Install the Session Manager plugin on Windows Install on Windows You can install the Session Manager plugin on Windows Vista or later using the standalone installer. When updates are released, you must repeat the installation process to get the latest version of the Session Manager plugin. **Note** Note the following information. The Session Manager plugin installer needs Administrator rights to install the plugin. For best results, we recommend that you start sessions on Windows clients using Windows PowerShell, version 5 or later. Alternatively, you can use the Command shell in Windows 10. The Session Manager plugin only supports PowerShell and the Command shell. Third-party command line tools might not be compatible with the plugin. **To install the Session Manager plugin using the EXE installer** 1. Download the installer using the following URL. ``` https://s3.amazonaws.com/session-manager-downloads/plugin/latest/windows/SessionManagerPluginSetup.exe ``` Alternatively, you can download a zipped version of the installer using the following URL. ``` https://s3.amazonaws.com/session-manager-downloads/plugin/latest/windows/SessionManagerPlugin.zip ``` 1. Run the downloaded installer, and follow the on-screen instructions. If you downloaded the zipped version of the installer, you must unzip the installer first. Leave the install location box blank to install the plugin to the default directory. + `%PROGRAMFILES%\Amazon\SessionManagerPlugin\bin\` 1. Verify that the installation was successful. For information, see [Verify the Session Manager plugin installation](install-plugin-verify.md). **Note** If Windows is unable to find the executable, you might need to re-open the command prompt or add the installation directory to your `PATH` environment variable manually. For information, see the troubleshooting topic [Session Manager plugin not automatically added to command line path (Windows)](session-manager-troubleshooting.md#windows-plugin-env-var-not-set). # Install the Session Manager plugin on macOS Install on macOS Choose one of the following topics to install the Session Manager plugin on macOS. **Note** The signed installer is a signed `.pkg` file. The bundled installer uses a `.zip` file. After the file is unzipped, you can install the plugin using the binary. ## Install the Session Manager plugin on macOS with the signed installer This section describes how to install the Session Manager plugin on macOS using the signed installer. **To install the Session Manager plugin using the signed installer (macOS)** 1. Download the signed installer. ------ #### [ x86\$164 ] ``` curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac/session-manager-plugin.pkg" -o "session-manager-plugin.pkg" ``` ------ #### [ Mac with Apple silicon ] ``` curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac_arm64/session-manager-plugin.pkg" -o "session-manager-plugin.pkg" ``` ------ 1. Run the install commands. If the command fails, verify that the `/usr/local/bin` folder exists. If it doesn't, create it and run the command again. ``` sudo installer -pkg session-manager-plugin.pkg -target / sudo ln -s /usr/local/sessionmanagerplugin/bin/session-manager-plugin /usr/local/bin/session-manager-plugin ``` 1. Verify that the installation was successful. For information, see [Verify the Session Manager plugin installation](install-plugin-verify.md). ## Install the Session Manager plugin on macOS This section describes how to install the Session Manager plugin on macOS using the bundled installer. **Important** Note the following important information. By default, the installer requires sudo access to run, because the script installs the plugin to the `/usr/local/sessionmanagerplugin` system directory. If you don't want to install the plugin using sudo, manually update the installer script to install the plugin to a directory that doesn't require sudo access. The bundled installer doesn't support installing to paths that contain spaces. **To install the Session Manager plugin using the bundled installer (macOS)** 1. Download the bundled installer. ------ #### [ x86\$164 ] ``` curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac/sessionmanager-bundle.zip" -o "sessionmanager-bundle.zip" ``` ------ #### [ Mac with Apple silicon ] ``` curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac_arm64/sessionmanager-bundle.zip" -o "sessionmanager-bundle.zip" ``` ------ 1. Unzip the package. ``` unzip sessionmanager-bundle.zip ``` 1. Run the install command. ``` sudo ./sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin ``` **Note** The plugin requires Python 3.10 or later. By default, the install script runs under the system default version of Python. If you have installed an alternative version of Python and want to use that to install the Session Manager plugin, run the install script with that version by absolute path to the Python executable. The following is an example. ``` sudo /usr/local/bin/python3.11 sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin ``` The installer installs the Session Manager plugin at `/usr/local/sessionmanagerplugin` and creates the symlink `session-manager-plugin` in the `/usr/local/bin` directory. This eliminates the need to specify the install directory in the user's `$PATH` variable. To see an explanation of the `-i` and `-b` options, use the `-h` option. ``` ./sessionmanager-bundle/install -h ``` 1. Verify that the installation was successful. For information, see [Verify the Session Manager plugin installation](install-plugin-verify.md). **Note** To uninstall the plugin, run the following two commands in the order shown. ``` sudo rm -rf /usr/local/sessionmanagerplugin ``` ``` sudo rm /usr/local/bin/session-manager-plugin ``` # Install the Session Manager plugin on Linux This section includes information about verifying the signature of the Session Manager plugin installer package and installing the plugin on the following Linux distributions: + Amazon Linux 2 + AL2023 + RHEL + Debian Server + Ubuntu Server **Topics** + [ # Verify the signature of the Session Manager plugin ](install-plugin-linux-verify-signature.md) + [ # Install the Session Manager plugin on Amazon Linux 2, Amazon Linux 2023, and Red Hat Enterprise Linux distributions ](install-plugin-linux.md) + [ # Install the Session Manager plugin on Debian Server and Ubuntu Server ](install-plugin-debian-and-ubuntu.md) # Verify the signature of the Session Manager plugin The Session Manager plugin RPM and Debian installer packages for Linux instances are cryptographically signed. You can use a public key to verify that the plugin binary and package is original and unmodified. If the file is altered or damaged, the verification fails. You can verify the signature of the installer package using the GNU Privacy Guard (GPG) tool. The following information is for Session Manager plugin versions 1.2.707.0 or later. Complete the following steps to verify the signature of the Session Manager plugin installer package. **Topics** + [ ## Step 1: Download the Session Manager plugin installer package ](#install-plugin-linux-verify-signature-installer-packages) + [ ## Step 2: Download the associated signature file ](#install-plugin-linux-verify-signature-packages) + [ ## Step 3: Install the GPG tool ](#install-plugin-linux-verify-signature-packages-gpg) + [ ## Step 4: Verify the Session Manager plugin installer package on a Linux server ](#install-plugin-linux-verify-signature-packages) ## Step 1: Download the Session Manager plugin installer package Download the Session Manager plugin installer package you want to verify. **Amazon Linux 2, AL2023, and RHEL RPM packages** ------ #### [ x86\$164 ] ``` curl -o "session-manager-plugin.rpm" "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm" ``` ------ #### [ ARM64 ] ``` curl -o "session-manager-plugin.rpm" "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_arm64/session-manager-plugin.rpm" ``` ------ **Debian Server and Ubuntu Server Deb packages** ------ #### [ x86\$164 ] ``` curl -o "session-manager-plugin.deb" "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" ``` ------ #### [ ARM64 ] ``` curl -o "session-manager-plugin.deb" "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_arm64/session-manager-plugin.deb" ``` ------ ## Step 2: Download the associated signature file After you download the installer package, download the associated signature file for package verification. To provide an extra layer of protection against unauthorized copying or use of the session-manager-plugin binary file inside the package, we also offer binary signatures, which you can use to validate individual binary files. You can choose to use these binary signatures based on your security needs. **Amazon Linux 2, AL2023, and RHEL signature packages** ------ #### [ x86\$164 ] Package: ``` curl -o "session-manager-plugin.rpm.sig" "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm.sig" ``` Binary: ``` curl -o "session-manager-plugin.sig" "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.sig" ``` ------ #### [ ARM64 ] Package: ``` curl -o "session-manager-plugin.rpm.sig" "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_arm64/session-manager-plugin.rpm.sig" ``` Binary: ``` curl -o "session-manager-plugin.sig" "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_arm64/session-manager-plugin.sig" ``` ------ **Debian Server and Ubuntu Server Deb signature packages** ------ #### [ x86\$164 ] Package: ``` curl -o "session-manager-plugin.deb.sig" "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb.sig" ``` Binary: ``` curl -o "session-manager-plugin.sig" "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.sig" ``` ------ #### [ ARM64 ] Package: ``` curl -o "session-manager-plugin.deb.sig" "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_arm64/session-manager-plugin.deb.sig" ``` Binary: ``` curl -o "session-manager-plugin.sig" "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_arm64/session-manager-plugin.sig" ``` ------ ## Step 3: Install the GPG tool To verify the signature of the Session Manager plugin, you must have the GNU Privacy Guard (GPG) tool installed on your system. The verification process requires GPG version 2.1 or later. You can check your GPG version by running the following command: ``` gpg --version ``` If your GPG version is older than 2.1, update it before proceeding with the verification process. For most systems, you can update the GPG tool using your package manager. For example, on supported Amazon Linux and RHEL versions, you can use the following commands: ``` sudo yum update sudo yum install gnupg2 ``` On supported Ubuntu Server and Debian Server systems, you can use the following commands: ``` sudo apt-get update sudo apt-get install gnupg2 ``` Ensure you have the required GPG version before continuing with the verification process. ## Step 4: Verify the Session Manager plugin installer package on a Linux server Use the following procedure to verify the Session Manager plugin installer package on a Linux server. **Note** Amazon Linux 2 doesn't support the gpg tool version 2.1 or higher. If the following procedure doesn't work on your Amazon Linux 2 instances, verify the signature on a different platform before installing it on your Amazon Linux 2 instances. 1. Copy the following public key, and save it to a file named session-manager-plugin.gpg. ``` -----BEGIN PGP PUBLIC KEY BLOCK----- mFIEZ5ERQxMIKoZIzj0DAQcCAwQjuZy+IjFoYg57sLTGhF3aZLBaGpzB+gY6j7Ix P7NqbpXyjVj8a+dy79gSd64OEaMxUb7vw/jug+CfRXwVGRMNtIBBV1MgU1NNIFNl c3Npb24gTWFuYWdlciA8c2Vzc2lvbi1tYW5hZ2VyLXBsdWdpbi1zaWduZXJAYW1h em9uLmNvbT4gKEFXUyBTeXN0ZW1zIE1hbmFnZXIgU2Vzc2lvbiBNYW5hZ2VyIFBs dWdpbiBMaW51eCBTaWduZXIgS2V5KYkBAAQQEwgAqAUCZ5ERQ4EcQVdTIFNTTSBT ZXNzaW9uIE1hbmFnZXIgPHNlc3Npb24tbWFuYWdlci1wbHVnaW4tc2lnbmVyQGFt YXpvbi5jb20+IChBV1MgU3lzdGVtcyBNYW5hZ2VyIFNlc3Npb24gTWFuYWdlciBQ bHVnaW4gTGludXggU2lnbmVyIEtleSkWIQR5WWNxJM4JOtUB1HosTUr/b2dX7gIe AwIbAwIVCAAKCRAsTUr/b2dX7rO1AQCa1kig3lQ78W/QHGU76uHx3XAyv0tfpE9U oQBCIwFLSgEA3PDHt3lZ+s6m9JLGJsy+Cp5ZFzpiF6RgluR/2gA861M= =2DQm -----END PGP PUBLIC KEY BLOCK----- ``` 1. Import the public key into your keyring. The returned key value should be `2C4D4AFF6F6757EE`. ``` $ gpg --import session-manager-plugin.gpg gpg: key 2C4D4AFF6F6757EE: public key "AWS SSM Session Manager (AWS Systems Manager Session Manager Plugin Linux Signer Key)" imported gpg: Total number processed: 1 gpg: imported: 1 ``` 1. Run the following command to verify the fingerprint. ``` gpg --fingerprint 2C4D4AFF6F6757EE ``` The fingerprint for the command output should match the following. ``` 7959 6371 24CE 093A D501 D47A 2C4D 4AFF 6F67 57EE ``` ``` pub nistp256 2025-01-22 [SC] 7959 6371 24CE 093A D501 D47A 2C4D 4AFF 6F67 57EE uid [ unknown] AWS SSM Session Manager (AWS Systems Manager Session Manager Plugin Linux Signer Key) ``` If the fingerprint doesn't match, don't install the plugin. Contact AWS Support. 1. Verify the installer package signature. Replace the *signature-filename* and *downloaded-plugin-filename* with the values you specified when downloading the signature file and session-manager-plugin, as listed in the table earlier in this topic. ``` gpg --verify signature-filename downloaded-plugin-filename ``` For example, for the x86\$164 architecture on Amazon Linux 2, the command is as follows: ``` gpg --verify session-manager-plugin.rpm.sig session-manager-plugin.rpm ``` This command returns output similar to the following. ``` gpg: Signature made Mon Feb 3 20:08:32 2025 UTC gpg: using ECDSA key 2C4D4AFF6F6757EE gpg: Good signature from "AWS Systems Manager Session Manager (AWS Systems Manager Session Manager Plugin Linux Signer Key)" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 7959 6371 24CE 093A D501 D47A 2C4D 4AFF 6F67 57EE ``` If the output includes the phrase `BAD signature`, check whether you performed the procedure correctly. If you continue to get this response, contact AWS Support and don't install the package. The warning message about the trust doesn't mean that the signature isn't valid, only that you haven't verified the public key. A key is trusted only if you or someone who you trust has signed it. If the output includes the phrase `Can't check signature: No public key`, verify you downloaded Session Manager plugin with version 1.2.707.0 or later. # Install the Session Manager plugin on Amazon Linux 2, Amazon Linux 2023, and Red Hat Enterprise Linux distributions Install on Amazon Linux 2, AL2023, and RHEL distros Use the following procedure to install the Session Manager plugin on Amazon Linux 2, Amazon Linux 2023 (AL2023), and RHEL distributions. 1. Download and install the Session Manager plugin RPM package. ------ #### [ x86\$164 ] On Amazon Linux 2 and RHEL 7, run the following command: ``` sudo yum install -y https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm ``` On AL2023 and RHEL 8 and 9, run the following command: ``` sudo dnf install -y https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm ``` ------ #### [ ARM64 ] On Amazon Linux 2 and RHEL 7, run the following command: ``` sudo yum install -y https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_arm64/session-manager-plugin.rpm ``` On AL2023 and RHEL 8 and 9, run the following command: ``` sudo dnf install -y https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_arm64/session-manager-plugin.rpm ``` ------ 1. Verify that the installation was successful. For information, see [Verify the Session Manager plugin installation](install-plugin-verify.md). **Note** If you want to uninstall the plugin, run `sudo yum erase session-manager-plugin -y` # Install the Session Manager plugin on Debian Server and Ubuntu Server Install on Debian Server and Ubuntu Server 1. Download the Session Manager plugin deb package. ------ #### [ x86\$164 ] ``` curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" -o "session-manager-plugin.deb" ``` ------ #### [ ARM64 ] ``` curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_arm64/session-manager-plugin.deb" -o "session-manager-plugin.deb" ``` ------ 1. Run the install command. ``` sudo dpkg -i session-manager-plugin.deb ``` 1. Verify that the installation was successful. For information, see [Verify the Session Manager plugin installation](install-plugin-verify.md). **Note** If you ever want to uninstall the plugin, run `sudo dpkg -r session-manager-plugin` # Verify the Session Manager plugin installation Run the following commands to verify that the Session Manager plugin installed successfully. ``` session-manager-plugin ``` If the installation was successful, the following message is returned. ``` The Session Manager plugin is installed successfully. Use the AWS CLI to start a session. ``` You can also test the installation by running the [https://docs.aws.amazon.com/cli/latest/reference/ssm/start-session.html](https://docs.aws.amazon.com/cli/latest/reference/ssm/start-session.html) command in the the [AWS Command Line Interface](https://aws.amazon.com/cli/) (AWS CLI). In the following command, replace *instance-id* with your own information. ``` aws ssm start-session --target instance-id ``` This command will work only if you have installed and configured the AWS CLI, and if your Session Manager administrator has granted you the necessary IAM permissions to access the target managed node using Session Manager. # Session Manager plugin on GitHub The source code for Session Manager plugin is available on [https://github.com/aws/session-manager-plugin](https://github.com/aws/session-manager-plugin) so that you can adapt the plugin to meet your needs. We encourage you to submit [pull requests](https://github.com/aws/session-manager-plugin/blob/mainline/CONTRIBUTING.md) for changes that you would like to have included. However, Amazon Web Services doesn't provide support for running modified copies of this software. # (Optional) Turn on Session Manager plugin logging The Session Manager plugin includes an option to allow logging for sessions that you run. By default, logging is turned off. If you allow logging, the Session Manager plugin creates log files for both application activity (`session-manager-plugin.log`) and errors (`errors.log`) on your local machine. **Topics** + [ ## Turn on logging for the Session Manager plugin (Windows) ](#configure-logs-windows) + [ ## Enable logging for the Session Manager plugin (Linux and macOS) ](#configure-logs-linux) ## Turn on logging for the Session Manager plugin (Windows) 1. Locate the `seelog.xml.template` file for the plugin. The default location is `C:\Program Files\Amazon\SessionManagerPlugin\seelog.xml.template`. 1. Change the name of the file to `seelog.xml`. 1. Open the file and change `minlevel="off"` to `minlevel="info"` or `minlevel="debug"`. **Note** By default, log entries about opening a data channel and reconnecting sessions are recorded at the **INFO** level. Data flow (packets and acknowledgement) entries are recorded at the **DEBUG** level. 1. Change other configuration options you want to modify. Options you can change include: + **Debug level**: You can change the debug level from `formatid="fmtinfo"` to `formatid="fmtdebug"`. + **Log file options**: You can make changes to the log file options, including where the logs are stored, with the exception of the log file names. **Important** Don't change the file names or logging won't work correctly. ``` ``` 1. Save the file. ## Enable logging for the Session Manager plugin (Linux and macOS) 1. Locate the `seelog.xml.template` file for the plugin. The default location is `/usr/local/sessionmanagerplugin/seelog.xml.template`. 1. Change the name of the file to `seelog.xml`. 1. Open the file and change `minlevel="off"` to `minlevel="info"` or `minlevel="debug"`. **Note** By default, log entries about opening data channels and reconnecting sessions are recorded at the **INFO** level. Data flow (packets and acknowledgement) entries are recorded at the **DEBUG** level. 1. Change other configuration options you want to modify. Options you can change include: + **Debug level**: You can change the debug level from `formatid="fmtinfo"` to `outputs formatid="fmtdebug"` + **Log file options**: You can make changes to the log file options, including where the logs are stored, with the exception of the log file names. **Important** Don't change the file names or logging won't work correctly. ``` ``` **Important** If you use the specified default directory for storing logs, you must either run session commands using **sudo** or give the directory where the plugin is installed full read and write permissions. To bypass these restrictions, change the location where logs are stored. 1. Save the file. # Start a session Start a session You can use the AWS Systems Manager console, the Amazon Elastic Compute Cloud (Amazon EC2) console, the AWS Command Line Interface (AWS CLI), or SSH to start a session. **Topics** + [ ## Starting a session (Systems Manager console) ](#start-sys-console) + [ ## Starting a session (Amazon EC2 console) ](#start-ec2-console) + [ ## Starting a session (AWS CLI) ](#sessions-start-cli) + [ ## Starting a session (SSH) ](#sessions-start-ssh) + [ ## Starting a session (port forwarding) ](#sessions-start-port-forwarding) + [ ## Starting a session (port forwarding to remote host) ](#sessions-remote-port-forwarding) + [ ## Starting a session (interactive and noninteractive commands) ](#sessions-start-interactive-commands) ## Starting a session (Systems Manager console) You can use the AWS Systems Manager console to start a session with a managed node in your account. **Note** Before you start a session, make sure that you have completed the setup steps for Session Manager. For information, see [Setting up Session Manager](session-manager-getting-started.md). **To start a session (Systems Manager console)** 1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/). 1. In the navigation pane, choose **Session Manager**. 1. Choose **Start session**. 1. (Optional) Enter a session description in the **Reason for session** field. 1. For **Target instances**, choose the option button to the left of the managed node that you want to connect to. If the node that you want isn't in the list, or if you select a node and receive a configuration error, see [Managed node not available or not configured for Session Manager](session-manager-troubleshooting.md#session-manager-troubleshooting-instances) for troubleshooting steps. 1. Choose **Start session** to launch the session immediately. -or- Choose **Next** for session options. 1. (Optional) For **Session document**, select the document that you want to run when the session starts. If your document supports runtime parameters, you can enter one or more comma-separated values in each parameter field. 1. Choose **Next**. 1. Choose **Start session**. After the connection is made, you can run bash commands (Linux and macOS) or PowerShell commands (Windows) as you would through any other connection type. **Important** If you want to allow users to specify a document when starting sessions in the Session Manager console, note the following: You must grant users the `ssm:GetDocument` and `ssm:ListDocuments` permissions in their IAM policy. For more information, see [Grant access to custom Session documents in the console](getting-started-restrict-access-examples.md#grant-access-documents-console-example). The console only supports Session documents that have the `sessionType` defined as `Standard_Stream`. For more information, see [Session document schema](session-manager-schema.md). ## Starting a session (Amazon EC2 console) You can use the Amazon Elastic Compute Cloud (Amazon EC2) console to start a session with an instance in your account. **Note** If you receive an error that you aren't authorized to perform one or more Systems Manager actions (`ssm:command-name`, then you must contact your administrator for assistance. Your administrator is the person that provided you with your sign-in credentials. Ask that person to update your policies to allow you to start sessions from the Amazon EC2 console. If you're an administrator, see [Sample IAM policies for Session Manager](getting-started-restrict-access-quickstart.md) for more information. **To start a session (Amazon EC2 console)** 1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/). 1. In the navigation pane, choose **Instances**. 1. Select the instance and choose **Connect**. 1. For **Connection method**, choose **Session Manager**. 1. Choose **Connect**. After the connection is made, you can run bash commands (Linux and macOS) or PowerShell commands (Windows) as you would through any other connection type. ## Starting a session (AWS CLI) Install and configure the AWS Command Line Interface (AWS CLI), if you haven't already. For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html). Before you start a session, make sure that you have completed the setup steps for Session Manager. For information, see [Setting up Session Manager](session-manager-getting-started.md). To use the AWS CLI to run session commands, the Session Manager plugin must also be installed on your local machine. For information, see [Install the Session Manager plugin for the AWS CLI](session-manager-working-with-install-plugin.md). To start a session using the AWS CLI, run the following command replacing *instance-id* with your own information. ``` aws ssm start-session \ --target instance-id ``` For information about other options you can use with the **start-session** command, see [https://docs.aws.amazon.com/cli/latest/reference/ssm/start-session.html](https://docs.aws.amazon.com/cli/latest/reference/ssm/start-session.html) in the AWS Systems Manager section of the AWS CLI Command Reference. ## Starting a session (SSH) To start a Session Manager SSH session, version 2.3.672.0 or later of SSM Agent must be installed on the managed node. **SSH connection requirements** Take note of the following requirements and limitations for session connections using SSH through Session Manager: + Your target managed node must be configured to support SSH connections. For more information, see [(Optional) Allow and control permissions for SSH connections through Session Manager](session-manager-getting-started-enable-ssh-connections.md). + You must connect using the managed node account associated with the Privacy Enhanced Mail (PEM) certificate, not the `ssm-user` account that is used for other types of session connections. For example, on EC2 instances for Linux and macOS, the default user is `ec2-user`. For information about identifying the default user for each instance type, see [Get Information About Your Instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connection-prereqs.html#connection-prereqs-get-info-about-instance) in the *Amazon EC2 User Guide*. + Logging isn't available for Session Manager sessions that connect through port forwarding or SSH. This is because SSH encrypts all session data within the secure TLS connection established between the AWS CLI and Session Manager endpoints, and Session Manager only serves as a tunnel for SSH connections. **Note** Before you start a session, make sure that you have completed the setup steps for Session Manager. For information, see [Setting up Session Manager](session-manager-getting-started.md). To start a session using SSH, run the following command. Replace each *example resource placeholder* with your own information. ``` ssh -i /path/my-key-pair.pem username@instance-id ``` **Tip** When you start a session using SSH, you can copy local files to the target managed node using the following command format. ``` scp -i /path/my-key-pair.pem /path/ExampleFile.txt username@instance-id:~ ``` For information about other options you can use with the **start-session** command, see [https://docs.aws.amazon.com/cli/latest/reference/ssm/start-session.html](https://docs.aws.amazon.com/cli/latest/reference/ssm/start-session.html) in the AWS Systems Manager section of the AWS CLI Command Reference. ## Starting a session (port forwarding) To start a Session Manager port forwarding session, version 2.3.672.0 or later of SSM Agent must be installed on the managed node. **Note** Before you start a session, make sure that you have completed the setup steps for Session Manager. For information, see [Setting up Session Manager](session-manager-getting-started.md). To use the AWS CLI to run session commands, you must install the Session Manager plugin on your local machine. For information, see [Install the Session Manager plugin for the AWS CLI](session-manager-working-with-install-plugin.md). Depending on your operating system and command line tool, the placement of quotation marks can differ and escape characters might be required. To start a port forwarding session, run the following command from the CLI. Replace each *example resource placeholder* with your own information. ------ #### [ Linux & macOS ] ``` aws ssm start-session \ --target instance-id \ --document-name AWS-StartPortForwardingSession \ --parameters '{"portNumber":["80"], "localPortNumber":["56789"]}' ``` ------ #### [ Windows ] ``` aws ssm start-session ^ --target instance-id ^ --document-name AWS-StartPortForwardingSession ^ --parameters portNumber="3389",localPortNumber="56789" ``` ------ `portNumber` is the remote port on the managed node where you want the session traffic to be redirected. For example, you might specify port `3389` for connecting to a Windows node using the Remote Desktop Protocol (RDP). If you don't specify the `portNumber` parameter, Session Manager uses `80` as the default value. `localPortNumber` is the port on your local computer where traffic starts, such as `56789`. This value is what you enter when connecting to a managed node using a client. For example, **localhost:56789**. For information about other options you can use with the **start-session** command, see [https://docs.aws.amazon.com/cli/latest/reference/ssm/start-session.html](https://docs.aws.amazon.com/cli/latest/reference/ssm/start-session.html) in the AWS Systems Manager section of the AWS CLI Command Reference. For more information about port forwarding sessions, see [Port Forwarding Using AWS Systems Manager Session Manager](https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/) in the *AWS News Blog*. ## Starting a session (port forwarding to remote host) To start a Session Manager port forwarding session to a remote host, version 3.1.1374.0 or later of SSM Agent must be installed on the managed node. The remote host isn't required to be managed by Systems Manager. **Note** Before you start a session, make sure that you have completed the setup steps for Session Manager. For information, see [Setting up Session Manager](session-manager-getting-started.md). To use the AWS CLI to run session commands, you must install the Session Manager plugin on your local machine. For information, see [Install the Session Manager plugin for the AWS CLI](session-manager-working-with-install-plugin.md). Depending on your operating system and command line tool, the placement of quotation marks can differ and escape characters might be required. To start a port forwarding session, run the following command from the AWS CLI. Replace each *example resource placeholder* with your own information. ------ #### [ Linux & macOS ] ``` aws ssm start-session \ --target instance-id \ --document-name AWS-StartPortForwardingSessionToRemoteHost \ --parameters '{"host":["mydb.example.us-east-2.rds.amazonaws.com"],"portNumber":["3306"], "localPortNumber":["3306"]}' ``` ------ #### [ Windows ] ``` aws ssm start-session ^ --target instance-id ^ --document-name AWS-StartPortForwardingSessionToRemoteHost ^ --parameters host="mydb.example.us-east-2.rds.amazonaws.com",portNumber="3306",localPortNumber="3306" ``` ------ The `host` value represents the hostname or IP address of the remote host that you want to connect to. General connectivity and name resolution requirements between the managed node and the remote host still apply. `portNumber` is the remote port on the managed node where you want the session traffic to be redirected. For example, you might specify port `3389` for connecting to a Windows node using the Remote Desktop Protocol (RDP). If you don't specify the `portNumber` parameter, Session Manager uses `80` as the default value. `localPortNumber` is the port on your local computer where traffic starts, such as `56789`. This value is what you enter when connecting to a managed node using a client. For example, **localhost:56789**. For information about other options you can use with the **start-session** command, see [https://docs.aws.amazon.com/cli/latest/reference/ssm/start-session.html](https://docs.aws.amazon.com/cli/latest/reference/ssm/start-session.html) in the AWS Systems Manager section of the AWS CLI Command Reference. ### Starting a session with an Amazon ECS task Session Manager supports starting a port forwarding session with a task inside an Amazon Elastic Container Service (Amazon ECS) cluster. To do so, enable ECS Exec. For more information, see [Monitor Amazon Elastic Container Service containers with ECS Exec](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html) in the *Amazon Elastic Container Service Developer Guide*. You must also update the task role in IAM to include the following permissions: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel" ], "Resource": "*" } ] } ``` ------ To start a port forwarding session with an Amazon ECS task, run the following command from the AWS CLI. Replace each *example resource placeholder* with your own information. **Note** Remove the < and > symbols from the `target` parameter. These symbols are provided for reader clarification only. ------ #### [ Linux & macOS ] ``` aws ssm start-session \ --target ecs:__ \ --document-name AWS-StartPortForwardingSessionToRemoteHost \ --parameters '{"host":["URL"],"portNumber":["port_number"], "localPortNumber":["port_number"]}' ``` ------ #### [ Windows ] ``` aws ssm start-session ^ --target ecs:__ ^ --document-name AWS-StartPortForwardingSessionToRemoteHost ^ --parameters host="URL",portNumber="port_number",localPortNumber="port_number" ``` ------ ## Starting a session (interactive and noninteractive commands) Before you start a session, make sure that you have completed the setup steps for Session Manager. For information, see [Setting up Session Manager](session-manager-getting-started.md). To use the AWS CLI to run session commands, the Session Manager plugin must also be installed on your local machine. For information, see [Install the Session Manager plugin for the AWS CLI](session-manager-working-with-install-plugin.md). To start an interactive command session, run the following command. Replace each *example resource placeholder* with your own information. ------ #### [ Linux & macOS ] ``` aws ssm start-session \ --target instance-id \ --document-name CustomCommandSessionDocument \ --parameters '{"logpath":["/var/log/amazon/ssm/amazon-ssm-agent.log"]}' ``` ------ #### [ Windows ] ``` aws ssm start-session ^ --target instance-id ^ --document-name CustomCommandSessionDocument ^ --parameters logpath="/var/log/amazon/ssm/amazon-ssm-agent.log" ``` ------ For information about other options you can use with the **start-session** command, see [https://docs.aws.amazon.com/cli/latest/reference/ssm/start-session.html](https://docs.aws.amazon.com/cli/latest/reference/ssm/start-session.html) in the AWS Systems Manager section of the AWS CLI Command Reference. **More info** + [Use port forwarding in AWS Systems Manager Session Manager to connect to remote hosts](https://aws.amazon.com/blogs/mt/use-port-forwarding-in-aws-systems-manager-session-manager-to-connect-to-remote-hosts/) + [Amazon EC2 instance port forwarding with AWS Systems Manager](https://aws.amazon.com/blogs/mt/amazon-ec2-instance-port-forwarding-with-aws-systems-manager/) + [Manage AWS Managed Microsoft AD resources with Session Manager port forwarding](https://aws.amazon.com/blogs/mt/manage-aws-managed-microsoft-ad-resources-with-session-manager-port-forwarding/) + [Port Forwarding Using AWS Systems Manager Session Manager](https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/) on the *AWS News Blog*. # End a session End a session You can end a session that you started in your account using the AWS Systems Manager console or the AWS Command Line Interface (AWS CLI). When you choose the **Terminate** button for a session in the console or call the [TerminateSession](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_TerminateSession.html) API action by using the AWS CLI, Session Manager permanently ends the session and closes the data connection between the Session Manager client and SSM Agent on the managed node. You can't resume a terminated session. If there is no user activity in an open session for 20 minutes, the idle state triggers a timeout. Session Manager doesn't call `TerminateSession`, but it does close the underlying channel. You can't resume a session closed because of idle timeout. We recommend always explicitly terminating a session by using the `terminate-session` command, when using the AWS CLI, or the **Terminate** button when using the console. (**Terminate** buttons are located on both the session window and main Session Manager console page.) If you only close a browser or command window, the session remains listed as **Active** in the console for 30 days. When you don't explicitly terminate a session, or when a session times out, any processes that were running on the managed node at the time will continue to run. **Topics** + [ ## Ending a session (console) ](#stop-sys-console) + [ ## Ending a session (AWS CLI) ](#stop-cli) ## Ending a session (console) You can use the AWS Systems Manager console to end a session in your account. **To end a session (console)** 1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/). 1. In the navigation pane, choose **Session Manager**. 1. For **Sessions**, choose the option button to the left of the session you want to end. 1. Choose **Terminate**. ## Ending a session (AWS CLI) To end a session using the AWS CLI, run the following command. Replace *session-id* with your own information. ``` aws ssm terminate-session \ --session-id session-id ``` For more information about the **terminate-session** command, see [https://docs.aws.amazon.com/cli/latest/reference/ssm/terminate-session.html](https://docs.aws.amazon.com/cli/latest/reference/ssm/terminate-session.html) in the AWS Systems Manager section of the AWS CLI Command Reference. # View session history You can use the AWS Systems Manager console or the AWS Command Line Interface (AWS CLI) to view information about sessions in your account. In the console, you can view session details such as the following: + The ID of the session + Which user connected to a managed node through a session + The ID of the managed node + When the session began and ended + The status of the session + The location specified for storing session logs (if turned on) Using the AWS CLI, you can view a list of sessions in your account, but not the additional details that are available in the console. For information about logging session history information, see [Enabling and disabling session logging](session-manager-logging.md). **Topics** + [ ## Viewing session history (console) ](#view-console) + [ ## Viewing session history (AWS CLI) ](#view-history-cli) ## Viewing session history (console) You can use the AWS Systems Manager console to view details about the sessions in your account. **To view session history (console)** 1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/). 1. In the navigation pane, choose **Session Manager**. 1. Choose the **Session history** tab. -or- If the Session Manager home page opens first, choose **Configure Preferences** and then choose the **Session history** tab. ## Viewing session history (AWS CLI) To view a list of sessions in your account using the AWS CLI, run the following command. ``` aws ssm describe-sessions \ --state History ``` **Note** This command returns only results for connections to targets initiated using Session Manager. It doesn't list connections made through other means, such as Remote Desktop Protocol (RDP) or the Secure Shell Protocol (SSH). For information about other options you can use with the **describe-sessions** command, see [https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-sessions.html](https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-sessions.html) in the AWS Systems Manager section of the AWS CLI Command Reference.