AWS Security Academy · Lesson

Session Manager Without Open Ports

Reach instances through SSM with no inbound access at all.

Shell Access, No Doors

Session Manager, a capability of AWS Systems Manager (SSM), gives you interactive shell access to EC2 instances and on-premises servers without opening any inbound ports. Understanding precisely how it achieves this is a high-value exam topic, because it underpins modern, bastion-free administration.

The SSM Agent

The magic starts with the SSM Agent, software preinstalled on most AWS AMIs (Amazon Machine Images). The agent runs on the instance and initiates an outbound connection to the Systems Manager service endpoints. Because the instance reaches out, no inbound rule is ever required, and the security group can block all inbound traffic.
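
The following added example, which is not part of the original lesson, checks a security group for the posture described above: no inbound rules at all, and an outbound path the agent can use. It assumes the agent's outbound channel is HTTPS on TCP 443 (the lesson does not name the port); the input follows the shape of EC2 `DescribeSecurityGroups` output, the group IDs and rules are constructed samples, and the function names are hypothetical.

```python
# Added example: audit a security group for a Session Manager-only posture.
# Dicts follow the shape of EC2 DescribeSecurityGroups output; samples are constructed.
HTTPS = 443  # assumption: SSM Agent reaches Systems Manager endpoints over outbound HTTPS


def covers_port(perm, port):
    """True if a permission entry covers the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def peers(perm):
    """Every CIDR, security group or prefix list named in a permission entry."""
    out = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    out += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    out += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    out += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
    return out


def audit(sg):
    """Return findings; an empty list means no inbound access and a usable outbound path."""
    gid, findings = sg["GroupId"], []
    for perm in sg.get("IpPermissions", []):
        ports = "all" if perm["IpProtocol"] == "-1" else f'{perm.get("FromPort")}-{perm.get("ToPort")}'
        for peer in peers(perm):
            findings.append(f'{gid}: inbound {perm["IpProtocol"]}/{ports} from {peer}')
    egress = sg.get("IpPermissionsEgress", [])
    if not any(covers_port(p, HTTPS) and peers(p) for p in egress):
        findings.append(f"{gid}: no outbound TCP 443, SSM Agent cannot connect")
    return findings


ANY = [{"CidrIp": "0.0.0.0/0"}]
BASTION_STYLE = {  # constructed: SSH open to the internet
    "GroupId": "sg-EXAMPLE-bastion",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": ANY}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": ANY}],
}
SSM_ONLY = {  # constructed: no inbound rules, outbound HTTPS only
    "GroupId": "sg-EXAMPLE-ssm",
    "IpPermissions": [],
    "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": ANY}],
}
```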
