- How to run commands on EC2 without opening SSH?
- Prerequisites and overall architecture
- Setting up the necessary IAM Role and policy
- Installing and checking SSM Agent on common Linux distributions
- Executing commands with Run Command (aws cli example)
- Using Session Manager for Interactive Access and Port Forwarding
- Manage outputs and logs (CloudWatch / S3)
- Practical scenarios and examples
- Security tips and best practices
- Common errors and troubleshooting
- Summary and how to use our services
- Suggested steps to get started
- Frequently Asked Questions
How to run commands on EC2 without opening SSH?
Running commands remotely on EC2 instances with AWS Systems Manager (SSM) is a safe, scalable method that does not require opening an SSH port. This guide provides a step-by-step implementation, prerequisites, sample AWS CLI commands, IAM configuration, and practical security tips for site administrators, DevOps, and network engineers.
Prerequisites and overall architecture
To be able to remotely execute commands on EC2, three main components are required:
- SSM Agent is installed and running on EC2.
- EC2 has an IAM instance profile that has the minimum policies required to register and communicate with Systems Manager (AmazonSSMManagedInstanceCore).
- Network connectivity to the Systems Manager services (via the internet or VPC endpoints for ssm, ec2messages and ssmmessages).
Architecture: a user or script calls Run Command or start-session from the AWS console or the AWS CLI/SDK → Systems Manager delivers the message to the SSM Agent on the EC2 instance → the agent executes the command and returns the output in the API response and, optionally, to CloudWatch Logs or S3.
A note about network access
If the EC2 instance is on a private subnet without NAT, create VPC interface endpoints for com.amazonaws.<region>.ssm, com.amazonaws.<region>.ec2messages and com.amazonaws.<region>.ssmmessages, plus an S3 endpoint if outputs or logs are written to S3.
Setting up the necessary IAM Role and policy
Create an IAM Role for EC2 and attach the AWS managed policy:
Trust policy (trust entity for EC2):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
Attach the managed policy AmazonSSMManagedInstanceCore:
aws iam create-role --role-name SSMInstanceRole --assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy --role-name SSMInstanceRole --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
This policy includes the permissions required to register with SSM and send logs to it. To store outputs in S3 or use KMS for encryption, you must also grant the role permission to write to that S3 bucket and to use the KMS key.
Then create an instance profile, add the role to it, and associate the instance profile with the EC2 instance.
Installing and checking SSM Agent on common Linux distributions
For Amazon Linux 2:
sudo yum install -y amazon-ssm-agent
sudo systemctl enable --now amazon-ssm-agent
For Ubuntu (example with Debian package download):
REGION=us-east-1
wget https://s3.${REGION}.amazonaws.com/amazon-ssm-${REGION}/latest/debian_amd64/amazon-ssm-agent.deb
sudo dpkg -i amazon-ssm-agent.deb
sudo systemctl enable --now amazon-ssm-agent
Check the status:
sudo systemctl status amazon-ssm-agent
sudo tail -n 200 /var/log/amazon/ssm/amazon-ssm-agent.log
Executing commands with Run Command (aws cli example)
Quick way to run a shell command on one or more EC2 instances:
Example: Running apt update and upgrade on an instance:
aws ssm send-command \
--instance-ids "i-0123456789abcdef0" \
--document-name "AWS-RunShellScript" \
--parameters 'commands=["sudo apt-get update -y","sudo apt-get upgrade -y"]' \
--comment "Update packages" \
--region us-east-1
The commands value is single-quoted so the shell passes the brackets and inner double quotes through to the CLI unchanged.
To target by tag (e.g. all web servers with the tag Role=web):
aws ssm send-command \
--targets Key=tag:Role,Values=web \
--document-name "AWS-RunShellScript" \
--parameters 'commands=["/opt/deploy/deploy.sh"]' \
--region eu-central-1
Get the output of a command:
1) The response of send-command contains a CommandId.
2) Fetch the result of that command on a given instance:
aws ssm get-command-invocation --command-id <COMMAND_ID> --instance-id i-0123456789abcdef0
If the output should also be stored in S3, pass --output-s3-bucket-name and --output-s3-key-prefix to send-command.
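Run Command is asynchronous: send-command returns immediately and the result has to be polled with get-command-invocation. The following script is an added example (not code from the original article) that wraps that send/poll/fetch cycle into one function; it assumes a configured AWS CLI v2 and takes the target instance id from the SSM_INSTANCE_ID variable.

```shell
#!/bin/sh
# Added example: send a Run Command, wait for a terminal state, fetch output.
# Assumes AWS CLI v2 is configured; SSM_INSTANCE_ID names the target instance.

# Terminal states of a command invocation; anything else is still running.
ssm_status_terminal() {
    case "$1" in
        Success|Failed|Cancelled|TimedOut) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the JSON "parameters" document for AWS-RunShellScript from the
# arguments. Commands containing a double quote would need escaping first.
ssm_commands_json() {
    cmds=""
    for c in "$@"; do
        cmds="${cmds:+$cmds,}\"$c\""
    done
    printf '{"commands":[%s]}' "$cmds"
}

# Usage: ssm_run_and_wait <instance-id> <shell command>...
# Prints status, exit code, stdout and stderr; returns 0 only on Success.
ssm_run_and_wait() {
    instance="$1"; shift
    cmd_id=$(aws ssm send-command \
        --instance-ids "$instance" \
        --document-name "AWS-RunShellScript" \
        --parameters "$(ssm_commands_json "$@")" \
        --cloud-watch-output-config "CloudWatchOutputEnabled=true" \
        --query "Command.CommandId" --output text) || return 1
    status=""
    # get-command-invocation can fail for a moment right after send-command
    # (invocation not registered yet); an empty status simply retries.
    while ! ssm_status_terminal "$status"; do
        sleep 2
        status=$(aws ssm get-command-invocation --command-id "$cmd_id" \
            --instance-id "$instance" --query "Status" --output text \
            2>/dev/null) || status=""
    done
    aws ssm get-command-invocation --command-id "$cmd_id" --instance-id "$instance" \
        --query "{Status:Status,ExitCode:ResponseCode,Stdout:StandardOutputContent,Stderr:StandardErrorContent}" \
        --output json
    [ "$status" = "Success" ]
}

# Only contact AWS when an instance id was supplied.
if [ -n "${SSM_INSTANCE_ID:-}" ]; then
    ssm_run_and_wait "$SSM_INSTANCE_ID" "uname -a" "uptime"
fi
```

A non-zero return from ssm_run_and_wait lets a deployment pipeline fail fast on a TimedOut or Failed invocation instead of silently continuing.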
Practical tips for running large scripts
- Upload the scripts to S3 and, in Run Command, only download them (wget, curl or aws s3 cp) and run them.
- For recurring scripts, use State Manager.
- Use SSM parameters and managed documents (Automation documents) for complete automation.
Using Session Manager for Interactive Access and Port Forwarding
Session Manager allows for an interactive shell without SSH and can also perform port forwarding.
Starting an interactive session:
aws ssm start-session --target i-0123456789abcdef0
Interactive use from the AWS CLI requires the session-manager-plugin to be installed on the client; the console needs no plugin.
Example of port forwarding for database access:
aws ssm start-session \
--target i-0123456789abcdef0 \
--document-name AWS-StartPortForwardingSession \
--parameters '{"portNumber":["3306"],"localPortNumber":["3307"]}'
You can then connect your client to localhost:3307 and the traffic is tunneled through SSM without opening port 3306 to the internet.
Manage outputs and logs (CloudWatch / S3)
In Session Manager Preferences, enable CloudWatch logs or S3 logging to save all sessions.
For Run Command, you can redirect output to S3 or enable CloudWatch output on send-command:
--cloud-watch-output-config '{"CloudWatchOutputEnabled":true}'
Practical scenarios and examples
Performing a mass update on dozens of EC2 instances across multiple regions:
- Use targeting with Tag or Resource Group.
- Use SSM Maintenance Windows or Patch Manager for scheduling and coordination.
Use for GPU and rendering servers:
For GPU servers deployed in multiple locations (e.g. across our 85+ locations or AWS regions), use Run Command to install NVIDIA drivers, CUDA, and dependent packages. Example:
aws ssm send-command --instance-ids "i-..." --document-name "AWS-RunShellScript" --parameters 'commands=["sudo apt-get install -y nvidia-driver-470","sudo reboot"]'
Quick setup of a trading VPS with minimal latency:
- Instead of opening SSH/22, use Session Manager and Port Forwarding to securely access the trading server.
- Choosing the right location (the closest data center with a direct path to the broker) and using CDN/BGP/private networking can reduce ping; we serve these needs from more than 85+ locations all over the world.
Security tips and best practices
Never open the SSH port publicly. SSM is a lower-risk alternative.
- Apply least privilege to IAM roles and users: only allow execution of specific documents or access to specific parameters.
- Enable Session Manager logging and send outputs to S3 with KMS encryption or to CloudWatch.
- For secrets in Parameter Store, use the SecureString type with a dedicated KMS key.
- Restrict Session Manager: use IAM policy conditions so that sessions are allowed only within a time window or only with MFA.
- For sensitive environments, use VPC endpoints for SSM together with strict network ACLs and security groups.
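The least-privilege and MFA points above can be expressed as one operator policy. The script below is an added example (not from the original article): it writes an IAM policy that lets an operator run AWS-RunShellScript and open Session Manager sessions only on instances tagged Role=web, only with MFA present, and terminate only their own sessions. The policy name SsmWebOperator, the tag Role=web and the /tmp path are assumptions.

```shell
#!/bin/sh
# Added example: least-privilege IAM policy for an SSM operator.
# Assumed names: policy SsmWebOperator, instance tag Role=web.

# Write the policy document to the path given as $1.
write_operator_policy() {
    cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "TargetOnlyWebTierWithMfa",
      "Effect": "Allow",
      "Action": ["ssm:SendCommand", "ssm:StartSession"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/Role": "web" },
        "Bool": { "aws:MultiFactorAuthPresent": "true" } } },
    { "Sid": "OnlyApprovedDocuments",
      "Effect": "Allow",
      "Action": ["ssm:SendCommand", "ssm:StartSession"],
      "Resource": [
        "arn:aws:ssm:*::document/AWS-RunShellScript",
        "arn:aws:ssm:*::document/AWS-StartPortForwardingSession",
        "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell" ] },
    { "Sid": "ReadCommandResults",
      "Effect": "Allow",
      "Action": ["ssm:GetCommandInvocation", "ssm:ListCommandInvocations",
                 "ssm:DescribeInstanceInformation"],
      "Resource": "*" },
    { "Sid": "EndOwnSessionsOnly",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*" }
  ]
}
EOF
}

# Create the customer-managed policy from the document and print its ARN.
deploy_operator_policy() {
    write_operator_policy /tmp/ssm-web-operator.json
    aws iam create-policy --policy-name SsmWebOperator \
        --policy-document file:///tmp/ssm-web-operator.json \
        --query Policy.Arn --output text
}

# Only call AWS when explicitly requested.
if [ -n "${DEPLOY_SSM_OPERATOR_POLICY:-}" ]; then deploy_operator_policy; fi
```

Both the instance and the document resource must be allowed for SendCommand and StartSession, which is why they appear in two separate statements: the tag condition only makes sense on the instance resource and would deny the document statement if merged into it.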
Common errors and troubleshooting
- Instance not managed / Not registered: Verify that SSM Agent is installed and running and the correct IAM role is attached.
- Connection timed out: Check network routing, VPC endpoints, or Internet access/NAT.
- Permission denied when sending output to S3: The IAM role must have write access to that bucket.
- start-session gives an error: Ensure session-manager-plugin is installed on the client and Session Manager is enabled in the console.
Summary and how to use our services
Running commands remotely on EC2 instances with AWS Systems Manager is a secure and convenient way to manage EC2s, run scripts, patch, and gain access without SSH.
This solution fits well with the needs of:
- graphics servers (GPU) for AI and rendering,
- VPS for trading with low-ping requirements,
- game servers and infrastructure with a high SLA,
and can be combined with them. If you need to manage a combination of AWS EC2 and our international servers (85+ locations), we offer:
- For latency-sensitive workloads, choose our nearest location.
- Use BGP/CDN and dedicated links (if needed).
- Use SSM + Automation documents to manage and automate between our On-prem / AWS / VPS environments and keep logs centralized in CloudWatch/S3.
Suggested steps to get started
To view our Cloud Server, GPU Cloud, and VPS plans for trading or for technical advice on choosing the best location and secure implementation with AWS Systems Manager, review the plans or contact our support team to design a custom, secure architecture for your project.