
How to automate Session Manager preferences across your organization

Security Blog



This article explains how to automate AWS Systems Manager Session Manager preferences across multiple AWS accounts and regions using CloudFormation StackSets.

  • Session Manager provides secure browser-based or CLI access to EC2 instances without SSH keys or bastion hosts
  • Manual configuration across multiple regions and accounts is time-consuming and error-prone
  • CloudFormation StackSets enable standardized deployment of Session Manager preferences organization-wide
  • Solution supports S3 logging, CloudWatch Logs, session encryption, and session duration controls
  • Lambda function automatically updates the SSM-SessionManagerRunShell document with configured preferences
  • Includes KMS encryption options for session data and logs at rest
  • Requires proper EC2 instance IAM permissions for logging and encryption features
  • Validation steps verify encryption, logging, and RunAs user configuration

This approach centralizes Session Manager configuration management, reduces manual effort, ensures compliance consistency, and minimizes human error across enterprise AWS infrastructure.


