
AWS Session Manager Integration

Connect to private AWS resources through AWS Session Manager -- no SSH keys or open inbound ports required. The primary workflow is RDS and internal service access through an SSM-managed EC2 instance. Requires a Premium license.


How It Works

Session Manager uses the SSM Agent on your EC2 instances and IAM for authentication. StormTunnel wraps this into a standard tunnel interface with port forwarding, so tools on your Mac can connect to localhost while traffic reaches private VPC resources.

  • Uses IAM instead of SSH keys
  • All sessions logged in CloudTrail
  • No inbound ports needed on security groups
  • Works well for private RDS, Aurora, Redis, admin panels, and internal APIs reachable from the EC2 instance
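Because sessions are recorded in CloudTrail, tunnel use can be reviewed after the fact. The script below is an added example, not StormTunnel code: it scans CloudTrail records for SSM StartSession events and flags denied attempts, targets outside an expected set of instances, and sessions that are not port forwarding. The page does not say which session document StormTunnel invokes, so the two AWS-managed port-forwarding document names are an assumption, and the sample records, users, and instance IDs are constructed.

```python
import json

# Assumption: tunnels use one of the AWS-managed port-forwarding session documents.
PORT_FORWARD_DOCS = {"AWS-StartPortForwardingSession",
                     "AWS-StartPortForwardingSessionToRemoteHost"}

def _rec(user, source, name, params, error=None):
    """Build one constructed CloudTrail-style record for the sample below."""
    rec = {"eventSource": source, "eventName": name,
           "userIdentity": {"arn": "arn:aws:iam::111122223333:user/" + user},
           "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample log (not real data); instance IDs and users are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("alice", "ssm.amazonaws.com", "StartSession",
         {"target": "i-0aaaa1111bbbb2222",
          "documentName": "AWS-StartPortForwardingSessionToRemoteHost"}),
    _rec("bob", "ssm.amazonaws.com", "StartSession",
         {"target": "i-0aaaa1111bbbb2222"}),  # no document: interactive shell
    _rec("carol", "ssm.amazonaws.com", "StartSession",
         {"target": "i-0cccc3333dddd4444",
          "documentName": "AWS-StartPortForwardingSession"}, error="AccessDenied"),
    _rec("alice", "ec2.amazonaws.com", "DescribeInstances", None),  # unrelated event
]})

def audit_sessions(log_text, allowed_instances):
    """Return one finding per SSM StartSession event, with the reasons it needs review."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if (rec.get("eventSource"), rec.get("eventName")) != ("ssm.amazonaws.com", "StartSession"):
            continue
        params = rec.get("requestParameters") or {}  # field can be null
        reasons = []
        if rec.get("errorCode"):
            reasons.append("denied:" + rec["errorCode"])
        if params.get("target") not in allowed_instances:
            reasons.append("unexpected-target")
        if params.get("documentName") not in PORT_FORWARD_DOCS:
            reasons.append("not-port-forwarding")
        findings.append({"user": rec.get("userIdentity", {}).get("arn", "unknown"),
                         "target": params.get("target"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_sessions(SAMPLE_LOG, {"i-0aaaa1111bbbb2222"}):
        print(f["user"], f["target"], f["reasons"] or "ok")
```

An empty reasons list means the session matched the expected instance and was a port-forwarding session.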

Prerequisites

See AWS Configuration for credential setup and IAM requirements.

You also need:

  • An EC2 instance with SSM Agent installed (default on recent AMIs)
  • An IAM instance profile on the EC2 instance with SSM permissions
  • Network access from the EC2 instance to AWS SSM endpoints

Creating a Tunnel

  1. Click + in StormTunnel
  2. Select Tunnel Type: AWS Session Manager
  3. Configure:
    • Region: Your AWS region (e.g., us-east-1)
    • Instance ID: EC2 instance ID
    • Local Port: Port on your Mac
    • Remote Host: Destination (e.g., localhost or a database endpoint)
    • Remote Port: Port on the remote host
  4. Click Save

Usage Examples

Private RDS Access

Forward a private RDS PostgreSQL endpoint through an SSM-managed EC2 instance:

  • Local Port: 5432
  • Remote Host: mydb.abc123xyz.us-east-1.rds.amazonaws.com
  • Remote Port: 5432

Connect with: psql -h localhost -p 5432 -U username

For RDS-specific setup, see Connecting to AWS RDS Databases.

Web Services

Forward an internal web app or admin dashboard port:

  • Local Port: 3000
  • Remote Host: localhost
  • Remote Port: 3000

Access at: http://localhost:3000

Multiple Tunnels

Create separate tunnels to forward different ports on the same instance. Use distinct local ports to avoid conflicts.


Troubleshooting

See Troubleshooting for common errors including "Instance not found", "Access denied", and connection timeouts.