Skip to content


AWS SSM documents and SSM session-start command to ssh directly to an instance without using the ssh keys

Assuming you have a role with the necessary permissions, you can list the instances InstanceId and the tags Name if present, within the region you define.


for instance in $(aws ec2 describe-instances | jq -r '.Reservations[].Instances[].InstanceId' ); do
    echo "${instance} : $(aws ec2 describe-instances --instance-ids ${instance} | jq '.Reservations[].Instances[].Tags[] | select(.Key == "Name")|.Value') "

("ping me" if you know how to simplify the above comand with the --query native from aws cli)

Then you can run various AWS Systems Manager documents (SSM document) against a "target" instance(s).

docs here -


If you prefer the AWS CLI, you can list available documents.

aws ssm list-documents

docs here -


docs here -

aws ssm start-session --target i-123456789012


Thank you for you time and happy learning,

Antonio Feijao

AWS SSM command to tunnel proxy network traffic to another remote instance

If you have access to an instance (server, virtual machine) in AWS,

and this instance can access to other applications,

this means you can use this machine to proxy traffic from your local laptop (desktop or server) to the specified host.


Your local laptop needs permission to use the AWS SSM agent - AWS STS role or temporary token.

Your local laptop connects to the instance in AWS and then forward the traffic to the host specified in the command.

If you do not specify the remote host, you will be connected to a local port on your AWS instance.


For example, adjust as needed.

Connect to ${INSTANCE_ID} and tunnel (forward, proxy) traffic to the remote IP


aws ssm start-session \
    --target ${INSTANCE_ID} \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters '{ "host":[""], "portNumber":["443"], "localPortNumber":["8443"] }'


antonio feijao uk

Happy learning,

Antonio Feijao