Open an SSH connection to your EC2 instances via AWS SSM without the need to open any SSH port in your security groups.

ⓘ Windows users please refer to


Install SSH Proxy Command

  • Move proxy command script to ~/.ssh/
  • Ensure it is executable (chmod +x ~/.ssh/

Setup SSH Config [optional]

  • Add an SSH config entry for AWS EC2 instances to your ~/.ssh/config. Adjust the key file path if needed.
    host i-* mi-*
      IdentityFile ~/.ssh/id_rsa
      ProxyCommand ~/.ssh/ %h %r %p ~/.ssh/
      # Turns off SSH host key verification for all matching instance hosts
      StrictHostKeyChecking no

Open SSH Connection

  • Ensure AWS CLI environment variables are set properly, e.g.
    • export AWS_PROFILE=default or AWS_PROFILE=default ssh ... <INSTANCE_USER>@<INSTANCE_ID>
  • If the default region does not match the instance region, you need to provide it

SSH Command with SSH Config Setup

  • e.g. ssh ec2-user@i-1234567890

SSH Command with ProxyCommand CLI Option

  ssh <INSTANCE_USER>@<INSTANCE_ID> \
    -i "~/.ssh/id_rsa" \
    -o ProxyCommand="~/.ssh/ %h %r %p ~/.ssh/"

Recommended Usage of ec2-instance-connect:SendSSHPublicKey

The advantage from a security perspective is that you don't need to grant ssm:SendCommand to users, and thereby the permission to execute everything as root. Instead, you only grant the ec2-instance-connect:SendSSHPublicKey permission for a specific instance user, e.g. ec2-user.
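
The recommendation above as an added example (not code from the original project): a constructed IAM policy that pins SendSSHPublicKey to ec2-user, and a small check that flags policies still allowing ssm:SendCommand or leaving the OS user unconstrained. The placeholders, the names LEAST_PRIVILEGE, TOO_BROAD and audit, and the use of ssm:StartSession with the AWS-StartSSHSession document are assumptions.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy; <REGION>, <ACCOUNT_ID>, <INSTANCE_ID> are placeholders.
# Assumption: the session is opened through the AWS-StartSSHSession document.
LEAST_PRIVILEGE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow",
   "Action": "ec2-instance-connect:SendSSHPublicKey",
   "Resource": "arn:aws:ec2:<REGION>:<ACCOUNT_ID>:instance/<INSTANCE_ID>",
   "Condition": {"StringEquals": {"ec2:osuser": "ec2-user"}}},
  {"Effect": "Allow",
   "Action": "ssm:StartSession",
   "Resource": ["arn:aws:ec2:<REGION>:<ACCOUNT_ID>:instance/<INSTANCE_ID>",
                "arn:aws:ssm:*:*:document/AWS-StartSSHSession"]}]}
""")

# Constructed counter-example: the broad grants the text advises against.
TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2-instance-connect:SendSSHPublicKey",
     "Resource": "*"}]}


def _listify(value):
    # IAM allows a single string or object where a list is also valid.
    return value if isinstance(value, list) else [value]


def _grants(statement, action):
    """True if an Allow statement's Action patterns cover `action`."""
    if statement.get("Effect") != "Allow":
        return False
    patterns = _listify(statement.get("Action", []))
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def audit(policy):
    """Return (statement index, finding) pairs for over-broad SSH access."""
    findings = []
    for index, stmt in enumerate(_listify(policy.get("Statement", []))):
        if _grants(stmt, "ssm:SendCommand"):
            findings.append((index, "allows ssm:SendCommand"))
        if _grants(stmt, "ec2-instance-connect:SendSSHPublicKey"):
            equals = stmt.get("Condition", {}).get("StringEquals", {})
            if not any(key.lower() == "ec2:osuser" for key in equals):
                findings.append((index, "SendSSHPublicKey without ec2:osuser"))
    return findings
```

The check only inspects Allow statements with an Action element; NotAction and explicit Deny statements are outside what it evaluates.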