Menu
Amazon EC2 Systems Manager
User Guide

Setting Up Systems Manager

This section describes tasks and prerequisites for setting up Systems Manager. Use the following table to help you get started.

What do you want to do with Systems Manager? Set up tasks

Test it out / Play with it

  1. Verify permissions and create an instance profile role.

  2. Create a few Amazon EC2 test instances (free tier) from recent Amazon Linux or Windows AMIs.

  3. Test out Systems Manager. Here are some walkthroughs to help you get started.

    Note

    Some of these walkthroughs require additional setup tasks, such as additional permissions, before you can complete them.

Use Systems Manager to manage and configure my existing EC2 instances
Use Systems Manager to manage and configure my servers and VMs in a hybrid environment

Systems Manager Prerequisites

Amazon EC2 Systems Manager includes the following prerequisites.

Requirement Description

Supported Operating System (Windows)

Instances must run a supported version of Windows Server: Windows Server 2003 through Windows Server 2016, including R2 versions.

Supported Operating System (Linux)

Instances must run a supported version of Linux.

64-Bit and 32-Bit Systems

  • Amazon Linux 2014.09, 2014.03 or later

  • Ubuntu Server 16.04 LTS, 14.04 LTS, or 12.04 LTS

  • Red Hat Enterprise Linux (RHEL) 6.5

  • CentOS 6.3 or later

32-Bit Systems Only

  • Raspbian Jessie

  • Raspbian Stretch

64-Bit Systems Only

  • Amazon Linux 2015.09, 2015.03 or later

  • Red Hat Enterprise Linux (RHEL) 7.4

  • CentOS 7.1 or later

  • SUSE Linux Enterprise Server (SLES) 12 or higher

Supported Regions

Systems Manager is available in these regions.

For servers and VMs in your hybrid environment, we recommend that you choose the region closest to your data center or computing environment.

Access to Systems Manager

Systems Manager requires an IAM role for instances that will process commands and a separate role for users executing commands. Both roles require permission policies that enable them to communicate with the Systems Manager API. You can choose to use Systems Manager managed policies or you can create your own roles and specify permissions. For more information, see Configuring Access to Systems Manager.

If you are configuring on-premises servers or VMs that you want to configure using Systems Manager, you must also configure an IAM service role. For more information, see Create an IAM Service Role.

SSM Agent (EC2 Windows instances)

SSM Agent processes Systems Manager requests and configures your machine as specified in the request. The SSM Agent is installed by default on Windows Server 2016 instances and instances created from Windows Server 2003-2012 R2 AMIs published in November 2016 or later.

Windows AMIs published before November 2016 use the EC2Config service to process requests and configure instances.

Unless you have a specific reason for using the EC2Config service or an earlier version of the SSM Agent to process Systems Manager requests, we recommend that you download and install the latest version of the SSM Agent to each of your Amazon EC2 instances or managed instances (servers and VMs in a hybrid environment). For more information, see Installing and Configuring SSM Agent on Windows Instances.

SSM Agent (EC2 Linux instances)

SSM Agent processes Systems Manager requests and configures your machine as specified in the request. You must download and install SSM Agent to your EC2 Linux instances. For more information, see Installing and Configuring SSM Agent on Linux Instances.

The source code for SSM Agent is available on GitHub so that you can adapt the agent to meet your needs. We encourage you to submit pull requests for changes that you would like to have included. However, Amazon Web Services does not currently provide support for running modified copies of this software.

SSM Agent (hybrid environment)

The SSM Agent download and installation process for managed instances in a hybrid environment is different than Amazon EC2 instances. For more information, see Install the SSM Agent on Servers and VMs in Your Windows Hybrid Environment.

Windows PowerShell 3.0 or Later

SSM Agent requires Windows PowerShell 3.0 or later to execute certain SSM Documents on Windows instances (for example, the AWS-ApplyPatchBaseline document). Verify that your Windows instances are running Windows Management Framework 3.0 or later. The framework includes PowerShell. For more information, see Windows Management Framework 3.0.

Internet Access

Verify that your EC2 instances have outbound Internet access. Inbound Internet access is not required.

Configure Monitoring and Notifications (Optional)

You can configure Amazon CloudWatch Events to log status execution changes of the commands you send using Systems Manager. You can also configure Amazon Simple Notification Service (Amazon SNS) to send you notifications about specific command status changes. For more information, see Setting Up Events and Notifications.

Amazon S3 Bucket (Optional)

You can store System Manager output in an Amazon Simple Storage Service (Amazon S3) bucket. Output in the Amazon EC2 console is truncated after 2500 characters. Additionally, you might want to create an Amazon S3 key prefix (a subfolder) to help you organize output. For more information, see Create a Bucket.

For information about Systems Manager limits, see Amazon EC2 Systems Manager Limits. To increase limits, go to AWS Support Center and submit a limit increase request form.

Ec2messages and Undocumented API Calls

If you monitor API calls, you will see calls to the following APIs.

  • ec2messages:AcknowledgeMessage

  • ec2messages:DeleteMessage

  • ec2messages:FailMessage

  • ec2messages:GetEndpoint

  • ec2messages:GetMessages

  • ec2messages:SendReply

  • UpdateInstanceInformation

  • ListInstanceAssociations

  • DescribeInstanceProperties

  • DescribeDocumentParameters

Calls to ec2messages:* APIs are calls to the ec2messages endpoint. Systems Manager uses this endpoint to make calls from the SSM Agent to the Systems Manager service in the cloud. This endpoint is required to send and receive commands.

UpdateInstanceInformation: SSM Agent calls the Systems Manager service in the cloud every five minutes to provide heartbeat information. This call is necessary to maintain a heartbeat with the agent so that the service knows the agent is functioning as expected.

ListInstanceAssociations: The agent calls this API to see if a new Systems Manager State Manager association is available. This API is required for State Manager to function.

DescribeInstanceProperties and DescribeDocumentParameters: Systems Manager calls these APIs to render specific nodes in the Amazon EC2 console. The DescribeInstanceProperties API displays the Managed Instances node in the left navigation. The DescribeDocumentParameters API displays the Documents node in the left navigation.