Amazon EC2 Systems Manager
User Guide

Setting Up Systems Manager

To get started with Amazon EC2 Systems Manager, verify prerequisites, configure AWS Identity and Access Management (IAM) roles, and install the SSM Agent on managed instances.

Systems Manager Prerequisites

Amazon EC2 Systems Manager has the following prerequisites.

Requirement Description

Supported Operating System (Windows)

Instances must run a supported version of Windows Server: Windows Server 2003 through Windows Server 2016, including R2 versions.

Supported Operating System (Linux)

Instances must run a supported version of Linux.

64-Bit and 32-Bit Systems

  • Amazon Linux 2014.09, 2014.03 or later

  • Ubuntu Server 16.04 LTS, 14.04 LTS, or 12.04 LTS

  • Red Hat Enterprise Linux (RHEL) 6.5 or later

  • CentOS 6.3 or later

64-Bit Systems Only

  • Amazon Linux 2015.09, 2015.03 or later

  • Red Hat Enterprise Linux (RHEL) 7.x or later

  • CentOS 7.1 or later

  • SUSE Linux Enterprise Server (SLES) 12 or higher

Supported Regions

Systems Manager is available in these regions.

For servers and VMs in your hybrid environment, we recommend that you choose the region closest to your data center or computing environment.

Roles for Systems Manager

Systems Manager requires an IAM role for instances that will process commands and a separate role for users executing commands. Both roles require permission policies that enable them to communicate with the Systems Manager API. You can choose to use Systems Manager managed policies or you can create your own roles and specify permissions. For more information, see Configuring Security Roles for Systems Manager.

If you want to manage on-premises servers or VMs with Systems Manager, you must also configure an IAM service role. For more information, see Create an IAM Service Role.

SSM Agent (EC2 Linux instances)

SSM Agent processes Systems Manager requests and configures your machine as specified in the request. You must download and install SSM Agent to your EC2 Linux instances. For more information, see Installing SSM Agent on Linux.

The source code for SSM Agent is available on GitHub so that you can adapt the agent to meet your needs. We encourage you to submit pull requests for changes that you would like to have included. However, Amazon Web Services does not currently provide support for running modified copies of this software.

SSM Agent (EC2 Windows instances)

SSM Agent processes Systems Manager requests and configures your machine as specified in the request. The SSM Agent is installed by default on Windows Server 2016 instances and instances created from Windows Server 2003-2012 R2 AMIs published in November 2016 or later.

Windows AMIs published before November 2016 use the EC2Config service to process requests and configure instances.

Unless you have a specific reason for using the EC2Config service or an earlier version of the SSM Agent to process Systems Manager requests, we recommend that you download and install the latest version of the SSM Agent to each of your Amazon EC2 instances or managed instances (servers and VMs in a hybrid environment). For more information, see Installing SSM Agent on Windows.

SSM Agent (hybrid environment)

The SSM Agent download and installation process for managed instances in a hybrid environment differs from the process for Amazon EC2 instances. For more information, see Install the SSM Agent on Servers and VMs in Your Windows Hybrid Environment.

Internet Access

Verify that your EC2 instances have outbound Internet access. Inbound Internet access is not required.

Configure Monitoring and Notifications (Optional)

You can configure Amazon CloudWatch Events to log execution status changes of the commands you send using Systems Manager. You can also configure Amazon Simple Notification Service (Amazon SNS) to send you notifications about specific command status changes. For more information, see Setting Up Events and Notifications.

Amazon S3 Bucket (Optional)

You can store Systems Manager output in an Amazon Simple Storage Service (Amazon S3) bucket. Output in the Amazon EC2 console is truncated after 2500 characters. Additionally, you might want to create an Amazon S3 key prefix (a subfolder) to help you organize output. For more information, see Create a Bucket.

For information about Systems Manager limits, see Amazon EC2 Systems Manager Limits. To increase limits, go to AWS Support Center and submit a limit increase request form.

Ec2messages and Undocumented API Calls

If you monitor API calls, you will see calls to the following APIs.

  • ec2messages:AcknowledgeMessage

  • ec2messages:DeleteMessage

  • ec2messages:FailMessage

  • ec2messages:GetEndpoint

  • ec2messages:GetMessages

  • ec2messages:SendReply

  • UpdateInstanceInformation

  • ListInstanceAssociations

  • DescribeInstanceProperties

  • DescribeDocumentParameters

Calls to ec2messages:* APIs are calls to the ec2messages endpoint. Systems Manager uses this endpoint to make calls from the SSM Agent to the Systems Manager service in the cloud. This endpoint is required to send and receive commands.

UpdateInstanceInformation: SSM Agent calls the Systems Manager service in the cloud every five minutes to provide heartbeat information. This call is necessary to maintain a heartbeat with the agent so that the service knows the agent is functioning as expected.

ListInstanceAssociations: The agent calls this API to see if a new Systems Manager State Manager association is available. This API is required for State Manager to function.

DescribeInstanceProperties and DescribeDocumentParameters: Systems Manager calls these APIs to render specific nodes in the Amazon EC2 console. The DescribeInstanceProperties API displays the Managed Instances node in the left navigation. The DescribeDocumentParameters API displays the Documents node in the left navigation.
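
An added example, not part of the AWS guide: a triage pass over monitored API calls that separates the calls listed above from everything else and flags instances whose UpdateInstanceInformation heartbeat is late or missing. The record format, the instance IDs, and the one-minute slack are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# API names exactly as the page lists them.
LISTED = {
    "ec2messages:AcknowledgeMessage", "ec2messages:DeleteMessage",
    "ec2messages:FailMessage", "ec2messages:GetEndpoint",
    "ec2messages:GetMessages", "ec2messages:SendReply",
    "UpdateInstanceInformation", "ListInstanceAssociations",
    "DescribeInstanceProperties", "DescribeDocumentParameters",
}
HEARTBEAT = timedelta(minutes=5)  # interval stated on the page
SLACK = timedelta(minutes=1)      # assumed tolerance for scheduling jitter

# Constructed records (time, instance ID, API name); not a real log schema.
SAMPLE = [
    ("2017-03-01T10:00:00", "i-0aaa", "UpdateInstanceInformation"),
    ("2017-03-01T10:01:00", "i-0aaa", "ec2messages:GetMessages"),
    ("2017-03-01T10:05:00", "i-0aaa", "UpdateInstanceInformation"),
    ("2017-03-01T10:10:00", "i-0aaa", "UpdateInstanceInformation"),
    ("2017-03-01T10:00:00", "i-0bbb", "UpdateInstanceInformation"),
    ("2017-03-01T10:07:00", "i-0bbb", "SendCommand"),
    ("2017-03-01T10:15:00", "i-0bbb", "UpdateInstanceInformation"),
    ("2017-03-01T10:02:00", "i-0ccc", "ec2messages:GetMessages"),
]
WINDOW_END = "2017-03-01T10:15:00"


def triage(records, window_end):
    """Return (unlisted_calls, heartbeat_gaps) for one observation window."""
    end = datetime.fromisoformat(window_end)
    unlisted, beats = [], {}
    for ts, instance, api in records:
        times = beats.setdefault(instance, [])  # track every instance seen
        if api not in LISTED:
            unlisted.append((ts, instance, api))  # needs separate attribution
        elif api == "UpdateInstanceInformation":
            times.append(datetime.fromisoformat(ts))
    gaps = []
    for instance, times in sorted(beats.items()):
        if not times:  # traffic seen, but no heartbeat in the window at all
            gaps.append((instance, None, window_end))
            continue
        points = sorted(times) + [end]
        for a, b in zip(points, points[1:]):
            if b - a > HEARTBEAT + SLACK:
                gaps.append((instance, a.isoformat(), b.isoformat()))
    return unlisted, gaps
```

Calling `triage(SAMPLE, WINDOW_END)` returns the unlisted calls first and the heartbeat gaps second; a gap whose start is `None` means the instance produced traffic but no heartbeat during the window.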