Amazon EC2 host management - AWS Systems Manager

Amazon EC2 host management

Use Quick Setup, a capability of AWS Systems Manager, to quickly configure required security roles and commonly used Systems Manager capabilities on your Amazon Elastic Compute Cloud (Amazon EC2) instances. You can use Quick Setup in an individual account or across multiple accounts and AWS Regions by integrating with AWS Organizations. These capabilities help you manage and monitor the health of your instances while providing the minimum required permissions to get started.

If you're unfamiliar with Systems Manager services and features, we recommend that you review the AWS Systems Manager User Guide before creating a configuration with Quick Setup. For more information about Systems Manager, see What is AWS Systems Manager?.

Important

Quick Setup might not be the right tool to use for EC2 management if either of the following applies to you:

  • You’re trying to create an EC2 instance for the first time to try out AWS capabilities.

  • You’re still new to EC2 instance management.

Instead, we recommend that you explore the following content:

If you’re already familiar with EC2 instance management and want to streamline configuration and management for multiple EC2 instances, use Quick Setup. Whether your organization has dozens, thousands, or millions of EC2 instances, use the following Quick Setup procedure to configure multiple options for them, all at once.

Prerequisites

The home Region for Quick Setup must already be specified before you complete the following tasks. For information, see Configure the home AWS Region.

Note

This configuration type lets you set multiple options for an entire organization defined in AWS Organizations, only some organizational accounts and Regions, or a single account. One of these options is to check for and apply updates to SSM Agent every two weeks. If you are an organization administrator, you can also choose to update all EC2 instances in your organization with agent updates every two weeks using the Default Host Management Configuration type. For information, see Default Host Management for an organization.

Configuring host management options for EC2 instances

To set up host management, perform the following tasks in the AWS Systems Manager Quick Setup console.

To open the Host Management configuration page
  1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.

  2. In the navigation pane, choose Quick Setup.

    -or-

    If the AWS Systems Manager home page opens first, choose the menu icon to open the navigation pane, and then choose Quick Setup in the navigation pane.

  3. On the Host Management card, choose Create.

    Tip

    If you already have one or more configurations in your account, first choose the Library tab or the Create button in the Configurations section to view the cards.

To configure Systems Manager host management options
  • To configure Systems Manager functionality, in the Configuration options section, choose the options in the Systems Manager group that you want to enable for your configuration:

     

    Update Systems Manager (SSM) Agent every two weeks

    Enables Systems Manager to check every two weeks for a new version of the agent. If there is a new version, then Systems Manager automatically updates the agent on your managed node to the latest released version. Quick Setup doesn't install the agent on instances where it's not already present. For information about which AMIs have SSM Agent preinstalled, see Amazon Machine Images (AMIs) with SSM Agent preinstalled.

    We encourage you to choose this option to ensure that your nodes are always running the most up-to-date version of SSM Agent. For more information about SSM Agent, including information about how to manually install the agent, see Working with SSM Agent.

    Collect inventory from your instances every 30 minutes

    Enables Quick Setup to configure collection of the following types of metadata:

    • AWS components – EC2 driver, agents, versions, and more.

    • Applications – Application names, publishers, versions, and more.

    • Node details – System name, operating system (OS) name, OS version, last boot, DNS, domain, work group, OS architecture, and more.

    • Network configuration – IP address, MAC address, DNS, gateway, subnet mask, and more.

    • Services – Name, display name, status, dependent services, service type, start type, and more (Windows Server nodes only).

    • Windows roles – Name, display name, path, feature type, installed state, and more (Windows Server nodes only).

    • Windows updates – Hotfix ID, installed by, installed date, and more (Windows Server nodes only).

    For more information about Inventory, a capability of AWS Systems Manager, see AWS Systems Manager Inventory.

    Note

    The Inventory collection option can take up to 10 minutes to complete, even if you only selected a few nodes.

    Scan instances for missing patches daily

    Enables Patch Manager, a capability of Systems Manager, to scan your nodes daily and generate a report on the Compliance page. The report shows how many nodes are patch-compliant according to the default patch baseline, and lists each node with its compliance status.

    For information about patching operations and patch baselines, see AWS Systems Manager Patch Manager.

    For information about patch compliance, see the Systems Manager Compliance page.

    For information about patching managed nodes in multiple accounts and Regions in one configuration, see Using Quick Setup patch policies and Patch Manager organization patching configuration.

    Important

    Systems Manager supports several methods for scanning managed nodes for patch compliance. If you implement more than one of these methods at a time, the patch compliance information you see is always the result of the most recent scan. Results from previous scans are overwritten. If the scanning methods use different patch baselines, with different approval rules, the patch compliance information can change unexpectedly. For more information, see Avoiding unintentional patch compliance data overwrites.

To configure Amazon CloudWatch host management options
  • To configure CloudWatch functionality, in the Configuration options section, choose the options in the Amazon CloudWatch group that you want to enable for your configuration:

     

    Install and configure the CloudWatch agent

    Installs the basic configuration of the unified CloudWatch agent on your Amazon EC2 instances. The agent collects metrics and log files from your instances for Amazon CloudWatch. This information is consolidated so you can quickly determine the health of your instances. For more information about the CloudWatch agent basic configuration, see CloudWatch agent predefined metric sets. There might be added cost. For more information, see Amazon CloudWatch pricing.

    Update the CloudWatch agent once every 30 days

    Enables Systems Manager to check every 30 days for a new version of the CloudWatch agent. If there is a new version, Systems Manager updates the agent on your instance. We encourage you to choose this option to ensure that your instances are always running the most up-to-date version of the CloudWatch agent.

To configure Amazon EC2 Launch Agent host management options
  • To configure Amazon EC2 Launch Agent functionality, in the Configuration options section, choose the options in the Amazon EC2 Launch Agent group that you want to enable for your configuration:

     

    Update the EC2 launch agent once every 30 days

    Enables Systems Manager to check every 30 days for a new version of the launch agent installed on your instance. If a new version is available, Systems Manager updates the agent on your instance. We encourage you to choose this option to ensure that your instances are always running the most up-to-date version of the applicable launch agent. For Amazon EC2 Windows instances, this option supports EC2Launch, EC2Launch v2, and EC2Config. For Amazon EC2 Linux instances, this option supports cloud-init. For Amazon EC2 Mac instances, this option supports ec2-macos-init. Quick Setup doesn't support updating launch agents that are installed on operating systems not supported by the launch agent, or on AL2023.

    For more information about these initialization agents, see the following topics:

To select the EC2 instances to be updated by the host management configuration
  • In the Targets section, choose the method to determine the accounts and Regions where the configuration is to be deployed:

    Note

    You can't create multiple Quick Setup Host Management configurations that target the same AWS Region.

    Entire organization

    Your configuration is deployed to all organizational units (OUs) and AWS Regions in your organization.

    Note

    The Entire organization option is only available if you're configuring host management from your organization's management account.

    Custom
    1. In the Target OUs section, select the OUs where you want to deploy this host management configuration.

    2. In the Target Regions section, select the Regions where you want to deploy this host management configuration.

    Current account

    Choose one of the Region options and follow the steps for that option.

     

    Current Region

    Choose how to target instances in the current Region only:

    • All instances – The host management configuration automatically targets every EC2 instance in the current Region.

    • Tag – Choose Add and enter the key and optional value that has been added to the instances to be targeted.

    • Resource group – For Resource group, select an existing resource group that contains the EC2 instances to be targeted.

    • Manual – In the Instances section, select the check box of each EC2 instance to be targeted.

    Choose Regions

    Choose how to target instances in the Region you specify by choosing one of the following:

    • All instances – All instances in the Regions you specify are targeted.

    • Tag – Choose Add and enter the key and optional value that has been added to the instances to be targeted.

    In the Target Regions section, select the Regions where you want to deploy this host management configuration.

To specify an instance profile option
  • Entire organization and Custom targets only.

    In the Instance profile options section, choose whether to add the required IAM policies to the instance profiles already attached to your instances, or to let Quick Setup create the IAM policies and instance profiles with the permissions the configuration you chose needs. Keep in mind that policies attached to an existing instance profile apply to the profile's role everywhere it is used, so every instance that shares that profile gains the added permissions, not only the instances this configuration targets. Review the roles involved before choosing that option; letting Quick Setup create dedicated profiles keeps the added permissions scoped to the managed instances.

After specifying all your configuration choices, choose Create.
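The console shows whether the configuration deployed, but not whether every targeted instance actually ended up managed, running a current SSM Agent, and scanned against a single baseline. The script below is an added example, not code from the AWS documentation or from Quick Setup itself: it applies the checks that follow from the procedure above (nodes that never registered because Quick Setup does not install the agent, agents that have not been updated, daily scans that have gone stale, and the mixed-baseline situation described in the Important note under the patch-scanning option) to the response shapes of two real Systems Manager API calls, DescribeInstanceInformation and DescribeInstancePatchStates. All records, instance IDs, the role name, the patch group and the baseline IDs are constructed placeholders; the commented boto3 calls at the bottom show how to feed it live data.

```python
"""Verify the outcome of a Quick Setup Host Management configuration.

Added example, not code from the AWS documentation or from Quick Setup.
Works on trimmed DescribeInstanceInformation / DescribeInstancePatchStates
records; every record below is constructed for the example.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed: the EC2 instances the configuration was meant to target.
EXPECTED_IDS = ["i-0aaa000000000001", "i-0aaa000000000002",
                "i-0aaa000000000003", "i-0aaa000000000004"]

# Constructed: InstanceInformationList entries (aws ssm describe-instance-information).
INSTANCE_INFO = [
    {"InstanceId": "i-0aaa000000000001", "PingStatus": "Online",
     "LastPingDateTime": NOW - timedelta(minutes=5), "AgentVersion": "3.3.0.0",
     "IsLatestVersion": True, "IamRole": "example-instance-role"},
    {"InstanceId": "i-0aaa000000000002", "PingStatus": "Online",
     "LastPingDateTime": NOW - timedelta(minutes=9), "AgentVersion": "3.1.0.0",
     "IsLatestVersion": False, "IamRole": "example-instance-role"},
    {"InstanceId": "i-0aaa000000000003", "PingStatus": "ConnectionLost",
     "LastPingDateTime": NOW - timedelta(hours=5), "AgentVersion": "3.3.0.0",
     "IsLatestVersion": True, "IamRole": "example-instance-role"},
    # i-0aaa000000000004 never registered with Systems Manager.
]

# Constructed: InstancePatchStates entries (aws ssm describe-instance-patch-states).
PATCH_STATES = [
    {"InstanceId": "i-0aaa000000000001", "PatchGroup": "web", "BaselineId": "pb-example-a",
     "Operation": "Scan", "OperationStartTime": NOW - timedelta(hours=6),
     "MissingCount": 0, "FailedCount": 0},
    {"InstanceId": "i-0aaa000000000002", "PatchGroup": "", "BaselineId": "pb-example-a",
     "Operation": "Scan", "OperationStartTime": NOW - timedelta(days=3),
     "MissingCount": 4, "FailedCount": 0},
    {"InstanceId": "i-0aaa000000000003", "PatchGroup": "web", "BaselineId": "pb-example-b",
     "Operation": "Scan", "OperationStartTime": NOW - timedelta(hours=2),
     "MissingCount": 0, "FailedCount": 0},
]


def audit_fleet(expected_ids, instance_info, patch_states, now,
                max_ping_age=timedelta(hours=1), max_scan_age=timedelta(days=2)):
    """Return (instance_id, code, detail) findings for a Host Management rollout."""
    findings = []
    info_by_id = {i["InstanceId"]: i for i in instance_info}
    state_by_id = {p["InstanceId"]: p for p in patch_states}
    for iid in expected_ids:
        info = info_by_id.get(iid)
        if info is None:
            # Quick Setup does not install SSM Agent: a node that never registers is
            # missing the agent, the instance profile, or a path to the SSM endpoints.
            findings.append((iid, "NOT_MANAGED", "no SSM registration"))
            continue
        if info.get("PingStatus") != "Online" or now - info["LastPingDateTime"] > max_ping_age:
            findings.append((iid, "AGENT_OFFLINE", f"PingStatus={info.get('PingStatus')}"))
        if not info.get("IsLatestVersion", False):
            # With agent auto-update enabled this should clear within the two-week cycle.
            findings.append((iid, "AGENT_OUTDATED", f"AgentVersion={info.get('AgentVersion')}"))
        state = state_by_id.get(iid)
        if state is None:
            findings.append((iid, "NEVER_SCANNED", "no patch state recorded"))
            continue
        if now - state["OperationStartTime"] > max_scan_age:
            # Daily scans are configured, so anything older than max_scan_age is stale.
            findings.append((iid, "SCAN_STALE",
                             f"last {state['Operation']} at {state['OperationStartTime']:%Y-%m-%d %H:%M}"))
        if state.get("MissingCount", 0) or state.get("FailedCount", 0):
            findings.append((iid, "NONCOMPLIANT",
                             f"missing={state.get('MissingCount', 0)} failed={state.get('FailedCount', 0)}"))
    # Only the most recent scan survives per instance, so a patch group whose nodes
    # report different baseline IDs is a sign that more than one scanning method
    # (with different baselines) is overwriting each other's compliance results.
    by_group = {}
    for p in patch_states:
        by_group.setdefault(p.get("PatchGroup", ""), set()).add(p["BaselineId"])
    for group, baselines in sorted(by_group.items()):
        if len(baselines) > 1:
            findings.append(("*", "MIXED_BASELINES",
                             f"patch group {group or '(none)'!r} scanned with {sorted(baselines)}"))
    return findings


def run_sample():
    """Audit the constructed fleet above."""
    return audit_fleet(EXPECTED_IDS, INSTANCE_INFO, PATCH_STATES, NOW)


if __name__ == "__main__":
    # Against a live account (boto3, not run here; DescribeInstancePatchStates
    # accepts at most 50 instance IDs per call, so batch larger fleets):
    #   ssm = boto3.client("ssm")
    #   info = [i for page in ssm.get_paginator("describe_instance_information").paginate()
    #           for i in page["InstanceInformationList"]]
    #   states = ssm.describe_instance_patch_states(InstanceIds=EXPECTED_IDS)["InstancePatchStates"]
    for iid, code, detail in run_sample():
        print(f"{iid:<22} {code:<16} {detail}")
```

The thresholds are deliberately tied to the cadences chosen in the configuration: a scan older than two days means the daily scan is not running on that node, and an agent still reporting IsLatestVersion false two weeks after deployment means the fortnightly update is not reaching it. The MIXED_BASELINES finding is a heuristic, not a definitive answer; confirm it by comparing the associations and patch policies that target the affected patch group.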