Install SSM Agent on hybrid Windows Server nodes - AWS Systems Manager
Setting up private key auto rotationDeregister and reregister a managed node

Install SSM Agent on hybrid Windows Server nodes

This topic describes how to install SSM Agent on Windows Server machines for a hybrid and multicloud environment. If you plan to use non-EC2 Linux machines in a hybrid and multicloud environment, see the previous step, Install SSM Agent on hybrid Linux nodes.

Important

This procedure is for non-EC2 (Amazon Elastic Compute Cloud) machines in hybrid and multicloud environment. To download and install SSM Agent on an EC2 instance for Windows Server, see Manually installing and uninstalling SSM Agent on EC2 instances for Windows Server.

Before you begin, locate the Activation Code and Activation ID that were sent to you after you completed the hybrid activation earlier in Create a hybrid activation to register nodes with Systems Manager. You specify the Code and ID in the following procedure.

To install SSM Agent on non-EC2 Windows Server machines in a hybrid and multicloud environment

  1. Log on to a server or VM in your hybrid and multicloud environment.

  2. If you use an HTTP or HTTPS proxy, you must set the http_proxy or https_proxy environment variables in the current shell session. If you aren't using a proxy, you can skip this step.

    For an HTTP proxy server, set this variable:

    http_proxy=http://hostname:port
https_proxy=http://hostname:port

    For an HTTPS proxy server, set this variable:

    http_proxy=http://hostname:port
https_proxy=https://hostname:port

  3. Open Windows PowerShell in elevated (administrative) mode.

  4. Copy and paste the following command block into Windows PowerShell. Replace each example resource placeholder with your own information. For example, the Activation Code and Activation ID generated when you create a hybrid activation, and with the identifier of the AWS Region you want to download SSM Agent from.

    Note

    Note the following important details:

    • ssm-setup-cli supports a manifest-url option that determines the source where the agent is downloaded from. Don't specify a value for this option unless required by your organization.

    • You can use the script provided here to validate the signature of ssm-setup-cli.

    • When registering instances, only use the provided download link provided for ssm-setup-cli. ssm-setup-cli shouldn’t be stored separately for future use.

    region represents the identifier for an AWS Region supported by AWS Systems Manager, such as us-east-2 for the US East (Ohio) Region. For a list of supported region values, see the Region column in Systems Manager service endpoints in the Amazon Web Services General Reference.

    Additionally, ssm-setup-cli includes the following options:

    • version - Valid values are latest and stable.

    • downgrade - Reverts the agent to an earlier version.

    • skip-signature-validation - Skips the signature validation during the download and installation of the agent.

    64-bit
    [System.Net.ServicePointManager]::SecurityProtocol = 'TLS12'
$code = "activation-code"
$id = "activation-id"
$region = "us-east-1"
$dir = $env:TEMP + "\ssm"
New-Item -ItemType directory -Path $dir -Force
cd $dir
(New-Object System.Net.WebClient).DownloadFile("https://amazon-ssm-$region.s3.$region.amazonaws.com/latest/windows_amd64/ssm-setup-cli.exe", $dir + "\ssm-setup-cli.exe")
./ssm-setup-cli.exe -register -activation-code="$code" -activation-id="$id" -region="$region"
Get-Content ($env:ProgramData + "\Amazon\SSM\InstanceData\registration")
Get-Service -Name "AmazonSSMAgent"
    32-bit
    "[System.Net.ServicePointManager]::SecurityProtocol = 'TLS12'"
$code = "activation-code"
$id = "activation-id"
$region = "us-east-1"
$dir = $env:TEMP + "\ssm"
New-Item -ItemType directory -Path $dir -Force
cd $dir
(New-Object System.Net.WebClient).DownloadFile("https://amazon-ssm-$region.s3.$region.amazonaws.com/latest/windows_386/ssm-setup-cli.exe", $dir + "\ssm-setup-cli.exe")
./ssm-setup-cli.exe -register -activation-code="$code" -activation-id="$id" -region="$region"
Get-Content ($env:ProgramData + "\Amazon\SSM\InstanceData\registration")
Get-Service -Name "AmazonSSMAgent"

  5. Press Enter.

Note

If the command fails, verify that you are running the latest version of AWS Tools for PowerShell.

The command does the following:

  • Downloads and installs SSM Agent onto the machine.

  • Registers the machine with the Systems Manager service.

  • Returns a response to the request similar to the following:

        Directory: C:\Users\ADMINI~1\AppData\Local\Temp\2


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       07/07/2018   8:07 PM                ssm
{"ManagedInstanceID":"mi-008d36be46EXAMPLE","Region":"us-east-2"}

Status      : Running
Name        : AmazonSSMAgent
DisplayName : Amazon SSM Agent

The machine is now a managed node. These managed nodes are now identified with the prefix "mi-". You can view managed nodes on the Managed node page in Fleet Manager, by using the AWS CLI command describe-instance-information, or by using the API command DescribeInstanceInformation.

Setting up private key auto rotation

To strengthen your security posture, you can configure AWS Systems Manager Agent (SSM Agent) to automatically rotate the private key for a hybrid and multicloud environment. You can access this feature using SSM Agent version 3.0.1031.0 or later. Turn on this feature using the following procedure.

To configure SSM Agent to rotate the private key for a hybrid and multicloud environment

  1. Navigate to /etc/amazon/ssm/ on a Linux machine or C:\Program Files\Amazon\SSM for a Windows Server machine.

  2. Copy the contents of amazon-ssm-agent.json.template to a new file named amazon-ssm-agent.json. Save amazon-ssm-agent.json in the same directory where amazon-ssm-agent.json.template is located.

  3. Find Profile, KeyAutoRotateDays. Enter the number of days that you want between automatic private key rotations.

  4. Restart SSM Agent.

Every time you change the configuration, restart SSM Agent.

You can customize other features of SSM Agent using the same procedure. For an up-to-date list of the available configuration properties and their default values, see Config Property Definitions.

Deregister and reregister a managed node

You can deregister a managed node by calling the DeregisterManagedInstance API operation from either the AWS CLI or Tools for Windows PowerShell. Here's an example CLI command:

aws ssm deregister-managed-instance --instance-id "mi-1234567890"

To remove the remaining registration information for the agent, remove the IdentityConsumptionOrder key in the amazon-ssm-agent.json file. Then run the following command:

amazon-ssm-agent -register -clear

You can reregister a machine after you deregister it. Use the following procedure to reregister a machine as a managed node. After you complete the procedure, your managed node is displayed again in the list of managed nodes.

To reregister a managed node on a Windows Server hybrid machine

  1. Connect to your machine.

  2. Run the following command. Be sure to replace the placeholder values with the Activation Code and Activation ID generated when you create a hybrid activation, and with the identifier of the Region you want to download the SSM Agent from.

    'yes' | & Start-Process ./ssm-setup-cli.exe -ArgumentList @("-register", "-activation-code=$code", "-activation-id=$id", "-region=$region") -Wait
Get-Content ($env:ProgramData + "\Amazon\SSM\InstanceData\registration")
Get-Service -Name "AmazonSSMAgent"