Step 1: Complete Session Manager prerequisites - AWS Systems Manager

Step 1: Complete Session Manager prerequisites

Before using Session Manager, make sure your environment meets the following requirements.

Session Manager prerequisites
Requirement Description

Supported Operating Systems

AWS Session Manager supports the following operating system versions:


Session Manager supports EC2 instances, as well as servers or virtual machines (VMs) in your hybrid environment that use the advanced-instances tier. For more information about advanced instances, see Enabling the advanced-instances tier.


Session Manager supports all the versions of Linux that are supported for AWS Systems Manager as a whole. For information, see Systems Manager prerequisites.


Session Manager supports Windows Server 2008 R2 through Windows Server 2019.


Microsoft Windows Server 2016 Nano is not supported.

SSM Agent

At minimum, SSM Agent version or later must be installed on the instances you want to connect to through sessions.

To use the option to encrypt session data using a customer master key (CMK) created in AWS Key Management Service (AWS KMS), version 2.3.539.0 or later of SSM Agent must be installed on the managed instance.

To start a Session Manager port forwarding or SSH session, version 2.3.672.0 or later of SSM Agent must be installed on the managed instance.

To install or update SSM Agent, see Working with SSM Agent.

About the ssm-user account

Starting with version of SSM Agent, the agent creates a user account on the instance, with root or administrator privileges, called ssm-user. (On versions before 2.3.612.0, the account is created when SSM Agent starts or restarts. On version 2.3.612.0 and later, ssm-user is created the first time a session starts on the instance.) Sessions are launched using the administrative credentials of this user account. For information about restricting administrative control for this account, see (Optional) Disable or enable ssm-user account administrative permissions.

ssm-user on Windows Server domain controllers

Beginning with SSM Agent version 2.3.612.0, the ssm-user account is not created automatically on managed instances that are used as Windows Server domain controllers. To use Session Manager on a Windows Server machine being used as a domain controller, you must create the ssm-user account manually if it isn't already present. On Windows Server, SSM Agent sets a new password for the ssm-user account each time a session starts, so you do not need to specify a password when you create the account.


(Optional) If you use the AWS CLI to start your sessions (instead of using the AWS Systems Manager console or Amazon EC2 console), version 1.16.12 or later of the CLI must be installed on your local machine.

You can call aws --version to check the version.

If you need to install or upgrade the CLI, see Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.


An updated version of SSM Agent is released whenever new capabilities are added to Systems Manager or updates are made to existing capabilities. If an older version of the agent is running on an instance, some SSM Agent processes can fail. For that reason, we recommend that you automate the process of keeping SSM Agent up-to-date on your instances. For information, see Automating updates to SSM Agent. To be notified about SSM Agent updates, subscribe to the SSM Agent Release Notes page on GitHub.

In addition, to use the CLI to manage your instances with Session Manager, you must first install the Session Manager plugin on your local machine. For information, see (Optional) Install the Session Manager Plugin for the AWS CLI.