AWS Systems Manager
User Guide

Step 1: Complete Session Manager Prerequisites

Before using Session Manager, make sure your environment meets the following requirements.

Session Manager Prerequisites

Requirement Description

Supported Operating Systems

AWS Session Manager supports the following operating system versions:


Session Manager supports Amazon EC2 instances, as well as servers or virtual machines (VMs) in your hybrid environment that use the advanced-instances tier. For more information about advanced instances, see (Optional) Enable the Advanced-Instances Tier.


Session Manager supports all the versions of Linux that are supported for AWS Systems Manager as a whole. For information, see Systems Manager Prerequisites.


Session Manager supports Windows Server 2008 R2 through Windows Server 2016.


Microsoft Windows Server 2016 Nano is not supported.

SSM Agent

SSM Agent version or later must be installed on the instances you want to connect to through sessions. To use the option to encrypt session data using a customer master key (CMK) created in AWS Key Management Service (AWS KMS), version 2.3.539.0 or later of SSM Agent must be installed.

To install or update SSM Agent, see Working with SSM Agent.

About the ssm-user account

Starting with version of SSM Agent, the agent creates a user account on the instance, with root or administrator privileges, called ssm-user. (On versions before 2.3.612.0, the account is created when SSM Agent starts or restarts. On version 2.3.612.0 and later, ssm-user is created the first time a session starts on the instance.) Sessions are launched using the administrative credentials of this user account. For information about restricting administrative control for this account, see Step 6: (Optional) Disable or Enable ssm-user Account Administrative Permissions.

ssm-user on Windows Server domain controllers

Beginning with SSM Agent version 2.3.612.0, the ssm-user account is not created automatically on managed instances that are used as Windows Server domain controllers. To use Session Manager on a Windows Server machine being used as a domain controller, you must create the ssm-user account manually if it isn't already present. On Windows Server, SSM Agent sets a new password for the ssm-user account each time a session starts, so you do not need to specify a password when you create the account.


(Optional) If you use the AWS CLI to start your sessions (instead of using the AWS Systems Manager console), version 1.16.12 or later of the CLI must be installed on your local machine.

You can call aws --version to check the version.

If you need to install or upgrade the CLI, see Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.


An updated version of SSM Agent is released whenever new capabilities are added to Systems Manager or updates are made to existing capabilities. If an older version of the agent is running on an instance, some SSM Agent processes can fail. For that reason, we recommend that you automate the process of keeping SSM Agent up-to-date on your instances. For information, see Automate Updates to SSM Agent. To be notified about SSM Agent updates, subscribe to the SSM Agent Release Notes page on GitHub.

In addition, to use the CLI to manage your instances with Session Manager, you must first install the Session Manager plugin on your local machine. For information, see (Optional) Install the Session Manager Plugin for the AWS CLI.
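
The version thresholds above can be checked in a script. The following is an added example, not code from the AWS guide: the function names, the optional "dc" column marking a domain controller, and the sample instance IDs and versions are constructed for illustration. The "agent-start" result applies only to agent versions that create ssm-user at all; the lower bound for that is not stated above.

```shell
#!/bin/sh
# Added example: check versions against the thresholds stated on this page.
KMS_MIN=2.3.539.0        # agent version needed for KMS-encrypted session data
USER_LAZY_MIN=2.3.612.0  # from here on, ssm-user is created at first session start
CLI_MIN=1.16.12          # AWS CLI version needed to start sessions

is_version() { case "$1" in ""|*[!0-9.]*) return 1 ;; esac; }

# version_ge A B: true if dotted version A >= B, each field compared as a number.
# String comparison gets this wrong: "2.3.99.0" sorts after "2.3.539.0".
version_ge() {
  va=$1 vb=$2
  while [ -n "$va" ] || [ -n "$vb" ]; do
    x=${va%%.*}; y=${vb%%.*}
    case "$va" in *.*) va=${va#*.} ;; *) va= ;; esac
    case "$vb" in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
  done
  return 0
}

# classify_agent VERSION [dc]: which of the page's rules apply to this agent version.
# Second argument "dc" (hypothetical marker) means a Windows Server domain controller.
classify_agent() {
  if ! is_version "$1"; then echo "invalid"; return 2; fi
  if version_ge "$1" "$KMS_MIN"; then kms=yes; else kms=no; fi
  if ! version_ge "$1" "$USER_LAZY_MIN"; then user=agent-start
  elif [ "${2:-}" = dc ]; then user=manual   # not auto-created; create ssm-user yourself
  else user=first-session; fi
  echo "kms=$kms ssm-user=$user"
}

# cli_ok "OUTPUT OF aws --version": true if the CLI is CLI_MIN or later.
cli_ok() {
  v=${1#aws-cli/}; v=${v%% *}
  is_version "$v" && version_ge "$v" "$CLI_MIN"
}

# audit: read "instance-id agent-version [dc]" lines, e.g. from
#   aws ssm describe-instance-information \
#     --query 'InstanceInformationList[].[InstanceId,AgentVersion]' --output text
audit() { while read -r id ver role; do echo "$id $(classify_agent "$ver" "$role")"; done; }

# Constructed sample input (not real instances):
audit <<'EOF'
i-0aaaaaaaaaaaaaaa1 2.3.99.0
i-0aaaaaaaaaaaaaaa2 2.3.539.0
i-0aaaaaaaaaaaaaaa3 2.3.612.0 dc
EOF
```

Version strings are validated as digits and dots before any numeric comparison, so a malformed value from an inventory export is reported as "invalid" instead of being evaluated.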