Step 1: Complete Session Manager prerequisites - AWS Systems Manager

Before using Session Manager, make sure your environment meets the following requirements.

Session Manager prerequisites (each requirement is listed below with its description)

Supported operating systems

Session Manager supports connecting to Amazon Elastic Compute Cloud (Amazon EC2) instances, in addition to servers or virtual machines (VMs) in your hybrid environment that use the advanced-instances tier.

Session Manager supports the following operating system versions:

Note

Session Manager supports EC2 instances, edge devices, and on-premises servers and virtual machines (VMs) in your hybrid environment that use the advanced-instances tier. For more information about advanced instances, see Turning on the advanced-instances tier.

Linux

Session Manager supports all the versions of Linux that are supported by AWS Systems Manager. For information, see Systems Manager prerequisites.

macOS

Session Manager supports all the versions of macOS that are supported by AWS Systems Manager. For information, see Systems Manager prerequisites.

Windows

Session Manager supports Windows Server 2012 through Windows Server 2019.

Note

Microsoft Windows Server 2016 Nano isn't supported.

SSM Agent

AWS Systems Manager SSM Agent version 2.3.68.0 or later must be installed on the managed nodes you want to connect to through sessions.

To use the option to encrypt session data using a key created in AWS Key Management Service (AWS KMS), version 2.3.539.0 or later of SSM Agent must be installed on the managed node.

To start a Session Manager port forwarding or SSH session, version 2.3.672.0 or later of SSM Agent must be installed on the managed node.

To use shell profiles in a session, version 3.0.161.0 or later of SSM Agent must be installed on the managed node.

To stream session data using Amazon CloudWatch Logs, version 3.0.284.0 or later of SSM Agent must be installed on the managed node.

To install or update SSM Agent, see Working with SSM Agent.
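The version thresholds above are easy to get wrong by comparing version strings lexically. The following pre-flight check is an added example (not AWS code): it parses the agent versions reported for a fleet and reports which Session Manager capabilities each node meets the minimum for. The inventory shape (InstanceInformationList with InstanceId and AgentVersion) follows `aws ssm describe-instance-information` output, and the sample data is constructed.

```python
from typing import Dict, List, Tuple

# Minimum SSM Agent version for each capability, as listed on this page.
CAPABILITY_MINIMUMS: Dict[str, str] = {
    "basic sessions": "2.3.68.0",
    "KMS session encryption": "2.3.539.0",
    "port forwarding / SSH sessions": "2.3.672.0",
    "shell profiles": "3.0.161.0",
    "CloudWatch Logs streaming": "3.0.284.0",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.672.0' -> (2, 3, 672, 0). Compare as ints: as strings,
    '2.3.672.0' < '2.3.68.0', which would wrongly flag a newer agent."""
    return tuple(int(part) for part in v.strip().split("."))


def supported_capabilities(agent_version: str) -> List[str]:
    """Capabilities whose minimum version this agent version satisfies."""
    installed = parse_version(agent_version)
    return [name for name, minimum in CAPABILITY_MINIMUMS.items()
            if installed >= parse_version(minimum)]


def audit_inventory(inventory: dict) -> Dict[str, Dict[str, object]]:
    """Per node: agent version, supported capabilities, and whether the
    agent is too old to start any session at all."""
    report: Dict[str, Dict[str, object]] = {}
    for info in inventory.get("InstanceInformationList", []):
        caps = supported_capabilities(info["AgentVersion"])
        report[info["InstanceId"]] = {
            "agent_version": info["AgentVersion"],
            "supported": caps,
            "needs_upgrade": "basic sessions" not in caps,
        }
    return report


# Constructed sample; real data comes from `aws ssm describe-instance-information`.
SAMPLE_INVENTORY = {
    "InstanceInformationList": [
        {"InstanceId": "i-0123456789abcdef0", "AgentVersion": "3.1.1004.0"},
        {"InstanceId": "i-0fedcba9876543210", "AgentVersion": "2.3.612.0"},
        {"InstanceId": "mi-00000000000000000", "AgentVersion": "2.3.50.0"},
    ]
}

if __name__ == "__main__":
    for node, row in audit_inventory(SAMPLE_INVENTORY).items():
        state = "UPGRADE" if row["needs_upgrade"] else "ok"
        print(f"{node} {row['agent_version']} {state}: {', '.join(row['supported'])}")
```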

About the ssm-user account

Starting with version 2.3.50.0 of SSM Agent, the agent creates a user account on the managed node, with root or administrator permissions, called ssm-user. (On versions before 2.3.612.0, the account is created when SSM Agent starts or restarts. On version 2.3.612.0 and later, ssm-user is created the first time a session starts on the managed node.) Sessions are launched using the administrative credentials of this user account. For information about restricting administrative control for this account, see Turn off or turn on ssm-user account administrative permissions.

ssm-user on Windows Server domain controllers

Beginning with SSM Agent version 2.3.612.0, the ssm-user account isn't created automatically on managed nodes that are used as Windows Server domain controllers. To use Session Manager on a Windows Server machine being used as a domain controller, you must create the ssm-user account manually if it isn't already present, and assign Domain Administrator permissions to the user. On Windows Server, SSM Agent sets a new password for the ssm-user account each time a session starts, so you don't need to specify a password when you create the account.

Connectivity to endpoints

The managed nodes you connect to must also allow HTTPS (port 443) outbound traffic to the following endpoints:

  • ec2messages.region.amazonaws.com

  • ssm.region.amazonaws.com

  • ssmmessages.region.amazonaws.com

Alternatively, you can connect to the required endpoints by using interface endpoints. For more information, see Step 6: (Optional) Use AWS PrivateLink to set up a VPC endpoint for Session Manager.
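To confirm a node can actually reach the three endpoints above, the following added example (not AWS code) builds the hostnames for a Region and attempts a TCP connection plus TLS handshake to each on port 443 from the node. A failure indicates a security group, network ACL, route, proxy or DNS problem to investigate before troubleshooting the agent itself.

```python
import socket
import ssl
import sys
from typing import Dict, Tuple

# Service prefixes of the endpoints listed on this page.
SERVICES = ("ec2messages", "ssm", "ssmmessages")


def endpoints_for_region(region: str) -> Dict[str, str]:
    """Hostnames the managed node must reach on port 443 for the Region."""
    return {svc: f"{svc}.{region}.amazonaws.com" for svc in SERVICES}


def check_endpoint(host: str, timeout: float = 5.0) -> Tuple[bool, str]:
    """Open a TCP connection and complete a TLS handshake to host:443.
    Returns (ok, detail) where detail is the negotiated TLS version on
    success or the error text on failure."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version() or "TLS"
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)


def check_region(region: str, timeout: float = 5.0) -> Dict[str, Tuple[bool, str]]:
    """Run check_endpoint against every Session Manager endpoint of the Region."""
    return {svc: check_endpoint(host, timeout)
            for svc, host in endpoints_for_region(region).items()}


if __name__ == "__main__":
    # Run on the managed node: python3 check_ssm_endpoints.py us-east-1
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    results = check_region(region)
    for svc, (ok, detail) in results.items():
        print(f"{svc:12} {'OK' if ok else 'FAIL'} {detail}")
    sys.exit(0 if all(ok for ok, _ in results.values()) else 1)
```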

AWS CLI

(Optional) If you use the AWS Command Line Interface (AWS CLI) to start your sessions (instead of using the AWS Systems Manager console or Amazon EC2 console), version 1.16.12 or later of the CLI must be installed on your local machine.

You can call aws --version to check the version.

If you need to install or upgrade the CLI, see Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.

Important

An updated version of SSM Agent is released whenever new capabilities are added to Systems Manager or updates are made to existing capabilities. If an older version of the agent is running on a managed node, some SSM Agent processes can fail. For that reason, we recommend that you automate the process of keeping SSM Agent up-to-date on your machines. For information, see Automating updates to SSM Agent. Subscribe to the SSM Agent Release Notes page on GitHub to get notifications about SSM Agent updates.

In addition, to use the CLI to manage your nodes with Session Manager, you must first install the Session Manager plugin on your local machine. For information, see (Optional) Install the Session Manager plugin for the AWS CLI.

Turn on advanced-instances tier (hybrid environments)

To connect to on-premises machines using Session Manager, you must turn on the advanced-instances tier in the AWS account and AWS Region where you create hybrid activations to register on-premises machines as managed instances. For more information about the advanced-instances tier, see Turning on the advanced-instances tier.

Verify IAM service role permissions (hybrid environments)

Hybrid instances use the AWS Identity and Access Management (IAM) service role specified in the hybrid activation to communicate with Systems Manager API operations. This service role must contain the permissions required to connect to your on-premises machines using Session Manager. If your service role contains the AWS managed policy AmazonSSMManagedInstanceCore, the required permissions for Session Manager are already provided.

If you find that the service role does not contain the required permissions, you must deregister the managed instance and register it with a new hybrid activation that uses an IAM service role with the required permissions. For more information about deregistering managed instances, see Deregistering managed nodes in a hybrid environment. For more information about creating IAM policies with Session Manager permissions, see Verify or create an IAM role with Session Manager permissions.