AWS Systems Manager
User Guide

Step 5: Attach an IAM Instance Profile to an Amazon EC2 Instance

The procedures in this topic describe how to attach the IAM instance profile for Systems Manager that you created in the previous topic, Step 4: Create an IAM Instance Profile for Systems Manager, to Amazon EC2 instances. You can attach the instance profile to new Amazon EC2 instances when you launch them, or to existing Amazon EC2 instances.

SSM Agent requirements for instances

AWS Systems Manager Agent (SSM Agent) is Amazon software that can be installed and configured on an Amazon EC2 instance, an on-premises server, or a virtual machine (VM). SSM Agent makes it possible for Systems Manager to update, manage, and configure these resources.

If the Amazon Machine Image (AMI) type you choose in the first procedure doesn't come with SSM Agent preinstalled, you must manually install the agent on the new instance before it can be used with Systems Manager. If SSM Agent isn't installed on the existing EC2 instance you choose in the second procedure, you must manually install the agent on the instance before it can be used with Systems Manager.

SSM Agent is installed by default on the following AMIs:

  • Windows Server 2003-2012 R2 AMIs published in November 2016 or later

  • Windows Server 2016 and 2019

  • Amazon Linux

  • Amazon Linux 2

  • Ubuntu Server 16.04

  • Ubuntu Server 18.04

For information about manually installing SSM Agent on other Linux operating systems, see Installing and Configuring SSM Agent on Amazon EC2 Linux Instances.

TLS certificate requirement for instances

A Transport Layer Security (TLS) certificate must be installed on each managed instance you use with Systems Manager. These certificates are used to encrypt calls to other AWS services. A TLS certificate is already installed on each Amazon EC2 instance created from any Amazon Machine Image (AMI). On instances created from AMIs not supplied by Amazon, and on your own on-premises servers and VMs, you must install the certificate yourself. For more information, see Install a TLS certificate on On-Premises Servers and VMs.

Launch an Instance that Uses the Systems Manager Instance Profile (Console)

To launch an instance that uses the Systems Manager instance profile (console)

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation bar at the top of the screen, select the AWS Region for the instance.

  3. Choose Launch Instance.

  4. On the Choose an Amazon Machine Image (AMI) page, locate the AMI for the instance type you want to create, and then choose Select.

  5. Choose the type of instance to launch, such as t2.micro, and then choose Next: Configure Instance Details.

  6. On the Configure Instance Details page, in the IAM role drop-down list, select the instance profile you created using the procedure in Step 4: Create an IAM Instance Profile for Systems Manager.

  7. For other options on the page, make selections that meet your requirements for the instance. For more information, choose one of the following, depending on your selected operating system type:

  8. Complete the wizard.

If you create other instances that you want to configure using Systems Manager, you must specify the instance profile for each instance.

Attach the Systems Manager Instance Profile to an Existing Instance (Console)

  1. Sign in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, under Instances, choose Instances.

  3. Browse to and choose your Amazon EC2 instance from the list.

  4. In the Actions menu, choose Instance Settings, Attach/Replace IAM Role.

  5. For IAM role, select the instance profile you created using the procedure in Step 4: Create an IAM Instance Profile for Systems Manager.

  6. Choose Apply.

For more information about attaching IAM roles to instances, see Attaching an IAM Role to an Instance in the Amazon EC2 User Guide for Linux Instances.
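
Every instance that Systems Manager is to manage needs the instance profile, so it is worth checking for instances that were launched without it. The following added example (not part of the AWS guide) audits JSON in the shape printed by aws ec2 describe-instances and reports live instances that lack the expected profile. The profile name SSMInstanceProfile, the account ID, and the instance IDs in the sample are constructed assumptions.

```python
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-instances` output.
SAMPLE = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa0000000000001", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/SSMInstanceProfile"}},
    {"InstanceId": "i-0aaa0000000000002", "State": {"Name": "running"}}
  ]},
  {"Instances": [
    {"InstanceId": "i-0aaa0000000000003", "State": {"Name": "stopped"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/app/WebServerProfile"}},
    {"InstanceId": "i-0aaa0000000000004", "State": {"Name": "terminated"}}
  ]}
]}
""")

def profile_name(arn):
    """Return the profile name from an instance-profile ARN (any path is dropped)."""
    resource = arn.split(":", 5)[5]  # "instance-profile/<optional path/>Name"
    if not resource.startswith("instance-profile/"):
        raise ValueError("not an instance profile ARN: " + arn)
    return resource.rsplit("/", 1)[1]

def audit(describe_output, expected_profile):
    """Map instance ID -> finding for each live instance lacking the expected profile."""
    findings = {}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") in ("terminated", "shutting-down"):
                continue  # nothing left to attach a profile to
            attached = inst.get("IamInstanceProfile")
            if attached is None:
                findings[inst["InstanceId"]] = "no instance profile attached"
            elif profile_name(attached["Arn"]) != expected_profile:
                findings[inst["InstanceId"]] = "different profile: " + profile_name(attached["Arn"])
    return findings

if __name__ == "__main__":
    # Usage: python audit.py [ProfileName [describe-instances.json]]
    expected = sys.argv[1] if len(sys.argv) > 1 else "SSMInstanceProfile"  # assumed name
    data = SAMPLE
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            data = json.load(fh)
    for instance_id, finding in sorted(audit(data, expected).items()):
        print(instance_id, finding)
```

A "different profile" finding is a prompt to review that profile's role, because the check compares names only and does not inspect the permissions the role grants.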

Continue to Step 6: (Optional) Create a Virtual Private Cloud Endpoint.