AWS Systems Manager
User Guide

Systems Manager Prerequisites

AWS Systems Manager helps you configure and manage Amazon EC2 instances, on-premises servers and virtual machines, and other AWS resources at scale. Before you start using Systems Manager, we recommend that you learn about the following AWS services. A working knowledge of these services is essential for successfully setting up and using Systems Manager.

  • Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the AWS Cloud. For more information, see What is Amazon EC2? (Linux) and What is Amazon EC2? (Windows).

  • AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. For more information, see What is IAM? in the IAM User Guide.


This section describes the prerequisites for setting up and configuring your Amazon EC2 instances and your on-premises servers or virtual machines (VMs) for Systems Manager. This section uses the term managed instance to describe EC2 instances or on-premises servers and VMs that are configured for Systems Manager.

Requirement Description

Supported Operating Systems

Managed instances must run a supported version of Windows or Linux.


The Patch Manager and Session Manager capabilities do not currently support all the following operating systems. For information, see Patch Manager Prerequisites and Verify Session Manager Prerequisites.


Windows Server 2003 through Windows Server 2016, including R2 versions

Linux 64-Bit and 32-Bit Systems

  • Amazon Linux base AMIs 2014.09, 2014.03 or later

  • Ubuntu Server 18.04 LTS, 16.04 LTS, 14.04 LTS, or 12.04 LTS

  • Red Hat Enterprise Linux (RHEL) 6.5

  • CentOS 6.3 or later

Linux 32-Bit Systems Only

  • Raspbian Jessie

  • Raspbian Stretch

Linux 64-Bit Systems Only

  • Amazon Linux 2015.09, 2015.03 or later

  • Amazon Linux 2

  • Red Hat Enterprise Linux (RHEL) 6.0, 7.4, or 7.5

  • CentOS 7.1 or later

  • SUSE Linux Enterprise Server (SLES) 12 or higher

Supported Regions

Systems Manager is available in these Regions.

For servers and VMs in your hybrid environment, we recommend that you choose the Region closest to your data center or computing environment.

Access to Systems Manager

Configuring access to Systems Manager requires that you do the following:

For more information about access permissions for Systems Manager, see Authentication and Access Control for AWS Systems Manager.

SSM Agent

SSM Agent processes Systems Manager requests and configures your machine as specified in the request.


SSM Agent is installed by default on Windows Server 2016 instances and instances created from Windows Server 2003-2012 R2 AMIs published in November 2016 or later.

Windows AMIs published before November 2016 use the EC2Config service to process requests and configure instances.

Unless you have a specific reason for using the EC2Config service or an earlier version of SSM Agent to process Systems Manager requests, we recommend that you download and install the latest version of the SSM Agent to each of your Amazon EC2 instances or managed instances (servers and VMs in a hybrid environment). For more information, see Installing and Configuring SSM Agent on Windows Instances.


SSM Agent is installed by default on Amazon Linux, Amazon Linux 2, Ubuntu Server 16.04, and Ubuntu Server 18.04 LTS base AMIs. You must manually install SSM Agent on other versions of EC2 Linux, including non-base images like Amazon ECS-Optimized AMIs. For more information, see Installing and Configuring SSM Agent on Linux Instances.

On-premises servers and VMs

The SSM Agent download and installation process for servers and VMs in a hybrid environment is different than the process used for Amazon EC2 instances. For more information, see Install SSM Agent on Servers and VMs in a Windows Hybrid Environment.


The source code for SSM Agent is available on GitHub so that you can adapt the agent to meet your needs. We encourage you to submit pull requests for changes that you would like to have included. However, Amazon Web Services does not currently provide support for running modified copies of this software.

Configure Either an Interface VPC Endpoint or Internet Access

You must either configure Systems Manager to use an interface Virtual Private Cloud (VPC) endpoint or you must enable outbound internet access on your managed instances. Inbound internet access is not required.

To enhance the security posture of your managed instance, we recommend that you configure Systems Manager to use an interface VPC endpoint. Interface endpoints are powered by PrivateLink, a technology that enables you to privately access Amazon EC2 and Systems Manager APIs by using private IP addresses. PrivateLink restricts all network traffic between your managed instances, Systems Manager, and EC2 to the Amazon network (managed instances don't have access to the internet). Also, you don't need an internet gateway, a NAT device, or a virtual private gateway. For more information, see Setting Up VPC Endpoints for Systems Manager. For more information about PrivateLink and VPC endpoints, see Accessing AWS Services Through PrivateLink.

Amazon Root or Starfield Certificates

Your managed instances must have one of the following Transport Layer Security (TLS) certificates installed.

  • Amazon Root CA 1

  • Starfield Services Root Certificate Authority - G2

  • Starfield Class 2 Certificate Authority

AWS services use these certificates to encrypt calls to other AWS services. One of these certificates is installed, by default, on all Amazon Machine Images (AMIs). For base operating systems, or systems in your on-premises environment, you must install and enable one of these certificates from Amazon Trust Services. If certificates in your computing environment are managed by a Group Policy Object (GPO), then you might need to configure Group Policy to include one of these certificates. For more information about the Amazon Root and Starfield certificates, see How to Prepare for AWS’s Move to Its Own Certificate Authority.

Windows PowerShell 3.0 or Later

SSM Agent requires Windows PowerShell 3.0 or later to execute certain SSM documents on Windows instances (for example, the AWS-ApplyPatchBaseline document). Verify that your Windows instances are running Windows Management Framework 3.0 or later. The framework includes PowerShell.

Configure Monitoring and Notifications (Optional)

You can configure Amazon CloudWatch Events to log status execution changes of the commands you send using Systems Manager. You can also configure Amazon Simple Notification Service (Amazon SNS) to send you notifications about specific command status changes. For more information, see Understanding Command Statuses.

Amazon S3 Bucket (Optional)

You can store Systems Manager output in an Amazon Simple Storage Service (Amazon S3) bucket. Output in the console is truncated after 2500 characters. Additionally, you might want to create an Amazon S3 key prefix (a subfolder) to help you organize output. For more information, see Create a Bucket.

For information about Systems Manager limits, see AWS Systems Manager Limits.