AWS Systems Manager
User Guide

Systems Manager Prerequisites

AWS Systems Manager helps you configure and manage Amazon EC2 instances, on-premises servers and virtual machines (VMs), and other AWS resources at scale.

This section describes the prerequisites for setting up and configuring your Amazon EC2 instances and your on-premises servers or VMs for Systems Manager. This section uses the term managed instance to describe EC2 instances or on-premises servers and VMs that are configured for Systems Manager.

Important

Before you start using Systems Manager, we recommend that you learn about the following AWS services. A working knowledge of these services is essential for successfully setting up and using Systems Manager.

  • Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the AWS Cloud. For more information, see What is Amazon EC2? (Linux) and What is Amazon EC2? (Windows).

  • AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. For more information, see What is IAM? in the IAM User Guide.

Operating Systems

The following operating systems are supported by AWS Systems Manager.

Operating System Types

Windows Server

Version Intel 32-bit (x86) Intel 64-bit (x86_64) ARM 64-bit (arm64)
2003 and 2003 R2
2008
2008 R2
2012 and 2012 R2
2016
2019

Linux

Amazon Linux

Versions Intel 32-bit (x86) Intel 64-bit (x86_64) ARM 64-bit (arm64)
2012.03 – 2018.03

Note

Beginning with version 2015.03, Amazon Linux is released in Intel 64-bit (x86_64) versions only.

Amazon Linux 2

Versions Intel 32-bit (x86) Intel 64-bit (x86_64) ARM 64-bit (arm64)
2.0 and all later versions

Ubuntu Server

Versions Intel 32-bit (x86) Intel 64-bit (x86_64) ARM 64-bit (arm64)
12.04 LTS and 14.04 LTS
16.04 LTS and 18.04 LTS

Red Hat Enterprise Linux (RHEL)

Versions Intel 32-bit (x86) Intel 64-bit (x86_64) ARM 64-bit (arm64)
6.0
6.5
6.9
7.0
7.4
7.5
7.6

CentOS

Versions Intel 32-bit (x86) Intel 64-bit (x86_64) ARM 64-bit (arm64)
6.0
6.3 and later 6.x versions
7.1 and later 7.x versions

SUSE Linux Enterprise Server (SLES)

Versions Intel 32-bit (x86) Intel 64-bit (x86_64) ARM 64-bit (arm64)
12 and later 12.x versions

Raspbian

Version ARM 32-bit (arm)
Jessie
Stretch

SSM Agent

SSM Agent is the tool that processes Systems Manager requests and configures your machine as specified in the request. SSM Agent must be installed on each instance you want to use with Systems Manager. On some instance types, SSM Agent is installed by default. On others, you must install it manually, as described in the following table.

Note

SSM Agent is updated whenever changes are made to Systems Manager and when new capabilities are added. To ensure that your instances are always running the newest version of SSM Agent, we recommend that you create a State Manager association that automatically updates SSM Agent when a new version is available. You can also use Run Command to quickly update one or more instances with the latest version. For more information, see Automatically Update SSM Agent (CLI) (State Manager) and Update SSM Agent by using Run Command.

Windows

SSM Agent is installed by default on Windows Server 2016 and 2019 instances, as well as on instances created from Windows Server 2003-2012 R2 AMIs published in November 2016 or later.

Windows AMIs published before November 2016 use the EC2Config service to process requests and configure instances.

Unless you have a specific reason for using the EC2Config service or an earlier version of SSM Agent to process Systems Manager requests, we recommend that you download and install the latest version of SSM Agent on each of your Amazon EC2 instances or managed instances (servers and virtual machines (VMs) in a hybrid environment). For more information, see Installing and Configuring SSM Agent on Windows Instances.

Linux

SSM Agent is installed by default on Amazon Linux, Amazon Linux 2, Ubuntu Server 16.04, and Ubuntu Server 18.04 LTS base EC2 AMIs. You must manually install SSM Agent on other versions of EC2 Linux, including non-base images like Amazon ECS-Optimized AMIs. For more information, see Installing and Configuring SSM Agent on Amazon EC2 Linux Instances.

On-premises servers and VMs

SSM Agent must be installed manually on on-premises servers and VMs that you want to use in a hybrid environment. The SSM Agent download and installation process for these machines differs from the process used for Amazon EC2 instances. For more information, see Install SSM Agent on Servers and Virtual Machines in a Windows Hybrid Environment.

Note

The source code for SSM Agent is available on GitHub so that you can adapt the agent to meet your needs. We encourage you to submit pull requests for changes that you would like to have included. However, Amazon Web Services does not currently provide support for running modified copies of this software.

Interface VPC Endpoint or Internet Access

In order for your managed instances and the Systems Manager service to communicate with each other, you must do one of the following:

  • Configure Systems Manager to use an interface Virtual Private Cloud (VPC) endpoint

  • Enable outbound internet access on your managed instances

Note

Enabling inbound internet access is not required.

To enhance the security posture of your managed instance, we recommend that you configure Systems Manager to use an interface VPC endpoint. Interface endpoints are powered by PrivateLink, a technology that enables you to privately access Amazon EC2 and Systems Manager APIs by using private IP addresses. PrivateLink restricts all network traffic between your managed instances, Systems Manager, and EC2 to the Amazon network (managed instances don't have access to the internet). Also, you don't need an internet gateway, a NAT device, or a virtual private gateway. For more information, see Setting Up VPC Endpoints for Systems Manager. For more information about PrivateLink and VPC endpoints, see Accessing AWS Services Through PrivateLink.

TLS Certificate

Each of your managed instances must have one of the following Transport Layer Security (TLS) certificates installed.

  • Amazon Root CA 1

  • Starfield Services Root Certificate Authority - G2

  • Starfield Class 2 Certificate Authority

AWS services use these certificates to encrypt calls to other AWS services. One of these certificates is installed, by default, on all Amazon Machine Images (AMIs). For base operating systems, or systems in your on-premises environment, you must install and enable one of these certificates from Amazon Trust Services. If certificates in your computing environment are managed by a Group Policy Object (GPO), then you might need to configure Group Policy to include one of these certificates. For more information about the Amazon Root and Starfield certificates, see How to Prepare for AWS’s Move to Its Own Certificate Authority.
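As an added example (not code from the AWS guide), the following Python check enumerates the root CAs that the host's default OpenSSL trust store exposes and reports whether one of the three roots listed above is present. The Starfield Class 2 root carries its name in the organizationalUnitName attribute, spelled "Certification Authority" in the certificate itself, so both spellings are accepted.

```python
"""Check the local trust store for the roots that Systems Manager endpoints
chain to. Added example; not part of the AWS documentation or SSM Agent."""
import ssl

# Root names from the prerequisites list. The Starfield Class 2 root spells
# its name "Certification Authority" in its own subject field, so both
# spellings are accepted.
REQUIRED_ROOTS = frozenset({
    "Amazon Root CA 1",
    "Starfield Services Root Certificate Authority - G2",
    "Starfield Class 2 Certificate Authority",
    "Starfield Class 2 Certification Authority",
})


def subject_names(cert):
    """Flatten the tuple-of-tuples 'subject' that ssl's get_ca_certs() returns
    into the set of attribute values (CN, O, OU, ...)."""
    return {value for rdn in cert.get("subject", ()) for _, value in rdn}


def trusted_amazon_roots(ca_certs):
    """Return the sorted list of required root names present in ca_certs."""
    found = set()
    for cert in ca_certs:
        found |= subject_names(cert) & REQUIRED_ROOTS
    return sorted(found)


def has_required_root(ca_certs):
    """True if at least one of the required roots is in the trust store."""
    return bool(trusted_amazon_roots(ca_certs))


def default_store_ca_certs():
    """Enumerate CAs loaded by the default context. Caveat: with a hashed
    capath directory OpenSSL loads CAs lazily, so an empty list means the
    store could not be enumerated here, not that the roots are absent."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


if __name__ == "__main__":
    certs = default_store_ca_certs()
    if not certs:
        print("trust store could not be enumerated; inspect it by other means")
    else:
        roots = trusted_amazon_roots(certs)
        print("OK, trusted:" if roots else "MISSING, need one of:",
              roots or sorted(REQUIRED_ROOTS))
```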

Systems Manager Access Configurations

Configuring access to Systems Manager requires that you do the following:

For more information about access permissions for Systems Manager, see Authentication and Access Control for AWS Systems Manager.

Windows PowerShell

On your Windows Server instances, Windows PowerShell 3.0 or later is required to run certain SSM documents (for example, the AWS-ApplyPatchBaseline document). Verify that your Windows instances are running Windows Management Framework 3.0 or later. The framework includes PowerShell.

AWS Regions

AWS Systems Manager is available in the AWS Regions listed in the AWS Systems Manager Supported Regions table in the AWS General Reference. Before starting your Systems Manager configuration process, we recommend that you ensure the service is available in each of the AWS Regions you want to use it in.

For servers and VMs in your hybrid environment, we recommend that you choose the Region closest to your data center or computing environment.

(Optional) Monitoring and Notifications

You can configure Amazon CloudWatch Events to log execution status changes of the commands you send using Systems Manager. You can also configure Amazon Simple Notification Service (Amazon SNS) to send you notifications about specific command status changes. Using monitoring and notifications is optional, but we recommend setting them up at the beginning of your Systems Manager configuration process if you have decided to use either one. For more information, see Understanding Command Statuses.

(Optional) Amazon S3 Storage Bucket

Command output in the Systems Manager console is truncated after 2500 characters. In order to access complete output logs, you can store Systems Manager output in an Amazon Simple Storage Service (Amazon S3) bucket. You can also create an Amazon S3 key prefix (a subfolder) to help you organize the log output. Saving output log data in an S3 bucket is optional, but we recommend setting it up at the beginning of your Systems Manager configuration process if you have decided to use it. For more information, see Create a Bucket.

For information about Systems Manager limits, see AWS Systems Manager Limits.