bytejunkie

Reputation: 1033

Amazon Linux 2 instances won't appear in Systems Manager

I think I've done everything listed as a pre-req for this, but I just can't get the instances to appear in Systems Manager as managed instances.

I've picked an AMI which i believe should have the agent in by default.

ami-032598fcc7e9d1c7a

PS C:\Users\*> aws ec2 describe-images --image-ids ami-032598fcc7e9d1c7a
{
    "Images": [
        {
            "ImageLocation": "amazon/amzn2-ami-hvm-2.0.20200520.1-x86_64-gp2",
            "Description": "Amazon Linux 2 AMI 2.0.20200520.1 x86_64 HVM gp2",

I've also created my own Role, and included the following policy which i've used previously to get instances into Systems Manager.

Role

Finally I've attached the role to the instances.

role attached to instance

I've got Systems Manager set to a 30 min schedule and waited this out and the instances don't appear. I've clearly missed something here, would appreciate suggestions of what.

Does the agent use some sort of backplane to communicate, or should I have enabled some sort of communication with base in the security groups?

Could this be because the instances have private IPs only? Previous working examples had public IPs, but I don't want that for this cluster.

Upvotes: 6

Views: 8403

Answers (2)

Nav

Reputation: 86

Besides the role for ec2 instances, SSM also needs to be able to assume role to securely run commands on the instances. You only did the first step. All the steps are described in AWS documentation for SSM.

However, I strongly recommend you use the Quick Setup feature in Systems Manager to set up everything for you in no time!

In AWS Console:

  1. Go to Systems Manager
  2. Click on Quick Setup
  3. Leave all the defaults
  4. In the Targets box at the bottom, select Choose instances manually and tick your ec2 instance(s)
  5. Finish the setup
  6. It will automatically create AmazonSSMRoleForInstancesQuickSetup Role and assign it to the selected ec2 instance(s) and also create proper AssumeRole for SSM
  7. Go to EC2 Console, find that ec2 instance(s), right-click and reboot it by choosing Instance State > Reboot
  8. Wait for a couple of minutes
  9. Refresh the page and try to Connect via Session Manager tab

Notes:

  • It's totally fine and recommended to create your ec2 instances in private subnets if you don't need them to be accessed from internet. However, make sure the private subnet has internet access itself via NAT. It's a hidden requirement of SSM!
  • Some of the Amazon Linux 2 images like amzn2-ami-hvm-2.0.20200617.0-x86_64-gp2 do not have a proper SSM Agent pre-installed. So, recreate your instance using a different AMI and try again with the above steps if it didn't work.


Upvotes: 6
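As an added illustration of the IAM half of this answer (example script, not part of the post or of AWS's Quick Setup; the role name, instance profile name and region below are my own assumptions), the following shell script does with the CLI what Quick Setup does for the role: it creates a role whose trust policy lets the EC2 service assume it, attaches the AWS-managed AmazonSSMManagedInstanceCore policy, wraps the role in an instance profile, associates the profile with an instance, and then polls describe-instance-information until the instance reports as a managed instance. The CLI binary is read from $AWS_CMD, so setting AWS_CMD=echo prints the calls without touching an account.

```shell
#!/bin/sh
# Added example: build the instance role Systems Manager needs, attach it,
# and confirm registration. Names below are assumptions, not values from the post.
set -eu

AWS_CMD="${AWS_CMD:-aws}"                  # set AWS_CMD=echo for a dry run
ROLE_NAME="${ROLE_NAME:-SsmManagedInstanceRole}"
PROFILE_NAME="${PROFILE_NAME:-SsmManagedInstanceProfile}"
REGION="${REGION:-eu-west-1}"
POLL_SECONDS="${POLL_SECONDS:-30}"

# Trust policy: the EC2 service principal must be allowed to assume the role.
# Without this the agent on the instance never obtains credentials to register.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# AWS-managed policy with just the permissions the agent needs to register and
# receive commands; narrower than the older full-access SSM policy.
ssm_core_policy_arn() {
  echo "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

create_ssm_instance_role() {
  "$AWS_CMD" iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  "$AWS_CMD" iam attach-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-arn "$(ssm_core_policy_arn)"
  "$AWS_CMD" iam create-instance-profile --instance-profile-name "$PROFILE_NAME"
  "$AWS_CMD" iam add-role-to-instance-profile \
    --instance-profile-name "$PROFILE_NAME" --role-name "$ROLE_NAME"
}

# Attach the profile to a running instance; restarting the agent (or the
# instance, as the answer suggests) makes it pick up the new credentials.
attach_profile_to_instance() {
  "$AWS_CMD" ec2 associate-iam-instance-profile \
    --region "$REGION" \
    --instance-id "$1" \
    --iam-instance-profile "Name=$PROFILE_NAME"
}

# Poll until the instance appears as a managed instance with PingStatus Online.
# Returns 1 after the given number of attempts so a caller can tell it failed.
wait_for_registration() {
  instance_id="$1"; attempts="${2:-10}"
  while [ "$attempts" -gt 0 ]; do
    status=$("$AWS_CMD" ssm describe-instance-information --region "$REGION" \
      --filters "Key=InstanceIds,Values=$instance_id" \
      --query 'InstanceInformationList[0].PingStatus' --output text)
    [ "$status" = "Online" ] && { echo "$instance_id registered"; return 0; }
    attempts=$((attempts - 1)); sleep "$POLL_SECONDS"
  done
  echo "$instance_id not registered: check agent, role and network path" >&2
  return 1
}

# Usage: ./ssm-role.sh i-0123456789abcdef0   (instance id is a placeholder)
if [ "${1:-}" ]; then
  create_ssm_instance_role
  attach_profile_to_instance "$1"
  wait_for_registration "$1"
fi
```

If the instance still never reports Online after the role is in place, the remaining suspects are the agent itself (the second note above, about AMIs shipping without it) and the network path from the subnet to the SSM endpoints.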

Marcin

Reputation: 238051

Could this be because the instances have private IPs only? Previous working examples had public IPs, but I don't want that for this cluster.

If you place your instance in a private subnet (or in a public subnet but without a public IP), then the SSM agent can't connect to the SSM Service. Thus it can't register to it.

There are two solutions to this issue:

  • Set up a VPC Interface endpoint in a private subnet for SSM Systems Manager. With this your instances will be able to connect to the SSM service without the internet.
  • Create a public subnet with NAT gateway/instance, and set up route tables to route internet traffic from the private subnets to the NAT gateway. This way your private instances will be able to access the SSM service over internet through the NAT device.

Upvotes: 2
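To make the first option concrete, here is an added example script (mine, not part of the answer; the VPC id, subnet ids and CIDR are placeholders) that creates the interface endpoints the agent needs. One detail the answer does not spell out: the agent talks to three services, not one, and private DNS has to be enabled on each endpoint so the agent's default hostnames resolve to the endpoint's private addresses. The script also includes a check that counts which of the three endpoints a VPC is missing, and reads the CLI binary from $AWS_CMD so AWS_CMD=echo gives a dry run.

```shell
#!/bin/sh
# Added example: interface endpoints so instances in a private subnet can reach
# Systems Manager without a NAT gateway. Ids and CIDR are placeholders.
set -eu

AWS_CMD="${AWS_CMD:-aws}"            # set AWS_CMD=echo for a dry run
REGION="${REGION:-eu-west-1}"
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"
SUBNET_IDS="${SUBNET_IDS:-subnet-PLACEHOLDER}"   # space-separated, one per AZ

# The agent uses three services: ssm (registration, inventory), ssmmessages
# (Session Manager channel) and ec2messages (Run Command). Each needs an endpoint.
ssm_endpoint_services() {
  for svc in ssm ssmmessages ec2messages; do
    echo "com.amazonaws.$1.$svc"
  done
}

# Security group for the endpoint network interfaces: HTTPS from inside the VPC
# only, since nothing outside the VPC should ever reach these endpoints.
create_endpoint_sg() {
  sg_id=$("$AWS_CMD" ec2 create-security-group --region "$REGION" \
    --vpc-id "$VPC_ID" --group-name ssm-endpoints \
    --description "HTTPS from VPC to SSM interface endpoints" \
    --query GroupId --output text)
  "$AWS_CMD" ec2 authorize-security-group-ingress --region "$REGION" \
    --group-id "$sg_id" --protocol tcp --port 443 --cidr "$VPC_CIDR" >/dev/null
  echo "$sg_id"
}

# Private DNS must be on so that ssm.<region>.amazonaws.com and friends resolve
# to the endpoint's private IPs instead of the public service addresses.
create_ssm_endpoints() {
  sg_id="$1"
  for service in $(ssm_endpoint_services "$REGION"); do
    "$AWS_CMD" ec2 create-vpc-endpoint --region "$REGION" \
      --vpc-id "$VPC_ID" --vpc-endpoint-type Interface \
      --service-name "$service" \
      --subnet-ids $SUBNET_IDS \
      --security-group-ids "$sg_id" \
      --private-dns-enabled
  done
}

# Count how many of the three required endpoints the VPC does not yet have;
# useful for checking an environment built by someone else.
missing_endpoint_count() {
  wanted=$(ssm_endpoint_services "$REGION")
  present=$("$AWS_CMD" ec2 describe-vpc-endpoints --region "$REGION" \
    --filters "Name=vpc-id,Values=$VPC_ID" \
    --query 'VpcEndpoints[].ServiceName' --output text)
  missing=0
  for svc in $wanted; do
    case " $present " in
      *" $svc "*) ;;
      *) missing=$((missing + 1)) ;;
    esac
  done
  echo "$missing"
}

# Usage: ./ssm-endpoints.sh   (creates the SG and all three endpoints)
if [ "${1:-}" = "create" ]; then
  sg=$(create_endpoint_sg)
  create_ssm_endpoints "$sg"
  echo "endpoints still missing: $(missing_endpoint_count)"
fi
```

The NAT gateway route is simpler to set up, but with it the instances also gain general outbound internet access; the endpoint route keeps the agent traffic inside the VPC and lets the security group limit it to port 443 from the VPC range.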
