How do I create VPC endpoints so that I can use Systems Manager to manage private EC2 instances without internet access?

Last updated: 2020-09-10

My Amazon Elastic Compute Cloud (Amazon EC2) instance doesn't have internet access. How can I manage my instance using AWS Systems Manager? 


Amazon EC2 instances must be registered as managed instances to be managed with AWS Systems Manager. Follow these steps:

  1. Verify that SSM Agent is installed on the instance.
  2. Create an AWS Identity and Access Management (IAM) instance profile for Systems Manager. You can either create a new role, or add the needed permissions to an existing role.
  3. Attach the IAM role to your private EC2 instance.
  4. Open the Amazon EC2 console, and then select your instance. On the Description tab, note the VPC ID and Subnet ID.
  5. Create a VPC endpoint for Systems Manager.
    For Service Name, select com.amazonaws.[region].ssm. For a full list of Region codes, see Available Regions.
    For VPC, choose the VPC ID for your instance.
    For Subnets, choose the Subnet ID for your instance. Be sure to choose subnets from different Availability Zones within the Region.
    Note: If you have more than one subnet in the same Availability Zone, you don't need to create VPC endpoints for the extra subnets. Any other subnets within the same Availability Zone can access and use the interface.
    For Enable DNS name, select Enable for this endpoint.
    For Security group, select an existing security group, or create a new one. The security group is attached to the endpoint and must allow inbound traffic on port 443 from your instance. If you create a new security group, note the Group ID.
  6. Repeat step 5 with the following change:
    For Service Name, select com.amazonaws.[region].ec2messages.
  7. Repeat step 5 with the following change:
    For Service Name, select com.amazonaws.[region].ssmmessages. You must do this if you want to use Session Manager.
  8. If you created a new security group, open the VPC console, choose Security Groups, and then select the new security group. On the Inbound rules tab, choose Edit inbound rules. Add a rule with the following details, and then choose Save rules.
    For Type, choose HTTPS.
    For Source, choose your VPC/Subnet CIDR.

After the three endpoints are created, your instance will appear in Managed Instances, and can be managed using Systems Manager.
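
If the instance doesn't appear, the following added example (not part of the original article) checks the result of steps 5 through 8: that each of the three endpoints exists in the VPC, has private DNS enabled, and has a security group that admits port 443 from the instance's subnet. It assumes input shaped like the VpcEndpoints and SecurityGroups lists returned by `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups`; the function names, IDs, Region, and CIDR ranges are constructed for illustration.

```python
import ipaddress

# Services from steps 5-7; ssmmessages is only required for Session Manager.
REQUIRED = ("ssm", "ec2messages", "ssmmessages")

def sg_allows_https(sg, cidr):
    """True if one inbound rule admits TCP 443 from every address in cidr."""
    want = ipaddress.ip_network(cidr)
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        port_ok = proto == "-1" or (
            proto == "tcp" and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", -1))
        if port_ok and any(
                want.subnet_of(ipaddress.ip_network(r["CidrIp"], strict=False))
                for r in perm.get("IpRanges", [])):
            return True
    return False

def audit(region, vpc_id, subnet_cidr, endpoints, groups):
    """Return findings; an empty list means all three endpoints look usable."""
    findings, sgs = [], {g["GroupId"]: g for g in groups}
    for svc in REQUIRED:
        name = f"com.amazonaws.{region}.{svc}"
        ep = next((e for e in endpoints
                   if e["ServiceName"] == name and e["VpcId"] == vpc_id), None)
        if ep is None:
            findings.append(f"{name}: no endpoint in {vpc_id}")
            continue
        if not ep.get("PrivateDnsEnabled"):
            findings.append(f"{name}: private DNS not enabled")
        if not any(sg_allows_https(sgs[g["GroupId"]], subnet_cidr)
                   for g in ep.get("Groups", []) if g["GroupId"] in sgs):
            findings.append(f"{name}: no inbound 443 from {subnet_cidr}")
    return findings

# Constructed sample data (placeholder IDs), not output from a real account.
SG = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}
ENDPOINTS = [
    {"ServiceName": "com.amazonaws.us-east-1.ssm", "VpcId": "vpc-EXAMPLE",
     "PrivateDnsEnabled": True, "Groups": [{"GroupId": "sg-EXAMPLE"}]},
    {"ServiceName": "com.amazonaws.us-east-1.ec2messages", "VpcId": "vpc-EXAMPLE",
     "PrivateDnsEnabled": False, "Groups": [{"GroupId": "sg-EXAMPLE"}]},
]

if __name__ == "__main__":
    for line in audit("us-east-1", "vpc-EXAMPLE", "10.0.1.0/24", ENDPOINTS, [SG]):
        print(line)
```

On the sample data, the check reports the ec2messages endpoint for disabled private DNS and the ssmmessages endpoint as missing.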