Why is my EC2 instance not appearing under Managed Instances in the Systems Manager console?

Last updated: 2020-03-06

My Amazon Elastic Compute Cloud (Amazon EC2) instance is not appearing under Managed Instances in the AWS Systems Manager console.

Short Description

managed instance is an EC2 instance that is configured for use with Systems Manager. Managed instances can use Systems Manager services such as Run Command, Patch Manager, and Automation workflows.

Instances must meet the following prerequisites to be managed instances:

  • Have the AWS Systems Manager Agent (SSM Agent) installed and running.
  • Have connectivity with Systems Manager endpoints using the SSM Agent.
  • Have the correct AWS Identity and Access Management (IAM) role attached.
  • Have connectivity to the instance metadata service

Resolution

Verify that the following prerequisites are met on the instance:

SSM Agent is installed and running on the instance

Be sure that your operating system is supported by Systems Manager. For the list of supported operating systems, see AWS Systems Manager - Supported Operating Systems.

SSM Agent is preinstalled on some Windows and Linux operating systems. For the list of operating systems that have SSM Agent preinstalled, see AWS Systems Manager - Working with SSM Agent.

If SSM Agent is not preinstalled, you can manually install it. 

Linux: Installing and Configuring SSM Agent on Amazon EC2 Linux Instances

Windows: Install and Configure SSM Agent on Amazon EC2 Windows Instances

To check the status of SSM Agent, use the following commands:

Amazon Linux 1, RHEL 6 (or similar distributions):

$ sudo status amazon-ssm-agent

Amazon Linux 2, Ubuntu, RHEL 7 (or similar distributions):

$ sudo systemctl status amazon-ssm-agent

Latest Ubuntu 18.04 systems that use snap:

$ sudo snap services amazon-ssm-agent    
Service                            Startup  Current  Notes
amazon-ssm-agent.amazon-ssm-agent  enabled  active   -

Windows:

$ Get-Service AmazonSSMAgent

Verify connectivity to Systems Manager endpoints on port 443

For a list of Systems Manager endpoints by Region, see AWS Systems Manager Endpoints and Quotas.

To test connectivity to endpoints from port 443, use the telnet command. The following example shows how to test connectivity to endpoints in the us-east-1 Region.

telnet ssm.us-east-1.amazonaws.com 443
telnet ec2messages.us-east-1.amazonaws.com 443
telnet ssmmessages.us-east-1.amazonaws.com 443

Note: The ssmmessages endpoint is required only for AWS Systems Manager Session Manager.

If the connection isn't working, make sure that your VPC's route table, security groups, and network access control list (ACL) are configured to allow outbound connections on port 443. Systems Manager endpoints are public endpoints. This means that the internet must be reachable from your instance by using Internet Gateway or NAT.

If your instances are in a private subnet, you can configure VPC endpoints to reach Systems Manager endpoints. This enables you to privately access Amazon EC2 and Systems Manager APIs using private IP addresses. For more information, see How do I create VPC endpoints so that I can use Systems Manager to manage private EC2 instances without internet access?

Note: Each interface endpoint creates an elastic network interface in the provided subnet. The security group attached to the elastic network interface requires that port 443 allow inbound traffic.

Verify that the correct IAM role is attached to the instance

To use APIs to call a Systems Manager endpoint, the correct IAM role must be attached to the instance. Make sure that the IAM role has the AWS managed policy AmazonSSMManagedInstanceCore attached to it. If you are using a custom IAM policy, make sure that the permissions found under AmazonSSMManagedInstanceCore are used in your custom policy. Also, make sure that the trust policy of the IAM role allows ec2.amazonaws.com to assume this role.

For more information, see Add Permissions to a Systems Manager Instance Profile (Console).

Verify connectivity to the instance metadata service

SSM Agent must be able to communicate with the instance metadata service in order to get necessary information about the instance. To test this connection, use the telnet command.

telnet 169.254.169.254 80

If you are using a proxy on the instance, the proxy might block connectivity to the metadata URL. Make sure that you configured your SSM Agent to work with a proxy. Use the following links to configure SSM Agent to use a proxy.

Windows: Configure SSM Agent to Use a Proxy for Windows Instances

Linux: Configure SSM Agent to Use a Proxy

If you verify all the preceding prerequisites and the instance still doesn't appear as a managed instance in the Systems Manager console, refer to the SSM Agent logs:

Windows: The SSM Agent logs for Windows are found under %PROGRAMDATA%\Amazon\SSM\Logs.

Linux: The SSM Agent logs for Linux are found under /var/log/amazon/ssm.


Did this article help you?

Anything we could improve?


Need more help?