Why is my EC2 instance not appearing under Managed Instances in the Systems Manager console?

Last updated: 2020-03-06

My Amazon Elastic Compute Cloud (Amazon EC2) instance is not appearing under Managed Instances in the AWS Systems Manager console.

Short description

managed instance is an EC2 instance that's configured for use with Systems Manager. Managed instances can use Systems Manager services such as Run Command, Patch Manager, and Automation workflows.

To be a managed instance, instances must meet the following prerequisites:

  • Have the AWS Systems Manager Agent (SSM Agent) installed and running.
  • Have connectivity with Systems Manager endpoints using the SSM Agent.
  • Have the correct AWS Identity and Access Management (IAM) role attached.
  • Have connectivity to the instance metadata service

Note: For hybrid instances, see Setting up AWS Systems Manager for hybrid environments.

Resolution

Note: Be sure to select the Region your instance is in before beginning this resolution.

Verify that the following prerequisites are met on the instance:

SSM Agent is installed and running on the instance

Be sure that your operating system is supported by Systems Manager. For the list of supported operating systems, see Supported operating systems.

SSM Agent is preinstalled on some Windows and Linux operating systems. For the list of operating systems that have SSM Agent preinstalled, see Working with SSM Agent.

If SSM Agent is not preinstalled, manually install it.

Linux: Installing and configuring SSM Agent on EC2 instances for Linux

Windows: Install and configure SSM Agent on EC2 instances for Windows Server

To check the status of SSM Agent, use the following commands:

Amazon Linux 1, RHEL 6 (or similar distributions):

$ sudo status amazon-ssm-agent

Amazon Linux 2, Ubuntu, RHEL 7 (or similar distributions):

$ sudo systemctl status amazon-ssm-agent

Latest Ubuntu 18.04 systems that use snap:

$ sudo snap services amazon-ssm-agent    
Service                            Startup  Current  Notes
amazon-ssm-agent.amazon-ssm-agent  enabled  active   -

Windows:

$ Get-Service AmazonSSMAgent

Verify connectivity to Systems Manager endpoints on port 443

For a list of Systems Manager endpoints by Region, see AWS Systems Manager endpoints and quotas.

To test connectivity to endpoints from port 443, use the telnet command. The following example shows how to test connectivity to endpoints in the us-east-1 Region.

telnet ssm.us-east-1.amazonaws.com 443
telnet ec2messages.us-east-1.amazonaws.com 443
telnet ssmmessages.us-east-1.amazonaws.com 443

Note: The ssmmessages endpoint is required only for AWS Systems Manager Session Manager.

If the connection isn't working, confirm that your VPC's route table, security groups, and network access control list (ACL) are configured to allow outbound connections on port 443. Systems Manager endpoints are public endpoints. This means that the internet must be reachable from your instance by using Internet Gateway or NAT.

If your instances are in a private subnet, you can configure VPC endpoints to reach Systems Manager endpoints. This enables you to privately access Amazon EC2 and Systems Manager APIs using private IP addresses. For more information, see How do I create VPC endpoints so that I can use Systems Manager to manage private EC2 instances without internet access?

Note: Each interface endpoint creates an elastic network interface in the provided subnet. The security group attached to the elastic network interface requires that port 443 allow inbound traffic.

Verify that the correct IAM role is attached to the instance

To use APIs to call a Systems Manager endpoint, the correct IAM role must be attached to the instance. Confirm that the IAM role has the AWS managed policy AmazonSSMManagedInstanceCore attached to it. If you're using a custom IAM policy, confirm that your custom policy uses the permissions found under AmazonSSMManagedInstanceCore. Also, confirm that the trust policy of the IAM role allows ec2.amazonaws.com to assume this role.

For more information, see Add permissions to a Systems Manager instance profile (console).

Verify connectivity to the instance metadata service

SSM Agent must communicate with the instance metadata service in order to get necessary information about the instance. To test this connection, use the telnet command.

telnet 169.254.169.254 80

If you're using a proxy on the instance, the proxy might block connectivity to the metadata URL. Confirm that you configured your SSM Agent to work with a proxy. Use the following links to configure SSM Agent to use a proxy.

Windows: Configure SSM Agent to use a proxy for Windows Server instances

Linux: Configure SSM Agent to use a proxy

If you verify all the preceding prerequisites and the instance still doesn't appear as a managed instance in the Systems Manager console, refer to the SSM Agent logs:

Windows: The SSM Agent logs for Windows are found under %PROGRAMDATA%\Amazon\SSM\Logs.

Linux: The SSM Agent logs for Linux are found under /var/log/amazon/ssm.


Did this article help?


Do you need billing or technical support?