Why is my EC2 instance not appearing under Managed Instances in the Systems Manager console?
Last updated: 2020-03-06
My Amazon Elastic Compute Cloud (Amazon EC2) instance is not appearing under Managed Instances in the AWS Systems Manager console.
Short description
A managed instance is an EC2 instance that's configured for use with Systems Manager. Managed instances can use Systems Manager services such as Run Command, Patch Manager, and Automation workflows.
To be a managed instance, instances must meet the following prerequisites:
- Have the AWS Systems Manager Agent (SSM Agent) installed and running.
- Have connectivity with Systems Manager endpoints using the SSM Agent.
- Have the correct AWS Identity and Access Management (IAM) role attached.
- Have connectivity to the instance metadata service
Note: For hybrid instances, see Setting up AWS Systems Manager for hybrid environments.
Resolution
Note: Be sure to select the Region your instance is in before beginning this resolution.
Verify that the following prerequisites are met on the instance:
SSM Agent is installed and running on the instance
Be sure that your operating system is supported by Systems Manager. For the list of supported operating systems, see Supported operating systems.
SSM Agent is preinstalled on some Windows and Linux operating systems. For the list of operating systems that have SSM Agent preinstalled, see Working with SSM Agent.
If SSM Agent is not preinstalled, manually install it.
Linux: Installing and configuring SSM Agent on EC2 instances for Linux
Windows: Install and configure SSM Agent on EC2 instances for Windows Server
To check the status of SSM Agent, use the following commands:
Amazon Linux 1, RHEL 6 (or similar distributions):
$ sudo status amazon-ssm-agent
Amazon Linux 2, Ubuntu, RHEL 7 (or similar distributions):
$ sudo systemctl status amazon-ssm-agent
Latest Ubuntu 18.04 systems that use snap:
$ sudo snap services amazon-ssm-agent
Service Startup Current Notes
amazon-ssm-agent.amazon-ssm-agent enabled active -
Windows:
$ Get-Service AmazonSSMAgent
Verify connectivity to Systems Manager endpoints on port 443
For a list of Systems Manager endpoints by Region, see AWS Systems Manager endpoints and quotas.
To test connectivity to endpoints from port 443, use the telnet command. The following example shows how to test connectivity to endpoints in the us-east-1 Region.
telnet ssm.us-east-1.amazonaws.com 443
telnet ec2messages.us-east-1.amazonaws.com 443
telnet ssmmessages.us-east-1.amazonaws.com 443
Note: The ssmmessages endpoint is required only for AWS Systems Manager Session Manager.
If the connection isn't working, confirm that your VPC's route table, security groups, and network access control list (ACL) are configured to allow outbound connections on port 443. Systems Manager endpoints are public endpoints. This means that the internet must be reachable from your instance by using Internet Gateway or NAT.
If your instances are in a private subnet, you can configure VPC endpoints to reach Systems Manager endpoints. This enables you to privately access Amazon EC2 and Systems Manager APIs using private IP addresses. For more information, see How do I create VPC endpoints so that I can use Systems Manager to manage private EC2 instances without internet access?
Note: Each interface endpoint creates an elastic network interface in the provided subnet. The security group attached to the elastic network interface requires that port 443 allow inbound traffic.
Verify that the correct IAM role is attached to the instance
To use APIs to call a Systems Manager endpoint, the correct IAM role must be attached to the instance. Confirm that the IAM role has the AWS managed policy AmazonSSMManagedInstanceCore attached to it. If you're using a custom IAM policy, confirm that your custom policy uses the permissions found under AmazonSSMManagedInstanceCore. Also, confirm that the trust policy of the IAM role allows ec2.amazonaws.com to assume this role.
For more information, see Add permissions to a Systems Manager instance profile (console).
Verify connectivity to the instance metadata service
SSM Agent must communicate with the instance metadata service in order to get necessary information about the instance. To test this connection, use the telnet command.
telnet 169.254.169.254 80
If you're using a proxy on the instance, the proxy might block connectivity to the metadata URL. Confirm that you configured your SSM Agent to work with a proxy. Use the following links to configure SSM Agent to use a proxy.
Windows: Configure SSM Agent to use a proxy for Windows Server instances
Linux: Configure SSM Agent to use a proxy
If you verify all the preceding prerequisites and the instance still doesn't appear as a managed instance in the Systems Manager console, refer to the SSM Agent logs:
Windows: The SSM Agent logs for Windows are found under %PROGRAMDATA%\Amazon\SSM\Logs.
Linux: The SSM Agent logs for Linux are found under /var/log/amazon/ssm.
Did this article help?
Do you need billing or technical support?