Get started with AWS Systems Manager

AWS Systems Manager is a management service offered by Amazon Web Services (AWS) that provides a centralized platform for managing and maintaining various aspects of your AWS infrastructure and applications for hybrid and multicloud environments.

It enables you to automate common operational tasks, gain insights into your system's health and performance, and maintain consistent configurations across your resources.

How Systems Manager works

The following diagram describes how some Systems Manager capabilities perform actions on your resources. The diagram doesn't cover all capabilities. Each enumerated interaction is described before the diagram.

1. Access Systems Manager – Use one of the available options for accessing Systems Manager.

2. Choose a Systems Manager capability – Determine which capability can help you perform the action you want to perform on your resources. The diagram shows only a few of the capabilities that IT administrators and DevOps personnel use to manage their applications and resources.

3. Verification and processing – Systems Manager verifies that your user, group, or role has the required AWS Identity and Access Management (IAM) permissions to perform the action you specified. If the target of your action is a managed node, the Systems Manager Agent (SSM Agent) running on the node performs the action. For other types of resources, Systems Manager performs the specified action or communicates with other AWS services to perform the action on behalf of Systems Manager.

4. Reporting – Systems Manager, SSM Agent, and other AWS services that performed an action on behalf of Systems Manager report status. Systems Manager can send status details to other AWS services, if configured.

5. Systems Manager operations management capabilities – If enabled, Systems Manager operations management capabilities such as Explorer, OpsCenter, and Incident Manager aggregate operations data or create artifacts in response to events or errors with your resources. These artifacts include operational work items (OpsItems) and incidents. Systems Manager operations management capabilities provide operational insight into your applications and resources and automated remediation solutions to help troubleshoot problems.

Systems Manager capabilities

Systems Manager groups capabilities into the following categories.

• Application management

• Change management

• Node management

• Operations management

• Quick Setup

• Shared resources

Getting started with AWS Systems Manager

Use this tutorial to get started with AWS Systems Manager. You'll learn how to launch an Amazon Elastic Compute Cloud (Amazon EC2) instance that is managed by Systems Manager, and how to connect to the managed instance.

Because Systems Manager is a collection of multiple capabilities, no single walkthrough or tutorial can introduce the entire service. This tutorial provides an introduction to some of the capabilities.

Prerequisites

Before you begin, be sure that you've completed the steps in Setting up Systems Manager for EC2 instances.

Configure instance permissions for Systems Manager

By default, AWS Systems Manager doesn't have permission to perform actions on your instances. You can provide instance permissions at the account level using an AWS Identity and Access Management (IAM) role, or at the instance level using an instance profile. If your use case allows, AWS recommends granting access at the account level using the Default Host Management Configuration.

Recommended configuration

Default Host Management Configuration allows Systems Manager to manage your Amazon EC2 instances automatically. After you've turned on this setting, all instances using Instance Metadata Service Version 2 (IMDSv2) in the AWS Region and AWS account with SSM Agent version 3.2.582.0 or later installed automatically become managed instances. Default Host Management Configuration doesn't support Instance Metadata Service Version 1.

Default Host Management Configuration allows instance management without the use of instance profiles and ensures that Systems Manager has permissions to manage all instances in the Region and account. If the permissions provided aren't sufficient for your use case, you can also add policies to the default IAM role created by the Default Host Management Configuration. Alternatively, if you don't need permissions for all of the capabilities provided by the default IAM role, you can create your own custom role and policies. Any changes made to the IAM role you choose for Default Host Management Configuration applies to all managed Amazon EC2 instances in the Region and account. For more information about the policy used by Default Host Management Configuration, see AWS managed policy: AmazonSSMManagedEC2InstanceDefaultPolicy.For more information about the Default Host Management Configuration, see Default Host Management Configuration.

You can turn on the Default Host Management Configuration from the Fleet Manager console. To successfully complete this procedure using either the AWS Management Console or your preferred command line tool, you must have permissions for the GetServiceSetting, ResetServiceSetting, and UpdateServiceSetting API operations. Additionally, you must have permissions for the iam:PassRole permission for the AWSSystemsManagerDefaultEC2InstanceManagementRole IAM role. The following is an example policy. Replace each example resource placeholder with your own information.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetServiceSetting",
                "ssm:ResetServiceSetting",
                "ssm:UpdateServiceSetting"
            ],
            "Resource": "arn:aws:ssm:region:account-id:servicesetting/ssm/managed-instance/default-instance-management-role"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::account-id:role/service-role/AWSSystemsManagerDefaultEC2InstanceManagementRole",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "ssm.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

Before you begin, if you have instance profiles attached to your Amazon EC2 instances, remove any permissions that allow the ssm:UpdateInstanceInformation operation. The SSM Agent attempts to use instance profile permissions before using the Default Host Management Configuration permissions. If you allow the ssm:UpdateInstanceInformation operation in your instance profiles, the instance will not use the Default Host Management Configuration permissions.

1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.

2. In the navigation pane, choose Fleet Manager.

   -or-

   If the AWS Systems Manager home page opens first, choose the menu icon to open the navigation pane, and then choose Fleet Manager in the navigation pane.

   

3. Choose Default Host Management Configuration under the Account management dropdown.

   

4. Turn on Enable Default Host Management Configuration.

   

5. Choose the IAM role used to enable Systems Manager capabilities for your instances. We recommend using the default role provided by Default Host Management Configuration. It contains the minimum set of permissions necessary to manage your Amazon EC2 instances using Systems Manager. If you prefer to use a custom role, the role's trust policy must allow Systems Manager as a trusted entity.

   

6. Choose Configure to complete setup.

   

After turning on the Default Host Management Configuration, it might take up 30 minutes for your instances to use the credentials of the role you chose. You must turn on the Default Host Management Configuration in each Region you wish to automatically manage your Amazon EC2 instances.

Launch an instance using an AMI with SSM Agent preinstalled

You can launch an Amazon EC2 instance using the AWS Management Console as described in the following procedure. This tutorial is intended to help you launch your first managed instance quickly, so it doesn't cover all possible options.

To launch an instance

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. From the EC2 console dashboard, in the Launch instance box, choose Launch instance, and then choose Launch instance from the options that appear.

3. For Name and tags, for Name, enter a descriptive name for your instance.

   

4. For Application and OS Images (Amazon Machine Image), do the following:

   1. Choose the Quick Start tab, and then choose Amazon Linux. This is the operating system (OS) for your instance.

   2. For Amazon Machine Image (AMI), choose an HVM version of Amazon Linux 2.

      

5. For Instance type, from the Instance type list, choose the hardware configuration for your instance. Choose the t2.micro instance type, which is selected by default. The t2.micro instance type is eligible for the AWS Free Tier. In AWS Regions where t2.micro is unavailable, you can use a t3.micro instance under the Free Tier. For more information, see AWS Free Tier.

   

6. For Key pair (login), for Key pair name, choose a key pair.

   💡

   To create Security Group and SSH key pair you can use the following guide: How to launch a single EC2 instance via AWS CLI

   

7. For Network settings, choose Edit. For Security group name, notice that the wizard created and selected a security group for you. You can use this security group, or alternatively you can select a security group that you created previously using the following steps:

   1. Choose Select existing security group.

   2. From Common security groups, choose your security group from the list of existing security groups.

      

8. If you aren't using Default Host Management Configuration, expand the Advanced details section, and for IAM instance profile, choose the instance profile that you created when getting set up in Step 1: Configure instance permissions for Systems Manager.

9. Keep the default selections for the other configuration settings for your instance.

10. Review a summary of your instance configuration in the Summary pane. When you're ready, choose Launch instance.

11. A confirmation page informs you that your instance is launching. Choose View all instances to close the confirmation page and return to the console.

12. On the Instances screen, you can view the status of the launch. It takes a short time for an instance to launch.

    

13. It can take a few minutes for the instance to show as managed and be ready for you to connect to it. To check that your instance passed its status checks, view this information in the Status check column.

Connect to your managed instance

To connect to your managed instance

1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.

2. In the navigation pane, choose Fleet Manager.

   -or-

   If the AWS Systems Manager home page opens first, choose the menu icon ( ) to open the navigation pane, and then choose Fleet Manager in the navigation pane.

3. Choose the button next to the instance that you want to connect to using RDP.

4. In the Node actions menu, choose Start terminal session.

5. Select Connect.

Launch EC2 with Intance Profile and Connect to the Fleet Manager

1. Before launching EC2 instance, we need first to create Instance Profile with the required permissions AmazonSSMManagedInstanceCore:

   

2. Give the proper naming for the permissions role:

   

3. Under Advanced details in EC2 launch section select the new created Instance Profile role:

   

4. For testing purposes specify 3 instances to launch:

   

5. Under Fleet Manager in Systems Manager Menu you will find all three managed EC2 instances:

   

References

1. AWS Systems Manager

2. Getting started with AWS Systems Manager

3. Default Host Management Configuration

4. Step 1: Configure instance permissions for Systems Manager

5. AmazonSSMManagedInstanceCore