
βœ… Step-by-Step: Enable AWS SSM on Ubuntu 22.04 EC2


πŸ“Œ 1. Verify Prerequisites

Requirement               Details
EC2 in VPC                Ubuntu 22.04-based EC2 instance
Path to SSM endpoints     Via NAT Gateway (public internet) or VPC Interface Endpoints (no internet access needed)
IAM Role                  Instance profile carrying AmazonSSMManagedInstanceCore (step 2)
Port 443 outbound open    HTTPS from the instance to the SSM endpoints; no inbound ports at all (SSH/22 is not required)

πŸ› οΈ 2. Attach IAM Role with SSM Permissions

  1. Create an IAM role trusted by the EC2 service (ec2.amazonaws.com) with the AWS-managed policy AmazonSSMManagedInstanceCore. That policy is the minimum the agent needs to register and serve Session Manager; avoid the older AmazonEC2RoleforSSM policy, which also grants broad S3 access the instance does not need.
  2. Attach the role to the EC2 instance as its instance profile. The agent fetches the role's credentials from the instance metadata service, so the instance needs no access keys; if it does not show up as managed within a few minutes, restart the agent so it re-reads its credentials.

πŸ“¦ 3. Install the SSM Agent (if not pre-installed)

AWS-published Ubuntu Server 22.04 AMIs ship with SSM Agent preinstalled as a snap, so the unit is named snap.amazon-ssm-agent.amazon-ssm-agent.service and a plain systemctl status amazon-ssm-agent reports that the unit could not be found even when the agent is healthy. Custom or Marketplace images may not include it at all, so verify first:

✅ A. Check status:

sudo systemctl status snap.amazon-ssm-agent.amazon-ssm-agent.service

πŸ”„ B. If not installed, run:

# Install dependencies
sudo apt update
sudo apt install -y snapd
 
# Install SSM Agent via Snap (recommended method)
sudo snap install amazon-ssm-agent --classic
 
# Start the agent
sudo systemctl enable --now snap.amazon-ssm-agent.amazon-ssm-agent.service

β›³ Alternative via .deb:

# Replace REGION (both occurrences) with your AWS region, e.g. ap-south-1
wget https://s3.REGION.amazonaws.com/amazon-ssm-REGION/debian_amd64/amazon-ssm-agent.deb
sudo dpkg -i amazon-ssm-agent.deb
sudo systemctl enable --now amazon-ssm-agent

Do not install both packagings on one instance: if the snap is present, remove it (snap remove amazon-ssm-agent) before installing the .deb. AWS publishes a detached signature (amazon-ssm-agent.deb.sig) and the corresponding public key alongside the package; verify it before running dpkg, since this path fetches an executable over the network and installs it as root.

πŸ” 4. Verify Agent is Running

# the bracket keeps grep from matching its own command line
ps aux | grep '[a]mazon-ssm-agent'
sudo systemctl status snap.amazon-ssm-agent.amazon-ssm-agent.service   # snap install
sudo systemctl status amazon-ssm-agent                                  # .deb install

A running process only proves the agent started. Confirm registration from the control-plane side: the instance should appear in Systems Manager > Fleet Manager (or in the output of aws ssm describe-instance-information) with ping status Online. If it does not show within a few minutes of attaching the role, restart the agent. The agent's own log is /var/log/amazon/ssm/amazon-ssm-agent.log for both packagings.

🌐 5. Ensure Outbound Internet or VPC Endpoints

βœ… Option A: NAT Gateway

Ensure the private subnet's route table sends 0.0.0.0/0 to a NAT Gateway and that the instance security group allows outbound TCP 443. No inbound rule is needed.

✅ Option B: VPC Endpoints (if no NAT)

Create Interface VPC Endpoints in the instance's VPC (replace ap-south-1 with your region) for:

  • com.amazonaws.ap-south-1.ssm
  • com.amazonaws.ap-south-1.ec2messages
  • com.amazonaws.ap-south-1.ssmmessages (required for Session Manager)

Enable private DNS on each endpoint so the agent's default hostnames (ssm.<region>.amazonaws.com and so on) resolve to the endpoint ENIs. The endpoint's security group must allow inbound TCP 443 from the instance's security group (or its subnet CIDR), and the instance's security group must allow outbound 443. These endpoints cover agent traffic only; session logs to S3 or CloudWatch Logs from a VPC without NAT need their own endpoints (see step 7).


πŸš€ 6. Connect via Session Manager

A. From Console:

AWS Console > Systems Manager > Session Manager > Start Session

B. From AWS CLI (requires the Session Manager plugin installed on your workstation; the instance ID below is a placeholder):

aws ssm start-session --target i-0123456789abcdef0
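If the instance never appears as a Session Manager target, the fault is almost always one of steps 2 to 5 on the instance side. The following preflight script is an added example for this page (not an AWS-provided tool): run it on the Ubuntu 22.04 host with sh ssm-preflight.sh run and it checks the instance profile via IMDSv2, finds the right systemd unit for whichever packaging (snap or .deb) is installed, and proves outbound 443 to the three regional endpoints. It assumes curl is installed, that IMDSv2 is reachable from the host, and that the endpoint hostnames follow the ssm./ssmmessages./ec2messages.<region>.amazonaws.com pattern (interface endpoints with private DNS enabled resolve those same names).

```shell
#!/bin/sh
# ssm-preflight.sh: run ON the instance to check what steps 2-5 require.
# Added example for this page, not AWS tooling. Assumes curl, IMDSv2 reachable
# from the host, and the standard regional endpoint hostnames (see lead-in).
set -u

IMDS="http://169.254.169.254"

# Hostnames the agent must reach on 443 for Session Manager in a region.
ssm_endpoints() {
  printf '%s\n' "ssm.$1.amazonaws.com" \
                "ssmmessages.$1.amazonaws.com" \
                "ec2messages.$1.amazonaws.com"
}

# The snap and .deb packages use different systemd unit names; checking the
# wrong one reports "Unit not found" on a perfectly healthy agent.
agent_unit() {
  case "$1" in
    snap) echo "snap.amazon-ssm-agent.amazon-ssm-agent.service" ;;
    deb)  echo "amazon-ssm-agent.service" ;;
    *)    echo "unknown install type: $1" >&2; return 1 ;;
  esac
}

# Work out which packaging is present on this host (snap, deb or none).
detect_install_type() {
  if snap list amazon-ssm-agent >/dev/null 2>&1; then echo snap
  elif dpkg -s amazon-ssm-agent >/dev/null 2>&1; then echo deb
  else echo none
  fi
}

# IMDSv2: PUT for a short-lived token, then GET metadata with it. Works when
# the instance enforces IMDSv2 (HttpTokens=required). -f turns a 404 (no role
# attached) into a non-zero exit instead of an HTML body.
imds_get() {
  token=$(curl -sSf -m 2 -X PUT "$IMDS/latest/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
  curl -sSf -m 2 -H "X-aws-ec2-metadata-token: $token" "$IMDS/latest/meta-data/$1"
}

# Outbound TLS check: without -f, curl exits 0 on any HTTP status (a 403/404
# still proves DNS, routing, the security group and the TLS handshake all
# worked) and non-zero only when the connection itself fails.
check_tls() {
  curl -sS -m 5 -o /dev/null "https://$1/" 2>/dev/null
}

main() {
  fail=0
  region=$(imds_get placement/region) || { echo "FAIL: IMDS unreachable"; return 1; }
  echo "instance $(imds_get instance-id) in $region"

  echo "== IAM instance profile (step 2) =="
  if role=$(imds_get iam/security-credentials/) && [ -n "$role" ]; then
    echo "ok: role $role (must carry AmazonSSMManagedInstanceCore)"
  else
    echo "FAIL: no instance profile attached"; fail=1
  fi

  echo "== agent installed and active (steps 3-4) =="
  kind=$(detect_install_type)
  if [ "$kind" = none ]; then
    echo "FAIL: amazon-ssm-agent is not installed"; fail=1
  else
    unit=$(agent_unit "$kind")
    if systemctl is-active --quiet "$unit"; then
      echo "ok: $unit is active ($kind package)"
    else
      echo "FAIL: $unit not active; see journalctl -u $unit"; fail=1
    fi
  fi

  echo "== outbound 443 to SSM endpoints (step 5) =="
  for host in $(ssm_endpoints "$region"); do
    if check_tls "$host"; then echo "ok: $host"
    else echo "FAIL: $host:443 unreachable (NAT route, endpoint SG or private DNS)"; fail=1
    fi
  done
  return "$fail"
}

# Only run the checks when invoked as: sh ssm-preflight.sh run
if [ "${1:-}" = run ]; then main; fi
```

A clean run exits 0 with three "ok" lines for the endpoints. Note what it cannot tell you: the role name alone does not prove AmazonSSMManagedInstanceCore is attached, and a reachable endpoint does not prove the endpoint policy allows this account. Both of those show up on the control-plane side, where the instance must list as Online in aws ssm describe-instance-information.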

βœ… 7. (Optional) Enable Logging + Auditing

For governance, enable:

  • CloudTrail logging: records StartSession and TerminateSession API calls (who connected to which instance, and when), but not what was typed inside the session.
  • SSM session logging to S3 or CloudWatch Logs: records the session content itself. Encrypt the destination with a KMS key, restrict who can delete from it, and remember that an instance with no NAT needs an S3 gateway endpoint or a CloudWatch Logs interface endpoint to deliver the logs.

Go to: Systems Manager > Session Manager > Preferences > Create Logging Configuration

On the same Preferences page, consider enabling Run As so sessions land in a named OS user instead of the default ssm-user, which has passwordless sudo.


πŸ” Troubleshooting Checklist

Issue                       Fix
SSM agent not starting      Check service logs: journalctl -u snap.amazon-ssm-agent.amazon-ssm-agent.service (snap) or journalctl -u amazon-ssm-agent (.deb); the agent also writes /var/log/amazon/ssm/amazon-ssm-agent.log
EC2 not showing in SSM      Instance profile missing or lacks AmazonSSMManagedInstanceCore; the instance must list as Online in aws ssm describe-instance-information (allow a few minutes after attaching the role, or restart the agent)
No outbound access          Check the NAT route, all three interface endpoints, private DNS, and the security groups on both sides of port 443
Access denied in CLI        The calling IAM user/role needs ssm:StartSession on that instance (and ssm:TerminateSession on its own sessions); also confirm the Session Manager plugin is installed

🧰 Example IAM Policy for SSM Access (CLI Users/Admins)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ssm:StartSession",
        "ssm:TerminateSession",
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Resource "*" lets this principal open a session on every managed instance in the account. To scope it down, list instance ARNs (arn:aws:ec2:<region>:<account-id>:instance/<instance-id>) together with the session document arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell, or add a condition on ssm:resourceTag/<TagKey> so only tagged instances qualify, and restrict ssm:TerminateSession to the caller's own sessions with Resource arn:aws:ssm:*:*:session/${aws:username}-*. If session logging or KMS encryption is enabled in Preferences, the principal also needs the matching S3, CloudWatch Logs and kms:GenerateDataKey permissions, otherwise start-session fails.

πŸ§™ AI Wizard - Instant Page Insights

Click the button below to analyze this page.
Get an AI-generated summary and key insights in seconds.
Powered by Perplexity AI!