This section describes tasks and prerequisites for setting up AWS Systems Manager. Use the following table to help you get started.
What do you want to do with Systems Manager?
Set up tasks
- Verify permissions and create an instance profile role.
- Create a few Amazon EC2 test instances (free tier) from recent Amazon Linux or Windows AMIs.
- Test out Systems Manager. Here are some walkthroughs to help you get started.
- Note: Some of these walkthroughs require additional setup tasks, such as additional permissions, before you can complete them.
- Run Command (EC2 console): Linux or Windows
- Run Command Walkthroughs (AWS CLI or AWS Tools for Windows PowerShell)
- State Manager Walkthroughs
- Parameter Store Walkthroughs
- Inventory Manager Walkthroughs
- Automation Walkthroughs
- Maintenance Window Walkthroughs
- Patch Manager Walkthroughs
Use Systems Manager to manage and configure my existing EC2 instances
- Verify permissions and create an instance profile role.
- Verify that your EC2 instances meet Systems Manager requirements.
- (Linux only) Install SSM Agent.
Use Systems Manager to manage and configure my servers and VMs in a hybrid environment
- Verify permissions and create an instance profile role.
- Verify that your servers and VMs in your hybrid environment meet Systems Manager requirements.
- Perform setup and activation tasks for managed instances in a hybrid environment.
Systems Manager Prerequisites
Systems Manager includes the following prerequisites.
Supported Operating System (Windows): Instances must run a supported version of Windows Server: Windows Server 2003 through Windows Server 2016, including R2 versions.
- Note: Patch Manager currently supports a different set of Windows operating systems. For information, see Operating Systems Supported by Patch Manager.
Supported Operating System (Linux): Instances must run a supported version of Linux.
- Note: Patch Manager currently supports a different set of Linux operating systems. For information, see Operating Systems Supported by Patch Manager.
- 64-Bit and 32-Bit Systems
- Amazon Linux base AMIs 2014.09, 2014.03 or later
- Ubuntu Server 16.04 LTS, 14.04 LTS, or 12.04 LTS
- Red Hat Enterprise Linux (RHEL) 6.5
- CentOS 6.3 or later
- 32-Bit Systems Only
- Raspbian Jessie
- Raspbian Stretch
- 64-Bit Systems Only
- Amazon Linux 2015.09, 2015.03 or later
- Amazon Linux 2
- Red Hat Enterprise Linux (RHEL) 7.4
- CentOS 7.1 or later
- SUSE Linux Enterprise Server (SLES) 12 or higher
Support Regions: Systems Manager is available in these regions.
- For servers and VMs in your hybrid environment, we recommend that you choose the region closest to your data center or computing environment.
Access to Systems Manager: Systems Manager requires an IAM role for instances that will process commands and a separate role for users executing commands. Both roles require permission policies that enable them to communicate with the Systems Manager API. You can choose to use Systems Manager managed policies or you can create your own roles and specify permissions. For more information, see Configuring Access to Systems Manager.
- If you are configuring on-premises servers or VMs that you want to configure using Systems Manager, you must also configure an IAM service role. For more information, see Create an IAM Service Role.
SSM Agent (EC2 Windows instances): SSM Agent processes Systems Manager requests and configures your machine as specified in the request. The SSM Agent is installed by default on Windows Server 2016 instances and instances created from Windows Server 2003-2012 R2 AMIs published in November 2016 or later.
- Windows AMIs published before November 2016 use the EC2Config service to process requests and configure instances.
- Unless you have a specific reason for using the EC2Config service or an earlier version of the SSM Agent to process Systems Manager requests, we recommend that you download and install the latest version of the SSM Agent to each of your Amazon EC2 instances or managed instances (servers and VMs in a hybrid environment). For more information, see Installing and Configuring SSM Agent on Windows Instances.
SSM Agent (EC2 Linux instances): SSM Agent processes Systems Manager requests and configures your machine as specified in the request. SSM Agent is installed, by default, on Amazon Linux base AMIs dated 2017.09 and later. You must manually install SSM Agent on other versions of EC2 Linux, including non-base images like Amazon ECS-Optimized AMIs. For more information, see Installing and Configuring SSM Agent on Linux Instances.
- The source code for SSM Agent is available on GitHub so that you can adapt the agent to meet your needs. We encourage you to submit pull requestsfor changes that you would like to have included. However, Amazon Web Services does not currently provide support for running modified copies of this software.
SSM Agent (hybrid environment): The SSM Agent download and installation process for managed instances in a hybrid environment is different than Amazon EC2 instances. For more information, see Install the SSM Agent on Servers and VMs in Your Windows Hybrid Environment.
Windows PowerShell 3.0 or Later: SSM Agent requires Windows PowerShell 3.0 or later to execute certain SSM Documents on Windows instances (for example, the AWS-ApplyPatchBaseline document). Verify that your Windows instances are running Windows Management Framework 3.0 or later. The framework includes PowerShell. For more information, see Windows Management Framework 3.0.
Internet Access: Verify that your EC2 instances have outbound Internet access. Inbound Internet access is not required.
Configure Monitoring and Notifications (Optional): You can configure Amazon CloudWatch Events to log status execution changes of the commands you send using Systems Manager. You can also configure Amazon Simple Notification Service (Amazon SNS) to send you notifications about specific command status changes. For more information, see Understanding Command Statuses.
Amazon S3 Bucket (Optional): You can store System Manager output in an Amazon Simple Storage Service (Amazon S3) bucket. Output in the Amazon EC2 console is truncated after 2500 characters. Additionally, you might want to create an Amazon S3 key prefix (a subfolder) to help you organize output. For more information, see Create a Bucket.
For information about Systems Manager limits, see AWS Systems Manager Limits. To increase limits, go to AWS Support Center and submit a limit increase request form.
Ec2messages and Undocumented API Calls
If you monitor API calls, you will see calls to the following APIs.
- ec2messages:AcknowledgeMessage
- ec2messages:DeleteMessage
- ec2messages:FailMessage
- ec2messages:GetEndpoint
- ec2messages:GetMessages
- ec2messages:SendReply
- UpdateInstanceInformation
- ListInstanceAssociations
- DescribeInstanceProperties
- DescribeDocumentParameters
Calls to ec2messages:*
APIs are calls to the ec2messages endpoint. Systems Manager uses this endpoint to make calls from the SSM Agent to the Systems Manager service in the cloud. This endpoint is required to send and receive commands.
UpdateInstanceInformation
: SSM Agent calls the Systems Manager service in the cloud every five minutes to provide heartbeat information. This call is necessary to maintain a heartbeat with the agent so that the service knows the agent is functioning as expected.
ListInstanceAssociations
: The agent calls this API to see if a new Systems Manager State Manager association is available. This API is required for State Manager to function.
DescribeInstanceProperties
and DescribeDocumentParameters
: Systems Manager calls these APIs to render specific nodes in the Amazon EC2 console. The DescribeInstanceProperties
API displays the Managed Instances node in the left navigation. The DescribeDocumentParameters
API displays the Documents node in the left navigation.
Comments
0 comments
Please sign in to leave a comment.