AWS Systems Manager Agent (SSM Agent) is a crucial software component that enables AWS Systems Manager to manage, configure, and automate tasks on EC2 instances and on-premises servers. As a SysOps Administrator, understanding SSM Agent is essential for effective infrastructure management.
SSM Agent is pre-installed on many Amazon Machine Images (AMIs), including Amazon Linux, Amazon Linux 2, Ubuntu Server, and Windows Server AMIs. For other operating systems or on-premises servers, manual installation is required.
Key Functions of SSM Agent:
1. **Run Command**: Executes commands remotely across multiple instances, enabling automation of administrative tasks like software installations, patches, and configuration changes.
2. **Session Manager**: Provides secure shell access to instances through the browser or AWS CLI, eliminating the need for open inbound ports, bastion hosts, or SSH keys.
3. **Patch Manager**: Facilitates automated patching of managed instances with security-related updates.
4. **State Manager**: Maintains consistent configuration across your fleet by applying desired state configurations.
5. **Parameter Store Integration**: Documents that the agent runs can resolve values from Systems Manager Parameter Store, including SecureString parameters for secrets, so configuration data does not have to be baked into scripts or AMIs. Parameter Store itself is a Systems Manager feature; the agent's role is to fetch the values at execution time using the instance profile's permissions.
Prerequisites for SSM Agent functionality include:
- An IAM instance profile attached to the instance with appropriate permissions (the AWS managed policy AmazonSSMManagedInstanceCore is the minimum); the agent obtains these credentials from the instance metadata service, so IMDS must be reachable from the agent
- Outbound access over TCP 443 to the Systems Manager endpoints (ssm, ssmmessages and ec2messages), either through an internet/NAT route or through VPC interface endpoints
- The agent must be installed, running and healthy
For troubleshooting, administrators should check agent logs located in /var/log/amazon/ssm/ on Linux (amazon-ssm-agent.log and errors.log) or %PROGRAMDATA%\Amazon\SSM\Logs on Windows. Common issues include a missing or under-privileged instance profile, network connectivity problems (no route or security group rule to the endpoints), or outdated agent versions.
SSM Agent does not update itself out of the box. You opt in to automatic updates, either by enabling agent auto-update for the account in Fleet Manager or by creating a State Manager association that runs the AWS-UpdateSSMAgent document on a schedule. Once enabled, the service keeps the agent current with the latest features and security fixes, which reduces operational overhead and keeps the fleet consistent.
SSM Agent: Complete Guide for AWS SysOps Administrator Associate Exam
What is SSM Agent?
SSM Agent (AWS Systems Manager Agent) is a software component that must be installed and running on Amazon EC2 instances, on-premises servers, and virtual machines to enable AWS Systems Manager to manage, configure, and execute commands on these resources. It acts as the communication bridge between your managed instances and the Systems Manager service.
Why is SSM Agent Important?
SSM Agent is critical for several reasons:
• Centralized Management: Enables unified management of your entire infrastructure through a single interface
• Secure Access: Eliminates the need to open SSH or RDP ports, enhancing security posture
• Automation: Facilitates automated patching, configuration management, and command execution
• Hybrid Support: Allows management of both cloud and on-premises resources
• Compliance: Helps maintain compliance through consistent configuration and reporting
How SSM Agent Works
Installation and Pre-requisites:
• SSM Agent comes pre-installed on many Amazon Machine Images (AMIs) including Amazon Linux, Amazon Linux 2, Ubuntu Server, and Windows Server
• For other operating systems or on-premises servers, manual installation is required
• The agent runs as a background service (amazon-ssm-agent on Linux, where Ubuntu ships it as a snap; AmazonSSMAgent on Windows)
Communication Flow:
1. SSM Agent connects outbound to the Systems Manager service endpoints and waits for work (long polling for Run Command, a persistent WebSocket for Session Manager)
2. When commands or documents are sent, the agent retrieves them from the service
3. The agent executes the commands locally on the instance, authenticating to AWS with the instance profile's temporary credentials
4. Results and status are sent back to Systems Manager
5. All connections are initiated by the instance, outbound over TLS on TCP 443; the service never opens a connection to the instance
Required IAM Permissions:
• Instances need an IAM instance profile with appropriate permissions; the agent reads the role's credentials from the instance metadata service
• The AmazonSSMManagedInstanceCore managed policy provides the minimum required permissions
• For advanced features (for example writing Session Manager logs to S3 or CloudWatch Logs, or reading SecureString parameters), additional permissions are needed
Network Requirements:
• Outbound HTTPS (TCP 443) access to Systems Manager endpoints, through an internet gateway/NAT gateway or through VPC endpoints
• Can use VPC endpoints (PrivateLink) for private connectivity; enable private DNS on the endpoints so the agent's default hostnames (ssm.REGION.amazonaws.com and so on) resolve to the endpoint network interfaces, and allow TCP 443 from the VPC in the endpoint security group
• Required endpoints: ssm, ssmmessages, and ec2messages
• Optional features need further endpoints: s3 (agent updates, Patch Manager content, S3 session logs), logs (CloudWatch Logs session logging) and kms (KMS-encrypted sessions)
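The IAM and network prerequisites above, bootstrapped with the AWS CLI. This is an added example and not code from the original guide: ssm_endpoint_service_names() and ec2_trust_policy() are pure helpers, and apply() performs the real calls. The role name, instance, VPC, subnet and CIDR values are assumptions for illustration and must be replaced before running with --apply.

```shell
#!/bin/sh
# Added example: set up the IAM instance profile and the three Systems Manager
# interface endpoints for an EC2 instance in a private subnet.
# All IDs, names and the CIDR below are assumed placeholders.
set -eu

# The three PrivateLink services every managed EC2 node needs. Optional
# features (S3 session logs, CloudWatch Logs, KMS session encryption) need
# s3, logs and kms endpoints on top of these.
ssm_endpoint_service_names() {
  ep_region="$1"
  for ep_svc in ssm ssmmessages ec2messages; do
    printf 'com.amazonaws.%s.%s\n' "$ep_region" "$ep_svc"
  done
}

# Trust policy that lets only the EC2 service assume the role. The agent then
# obtains the role's temporary credentials from IMDS; nothing is stored on disk.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Everything in apply() calls the AWS CLI for real.
apply() {
  REGION="${REGION:-us-east-1}"
  ROLE_NAME="${ROLE_NAME:-SsmManagedInstanceRole}"          # assumed
  INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"         # assumed
  VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"                 # assumed
  SUBNET_IDS="${SUBNET_IDS:-subnet-0123456789abcdef0}"      # assumed, private subnet(s)
  VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"                       # assumed

  # 1. Role + instance profile carrying the AWS managed minimum policy.
  ec2_trust_policy > /tmp/ssm-trust.json
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document file:///tmp/ssm-trust.json
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
      --role-name "$ROLE_NAME"
  aws ec2 associate-iam-instance-profile --instance-id "$INSTANCE_ID" \
      --iam-instance-profile Name="$ROLE_NAME"

  # 2. Security group for the endpoint ENIs: only TCP 443 from inside the VPC.
  SG_ID=$(aws ec2 create-security-group --group-name ssm-endpoints \
      --description "HTTPS from VPC to SSM interface endpoints" \
      --vpc-id "$VPC_ID" --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$SG_ID" \
      --protocol tcp --port 443 --cidr "$VPC_CIDR"

  # 3. One interface endpoint per service. Private DNS makes the agent's
  #    default hostnames resolve to the endpoint ENIs, so no agent config changes.
  for svc in $(ssm_endpoint_service_names "$REGION"); do
    aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$VPC_ID" \
        --vpc-endpoint-type Interface --service-name "$svc" \
        --subnet-ids $SUBNET_IDS --security-group-ids "$SG_ID" \
        --private-dns-enabled
  done
}

case "${1:-}" in
  --apply) apply ;;
  *) ssm_endpoint_service_names "${REGION:-us-east-1}" ;;   # dry run: list services
esac
```

Without --apply the script only prints the three service names for the region, which is a quick way to confirm the endpoint list before touching the account. The security group deliberately allows inbound 443 from the VPC CIDR only; the instance itself needs no inbound rule at all.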
Common SSM Agent Features and Use Cases
• Run Command: Execute shell scripts or PowerShell commands remotely
• Session Manager: Secure shell access through the browser or CLI
• Patch Manager: Automated patching of operating systems and applications
• State Manager: Maintain consistent configuration across instances
• Inventory: Collect metadata about instances and installed software
Troubleshooting SSM Agent
If an instance does not appear in Systems Manager:
1. Verify SSM Agent is installed and running
2. Check the IAM instance profile is attached and has the correct permissions
3. Confirm network connectivity on TCP 443 to the ssm, ssmmessages and ec2messages endpoints
4. Ensure the instance can reach the instance metadata service (IMDS), since the agent retrieves the instance profile credentials from it
5. Review SSM Agent logs for errors (/var/log/amazon/ssm/errors.log on Linux, %PROGRAMDATA%\Amazon\SSM\Logs on Windows)
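The five troubleshooting steps above as a single on-box triage script. This is an added example, not code from the original guide: classify_ssm_log_line() maps an agent log line onto the failing prerequisite, and live_checks() runs the service, IMDS and endpoint checks on a Linux instance. The embedded sample log lines are constructed for illustration and modeled on the agent's usual error wording; the account ID and instance ID in them are placeholders.

```shell
#!/bin/sh
# Added example: triage "instance missing from Systems Manager" on a Linux node.
# Sample log lines below are constructed, not captured from a real instance.
set -eu

SSM_LOG_DIR=/var/log/amazon/ssm
IMDS=http://169.254.169.254/latest

# Map one agent log line to the prerequisite it points at: IAM, NETWORK, AGENT or OK.
classify_ssm_log_line() {
  case "$1" in
    *NoCredentialProviders*|*"no EC2 instance role found"*|*EC2RoleRequestError*)
      echo IAM ;;        # no instance profile attached, or IMDS unreachable
    *AccessDeniedException*|*"not authorized to perform"*)
      echo IAM ;;        # profile attached but the policy is too narrow
    *"i/o timeout"*|*"no such host"*|*"connection refused"*|*RequestError*)
      echo NETWORK ;;    # cannot reach ssm / ssmmessages / ec2messages on 443
    *"Agent is stopped"*|*"Failed to start"*|*"agent will exit"*)
      echo AGENT ;;
    *) echo OK ;;
  esac
}

# Read log text on stdin, print the distinct failing prerequisites (or OK).
triage_log() {
  failing=$(while IFS= read -r line; do
              classify_ssm_log_line "$line"
            done | grep -v '^OK$' | sort -u | tr '\n' ' ' | sed 's/ $//')
  [ -n "$failing" ] && echo "$failing" || echo OK
}

# Constructed sample: one IMDS/role failure, one permission failure, one
# network failure and one routine INFO line.
SAMPLE_LOG='2024-01-01 00:00:00 ERROR [CredentialRefresher] Retrieve credentials produced error: EC2RoleRequestError: no EC2 instance role found
2024-01-01 00:00:01 ERROR [HealthCheck] error when calling AWS APIs. error details - AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc is not authorized to perform: ssm:UpdateInstanceInformation
2024-01-01 00:00:02 ERROR [HealthCheck] error when calling AWS APIs. error details - RequestError: send request failed caused by: Post "https://ssm.us-east-1.amazonaws.com/": dial tcp 10.0.1.10:443: i/o timeout
2024-01-01 00:00:03 INFO [amazon-ssm-agent] [LongRunningWorkerContainer] Worker ssm-agent-worker is not running, starting worker process'

# The live checks, in the order of the troubleshooting list. Run with --live on the instance.
live_checks() {
  echo "# 1. agent service running?"
  systemctl is-active amazon-ssm-agent 2>/dev/null \
    || snap services amazon-ssm-agent 2>/dev/null || echo "agent service not found"

  echo "# 2/4. instance profile visible through IMDSv2?"
  token=$(curl -sS -X PUT "$IMDS/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
  curl -sS -H "X-aws-ec2-metadata-token: $token" "$IMDS/meta-data/iam/security-credentials/" \
    || echo "no role attached (or IMDS blocked)"
  echo
  region=$(curl -sS -H "X-aws-ec2-metadata-token: $token" "$IMDS/meta-data/placement/region")

  echo "# 3. TLS to the three required endpoints on 443?"
  for host in ssm ssmmessages ec2messages; do
    if curl -sS -o /dev/null -m 5 "https://$host.$region.amazonaws.com"; then
      echo "$host.$region reachable"
    else
      echo "$host.$region UNREACHABLE"
    fi
  done

  echo "# 5. recent agent errors, classified"
  tail -n 20 "$SSM_LOG_DIR/errors.log" 2>/dev/null \
    | while IFS= read -r l; do printf '%-8s %s\n' "$(classify_ssm_log_line "$l")" "$l"; done
}

case "${1:-}" in
  --live) live_checks ;;
  *) printf '%s\n' "$SAMPLE_LOG" | triage_log ;;   # offline demo: prints "IAM NETWORK"
esac
```

The endpoint check only verifies that a TLS connection completes; any HTTP status back from the service is fine for this purpose, while a timeout or resolution failure means a route, security group or DNS (private DNS on the endpoint) problem. Note that the same IAM class covers two different root causes, a missing instance profile and an insufficient policy, which is why the script prints the raw line next to the classification.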
Exam Tips
1. Remember the Three Prerequisites: When instances are not appearing in Systems Manager, think of the trilogy - SSM Agent installed and running, IAM instance profile attached with the right permissions, and network connectivity to the endpoints established
2. Pre-installed AMIs: Know that Amazon Linux, Amazon Linux 2, Ubuntu, and Windows Server AMIs have SSM Agent pre-installed. Custom or older AMIs may require manual installation
3. Port 443 Outbound: SSM Agent uses outbound HTTPS only. No inbound ports need to be opened, making it more secure than traditional SSH/RDP
4. VPC Endpoints for Private Networks: For instances in private subnets with no internet access, remember that VPC endpoints (ssm, ssmmessages, ec2messages) enable Systems Manager connectivity
5. Hybrid Activations: On-premises servers require a hybrid activation to register with Systems Manager and generate a Managed Instance ID starting with 'mi-'
6. Agent Updates: SSM Agent does not update itself unless you enable it. The best practice is a State Manager association that runs the AWS-UpdateSSMAgent document on a schedule (or the Fleet Manager agent auto-update setting), which keeps agents current without manual intervention
7. Instance Profile vs User Credentials: EC2 instances should use IAM instance profiles, not embedded credentials. This is both a security and functionality requirement
8. Session Manager Benefits: When questions mention secure access, no bastion hosts, or auditing shell sessions, Session Manager (which requires SSM Agent) is typically the answer
9. Managed Instance: Any resource with SSM Agent properly configured becomes a 'managed instance' in Systems Manager terminology
10. Cross-Account Management: Remember that SSM Agent communicates with Systems Manager in its own account. Cross-account management requires additional configuration