Amazon Systems Manager in Amazon Web Services in China
Amazon Systems Manager (formerly Amazon EC2 Systems Manager) is a unified interface that allows you to easily centralize operational data and automate tasks across your Amazon resources. Systems Manager shortens the time to detect and resolve operational problems in your infrastructure. Systems Manager gives you a complete view of your infrastructure performance and configuration, simplifies resource and application management, and makes it easy to operate and manage your infrastructure at scale.
Region availability
Amazon Systems Manager is available in the following Regions in China:
- Beijing Region
- Ningxia Region
How Amazon Systems Manager differs
The following differences apply to Amazon Systems Manager:
- General
  - Using Systems Manager to configure, access, and manage Amazon IoT Greengrass Version 2 devices is not available.
- Application Manager
  - Creating Amazon CloudFormation templates and stacks by using Application Manager is not available.
- Automation
  - The Automation aws:copyImage action is not available.
  - Concurrently running automations in multiple Amazon Web Services Regions and accounts is not available.
  - The following Automation actions for invoking APIs from other Amazon services are not available:
    - aws:executeAwsApi
    - aws:waitForAwsResourceProperty
    - aws:assertAwsResourceProperty
- Change Manager
  - The Change Manager capability is not available.
- Explorer
  - Creating resource data syncs is not available.
- Fleet Manager
  - To connect to a Windows Server managed instance using Fleet Manager’s Remote Desktop functionality, users must have been granted the correct IAM permissions for the Beijing and Ningxia Regions. See IAM permission policies for Fleet Manager Remote Desktop connections later in this page for policy examples.
- Incident Manager
  - The Incident Manager capability is not available.
- OpsCenter
  - The markdown support feature in the OpsItem description field in the console is not available.
- Patch Manager
  - The Patch now feature in Patch Manager is not available.
  - Patch policies (a Quick Setup configuration) are not available.
- Quick Setup
  - The Quick Setup capability is not available.
- Session Manager
  - To download the Session Manager plugin for Systems Manager, for use on your local machine, use the following URLs:
    - Windows Server: https://s3.cn-north-1.amazonaws.com.cn/session-manager-downloads/plugin/latest/windows/SessionManagerPluginSetup.exe
    - Linux 32-bit: https://s3.cn-north-1.amazonaws.com.cn/session-manager-downloads/plugin/latest/linux_32bit/session-manager-plugin.rpm
    - Linux 64-bit: https://s3.cn-north-1.amazonaws.com.cn/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm
    - Ubuntu Server 32-bit: https://s3.cn-north-1.amazonaws.com.cn/session-manager-downloads/plugin/latest/ubuntu_32bit/session-manager-plugin.deb
    - Ubuntu Server 64-bit: https://s3.cn-north-1.amazonaws.com.cn/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb
- SSM Agent
  - Installation files for SSM Agent are available for both the Beijing and Ningxia Regions, for all supported operating systems. For information, see the following section, SSM Agent installation files in the Beijing and Ningxia Regions.
- State Manager
  - The following features aren’t supported:
    - Schedule Offset
    - TagOnCreate when creating a new State Manager association
SSM Agent installation files in the Beijing and Ningxia Regions
To install SSM Agent on Amazon Elastic Compute Cloud (Amazon EC2) instances, choose the appropriate installation file URL for your Amazon Web Services Region and operating system.
Amazon Linux
Use the following files when installing SSM Agent on Amazon Linux Amazon EC2 instances. For full instructions, see Manually installing SSM Agent on Amazon Linux instances.
- ARM64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_amd64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_amd64/amazon-ssm-agent.rpm
- x86_64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_amd64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_amd64/amazon-ssm-agent.rpm
- x86
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_386/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_386/amazon-ssm-agent.rpm
Amazon Linux 2
Use the following files when installing SSM Agent on Amazon Linux 2 Amazon EC2 instances. For full instructions, see Manually installing SSM Agent on Amazon Linux 2 instances.
- ARM64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_amd64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_amd64/amazon-ssm-agent.rpm
- x86_64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_amd64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_amd64/amazon-ssm-agent.rpm
CentOS
Use the following files when installing SSM Agent on CentOS Amazon EC2 instances. For full instructions, see Manually installing SSM Agent on CentOS instances
CentOS 8
- ARM64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_arm64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_arm64/amazon-ssm-agent.rpm
- x86_64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_amd64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_amd64/amazon-ssm-agent.rpm
CentOS 7
- ARM64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_arm64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_arm64/amazon-ssm-agent.rpm
- x86_64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_amd64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_amd64/amazon-ssm-agent.rpm
CentOS 6
- ARM64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/3.0.1390.0/linux_386/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/3.0.1390.0/linux_386/amazon-ssm-agent.rpm
- x86_64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/3.0.1390.0/linux_amd64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/3.0.1390.0/linux_amd64/amazon-ssm-agent.rpm
CentOS Stream 8
Use the following files when installing SSM Agent on CentOS Stream Amazon EC2 instances. For full instructions, see Manually installing SSM Agent on CentOS Stream instances
- ARM64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_arm64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_arm64/amazon-ssm-agent.rpm
- x86_64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_amd64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_amd64/amazon-ssm-agent.rpm
Debian Server
Use the following files when installing SSM Agent on Debian Server Amazon EC2 instances. For full instructions, see Manually installing SSM Agent on Debian Server instances
- ARM64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/debian_arm64/amazon-ssm-agent.deb
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/debian_arm64/amazon-ssm-agent.deb
- x86_64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/debian_amd64/amazon-ssm-agent.deb
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/debian_amd64/amazon-ssm-agent.deb
Oracle Linux
Use the following files when installing SSM Agent on Oracle Linux Amazon EC2 instances. For full instructions, see Manually installing SSM Agent on Oracle Linux instances
- x86_64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_amd64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_amd64/amazon-ssm-agent.rpm
Red Hat Enterprise Linux (RHEL)
Use the following files when installing SSM Agent on RHEL Amazon EC2 instances. For full instructions, see Manually installing SSM Agent on RHEL instances
RHEL 8
- ARM64
  - Beijing Region: https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_arm64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_arm64/amazon-ssm-agent.rpm
- x86_64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_amd64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_amd64/amazon-ssm-agent.rpm
RHEL 7
- ARM64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_arm64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_arm64/amazon-ssm-agent.rpm
- x86_64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_amd64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_amd64/amazon-ssm-agent.rpm
RHEL 6
- x86_64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/3.0.1390.0/linux_amd64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/3.0.1390.0/linux_amd64/amazon-ssm-agent.rpm
- x86
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/3.0.1390.0/linux_386/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/3.0.1390.0/linux_386/amazon-ssm-agent.rpm
Rocky Linux
Use the following files when installing SSM Agent on Rocky Linux Amazon EC2 instances. For full instructions, see Manually installing SSM Agent on Rocky Linux instances
- ARM64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_arm64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_arm64/amazon-ssm-agent.rpm
- x86_64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_amd64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_amd64/amazon-ssm-agent.rpm
SUSE Enterprise Linux Server (SLES)
Use the following files when installing SSM Agent on SLES Amazon EC2 instances. For full instructions, see Manually installing SSM Agent on SLES instances
- ARM64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_arm64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_arm64/amazon-ssm-agent.rpm
- x86_64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_amd64/amazon-ssm-agent.rpm
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/linux_amd64/amazon-ssm-agent.rpm
Ubuntu Server
Use the following files when installing SSM Agent on Ubuntu Server Amazon EC2 instances. For full instructions, see Manually installing SSM Agent on Ubuntu Server instances.
Ubuntu Server 20.10 STR & 20.04, 18.04, and 16.04 LTS 64-bit (Snap)
Installation on these versions of Ubuntu Server uses the Snap format instead of installation commands with URLs for installation files. For instructions, see Install SSM Agent on Ubuntu Server 20.10 STR & 20.04, 18.04, and 16.04 LTS 64-bit (Snap).
Ubuntu Server 16.04 and 14.04 64-bit (deb)
- x86_64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/debian_amd64/amazon-ssm-agent.deb
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/debian_amd64/amazon-ssm-agent.deb
Ubuntu Server 16.04 and 14.04 32-bit
- x86
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/debian_386/amazon-ssm-agent.deb
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/debian_386/amazon-ssm-agent.deb
Windows Server
Use the following files when installing SSM Agent on Windows Server Amazon EC2 instances. For full instructions, see Manually installing SSM Agent on Windows Server instances
- x86_64
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/windows_amd64/AmazonSSMAgentSetup.exe
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/windows_amd64/AmazonSSMAgentSetup.exe
- x86
  - Beijing Region: https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/windows_386/AmazonSSMAgentSetup.exe
  - Ningxia Region: https://s3.cn-northwest-1.amazonaws.com.cn/amazon-ssm-cn-northwest-1/latest/windows_386/AmazonSSMAgentSetup.exe
IAM permission policies for Fleet Manager Remote Desktop connections
The following are example IAM policies that you can attach to a user or role to allow different types of interaction with Remote Desktop in the Beijing and Ningxia Regions. Replace each example resource placeholder with your own information.
Standard policy for connecting to EC2 instances
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EC2",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances",
            "ec2:GetPasswordData"
          ],
          "Resource": "*"
        },
        {
          "Sid": "SSM",
          "Effect": "Allow",
          "Action": [
            "ssm:DescribeInstanceProperties",
            "ssm:GetCommandInvocation",
            "ssm:GetInventorySchema"
          ],
          "Resource": "*"
        },
        {
          "Sid": "TerminateSession",
          "Effect": "Allow",
          "Action": [
            "ssm:TerminateSession"
          ],
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "ssm:resourceTag/aws:ssmmessages:session-id": [
                "${aws:userid}"
              ]
            }
          }
        },
        {
          "Sid": "SSMStartSession",
          "Effect": "Allow",
          "Action": [
            "ssm:StartSession"
          ],
          "Resource": [
            "arn:aws-cn:ec2:*:111122223333:instance/*",
            "arn:aws-cn:ssm:*:111122223333:managed-instance/*",
            "arn:aws-cn:ssm:*::document/AWS-StartPortForwardingSession"
          ],
          "Condition": {
            "ForAnyValue:StringEquals": {
              "aws:CalledVia": "ssm-guiconnect.amazonaws.com"
            }
          }
        },
        {
          "Sid": "GuiConnect",
          "Effect": "Allow",
          "Action": [
            "ssm-guiconnect:CancelConnection",
            "ssm-guiconnect:GetConnection",
            "ssm-guiconnect:StartConnection",
            "ssm-guiconnect:ListConnections"
          ],
          "Resource": "*"
        }
      ]
    }
Policy for connecting to EC2 instances with specific tags
Note
In the following IAM policy, the SSMStartSession section requires an Amazon Resource Name (ARN) for the ssm:StartSession action. As shown, the ARN you specify does not require an Amazon Web Services account ID. If you specify an account ID, Fleet Manager returns an AccessDeniedException. The AccessTaggedInstances section, which is located lower in the example policy, also requires ARNs for ssm:StartSession. For those ARNs, you do specify Amazon Web Services account IDs.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EC2",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances",
            "ec2:GetPasswordData"
          ],
          "Resource": "*"
        },
        {
          "Sid": "SSM",
          "Effect": "Allow",
          "Action": [
            "ssm:DescribeInstanceProperties",
            "ssm:GetCommandInvocation",
            "ssm:GetInventorySchema"
          ],
          "Resource": "*"
        },
        {
          "Sid": "SSMStartSession",
          "Effect": "Allow",
          "Action": [
            "ssm:StartSession"
          ],
          "Resource": [
            "arn:aws-cn:ssm:*::document/AWS-StartPortForwardingSession"
          ],
          "Condition": {
            "ForAnyValue:StringEquals": {
              "aws:CalledVia": "ssm-guiconnect.amazonaws.com"
            }
          }
        },
        {
          "Sid": "AccessTaggedInstances",
          "Effect": "Allow",
          "Action": [
            "ssm:StartSession"
          ],
          "Resource": [
            "arn:aws-cn:ec2:*:111122223333:instance/*",
            "arn:aws-cn:ssm:*:111122223333:managed-instance/*"
          ],
          "Condition": {
            "StringLike": {
              "ssm:resourceTag/tag key": [
                "tag value"
              ]
            }
          }
        },
        {
          "Sid": "GuiConnect",
          "Effect": "Allow",
          "Action": [
            "ssm-guiconnect:CancelConnection",
            "ssm-guiconnect:GetConnection",
            "ssm-guiconnect:StartConnection",
            "ssm-guiconnect:ListConnections"
          ],
          "Resource": "*"
        }
      ]
    }
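The ARN rules in the preceding note can be checked before a policy is attached. The following is an added example, not code from the Amazon documentation: a small linter for `ssm:StartSession` statements that flags a document ARN carrying an account ID, a tag-scoped ARN missing one, a partition other than `aws-cn`, and placeholders left unreplaced. The names `lint_policy` and `SAMPLE_POLICY` and the account ID `444455556666` are constructed for illustration.

```python
import json
import re

# Placeholders from the page's example policies; replace them before use.
PLACEHOLDER_ACCOUNT = "111122223333"
PLACEHOLDER_TAG_KEY, PLACEHOLDER_TAG_VALUE = "tag key", "tag value"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json):
    """Return (Sid, finding) tuples for ssm:StartSession statements (exact action match)."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        if "ssm:StartSession" not in _as_list(stmt.get("Action", [])):
            continue
        conditions = stmt.get("Condition", {})
        tag_scoped = any(key.startswith("ssm:resourceTag/")
                         for op in conditions.values() for key in op)
        for arn in _as_list(stmt.get("Resource", [])):
            parts = arn.split(":", 5)
            if len(parts) != 6 or parts[0] != "arn":
                continue  # "*" or another non-ARN resource
            partition, account, resource = parts[1], parts[4], parts[5]
            is_document = resource.startswith("document/")
            if partition != "aws-cn":
                findings.append((sid, f"partition '{partition}' is not aws-cn: {arn}"))
            if is_document and re.fullmatch(r"\d{12}", account):
                findings.append((sid, f"document ARN carries an account ID: {arn}"))
            if tag_scoped and not is_document and account == "":
                findings.append((sid, f"tag-scoped ARN lacks an account ID: {arn}"))
            if account == PLACEHOLDER_ACCOUNT:
                findings.append((sid, f"placeholder account ID not replaced: {arn}"))
        for op in conditions.values():
            for key, values in op.items():
                if (key.endswith("/" + PLACEHOLDER_TAG_KEY)
                        or PLACEHOLDER_TAG_VALUE in _as_list(values)):
                    findings.append((sid, f"placeholder tag condition not replaced: {key}"))
    return findings

# Constructed sample with four deliberate mistakes (not a policy from the page).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "SSMStartSession", "Effect": "Allow", "Action": ["ssm:StartSession"],
     "Resource": ["arn:aws-cn:ssm:*:444455556666:document/AWS-StartPortForwardingSession"],
     "Condition": {"ForAnyValue:StringEquals":
                   {"aws:CalledVia": "ssm-guiconnect.amazonaws.com"}}},
    {"Sid": "AccessTaggedInstances", "Effect": "Allow", "Action": ["ssm:StartSession"],
     "Resource": ["arn:aws:ec2:*:444455556666:instance/*",
                  "arn:aws-cn:ssm:*::managed-instance/*"],
     "Condition": {"StringLike": {"ssm:resourceTag/tag key": ["tag value"]}}},
]})

if __name__ == "__main__":
    for sid, finding in lint_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

Run against the page's example policies unchanged, the linter reports the `111122223333` and `tag key` placeholders, which is the intended reminder to replace them.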
Policy for Amazon IAM Identity Center users to connect to EC2 instances
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SSO",
          "Effect": "Allow",
          "Action": [
            "sso:ListDirectoryAssociations*",
            "identitystore:DescribeUser"
          ],
          "Resource": "*"
        },
        {
          "Sid": "EC2",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances",
            "ec2:GetPasswordData"
          ],
          "Resource": "*"
        },
        {
          "Sid": "SSM",
          "Effect": "Allow",
          "Action": [
            "ssm:DescribeInstanceInformation",
            "ssm:DescribeInstanceProperties",
            "ssm:GetCommandInvocation",
            "ssm:GetInventorySchema"
          ],
          "Resource": "*"
        },
        {
          "Sid": "TerminateSession",
          "Effect": "Allow",
          "Action": [
            "ssm:TerminateSession"
          ],
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "ssm:resourceTag/aws:ssmmessages:session-id": [
                "${aws:userName}"
              ]
            }
          }
        },
        {
          "Sid": "SSMStartSession",
          "Effect": "Allow",
          "Action": [
            "ssm:StartSession"
          ],
          "Resource": [
            "arn:aws-cn:ec2:*:*:instance/*",
            "arn:aws-cn:ssm:*:*:managed-instance/*",
            "arn:aws-cn:ssm:*:*:document/AWS-StartPortForwardingSession"
          ],
          "Condition": {
            "ForAnyValue:StringEquals": {
              "aws:CalledVia": "ssm-guiconnect.amazonaws.com"
            }
          }
        },
        {
          "Sid": "SSMSendCommand",
          "Effect": "Allow",
          "Action": [
            "ssm:SendCommand"
          ],
          "Resource": [
            "arn:aws-cn:ec2:*:*:instance/*",
            "arn:aws-cn:ssm:*:*:managed-instance/*",
            "arn:aws-cn:ssm:*:*:document/AWSSSO-CreateSSOUser"
          ]
        },
        {
          "Sid": "GuiConnect",
          "Effect": "Allow",
          "Action": [
            "ssm-guiconnect:CancelConnection",
            "ssm-guiconnect:GetConnection",
            "ssm-guiconnect:StartConnection",
            "ssm-guiconnect:ListConnections"
          ],
          "Resource": "*"
        }
      ]
    }