Working with managed nodes - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Working with managed nodes

A managed node is any machine configured for Amazon Systems Manager. You can configure the following machine types as managed nodes:

  • Amazon Elastic Compute Cloud (Amazon EC2) instances

  • Servers on your own premises (on-premises servers)

  • Amazon IoT Greengrass core devices

  • Amazon IoT and non-Amazon edge devices

  • Virtual machines (VMs), including VMs in other cloud environments

Note

In the Systems Manager console, any machine whose ID is prefixed with "mi-" has been configured as a managed node using a hybrid activation. Edge devices display their Amazon IoT Thing name.

Amazon Systems Manager offers a standard-instances tier and an advanced-instances tier. Both support managed nodes in your hybrid and multicloud environment. The standard-instances tier allows you to register a maximum of 1,000 machines per Amazon Web Services account per Amazon Web Services Region. If you need to register more than 1,000 machines in a single account and Region, then use the advanced-instances tier. You can create as many managed nodes as you like in the advanced-instances tier. All managed nodes configured for Systems Manager are priced on a pay-per-use basis. For more information about enabling the advanced instances tier, see Turning on the advanced-instances tier. For more information about pricing, see Amazon Systems Manager Pricing.

Note
  • Advanced instances also allow you to connect to your non-EC2 nodes in a hybrid and multicloud environment by using Amazon Systems Manager Session Manager. Session Manager provides interactive shell access to your instances. For more information, see Amazon Systems Manager Session Manager.

  • The standard-instances quota also applies to EC2 instances that use a Systems Manager on-premises activation (which isn't a common scenario).

  • To patch applications released by Microsoft on on-premises servers and virtual machines (VMs), activate the advanced-instances tier. There is a charge to use the advanced-instances tier. There is no additional charge to patch applications released by Microsoft on Amazon Elastic Compute Cloud (Amazon EC2) instances. For more information, see About patching applications released by Microsoft on Windows Server.

Display managed nodes

If you don't see your managed nodes listed in the console, then do the following:

  1. Verify that the console is open in the Amazon Web Services Region where you created your managed nodes. You can switch Regions by using the list in the top, right corner of the console.

  2. Verify that the setup steps for your managed nodes meet Systems Manager requirements. For information, see Setting up Amazon Systems Manager.

  3. For non-EC2 machines, verify that you completed the hybrid activation process. For more information, see Setting up Systems Manager for hybrid and multicloud environments.

Note

  • The Fleet Manager console does not display Amazon EC2 nodes that have been terminated.

  • Systems Manager requires accurate time references in order to perform operations on your machines. If the date and time aren't set correctly on a managed node, the timestamp in the signature of the API requests that node sends might not be accepted, and operations on it can fail. For more information, see Use cases and best practices.

  • When you create or edit tags, the system can take up to one hour to display changes in the table filter.

  • After the status of a managed node has been Connection Lost for at least 30 days, the node might no longer be listed in the Fleet Manager console. To restore it to the list, the issue that caused the lost connection must be resolved. For troubleshooting tips, see Troubleshooting managed node availability.

Verify Systems Manager support on a managed node

Amazon Config provides Amazon Managed Rules, which are predefined, customizable rules that Amazon Config uses to evaluate whether your Amazon resource configurations comply with common best practices. Amazon Config Managed Rules include the ec2-instance-managed-by-systems-manager rule. This rule checks whether the Amazon EC2 instances in your account are managed by Systems Manager. For more information, see Amazon Config Managed Rules.

Increase security posture on managed nodes

For information about increasing your security posture against unauthorized root-level commands on your managed nodes, see Restricting access to root-level commands through SSM Agent.

Deregister managed nodes

You can deregister managed nodes at any time. For example, if you're managing multiple nodes with the same Amazon Identity and Access Management (IAM) role and you notice malicious behavior on any of them, you can deregister those machines immediately, in any number. For information about deregistering managed nodes, see Deregistering managed nodes in a hybrid and multicloud environment.
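The following script ties together the checks described on this page: the Config rule condition in Verify Systems Manager support (EC2 instances with no Systems Manager record), the Fleet Manager notes above (terminated instances are not listed; Connection Lost for 30 days or more), the "mi-" prefix convention for hybrid-activation nodes, the 1,000-node standard-tier quota, and the deregistration step in this section. It is an added example, not code from the Systems Manager documentation. The two inputs are constructed to mirror the shape of the boto3 responses from ec2.describe_instances() and ssm.describe_instance_information(), so the same functions can be fed live data; the instance IDs, timestamps and the "current time" are assumptions, and the quota count treats every "mi-" node as a hybrid-activation node. The AWS CLI command it emits, aws ssm deregister-managed-instance, is the real CLI operation for removing a hybrid-activation node.

```python
"""Reconcile EC2 instances against Systems Manager managed nodes, offline.

Added example (not from the Systems Manager documentation). EC2_RESERVATIONS
and SSM_INSTANCE_INFO are CONSTRUCTED samples shaped like
ec2.describe_instances()["Reservations"] and
ssm.describe_instance_information()["InstanceInformationList"]. The
1,000-node standard-tier quota and the 30-day Connection Lost window come
from the page; IDs, timestamps and NOW are assumptions.
"""
from datetime import datetime, timedelta, timezone

STANDARD_TIER_QUOTA = 1000   # nodes per account per Region, standard-instances tier
CONNECTION_LOST_DAYS = 30    # after this a node may drop out of the Fleet Manager list

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current" time

EC2_RESERVATIONS = [  # constructed sample, shape of ec2.describe_instances()
    {"Instances": [
        {"InstanceId": "i-0aaa11111111111aa", "State": {"Name": "running"}},
        {"InstanceId": "i-0bbb22222222222bb", "State": {"Name": "running"}},
        {"InstanceId": "i-0ccc33333333333cc", "State": {"Name": "terminated"}},
    ]},
]

SSM_INSTANCE_INFO = [  # constructed sample, shape of ssm.describe_instance_information()
    {"InstanceId": "i-0aaa11111111111aa", "PingStatus": "Online",
     "LastPingDateTime": NOW - timedelta(minutes=3)},
    {"InstanceId": "mi-0123456789abcdef0", "PingStatus": "Online",
     "LastPingDateTime": NOW - timedelta(minutes=1)},
    {"InstanceId": "mi-0fedcba987654321f", "PingStatus": "ConnectionLost",
     "LastPingDateTime": NOW - timedelta(days=45)},
]


def node_kind(instance_id):
    """Classify a node the way the console displays it: 'i-' is an EC2
    instance, 'mi-' a hybrid-activation node, anything else an edge device
    shown by its IoT Thing name."""
    if instance_id.startswith("mi-"):
        return "hybrid"
    if instance_id.startswith("i-"):
        return "ec2"
    return "edge"


def unmanaged_ec2_instances(reservations, instance_info):
    """EC2 instances with no Systems Manager record: the condition the Config
    managed rule ec2-instance-managed-by-systems-manager flags. Terminated
    instances are skipped, as Fleet Manager does not list them."""
    managed = {info["InstanceId"] for info in instance_info}
    missing = []
    for reservation in reservations:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] == "terminated":
                continue
            if inst["InstanceId"] not in managed:
                missing.append(inst["InstanceId"])
    return sorted(missing)


def stale_connection_lost(instance_info, now=NOW, days=CONNECTION_LOST_DAYS):
    """Nodes in Connection Lost for at least `days`: candidates to vanish
    from the Fleet Manager list until the underlying fault is fixed."""
    cutoff = now - timedelta(days=days)
    return sorted(
        info["InstanceId"] for info in instance_info
        if info["PingStatus"] == "ConnectionLost"
        and info["LastPingDateTime"] <= cutoff
    )


def hybrid_quota_status(instance_info, quota=STANDARD_TIER_QUOTA):
    """Count hybrid-activation nodes against the standard-tier quota."""
    hybrid = sum(1 for i in instance_info if node_kind(i["InstanceId"]) == "hybrid")
    return {"hybrid_nodes": hybrid,
            "remaining": max(quota - hybrid, 0),
            "needs_advanced_tier": hybrid > quota}


def deregister_commands(instance_ids):
    """AWS CLI commands to deregister hybrid-activation nodes; EC2 instances
    registered through their instance profile are not removed this way."""
    return [f"aws ssm deregister-managed-instance --instance-id {i}"
            for i in instance_ids if node_kind(i) == "hybrid"]


if __name__ == "__main__":
    print("Not managed by SSM:", unmanaged_ec2_instances(EC2_RESERVATIONS, SSM_INSTANCE_INFO))
    stale = stale_connection_lost(SSM_INSTANCE_INFO)
    print("Connection Lost >= 30 days:", stale)
    print("Standard-tier quota:", hybrid_quota_status(SSM_INSTANCE_INFO))
    for cmd in deregister_commands(stale):
        print("  ", cmd)
```

Run it as-is to see the report on the constructed data; to use it against an account, replace the two constants with the paginated results of the boto3 calls named above and set NOW to datetime.now(timezone.utc). Review the emitted deregister commands before running them, since deregistering a node stops all Systems Manager operations on it.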