Step 1: Complete Session Manager prerequisites - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 1: Complete Session Manager prerequisites

Before using Session Manager, make sure your environment meets the following requirements.

Session Manager prerequisites
Requirement Description

Supported operating systems

Session Manager supports connecting to Amazon Elastic Compute Cloud (Amazon EC2) instances, in addition to non-EC2 machines in your hybrid and multicloud environment that use the advanced-instances tier.

Session Manager supports the following operating system versions:

Note

Session Manager supports EC2 instances, edge devices, and on-premises servers and virtual machines (VMs) in your hybrid and multicloud environment that use the advanced-instances tier. For more information about advanced instances, see Configuring instance tiers.

Linux and macOS

Session Manager supports all the versions of Linux and macOS that are supported by Amazon Systems Manager. For information, see Supported operating systems and machine types.

Windows

Session Manager supports Windows Server 2012 through Windows Server 2022.

Note

Microsoft Windows Server 2016 Nano isn't supported.

SSM Agent

At minimum, Amazon Systems Manager SSM Agent version 2.3.68.0 or later must be installed on the managed nodes you want to connect to through sessions.

To use the option to encrypt session data using a key created in Amazon Key Management Service (Amazon KMS), version 2.3.539.0 or later of SSM Agent must be installed on the managed node.

To use shell profiles in a session, SSM Agent version 3.0.161.0 or later must be installed on the managed node.

To start a Session Manager port forwarding or SSH session, SSM Agent version 3.0.222.0 or later must be installed on the managed node.

To stream session data using Amazon CloudWatch Logs, SSM Agent version 3.0.284.0 or later must be installed on the managed node.

For information about how to determine the version number running on an instance, see Checking the SSM Agent version number. For information about manually installing or automatically updating SSM Agent, see Working with SSM Agent.

About the ssm-user account

Starting with version 2.3.50.0 of SSM Agent, the agent creates a user account on the managed node, with root or administrator permissions, called ssm-user. (On versions before 2.3.612.0, the account is created when SSM Agent starts or restarts. On version 2.3.612.0 and later, ssm-user is created the first time a session starts on the managed node.) Sessions are launched using the administrative credentials of this user account. For information about restricting administrative control for this account, see Turn off or turn on ssm-user account administrative permissions.

ssm-user on Windows Server domain controllers

Beginning with SSM Agent version 2.3.612.0, the ssm-user account isn't created automatically on managed nodes that are used as Windows Server domain controllers. To use Session Manager on a Windows Server machine being used as a domain controller, you must create the ssm-user account manually if it isn't already present, and assign Domain Administrator permissions to the user. On Windows Server, SSM Agent sets a new password for the ssm-user account each time a session starts, so you don't need to specify a password when you create the account.

Connectivity to endpoints

The managed nodes you connect to must also allow HTTPS (port 443) outbound traffic to the following endpoints:

  • ec2messages.region.amazonaws.com.cn

  • ssm.region.amazonaws.com.cn

  • ssmmessages.region.amazonaws.com.cn

For more information, see the following topics:

Alternatively, you can connect to the required endpoints by using interface endpoints. For more information, see Step 6: (Optional) Use Amazon PrivateLink to set up a VPC endpoint for Session Manager.

Amazon CLI

(Optional) If you use the Amazon Command Line Interface (Amazon CLI) to start your sessions (instead of using the Amazon Systems Manager console or Amazon EC2 console), version 1.16.12 or later of the CLI must be installed on your local machine.

You can call aws --version to check the version.

If you need to install or upgrade the CLI, see Installing the Amazon Command Line Interface in the Amazon Command Line Interface User Guide.

Important

An updated version of SSM Agent is released whenever new capabilities are added to Systems Manager or updates are made to existing capabilities. Failing to use the latest version of the agent can prevent your managed node from using various Systems Manager capabilities and features. For that reason, we recommend that you automate the process of keeping SSM Agent up to date on your machines. For information, see Automating updates to SSM Agent. Subscribe to the SSM Agent Release Notes page on GitHub to get notifications about SSM Agent updates.

In addition, to use the CLI to manage your nodes with Session Manager, you must first install the Session Manager plugin on your local machine. For information, see Install the Session Manager plugin for the Amazon CLI.

Turn on advanced-instances tier (hybrid and multicloud environments)

To connect to non-EC2 machines using Session Manager, you must turn on the advanced-instances tier in the Amazon Web Services account and Amazon Web Services Region where you create hybrid activations to register non-EC2 machines as managed nodes. There is a charge to use the advanced-instances tier. For more information about the advanced-instance tier, see Configuring instance tiers.

Verify IAM service role permissions (hybrid and multicloud environments)

Hybrid-activated nodes use the Amazon Identity and Access Management (IAM) service role specified in the hybrid activation to communicate with Systems Manager API operations. This service role must contain the permissions required to connect to your hybrid and multicloud machines using Session Manager. If your service role contains the Amazon managed policy AmazonSSMManagedInstanceCore , the required permissions for Session Manager are already provided.

If you find that the service role does not contain the required permissions, you must deregister the managed instance and register it with a new hybrid activation that uses an IAM service role with the required permissions. For more information about deregistering managed instances, see Deregistering managed nodes in a hybrid and multicloud environment. For more information about creating IAM policies with Session Manager permissions, see Step 2: Verify or add instance permissions for Session Manager.