Setting up Systems Manager unified console for an organization
The setup process for the Systems Manager unified console experience is completed from the Amazon Web Services Management Console with just a few clicks. To set up Systems Manager for an Amazon Organizations organization, you must have access to the management account for your organization and another account in your organization to use as a delegated administrator. Access to the management account is only required to enable or disable Systems Manager. To manage your nodes, you'll use the delegated administrator account. When managing nodes across an organization, Systems Manager uses various dependent services to set up and enhance the functionality of the unified console. As a result, Systems Manager must enable trusted access and register a delegated administrator account for the following services:
- Amazon CloudFormation – Deploys resources required for Systems Manager to your accounts.
- Amazon Resource Explorer – Searches and filters EC2 instances in your accounts.
- Amazon Systems Manager Explorer – Monitors and troubleshoots the health of resources deployed for Systems Manager in your accounts.
- Amazon Systems Manager Quick Setup – Deploys Quick Setup configurations required for Systems Manager to your accounts.
Before you begin setting up Systems Manager for an organization, make sure you're not already over the quota for delegated administrators for any of these dependent services. Otherwise, you won't be able to register the delegated administrator accounts necessary to enable Systems Manager. When you enable Systems Manager for an organization, every account in your organization is included. At this time, there is no provision for excluding accounts from the setting up process. When you enable Systems Manager, you can choose the Amazon Web Services Regions you want to include. Only Regions that currently support the unified console experience for Systems Manager can be selected. To learn more about the Regions where the console experience is available, see Supported Amazon Web Services Regions.
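The quota check above is worth scripting before you start, because a failed delegated-administrator registration surfaces only part-way through setup. The following is an added example, not AWS code: it parses JSON in the shape the AWS CLI prints for `aws organizations list-aws-service-access-for-organization` and `aws organizations list-delegated-administrators --service-principal <sp>`, using constructed inline samples so it runs offline. The four service principals and the per-service delegated-administrator limit are assumptions to confirm against current Organizations documentation.

```python
import json

# Assumed service principals for the four dependent services listed above.
DEPENDENT_SERVICES = {
    "cloudformation": "member.org.stacksets.cloudformation.amazonaws.com",
    "resource-explorer": "resource-explorer-2.amazonaws.com",
    "ssm-explorer": "ssm.amazonaws.com",
    "quick-setup": "ssm-quicksetup.amazonaws.com",
}
ASSUMED_DELEGATED_ADMIN_LIMIT = 3  # placeholder, not a published AWS value

# Constructed sample CLI output (same JSON shape as the real commands).
SERVICE_ACCESS_JSON = json.dumps({"EnabledServicePrincipals": [
    {"ServicePrincipal": "ssm.amazonaws.com"},
    {"ServicePrincipal": "member.org.stacksets.cloudformation.amazonaws.com"},
]})
DELEGATED_JSON = {
    "member.org.stacksets.cloudformation.amazonaws.com": json.dumps({"DelegatedAdministrators": [
        {"Id": "111111111111"}, {"Id": "222222222222"}, {"Id": "333333333333"}]}),
    "resource-explorer-2.amazonaws.com": json.dumps({"DelegatedAdministrators": []}),
    "ssm.amazonaws.com": json.dumps({"DelegatedAdministrators": [{"Id": "444444444444"}]}),
    "ssm-quicksetup.amazonaws.com": json.dumps({"DelegatedAdministrators": []}),
}


def precheck(candidate_account, service_access_json=SERVICE_ACCESS_JSON,
             delegated_json=DELEGATED_JSON, limit=ASSUMED_DELEGATED_ADMIN_LIMIT):
    """Return {service: status} for the account you intend to register.
    'ok': already registered or a slot is free; 'enable-trusted-access':
    setup will have to turn trusted access on first (informational);
    'quota': no delegated-administrator slot left, so setup will fail."""
    enabled = {e["ServicePrincipal"]
               for e in json.loads(service_access_json)["EnabledServicePrincipals"]}
    report = {}
    for name, principal in DEPENDENT_SERVICES.items():
        raw = delegated_json.get(principal, '{"DelegatedAdministrators": []}')
        admins = [a["Id"] for a in json.loads(raw)["DelegatedAdministrators"]]
        if candidate_account in admins:
            report[name] = "ok"
        elif len(admins) >= limit:
            report[name] = "quota"
        elif principal not in enabled:
            report[name] = "enable-trusted-access"
        else:
            report[name] = "ok"
    return report


def blocking_services(report):
    """Services that block setup until a delegated-administrator slot is freed."""
    return sorted(s for s, status in report.items() if status == "quota")
```

Replace the constructed samples with the real command output for each principal; any service reported as `quota` must have a delegated administrator deregistered before you enable Systems Manager.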
Note
If you've created an aggregator index for Resource Explorer in a Region different than your home Region, Systems Manager demotes the current index. Then, Systems Manager promotes the local index in your home Region as the new aggregator index. During this time, only nodes for your home Region are displayed. This process can take up to 24 hours to complete.
The setup process for the Systems Manager console experience completes many prerequisite tasks for you. This includes creating and attaching instance profiles with the required IAM permissions to your nodes and more. The following is a detailed list of the resources created by Systems Manager for the unified console.
IAM roles
- RoleForOnboardingAutomation – Allows Systems Manager to manage resources during the setup process. For more information about the policy, see AWSQuickSetupSSMManageResourcesExecutionPolicy.
- RoleForLifecycleManagement – Allows Lambda to manage the lifecycle of resources created by the setup process. For more information about the policy, see AWSQuickSetupSSMLifecycleManagementExecutionPolicy.
- RoleForAutomation – A service role that Systems Manager Automation assumes to run runbooks. For more information, see Create the service roles for Automation using the console.
- AWSSSMDiagnosisAdminRole – An administrative role used to start automations that use diagnosis runbooks. For more information about the policies, see AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy, AWS-SSM-Automation-DiagnosisBucketPolicy, and AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy.
- AWSSSMDiagnosisExecutionRole – An automation execution role for the diagnosis runbook. For more information about the policies, see AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy and AWS-SSM-Automation-DiagnosisBucketPolicy.
- AWSSSMRemediationAdminRole – An administrative role used to start automations that use remediation runbooks. For more information about the policies, see AWS-SSM-RemediationAutomation-AdministrationRolePolicy, AWS-SSM-Automation-DiagnosisBucketPolicy, and AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy.
- AWSSSMRemediationExecutionRole – An automation execution role for the remediation runbook. For more information about the policies, see AWS-SSM-RemediationAutomation-ExecutionRolePolicy and AWS-SSM-Automation-DiagnosisBucketPolicy.
- ManagedInstanceCrossAccountManagementRole – Allows Systems Manager to gather managed node information across accounts.
State Manager associations
- EnableDHMCAssociation – Runs daily and ensures Default Host Management Configuration is enabled.
- SystemAssociationForManagingInstances – Runs every 30 days and ensures the AmazonSSMManagedInstanceCore policy is applied to the instance profiles attached to your nodes. If no instance profile is attached to a node, Systems Manager creates an instance profile with the AmazonSSMManagedInstanceCore policy and attaches it to the node. If your nodes already have an instance profile attached, the policy is appended to that instance profile. If the instance profile already contains the necessary permissions, no changes are made.
  Note
  If a node was launched by Amazon CloudFormation, the changes Systems Manager makes to the instance profile might cause Amazon CloudFormation to detect the resource as drifted.
- SystemAssociationForEnablingExplorer – Runs daily and ensures Explorer is enabled. Explorer is used to sync data from your managed nodes.
- EnableAREXAssociation – Runs daily and ensures Amazon Resource Explorer is enabled. Resource Explorer is used to determine which Amazon EC2 instances in your organization aren't managed by Systems Manager.
- SSMAgentUpdateAssociation – Runs every 14 days and ensures the latest available version of SSM Agent is installed on your managed nodes.
- SystemAssociationForInventoryCollection – Runs every 12 hours and collects inventory data from your managed nodes.
S3 buckets
- DiagnosisBucket – Stores data collected from the diagnosis runbook execution.
Lambda functions
- SSMLifecycleOperatorLambda – Allows principals to access all Amazon Systems Manager Quick Setup actions.
- SSMLifecycleResource – Custom resource that helps manage the lifecycle of resources created by the setup process.
Additionally, after the setup process completes you can select the Diagnose and remediate node task to automatically apply fixes to nodes that aren't reporting as managed by Systems Manager. This can include identifying issues such as network connectivity issues to the Systems Manager endpoints, and more.
To set up Systems Manager for an organization
1. Log in to the management account for your organization. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.
2. Enter the ID of the account you want to register as a delegated administrator.
3. After the delegated administrator account is successfully registered, log in to the delegated administrator account you just registered and return to the Systems Manager console to finish setting up Systems Manager.
4. Select Enable Systems Manager.
5. In the Home Region section, you determine the Region where you want Systems Manager to aggregate your node data. By default, Systems Manager selects the Region you're currently using. To choose a different home Region, change the console to the Region you want to use before you set up Systems Manager. Node data is replicated across accounts and Regions for your organization and stored in the home Region. The Region you choose can't be changed after Systems Manager is set up. To use a different Region as the home Region for your organization, you must disable the unified console and complete the setup process again. If your organization uses IAM Identity Center, you must select the same Region where you set up IAM Identity Center as your home Region.
6. In the Regions section, select the Regions where you want to enable Systems Manager.
7. Choose Submit.
Depending on the size of your organization, it can take an extended amount of time to set up the Systems Manager unified console experience.