If you’re running a group of Amazon EC2 instances, or just a single instance, you may want to take advantage of Amazon SSM (Systems Manager). This service can help automate the management of your instances, and it’s available for free to all AWS customers. In this article, I’ll show you how to enable Amazon SSM for your group or individual EC2 instances. Let’s get started!

 

Login

Login to your AWS account

Access AWS IAM

 

Proceed to Services –> All Services.

Alternatively, just type in ‘IAM’ in the search field then hit Enter.

Click on the “Access Management” button from within Identity and Access Management (IAM) menu.
From there, click onto Policies to view a list of all available policies.

 

 

Create a Group that allows Amazon Systems Manager access

 

Select Access Management –>Policies

You should now see a list of policies. Instead of parsing this entire list we can search for the required policy.
Enter the following policy name in the search field ‘AmazonSSMManagedInstanceCore’ then hit Enter.

Select the “AmazonSSMManagedInstanceCore” policy in the search results.

Located on the right side of your screen you will notice a button labeled ‘Actions’.
Select the ‘Actions’ button and a drop-down list appears. From the drop-down list, select the ‘Attach’ option. 

Select Actions –>Attach

The previous ‘Attach’ action will open a new page allowing you to attach your policy to users, groups, or roles in your account. From this list, select the group or user you wish to attach your policy to. 
Note: Best Practice suggests that policies should be attached to groups instead of users.

From the list of policies, select the Group or User of your choice.

Once you have made your selection, select the “Attach Policy” button.

You will then see a message stating the policy attachment was successful. 

You can now use this group to control who has access to manage Amazon Systems Manager.
Place IAM users into this newly created group. They will have access to AWS Systems Manager unless explicitly denied in another policy.

 

 

Create a Role for your EC2 instances

 

If you are not already there, return to the Identity and Access Management (IAM) screen.
This time we wlll select the “Roles” option from the Access management menu.

 

Select Access management –> Roles

 

 

Located on the right side of your screen you will notice a button labeled ‘Create role’.

Select the Create role button. A new page will load with the following options:

  1. AWS Service
  2. AWS Account
  3. Web Identity
  4. SAML 2.0 federation
  5. Custom trust policy

The next step requires selecting the appropriate AWS service. For our purposes, we will choose ‘AWS Service’ then select ‘EC2’ from its list of options in the ‘Common use cases’ section.

Select AWS Service then EC2 from the Use case, Common use cases section.

 

 

Select the Next button located on the bottom-right side of your screen to apply the selections.

 

 

After the previous section a new “Add permissions” page loads.
From the list of Permission policies search for the policy named “AmazonSSMManagedInstanceCore”

Once found, select the Policy “AmazonSSMManagedInstanceCore”

 

Select the Next button located on the right side of your screen to apply the selections.

Supply a name for the new Role in Role details, Role name field.
Note: The json content in ‘Select trusted entities’ should not be modified

 

Find the “Create Role” button in the lower-right portion of the page.
Select Create Role to apply changes

 

The new Role is now created and may be added to your EC2 instances for management in AWS Systems Manager.
From the EC2 console you will Select Actions–>Security–>Modify IAM role

From the “Modify IAM role” page you will select your IAM role then select Save.

If the Amazon SSM Agent has been properly configured, instances will be accessible from AWS Systems Manager.