By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Unable to Connect to EC2 Instance via SSM Session Manager

0

I created an EC2 instance and attached an IAM role to it. However, I'm unable to connect to the instance using SSM Session Manager. Can you help me troubleshoot the issue?

Topics
ComputeManagement & Governance
Tags
Amazon EC2AWS Systems ManagerCompute
Language
English
Garre Sandeep
asked 13 days ago265 views
2 Answers
5
Accepted Answer

Hello Sandeep.

Verify IAM Role Permissions:

Ensure that the IAM role attached to your EC2 instance has the necessary permissions to interact with Systems Manager. The required permissions include AmazonSSMManagedInstanceCore managed policy or equivalent permissions.

You can attach the managed policy AmazonSSMManagedInstanceCore to your IAM role to grant the necessary permissions for Systems Manager.

Check Instance Status: Make sure that your EC2 instance is running and reachable over the network. If the instance is stopped or terminated, you won't be able to connect to it via Session Manager.

Verify that the instance is in a state where it can accept SSM connections. Instances should have the SSM agent installed and running. You can check the SSM agent status on the instance.

Security Group Configuration: Check the security group associated with your EC2 instance to ensure that it allows inbound and outbound traffic on the necessary ports for Session Manager. Inbound traffic on port 443 (HTTPS) is required for Session Manager connections.

Ensure that the security group allows traffic from the subnet where your Session Manager-managed instances are located.

Subnet Routing: Verify that the subnet where your EC2 instance resides has a route to the internet gateway (if the instance needs to communicate with Systems Manager endpoints over the internet). Instances in private subnets might require a NAT gateway or NAT instance for outbound internet access.

SSM Agent Configuration: Check the SSM agent logs on the EC2 instance for any errors or warnings that might indicate issues with the agent configuration or connectivity. The logs are typically located in /var/log/amazon/ssm/amazon-ssm-agent.log.

Instance Role Association: Ensure that the EC2 instance has the correct IAM role associated with it. You can verify this by checking the instance details in the EC2 console or by using the AWS CLI command aws ec2 describe-instances.

Check Session Manager Configuration: Verify that Session Manager is enabled in your AWS account and is configured correctly. You can check the Session Manager settings in the AWS Systems Manager console.

Network ACLs and VPC Endpoints:

If you're using network ACLs or VPC endpoints, ensure that they are configured to allow traffic to and from the Systems Manager endpoints. Session Manager communicates with Systems Manager endpoints in the AWS cloud.

Thanniru Anil Kumar
answered 13 days ago
profile picture
EXPERT
Oleksii Bebych
reviewed 13 days ago
profile picture
EXPERT
Adeleke Adebowale J
reviewed 13 days ago
profile pictureAWS
EXPERT
Didier_Durand
reviewed 13 days ago
4

Hi Garre Sandeep

  1. Check IAM Role Permissions: Make sure the IAM role attached to your EC2 instance has the necessary permissions to use AWS Systems Manager (SSM) Session Manager. The role should have the AmazonSSMManagedInstanceCore managed policy attached, which grants permissions required for SSM Session Manager.

  2. Verify EC2 Instance Configuration: Ensure that your EC2 instance is configured properly to communicate with AWS Systems Manager. This includes having the SSM agent installed and running on the instance. You can verify this by logging into the EC2 instance and checking if the SSM agent is running.

  3. Security Group Configuration: Check the security group associated with your EC2 instance. Make sure it allows inbound traffic on port 443 (HTTPS) from the IP range used by the SSM service (usually within the amazonaws.com domain).

  4. Subnet Routing: Ensure that your EC2 instance is in a subnet with a route to the internet gateway (if it's in a public subnet). This allows the instance to communicate with AWS services, including SSM.

  5. SSM Session Manager Configuration: Double-check the configuration of SSM Session Manager in the AWS Management Console. Make sure it's enabled for your AWS account and region.

  6. Logs and Errors: Check the CloudWatch logs for your EC2 instance and SSM Session Manager. Look for any error messages or logs that might indicate what's going wrong.

  7. Instance Tags: Ensure that your EC2 instance has the appropriate tags required for SSM Session Manager to identify and manage it. The instance should have a tag with the key aws:ec2:ssm:document-name and a value of AWS-StartSSHSession.

Pandurangaswamy
answered 13 days ago
profile picture
EXPERT
Adeleke Adebowale J
reviewed 13 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content