  • briannigl

The AWS Missing Link: SSM Agent Configuration in VPC Private Subnets

This article takes aim at an AWS online documentation issue we call “The AWS Missing Link”: missing steps that are all too common in AWS’ online documentation. If you have experience implementing AWS solutions that involve a considerable number of steps, you have no doubt found that the AWS online documentation glosses over a subject or omits one or more steps entirely.


We recently found this to be the case when deploying SSM Agent to EC2 instances in a private subnet that reach Systems Manager through a virtual private cloud endpoint (VPCE).


To let your managed EC2 instances show up in Systems Manager, you must add the DNS names of the SSM endpoint and the EC2 Messages endpoint to the SSM Agent JSON configuration file(s).


Once you’ve completed Step 6, (Optional) Create a Virtual Private Cloud Endpoint (https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html), for SSM and EC2 Messages, you need to update your SSM Agent JSON files with these endpoints.


Here are the missing steps:


AWS provides you with an amazon-ssm-agent.json.template file. On Linux, you can find the file in /etc/amazon/ssm/. On Windows, this file is located in C:\Program Files\Amazon\SSM\.


1. Create a copy of the .template file and name it amazon-ssm-agent.json.


2. Open the JSON file. The Mds Endpoint and Ssm Endpoint values are blank by default.


3. Update the Mds Endpoint with the DNS name of your EC2 Messages Endpoint.


4. Update the Ssm Endpoint with the DNS name of your SSM Endpoint.


A portion of an SSM Agent JSON file, showing an example of the Endpoint values, follows:

    "Mds": {
        "CommandWorkersLimit": 5,
        "StopTimeoutMillis": 20000,
        "Endpoint": "vpce-XXXXXXXX-yyyyyyyy.ec2messages.<region>.vpce.amazonaws.com",
        "CommandRetryLimit": 15
    },
    "Ssm": {
        "Endpoint": "vpce-XXXXXXXX-yyyyyyyy.ssm.<region>.vpce.amazonaws.com",
        "HealthFrequencyMinutes": 5,
        "CustomInventoryDefaultLocation": "",
        "AssociationLogsRetentionDurationHours": 24,
        "RunCommandLogsRetentionDurationHours": 336,
        "SessionLogsRetentionDurationHours": 336
    },


5. Save your JSON file.


6. Restart your SSM Agent.


You will now be able to register the EC2 instance in Systems Manager.
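As an added example (not code from the original post or from AWS), the following Python script carries out steps 1 through 5 on either Linux or Windows: it reads amazon-ssm-agent.json.template, fills in the Mds and Ssm Endpoint values, and writes amazon-ssm-agent.json beside the template. Before writing, it checks that each DNS name looks like an interface VPC endpoint, that the EC2 Messages name really goes into Mds and the SSM name into Ssm (the two are easy to swap, and a swapped pair leaves the instance unregistered with no obvious error), and that both endpoints sit in the same region. The sample template, the DNS-name regular expression and the per-platform restart commands are the example's own assumptions; the script prints the restart command for step 6 rather than running it.

```python
"""Fill the VPC endpoint DNS names into the SSM Agent JSON config (added example)."""
import json
import platform
import re
import sys
from pathlib import Path

# Restart commands for step 6 (assumption: systemd on Linux, AmazonSSMAgent service on Windows).
RESTART_COMMANDS = {
    "Linux": "sudo systemctl restart amazon-ssm-agent",
    "Windows": "Restart-Service AmazonSSMAgent",
}

# Interface VPC endpoint names have the shape
#   vpce-<id>-<suffix>.<service>.<region>.vpce.amazonaws.com
# (assumption for this example; the post shows the same shape with placeholders).
VPCE_DNS = re.compile(
    r"^vpce-[0-9a-z-]+\.(?P<service>[a-z0-9]+)\.(?P<region>[a-z0-9-]+)\.vpce\.amazonaws\.com$"
)

# Constructed stand-in for amazon-ssm-agent.json.template: the endpoints are blank by default.
SAMPLE_TEMPLATE = {
    "Mds": {"CommandWorkersLimit": 5, "StopTimeoutMillis": 20000, "Endpoint": "", "CommandRetryLimit": 15},
    "Ssm": {"Endpoint": "", "HealthFrequencyMinutes": 5},
}


def parse_endpoint(hostname):
    """Return (service, region) for an interface VPC endpoint DNS name, or None if it does not match."""
    m = VPCE_DNS.match(hostname.strip())
    return (m.group("service"), m.group("region")) if m else None


def validate_endpoints(ec2messages_endpoint, ssm_endpoint):
    """Return a list of problems (empty when the pair is usable): wrong shape, swapped services, mixed regions."""
    problems = []
    mds = parse_endpoint(ec2messages_endpoint)
    ssm = parse_endpoint(ssm_endpoint)
    if mds is None:
        problems.append(f"Mds endpoint {ec2messages_endpoint!r} is not an interface VPC endpoint DNS name")
    elif mds[0] != "ec2messages":
        problems.append(f"Mds endpoint must be the ec2messages endpoint, got service {mds[0]!r}")
    if ssm is None:
        problems.append(f"Ssm endpoint {ssm_endpoint!r} is not an interface VPC endpoint DNS name")
    elif ssm[0] != "ssm":
        problems.append(f"Ssm endpoint must be the ssm endpoint, got service {ssm[0]!r}")
    if mds and ssm and mds[1] != ssm[1]:
        problems.append(f"endpoints are in different regions: {mds[1]} vs {ssm[1]}")
    return problems


def render_config(template, ec2messages_endpoint, ssm_endpoint):
    """Steps 2-4: return a copy of the template dict with both Endpoint values set."""
    problems = validate_endpoints(ec2messages_endpoint, ssm_endpoint)
    if problems:
        raise ValueError("; ".join(problems))
    config = json.loads(json.dumps(template))  # deep copy; the template file stays untouched
    config.setdefault("Mds", {})["Endpoint"] = ec2messages_endpoint.strip()
    config.setdefault("Ssm", {})["Endpoint"] = ssm_endpoint.strip()
    return config


def write_config(template_path, ec2messages_endpoint, ssm_endpoint):
    """Steps 1 and 5: read the .template, fill the endpoints, write amazon-ssm-agent.json next to it."""
    template_path = Path(template_path)
    with open(template_path, encoding="utf-8") as f:
        template = json.load(f)
    config = render_config(template, ec2messages_endpoint, ssm_endpoint)
    out_path = template_path.with_name("amazon-ssm-agent.json")
    with open(out_path, "w", encoding="utf-8") as f:
        json.dump(config, f, indent=4)
        f.write("\n")
    return out_path


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("usage: fill_ssm_endpoints.py <path-to-amazon-ssm-agent.json.template> "
              "<ec2messages-vpce-dns> <ssm-vpce-dns>")
        sys.exit(2)
    written = write_config(sys.argv[1], sys.argv[2], sys.argv[3])
    print(f"wrote {written}")
    # Step 6 is left to the operator; print the command for this platform.
    print("now restart the agent:", RESTART_COMMANDS.get(platform.system(), "<restart SSM Agent>"))
```

Run it on the instance with the template path for your platform and the two DNS names copied from the VPC endpoint console; if it refuses the pair, the message tells you which of the two values is in the wrong slot or in the wrong region.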


Convergency LLC is an IT consulting and advisory firm that specializes in cloud architecture, cloud migration, cloud audit and security risk management services.
