I'm at my wit's end here! I'm trying to create a basic EC2 instance in a private network with SSM access, starting from a completely empty VPC. I've done tons of research and tried multiple options but still can't get it to work. I've used both Amazon Linux 2023 and Amazon Linux 2 AMIs that should have SSM installed. I've also included user data at startup, created service endpoints for SSM, added the necessary security group rules for port 443, and assigned the SSMRole to the EC2's IAM role. Yet, I keep encountering the same error: "SSM agent is not online. The SSM agent was unable to connect to a system manager endpoint to register itself with the service." I've spent around 6 hours trying to fix this by deleting and re-trying different options. Does anyone have a simple CloudFormation template or advice that could help me resolve this?
4 Answers
Your instance needs outbound internet access. If it’s a single instance, assign it a public IP with no inbound rules. For more instances, look into using a NAT gateway to manage network traffic.
Ensure your instance has the proper IAM permissions, access to service endpoints through a NAT gateway, or VPC endpoints. And do make sure the AMI you selected has the SSM agent included.
You don't need a user data script for Amazon Linux 2 because the SSM agent should start automatically. Double-check your network settings, especially if your EC2 is in a private subnet. If you're not routing correctly, the SSM agent won’t be able to connect. Also, consider temporarily adding a public IP so you can debug directly by SSHing into your instance and checking the logs.
I did add a public IP, and that worked, but I still don't understand the routing issues. The documentation is overwhelming!
It sounds like you might be missing an instance profile with the required SSM permissions. Make sure to assign the `AmazonSSMManagedInstanceCore` policy to your IAM role. There's a whole guide on this if you need it!
I swear I set that up, but I’ll double-check it again.
Yeah, that seems to be a critical missing piece. Thanks for clarifying!
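Pulling the pieces from the answers above together, here is a minimal CloudFormation template for exactly this setup: an empty VPC, one private subnet, no internet gateway, no NAT and no public IP, with the three SSM interface endpoints and an instance profile carrying AmazonSSMManagedInstanceCore. This is an added example written for this thread, not a template posted by anyone above or an official AWS sample; the CIDRs, the t3.micro type, the AL2023 AMI lookup parameter and the resource names are my own choices. The two details it is most careful about are the ones that usually produce the "unable to connect to a system manager endpoint" error even when the endpoints exist: `EnableDnsHostnames` defaults to false on `AWS::EC2::VPC`, which breaks private DNS for the endpoints, and the endpoint security group has to accept 443 from the instance.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Private-subnet EC2 instance reachable only via SSM (no IGW, NAT or public IP). Added example, not an AWS-provided template.

Parameters:
  LatestAmiId:
    # Assumed AMI: latest Amazon Linux 2023 x86_64, resolved from the public SSM parameter.
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64

Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16          # assumed CIDR
      # Both must be true, otherwise ssm.<region>.amazonaws.com and friends do not
      # resolve to the endpoint ENIs from inside the VPC. EnableDnsHostnames is
      # false by default in CloudFormation.
      EnableDnsSupport: true
      EnableDnsHostnames: true

  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
      MapPublicIpOnLaunch: false
  # No route table resources: the VPC's main route table only has the local
  # route, and interface endpoints need nothing more than that.

  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Private instance, no inbound, HTTPS out only
      VpcId: !Ref Vpc
      SecurityGroupEgress:
        # Declaring egress replaces the default allow-all rule. 443 to the VPC
        # CIDR is enough: the endpoint ENIs live inside the VPC, and traffic to
        # the VPC DNS resolver and to IMDS is not filtered by security groups.
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 10.0.0.0/16

  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS from the instance to the SSM endpoints
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref InstanceSecurityGroup

  # All three are needed: ssm registers the agent, ssmmessages carries Session
  # Manager sessions, ec2messages carries Run Command. Missing one gives a
  # "connected" instance that still cannot start a session.
  SsmEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref Vpc
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssm
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: [!Ref PrivateSubnet]
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
  SsmMessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref Vpc
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssmmessages
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: [!Ref PrivateSubnet]
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
  Ec2MessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref Vpc
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ec2messages
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: [!Ref PrivateSubnet]
      SecurityGroupIds: [!Ref EndpointSecurityGroup]

  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

  # An EC2 instance takes an instance profile, not a role. A role that is never
  # wrapped in a profile is the "I swear I set that up" case.
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref InstanceRole]

  Instance:
    Type: AWS::EC2::Instance
    DependsOn: [SsmEndpoint, SsmMessagesEndpoint, Ec2MessagesEndpoint]
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: t3.micro           # assumed type
      SubnetId: !Ref PrivateSubnet
      SecurityGroupIds: [!Ref InstanceSecurityGroup]
      IamInstanceProfile: !Ref InstanceProfile
      # No UserData: AL2023 and AL2 ship with amazon-ssm-agent installed and enabled.

Outputs:
  InstanceId:
    Value: !Ref Instance
```

After the stack is CREATE_COMPLETE, give the agent a minute and run `aws ssm describe-instance-information`; the instance should appear with `PingStatus: Online`, and `aws ssm start-session --target <instance-id>` should drop you into a shell with no public IP involved. If it stays offline, check the three things this template pins down, in this order: `aws ec2 describe-vpc-attribute --attribute enableDnsHostnames`, the endpoint security group's inbound 443 rule, and `aws ec2 describe-instances` showing a non-empty `IamInstanceProfile` on the instance. Only if all three are right is it worth the temporary public IP suggested above to read `/var/log/amazon/ssm/amazon-ssm-agent.log` on the box.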