Installing and Configuring SSM Agent on Linux


The Systems Manager Agent (SSM Agent) is at the heart of all the automation, management, and other tasks possible via Systems Manager. It must be installed on any machine managed by SSM. In this hands-on lab, we will manually install and configure SSM Agent on a Linux OS on an EC2 instance. We will then assign an appropriate SSM IAM role to our EC2 instance to be configured with Systems Manager. This lab assumes some knowledge of Linux — specifically, RHEL/CentOS package management and some general Linux skills.

Log in to the EC2 Instance via SSH

  • Open a terminal session, and log in to the EC2 instance provided on the lab page via SSH using the credentials listed: ssh <PUBLIC_IP_OF_EC2_INSTANCE>

Install the SSM Agent Using YUM

  1. Download and install the SSM Agent for this Linux machine (the EC2 instance in our case is a CentOS 7 system): wget sudo yum -y localinstall amazon-ssm-agent.rpm
  2. Enter the cloud_user password.

Log in to the AWS Console and Create IAM SSM Role for EC2

  1. In the browser, log in to the AWS console using the credentials provided on the lab page.
  2. Navigate to IAM > Roles.
  3. Click Create role.
  4. With AWS service selected as the type of trusted entity, select EC2 as the service that will use this role.
  5. Click Next: Permissions.
  6. In the search bar, type “AmazonEC2RoleforSSM”.
  7. Select this role, and click Next: Tags.
  8. Leave tags as default, and click Next: Review.
  9. Give your role the name “MyEC2SSMRole”.
  10. Click Create role. Give it a minute to finish creating.

Attach IAM Role to EC2 Instance

  1. Navigate to EC2 > Instances.
  2. Select the listed SSMInstallInstance instance.
  3. Select Actions > Instance Settings > Attach/Replace IAM Role.
  4. Select your IAM role in the dropdown.
  5. Click Apply and then Close.

Log Back in to Command Line of EC2 Instance

  1. In the terminal, enable SSM Agent:sudo systemctl enable amazon-ssm-agent
  2. Start SSM Agent:sudo systemctl start amazon-ssm-agent
  3. To confirm the SSM Agent has started and is running successfully, check its status:sudo systemctl status amazon-ssm-agentThe output should show an active (running) status.

Check Logs for SSM Agent and Enable Debug Logging for It

  1. Look at the SSM Agent log file:sudo tail -f /var/log/amazon/ssm/amazon-ssm-agent.logWe should see the SSM Agent has ongoing communication with Systems Manager.
  2. Press Ctrl+C to quit the process.
  3. Copy the example template to its original file name so it can be detected by SSM Agent:sudo cp /etc/amazon/ssm/seelog.xml.template /etc/amazon/ssm/seelog.xml
  4. Open the file you just copied:sudo vim /etc/amazon/ssm/seelog.xml
  5. Look for this line:<seelog type="adaptive" mininterval="2000000" maxinterval="100000000" critmsgcount="500" minlevel="info">Change minlevel="info" to minlevel="debug".
  6. Save and quit the file by pressing Escape followed by::wq!
  7. Restart SSM Agent:sudo systemctl restart amazon-ssm-agent
  8. Tail the SSM Agent’s log file to observe the newly enabled verbosity (debug):sudo tail -f /var/log/amazon/ssm/amazon-ssm-agent.log

Check Logs for SSM Agent and Enable Debug Logging for It

Login back to AWS Console, check if you can use SSM now.