AWS SSM session manager not showing instances


I added the policy AmazonSSMManagedInstanceCore to the instance profile of the Windows instance (which is running the SSM agent), but it doesn't show up under Session Manager.

It keeps saying: "There are no instances which are associated with the required IAM role." Any idea what is causing this?

(I've tried with an Amazon Linux 2 instance as well; same result.)

Edit: Yes, the instance is in a private subnet, with possibly no internet access, so this is the likely problem.


There are 3 answers

b.b3rn4rd (BEST ANSWER)

AWS Session Manager establishes communication with the EC2 instance through the SSM API (using WebSockets). The subnet your instance is in must have access to the internet, via a NAT gateway for example (if it's in a private subnet), or you must create the following VPC endpoints:

  • com.amazonaws.[region].ec2messages
  • com.amazonaws.[region].ssmmessages
Ivan

b.b3rn4rd is correct (just tested it): you need the two VPC endpoints for private subnets if you lack a NAT gateway

  • com.amazonaws.[region].ec2messages
  • com.amazonaws.[region].ssmmessages

but you need one more VPC endpoint for Systems Manager itself

  • com.amazonaws.[region].ssm

which you can see from AWS's own troubleshooting steps for when Systems Manager can't connect to the EC2 instance:

Verify connectivity to Systems Manager endpoints on port 443

The best method to verify connectivity depends on your operating system.

Important: In the following command examples, replace RegionID with your AWS Region ID.

For a list of Systems Manager endpoints by Region, see AWS Systems Manager endpoints and quotas.

...

nc -vz ssm.RegionID.amazonaws.com 443 
nc -vz ec2messages.RegionID.amazonaws.com 443 
nc -vz ssmmessages.RegionID.amazonaws.com 443 

You also need to make sure the security group the VPC endpoints are in has an inbound rule that allows all inbound TCP traffic from the SG the instances are placed in.

ABoringAI

Placing an instance in a private subnet will not be a problem for SSM if you have a NAT gateway configured for that private subnet (make sure the private subnet can reach the public internet: private subnet -> NAT gateway -> public subnet -> internet gateway).

There are three prerequisites for SSM to see the instances:

  1. The SSM agent must be running.
  2. IAM permission: attach the policy "AmazonSSMManagedInstanceCore" to the role that is attached to the instance (you may need to restart the instance after you attach the policy).
  3. Connectivity to the service endpoint (if you have changed the outbound rules, try allowing 0.0.0.0 for all traffic leaving the instance as a test).

Hope the above can solve your problem.
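The three prerequisites listed above, and the port 443 checks quoted in Ivan's answer, can be run from inside the instance as one script. This is an added example, not code from any of the answers or from AWS; it assumes a Linux instance with systemd, curl and nc installed, that the agent's unit is named amazon-ssm-agent (or the snap unit name used on Ubuntu), and that IMDSv2 is reachable at 169.254.169.254.

```shell
#!/bin/sh
# Added example (not from the thread): check the three Session Manager
# prerequisites from inside an EC2 instance.
# Assumptions: Linux with systemd, curl and nc available, IMDSv2 reachable.
set -u

# The three Systems Manager hostnames the agent must reach on TCP 443
# (ssm, ec2messages, ssmmessages), built for a given region.
ssm_endpoints() {
    region="$1"
    for svc in ssm ec2messages ssmmessages; do
        printf '%s.%s.amazonaws.com\n' "$svc" "$region"
    done
}

# Prerequisite 3: TCP connect to host:443 within 5 seconds, no data sent.
check_endpoint() {
    host="$1"
    nc -z -w 5 "$host" 443 >/dev/null 2>&1
}

# Prerequisite 1: is the agent service active? (unit names are assumptions:
# amazon-ssm-agent on Amazon Linux, the snap unit on Ubuntu)
check_agent() {
    systemctl is-active --quiet amazon-ssm-agent ||
        systemctl is-active --quiet snap.amazon-ssm-agent.amazon-ssm-agent.service
}

# Prerequisite 2: is an instance profile attached? IMDSv2 lists the role
# name under iam/security-credentials/; -f makes curl print nothing on 404.
instance_role() {
    token=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
    curl -sf -H "X-aws-ec2-metadata-token: $token" \
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
}

# Run all checks for one region; returns non-zero if any check fails.
run_checks() {
    region="$1"
    status=0
    if check_agent; then
        echo "[ok]   SSM agent is running"
    else
        echo "[FAIL] SSM agent is not running"; status=1
    fi
    role=$(instance_role) || role=""
    if [ -n "$role" ]; then
        echo "[ok]   instance profile role: $role"
    else
        echo "[FAIL] no instance profile attached (or IMDS blocked)"; status=1
    fi
    for host in $(ssm_endpoints "$region"); do
        if check_endpoint "$host"; then
            echo "[ok]   $host:443 reachable"
        else
            echo "[FAIL] $host:443 unreachable (NAT gateway or VPC endpoint missing?)"; status=1
        fi
    done
    return $status
}

# Usage: sh ssm_check.sh us-east-1
# With no region argument the script only defines the functions.
if [ -n "${1:-}" ]; then
    run_checks "$1"
fi
```

If only the endpoint checks fail, the fix is the NAT gateway or the ssm, ec2messages and ssmmessages interface endpoints (with a security group that admits 443 from the instance's SG); if the role check fails, the instance profile is missing or the policy was attached to a different role.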