Connecting to Managed Instances Using SSM Session Manager

1. Log in to the on-premises VM via SSH using the credentials provided:

   ssh cloud_user<ON_PREMISES_VM_IP>
   

2. Once you log in as cloud_user, there should be a file named ssm_commands.txt. This file should have a list of commands for setting up SSM Agent and registering it with SSM. For now, we'll only install SSM Agent and enable it for starting up on boot:

   sudo yum -y install https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
   

1. In a new terminal, log in to the main SSM node spun up for you by the lab:

   ssh cloud_user@<SSM_MAIN_NODE_IP>
   

   Once you log in as cloud_user, there should be a file named create_hybrid_activation.txt, which has commands for creating a hybrid activation, as well as some commands we'll use later.

2. Create a hybrid activation:

   aws ssm create-activation --default-instance-name MyOnPremInstance --iam-role SSMServiceRoleForActivation --registration-limit 1
   

3. The command above will return an ActivationID and an ActivationCode. Copy them into a file to use in the next step.

1. On the CLI of the on-premises VM, register with SSM (using the ActivationCode and ActivationId from the previous step/task):

   sudo amazon-ssm-agent -register -code "<ActivationCode>" -id "<ActivationId>" -region us-east-1
   

   You should see logs confirming successful registration of your on-premises VM with SSM.

2. Restart SSM Agent:

   sudo systemctl restart amazon-ssm-agent
   

Note: If for any reason the activation command fails, double-check your ActivationID and ActivationCode, as well as internet connectivity of your on-premises VM outbound port 443/HTTPS. Look in /var/log/amazon/ssm/amazon-ssm-agent.log for further troubleshooting hints.

Log back in to the SSM Main node as cloud_user and issue the following commands to find the newly registered on-premises VM's instance ID (which should start with mi) and log in to its shell using SSM API.

1. Find the on-premises registered VM's instance ID using the SSM API:

   aws ssm describe-instance-information
   

   In the output, you should only see one instance with the name MyOnPremInstance. Copy its InstanceId for the next command.

2. Log in to the shell of the on-premises managed SSM instance using the Session Manager session API:

   aws ssm start-session --target <ON_PREMISES_INSTANCE_ID>
   

   You're now logged in without using SSH.

1. Log in to the AWS Management Console with the credentials provided.
2. Navigate to EC2 and verify you see the EC2 instance named SSM-Setup-Via-GUI.
   • This instance already has SSM Agent installed.

1. Navigate to IAM.
2. Go into Roles.
3. Create a role and choose the AWS service EC2.
4. Head to Permissions, type "SSM" in the policy search bar, and select the policy AmazonEC2RoleforSSM.
5. Click Next, leave the tags as their default, and give your IAM role a name (e.g., "MyGUISSMRoleForEC2").
6. In the EC2 console, select the SSM-Setup-Via-GUI instance, go into its instance settings, and select Attach/Replace IAM Role.
7. In the dropdown, select the MyGUISSMRoleForEC2 you just created and click Apply.
8. Reboot the EC2 instance SSM-Setup-Via-GUI.

1. Navigate to the Systems Manager console and select Session Manager in the left-hand menu.
2. Click Start session. You might already see the on-premises instance we set up earlier in the lab. Wait a couple minutes for your newly configured SSM-Setup-Via-GUI instance to show up.
3. Once it does, select it, and click Start session. It should log you in to a browser-based shell session with your instance.