Introduction
AWS Systems Manager Session Manager gives you a shell on an EC2 instance over the SSM Agent's own outbound connection, so the instance needs no inbound SSH port, bastion host, or SSH key. An instance shows as "not connected" when the agent has not checked in with the Systems Manager service; until it does, you cannot start sessions, run commands, or otherwise manage the instance through SSM.
Symptoms
In the AWS Console:
Instance status: Connection lost
The instance is not connected to Session Manager.

Via AWS CLI:

```bash
$ aws ssm describe-instance-information --filters Key=InstanceIds,Values=i-abc123
{
    "InstanceInformationList": []
}
```

An empty list means Systems Manager has no record of the instance at all: the agent has never registered successfully, so look first at IAM, IMDS and network reachability. A record whose PingStatus is ConnectionLost means the agent did register once and something has changed since.

When trying to start a session:

```
TargetNotConnected: i-abc123 is not connected to the Session Manager.
```

Common Causes
- 1.SSM agent not running - Agent stopped or crashed on the instance
- 2.Missing IAM role - Instance doesn't have an IAM instance profile
- 3.IAM permissions incorrect - Role lacks required SSM permissions
- 4.No internet access - Private instance without a NAT gateway or VPC endpoints
- 5.VPC endpoints missing - Required endpoints not configured
- 6.SSM agent version outdated - Very old agent version
- 7.Proxy misconfiguration - Agent can't reach SSM endpoints through proxy
- 8.Security group restrictions - Outbound HTTPS (443) blocked by a security group or network ACL
Step-by-Step Fix
- 1.Check logs for specific error messages
- 2.Verify configuration settings
- 3.Test network connectivity
- 4.Review recent changes
- 5.Apply corrective action
- 6.Verify the fix
Step 1: Check Instance IAM Role

```bash
aws ec2 describe-instances --instance-ids i-abc123 \
  --query 'Reservations[*].Instances[*].IamInstanceProfile.Arn'
```

The agent obtains the role's credentials from the instance metadata service, so IMDS must also be enabled on the instance (`MetadataOptions.HttpEndpoint` is `enabled` in the same describe-instances output); an instance launched with IMDS disabled never gets credentials even with a correct profile. If the profile ARN is empty, attach an IAM role:
```bash
# Create instance profile if needed
aws iam create-instance-profile --instance-profile-name SSM-Instance-Profile

# Attach role to instance profile
# (SSM-Instance-Role must already exist and trust ec2.amazonaws.com)
aws iam add-role-to-instance-profile \
  --instance-profile-name SSM-Instance-Profile \
  --role-name SSM-Instance-Role

# Attach to instance
aws ec2 associate-iam-instance-profile \
  --instance-id i-abc123 \
  --iam-instance-profile Name=SSM-Instance-Profile
```

Associating a profile takes effect without a reboot. The agent polls for credentials on its own, but restarting it (Step 3) is the quickest way to make it pick up the new profile.
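The following script automates this step and the permission check in Step 2 from the operator's side. It is an added example, not code from the page or from AWS: it follows the chain instance, instance profile, role; confirms the role trusts EC2 and allows the Session Manager actions using the IAM policy simulator (which evaluates managed and inline policies plus permissions boundaries, but not SCPs); checks that IMDS is enabled; and reports the SSM ping status. The file name `ssm-iam-check.sh` and the function names are my own, and it assumes AWS CLI v2 with read access to ec2, iam and ssm.

```bash
#!/usr/bin/env bash
# ssm-iam-check.sh (assumed name): IAM-side triage for an SSM "not connected" instance.
# Added example, not code from the page. Needs AWS CLI v2 with read access to ec2, iam, ssm.
# Usage: ./ssm-iam-check.sh i-abc123 [region]
set -eu

# Actions Session Manager needs; AmazonSSMManagedInstanceCore grants these and more.
REQUIRED_ACTIONS="ssm:UpdateInstanceInformation ssmmessages:CreateControlChannel"
REQUIRED_ACTIONS="$REQUIRED_ACTIONS ssmmessages:CreateDataChannel ssmmessages:OpenControlChannel ssmmessages:OpenDataChannel"

# Last path element of an instance-profile ARN:
#   arn:aws:iam::123456789012:instance-profile/path/Name -> Name
profile_name_from_arn() { printf '%s\n' "${1##*/}"; }

# Input: "action<TAB>decision" lines from simulate-principal-policy --output text.
# Prints the actions whose decision is not "allowed"; prints nothing when all are allowed.
denied_actions() { printf '%s\n' "$1" | awk -F'\t' 'NF >= 2 && $2 != "allowed" { print $1 }'; }

# Exit 0 when a trust policy (JSON text) names the EC2 service principal.
trusts_ec2() { printf '%s' "$1" | grep -q '"ec2.amazonaws.com"'; }

# Human reading of describe-instance-information PingStatus ("None" = no record at all).
describe_ping() {
  case "$1" in
    Online)         echo "Online: agent is checking in; Session Manager should work" ;;
    ConnectionLost) echo "ConnectionLost: agent registered earlier but stopped checking in (review recent changes)" ;;
    None|"")        echo "no record: the agent has never registered (IAM, IMDS or network has never worked)" ;;
    *)              echo "$1" ;;
  esac
}

main() {
  id=$1; region=${2:-${AWS_DEFAULT_REGION:-us-east-1}}
  set -- $(aws ec2 describe-instances --region "$region" --instance-ids "$id" \
             --query 'Reservations[0].Instances[0].[IamInstanceProfile.Arn,MetadataOptions.HttpEndpoint]' \
             --output text)
  arn=$1 imds=$2
  [ "$imds" = "enabled" ] || echo "FAIL: IMDS endpoint is '$imds'; the agent fetches role credentials from IMDS"
  if [ "$arn" = "None" ]; then
    echo "FAIL: $id has no instance profile (Step 1)"; exit 1
  fi
  role=$(aws iam get-instance-profile --instance-profile-name "$(profile_name_from_arn "$arn")" \
           --query 'InstanceProfile.Roles[0].RoleName' --output text)
  [ "$role" != "None" ] || { echo "FAIL: instance profile $arn contains no role"; exit 1; }
  role_arn=$(aws iam get-role --role-name "$role" --query 'Role.Arn' --output text)
  trust=$(aws iam get-role --role-name "$role" --query 'Role.AssumeRolePolicyDocument' --output json)
  trusts_ec2 "$trust" || echo "FAIL: role $role does not trust ec2.amazonaws.com, so IMDS will serve no credentials"
  # Policy simulation evaluates managed + inline policies and permissions boundaries together.
  sim=$(aws iam simulate-principal-policy --policy-source-arn "$role_arn" \
          --action-names $REQUIRED_ACTIONS \
          --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output text)
  denied=$(denied_actions "$sim")
  if [ -z "$denied" ]; then echo "OK: $role allows all Session Manager actions"
  else printf 'FAIL: %s denies (Step 2):\n%s\n' "$role" "$denied"; fi
  ping=$(aws ssm describe-instance-information --region "$region" \
           --filters "Key=InstanceIds,Values=$id" \
           --query 'InstanceInformationList[0].PingStatus' --output text)
  echo "SSM: $(describe_ping "$ping")"
}

# Run the live checks only when an instance ID is supplied; the functions above are
# pure and can be sourced or tested without AWS access.
if [ $# -ge 1 ]; then main "$@"; fi
```

The simulator call is the part worth keeping even if you script nothing else: it answers "does this role actually allow `ssmmessages:OpenDataChannel`" regardless of how many managed policies, inline policies and boundaries are stacked on the role, which is the question a console glance at the policy list does not settle.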
Step 2: Verify IAM Role Permissions
The IAM role needs at least these permissions. The first statement is what Session Manager itself uses: `ssm:UpdateInstanceInformation` is the agent's heartbeat, and the `ssmmessages` actions carry the session. The S3 statement covers the regional AWS-owned buckets the agent downloads agent updates and package content from; replace `region` with the instance's region, and note that `s3:ListBucket` is a bucket-level action and has no effect when granted on object ARNs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:UpdateInstanceInformation",
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::aws-ssm-region/*",
        "arn:aws:s3:::aws-windows-downloads-region/*",
        "arn:aws:s3:::amazon-ssm-region/*"
      ]
    }
  ]
}
```

The simpler and recommended option is the AWS managed policy AmazonSSMManagedInstanceCore, which grants the ssm, ssmmessages and ec2messages actions (the last used by Run Command) on all resources; it does not include the S3 statement.

```bash
aws iam attach-role-policy \
  --role-name SSM-Instance-Role \
  --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
```

Step 3: Check SSM Agent Status
If you can still reach the instance another way (an existing SSH connection, EC2 Instance Connect, or the EC2 serial console):

```bash
# Amazon Linux 2 / RHEL / CentOS
sudo systemctl status amazon-ssm-agent
sudo systemctl restart amazon-ssm-agent

# Ubuntu (snap package)
sudo systemctl status snap.amazon-ssm-agent.amazon-ssm-agent.service
sudo snap restart amazon-ssm-agent

# Check agent logs; errors.log holds only the failures and is the faster read
tail -f /var/log/amazon/ssm/amazon-ssm-agent.log
tail -n 50 /var/log/amazon/ssm/errors.log
```

If the agent is not installed:

```bash
# Amazon Linux 2
sudo yum install -y amazon-ssm-agent
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent

# Ubuntu
sudo snap install amazon-ssm-agent --classic
sudo snap start amazon-ssm-agent
```

If there is no other way in, stop the instance and attach its root volume to a helper instance to repair the agent there, or rebuild from an AMI in which the agent is known to work.
Step 4: Verify Network Connectivity
Test whether the instance can reach the SSM endpoints:

```bash
# On the instance: every endpoint the agent uses
curl -v https://ssm.us-east-1.amazonaws.com
curl -v https://ssmmessages.us-east-1.amazonaws.com
curl -v https://ec2messages.us-east-1.amazonaws.com

# Check DNS resolution
nslookup ssm.us-east-1.amazonaws.com
```

Any HTTP response, including 403 or 404, means the endpoint is reachable; the agent signs its own requests, so an unauthenticated probe is expected to be refused at the application layer. A hang, a connection error, or a TLS error is the real finding. If the name resolves to a private address (10.x, 172.16-31.x, 192.168.x), a VPC endpoint with private DNS is in use; a public address means the instance needs a route to the internet. If the agent is configured to use a proxy, run the probes with the same `https_proxy` and `no_proxy` values the agent's systemd unit sets, and make sure `no_proxy` includes 169.254.169.254 so IMDS is not sent through the proxy.
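The following script packages the checks above into something you can run on the instance itself. It is an added example, not code from the page: it obtains the region and the role name from IMDSv2 (which also confirms the agent's credential source works), resolves each of the three endpoints and reports whether the name resolved to a private address (VPC endpoint private DNS in effect) or a public one, then classifies the curl result. The file name `ssm-netcheck.sh` and the `SSM_NETCHECK_LIVE` switch are my own; it needs only curl and a glibc `getent`, no AWS credentials.

```bash
#!/usr/bin/env bash
# ssm-netcheck.sh (assumed name): run ON the instance to test the path to the SSM endpoints.
# Added example, not code from the page. Needs curl and getent; no AWS credentials.
# Usage: SSM_NETCHECK_LIVE=1 ./ssm-netcheck.sh [region]
set -eu

IMDS=http://169.254.169.254/latest

# RFC 1918 test: an endpoint name resolving to a private address means VPC endpoint
# private DNS is in effect; a public address means the instance needs internet egress.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# Turn a curl exit code ($1) and HTTP status ($2, "000" when no response) into a diagnosis.
# Any HTTP status, even 403/404, proves TCP and TLS reached the service; the agent adds
# its own SigV4 authentication, so an unauthenticated probe is expected to be rejected.
diagnose() {
  case "$1" in
    0)     echo "reachable (HTTP $2)" ;;
    6)     echo "DNS failure: VPC DNS attributes, resolver, or proxy/no_proxy settings" ;;
    7)     echo "connect failed: route table, NACL, instance egress or endpoint SG ingress" ;;
    28)    echo "timeout: traffic silently dropped (SG egress, NACL, or no route)" ;;
    35|60) echo "TLS failure: a proxy or TLS-intercepting device is in the path" ;;
    *)     echo "curl exit $1 (HTTP $2)" ;;
  esac
}

# IMDSv2: the token is required when HttpTokens=required and harmless otherwise.
imds_get() {
  curl -sf --max-time 2 -H "X-aws-ec2-metadata-token: $TOKEN" "$IMDS/meta-data/$1"
}

main() {
  TOKEN=$(curl -sf --max-time 2 -X PUT "$IMDS/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || {
    echo "FAIL: IMDS unreachable; the agent cannot obtain instance identity or credentials"; exit 1; }
  region=${1:-$(imds_get placement/region)}
  echo "IMDS role: $(imds_get iam/security-credentials/ || echo '<none: attach an instance profile>')"
  for svc in ssm ssmmessages ec2messages; do
    host="$svc.$region.amazonaws.com"
    ip=$(getent ahostsv4 "$host" | awk 'NR == 1 { print $1 }') || ip=""
    if [ -n "$ip" ] && is_rfc1918 "$ip"; then path="via VPC endpoint ($ip)"
    else path="public address (${ip:-unresolved})"; fi
    # -w still prints "000" when curl fails, so $code is always set
    code=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "https://$host/") && rc=0 || rc=$?
    echo "$host $path: $(diagnose "$rc" "$code")"
  done
}

# Live probes run only when explicitly requested; the classification functions are pure.
if [ "${SSM_NETCHECK_LIVE:-0}" = 1 ]; then main "$@"; fi
```

Because the probes are unauthenticated, a 403 or 404 from every endpoint is the healthy result. When a proxy is involved, run it with the same `https_proxy` and `no_proxy` values the agent's systemd unit sets; the agent does not read your login shell's environment, so a probe that works from an interactive shell can still differ from what the agent sees.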
If the instance is in a private subnet with no NAT gateway or other route to the internet, check whether VPC endpoints exist:

```bash
# Check if VPC endpoints exist
aws ec2 describe-vpc-endpoints \
  --filters Name=vpc-id,Values=vpc-12345 Name=service-name,Values=com.amazonaws.us-east-1.ssm
```

Step 5: Create VPC Endpoints for Private Subnets
```bash
# Get VPC ID, subnet IDs (one per Availability Zone) and the security group for the endpoints
VPC_ID=vpc-12345
SUBNETS="subnet-1 subnet-2"
SG=sg-12345

# Create SSM endpoint (agent registration and heartbeat)
aws ec2 create-vpc-endpoint \
  --vpc-id $VPC_ID \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-east-1.ssm \
  --subnet-ids $SUBNETS \
  --security-group-ids $SG \
  --private-dns-enabled

# Create SSM Messages endpoint (for Session Manager)
aws ec2 create-vpc-endpoint \
  --vpc-id $VPC_ID \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-east-1.ssmmessages \
  --subnet-ids $SUBNETS \
  --security-group-ids $SG \
  --private-dns-enabled

# Create EC2 Messages endpoint (for Run Command)
aws ec2 create-vpc-endpoint \
  --vpc-id $VPC_ID \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-east-1.ec2messages \
  --subnet-ids $SUBNETS \
  --security-group-ids $SG \
  --private-dns-enabled
```

Private DNS is what makes the agent's requests for `ssm.us-east-1.amazonaws.com` land on the endpoint instead of the public address, and it only works when the VPC has both the enableDnsSupport and enableDnsHostnames attributes turned on; without them the endpoints exist but are never used. Create one endpoint per service per VPC, in a subnet of each Availability Zone the instances use, and give it a security group that accepts inbound 443 from the instances (Step 6).
Step 6: Check Security Group Rules
The instance security group must allow outbound HTTPS (443):

```bash
# Check outbound rules
aws ec2 describe-security-groups --group-ids sg-12345 \
  --query 'SecurityGroups[*].IpPermissionsEgress'

# Add outbound rule if missing (the permissive form; see the note below)
aws ec2 authorize-security-group-egress \
  --group-id sg-12345 \
  --protocol tcp \
  --port 443 \
  --cidr 0.0.0.0/0
```

For VPC endpoints, the endpoint security group must allow inbound HTTPS (443) from the instance security group, and the instance's egress rule then only needs to reach the endpoint: referencing the endpoint security group (or the VPC CIDR) as the destination instead of 0.0.0.0/0 keeps a compromised instance from using the same rule to talk to arbitrary hosts. If the subnet uses a custom network ACL, it must also allow outbound 443 and inbound ephemeral ports (1024-65535) for the return traffic.
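Steps 5 and 6 are where private-subnet setups most often go wrong, so here is a script, added as an example and not taken from the page, that checks them from the operator's side: the VPC DNS attributes, the presence and state of the three interface endpoints with private DNS on, and whether each endpoint's security group has a tcp/443 (or all-traffic) ingress rule that references one of the instance's security groups. The file name `ssm-vpc-check.sh` and the function names are my own; it assumes AWS CLI v2 with ec2 read access.

```bash
#!/usr/bin/env bash
# ssm-vpc-check.sh (assumed name): verify the VPC endpoint path for a private-subnet instance.
# Added example, not code from the page. Needs AWS CLI v2 with ec2 read access.
# Usage: ./ssm-vpc-check.sh i-abc123 [region]
set -eu

REQUIRED_SERVICES="ssm ssmmessages ec2messages"

# $1 region, $2 newline-separated ServiceName list present in the VPC.
# Prints the short names of required interface endpoints that are missing.
missing_services() {
  for s in $REQUIRED_SERVICES; do
    printf '%s\n' "$2" | grep -qx "com.amazonaws.$1.$s" || echo "$s"
  done
}

# $1 ingress rules, one per line: "proto<TAB>from<TAB>to<TAB>sg-list<TAB>cidr-list"
#    (comma-separated lists, "None" or empty when absent), as produced by the query in main.
# $2 comma-separated security group IDs of the instance.
# Prints "sg" when a tcp/443 (or all-traffic) rule references an instance SG,
# "cidr <list>" when only CIDR-based rules could apply, nothing when no rule matches.
port443_sources() {
  printf '%s\n' "$1" | awk -F'\t' -v sgs="$2" '
    BEGIN { n = split(sgs, want, ",") }
    $1 == "-1" || ($1 == "tcp" && $2 <= 443 && $3 >= 443) {
      for (i = 1; i <= n; i++) if (index("," $4 ",", "," want[i] ",")) found = 1
      if ($5 != "None" && $5 != "") cidrs = cidrs (cidrs == "" ? "" : ",") $5
    }
    END { if (found) print "sg"; else if (cidrs != "") print "cidr " cidrs }'
}

main() {
  id=$1; region=${2:-${AWS_DEFAULT_REGION:-us-east-1}}
  set -- $(aws ec2 describe-instances --region "$region" --instance-ids "$id" \
             --query 'Reservations[0].Instances[0].[VpcId,join(`,`,SecurityGroups[].GroupId)]' \
             --output text)
  vpc=$1 inst_sgs=$2
  # Private DNS on the endpoints only works when both VPC DNS attributes are on.
  dns_support=$(aws ec2 describe-vpc-attribute --region "$region" --vpc-id "$vpc" \
                  --attribute enableDnsSupport --query 'EnableDnsSupport.Value' --output text)
  dns_hostnames=$(aws ec2 describe-vpc-attribute --region "$region" --vpc-id "$vpc" \
                  --attribute enableDnsHostnames --query 'EnableDnsHostnames.Value' --output text)
  [ "$dns_support" = True ] && [ "$dns_hostnames" = True ] \
    || echo "FAIL: $vpc needs enableDnsSupport and enableDnsHostnames (got $dns_support/$dns_hostnames)"
  endpoints=$(aws ec2 describe-vpc-endpoints --region "$region" \
                --filters "Name=vpc-id,Values=$vpc" "Name=vpc-endpoint-type,Values=Interface" \
                --query 'VpcEndpoints[].[ServiceName,State,PrivateDnsEnabled,join(`,`,Groups[].GroupId)]' \
                --output text)
  missing=$(missing_services "$region" "$(printf '%s\n' "$endpoints" | cut -f1)")
  [ -z "$missing" ] || echo "FAIL: missing interface endpoints (Step 5): $(echo $missing)"
  printf '%s\n' "$endpoints" | while IFS="$(printf '\t')" read -r svc state pdns sgs; do
    case "$svc" in
      com.amazonaws.$region.ssm|com.amazonaws.$region.ssmmessages|com.amazonaws.$region.ec2messages) ;;
      *) continue ;;
    esac
    [ "$state" = available ] || echo "FAIL: $svc is $state"
    [ "$pdns" = True ] || echo "FAIL: $svc has private DNS disabled; the agent will resolve the public address"
    rules=$(aws ec2 describe-security-groups --region "$region" --group-ids $(echo "$sgs" | tr ',' ' ') \
              --query 'SecurityGroups[].IpPermissions[].[IpProtocol,FromPort,ToPort,join(`,`,UserIdGroupPairs[].GroupId),join(`,`,IpRanges[].CidrIp)]' \
              --output text)
    src=$(port443_sources "$rules" "$inst_sgs")
    case "$src" in
      sg)      echo "OK: $svc endpoint SG allows 443 from the instance SG" ;;
      cidr\ *) echo "CHECK: $svc endpoint SG allows 443 only from ${src#cidr }; confirm the instance subnet is inside" ;;
      *)       echo "FAIL: $svc endpoint SG ($sgs) has no 443 rule covering the instance (Step 6)" ;;
    esac
  done
}

# Run the live checks only when an instance ID is supplied; the functions above are pure.
if [ $# -ge 1 ]; then main "$@"; fi
```

A CIDR-only rule is reported as CHECK rather than OK because the script does no subnet arithmetic; confirm the instance subnet falls inside the listed ranges. Prefer the security-group reference anyway: it follows the instances as they are replaced and does not silently widen when the VPC grows.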
Step 7: Update SSM Agent
If the agent is old:

```bash
# Amazon Linux 2
sudo yum update amazon-ssm-agent -y
sudo systemctl restart amazon-ssm-agent

# Ubuntu
sudo snap refresh amazon-ssm-agent

# Verify version
sudo amazon-ssm-agent -version
```

From the console side, the AgentVersion field of describe-instance-information shows the last version the agent reported. If the instance is Online but outdated, Run Command with the AWS-UpdateSSMAgent document updates it without logging in.
Step 8: Check Agent Registration
```bash
# On the instance
cat /var/lib/amazon/ssm/registration
```

On a normal EC2 instance this file is usually absent: the agent identifies the instance with its identity document and takes credentials from the instance profile via IMDS, so a missing file is not by itself a fault. The file holds an activation only on hybrid-activated nodes (IDs starting with mi-), and deleting it there discards the activation, which then has to be redone with `amazon-ssm-agent -register`. If the file is present but corrupted, re-register:

```bash
# Stop agent
sudo systemctl stop amazon-ssm-agent

# Remove registration
sudo rm -f /var/lib/amazon/ssm/registration

# Start agent (auto-registers)
sudo systemctl start amazon-ssm-agent

# Check registration
sudo cat /var/lib/amazon/ssm/registration
```
Step 9: Verify Instance Appears in SSM
```bash
aws ssm describe-instance-information \
  --filters Key=InstanceIds,Values=i-abc123 \
  --query 'InstanceInformationList[*].[InstanceId,PingStatus,LastPingDateTime]'
```

Should show PingStatus: Online with a recent timestamp. The agent reports in every few minutes, so allow a short wait after a fix before concluding it has not worked.
Step 10: Test Session Manager
```bash
# Start session
aws ssm start-session --target i-abc123

# Should open interactive shell
```

The CLI needs the Session Manager plugin installed on the client; a `SessionManagerPlugin is not found` message is a client-side problem, not an instance problem.
Verification
```bash
# Check instance connection status
aws ssm describe-instance-information \
  --filters Key=InstanceIds,Values=i-abc123 \
  --query 'InstanceInformationList[*].PingStatus'

# Should return: "Online"

# Test Run Command
aws ssm send-command \
  --instance-ids i-abc123 \
  --document-name AWS-RunShellScript \
  --parameters 'commands=["echo Hello from SSM"]' \
  --query 'Command.CommandId'
```

send-command returns as soon as the command is queued; fetch the result with get-command-invocation using the returned command ID. Run Command relies on the ec2messages endpoint, so a session that works while the command stays Pending points at a missing ec2messages endpoint or its security group.
Related Issues
- [Fix AWS EC2 Instance Not Responding](/articles/fix-aws-ec2-instance-not-responding)
- [Fix AWS SSM Command Failed](/articles/fix-aws-ssm-command-failed)
- [Fix AWS EC2 Instance Connect Not Working](/articles/fix-aws-ec2-instance-connect-not-working)
Published by FixWikiHub (FixWikiHub Editorial Team), 2026-04-01: https://www.fixwikihub.com/fix-aws-ec2-systems-manager-ssm-not-connected