
amazon web services - Systems Manager Session Manager is unable to connect - Stack Overflow


[image: error message]

I am experiencing this problem. Session Manager is unable to connect to the SSM agent on ALL of my instances (see attached picture link). I have an IAM role with all required permissions, and the policy AmazonSSMManagedInstanceCore is attached as well. It was working just fine a couple of days ago, but now I cannot connect to my EC2 which has Jenkins Server running.

I tried methods below to get the connection back:

  1. Attached and detached the role
  2. Launched a new instance and still no connection
  3. Used service "Run Command" and tried to "UpdateSSMAgent", did not work
  4. Tried to run Jenkins pipeline to enable amazon ssm-agent
  5. Created VPC endpoints for the ssm.service, since the error is about the endpoint

I am out of options, I need to go inside the server as soon as possible.

Asked Jan 31 at 21:07 by Aiya Adil, edited Jan 31 at 21:08

Comments:
  • This is an issue with your own account, and you should be asking AWS support directly via their website. We have no access to your account or their servers in order to investigate or troubleshoot this issue on your behalf. – Ken White Commented Jan 31 at 21:15
  • There are other EC2 connect options such as ICE. – jarmod Commented Jan 31 at 22:58

1 Answer

For sure this is a network (VPC) issue. I assume you lost the internet connection, or something is filtering your connection from the servers to the AWS endpoints. The filtering can be a Security Group (a missing or too restrictive egress rule attached to your EC2), a VPC NACL, or a third-party solution.

If you can still connect from Jenkins, then you can check whether you actually have any internet access (if you cannot curl google, then you need to check the VPC configuration: NAT and route tables).


Also, you can check the SSM endpoint addresses with nslookup ssm.region.amazonaws.com, and then try to curl them from Jenkins. If you can reach them, then it means that you have a DNS issue -> https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-ssm-agent.html#agent-ts-dns-attributes

If you cannot reach them, you can try VPC Reachability Analyzer, and check your traffic route from the EC2 server to the SSM endpoint IP address.


The VPC endpoints are a bit expensive, so I personally try to avoid them. If you really cannot use the "public" endpoints for SSM, then remember that there are 3 different endpoints required by the SSM agent that you need to create and attach to the subnets (that should have access through them), and you need to have a security group that will allow your EC2 servers to connect. Also, pay attention to the DNS options in your VPC. You may find more about the VPC endpoints in the link that I mentioned before.
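
The DNS and reachability checks described in the answer above can be scripted so that each SSM endpoint gets a verdict pointing at the layer to inspect next. This is an added example, not part of the original answer: the function names and the SSM_CHECK_REGION variable are hypothetical, the three hostnames are the standard regional ssm, ssmmessages and ec2messages service endpoints, and treating an RFC 1918 answer as "resolves to a VPC endpoint" is an assumption.

```shell
#!/usr/bin/env bash
# Added example: triage SSM endpoint reachability from the instance itself.

# The three regional service endpoints the SSM agent needs to reach.
ssm_endpoints() {
  local region="$1" svc
  for svc in ssm ssmmessages ec2messages; do
    printf '%s.%s.amazonaws.com\n' "$svc" "$region"
  done
}

# Assumption: an RFC 1918 answer means the name resolves to a VPC interface
# endpoint (private DNS); anything else is the public AWS endpoint.
is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Map probe results to the next thing to check.
# $1 = resolved IP (empty when DNS failed), $2 = "open"/"closed" for TCP 443
diagnose() {
  local ip="$1" tcp="$2"
  if [ -z "$ip" ]; then
    echo "dns-failure: check the VPC DNS options"
  elif [ "$tcp" = open ]; then
    echo "reachable"
  elif is_private_ip "$ip"; then
    echo "blocked-to-vpc-endpoint: check the endpoint's security group"
  else
    echo "blocked-to-public-endpoint: check NAT/route tables, egress SG rule, NACL"
  fi
}

resolve() { getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'; }
tcp443()  { timeout 5 bash -c "exec 3<>/dev/tcp/$1/443" 2>/dev/null && echo open || echo closed; }

main() {
  local region="$1" host ip tcp
  for host in $(ssm_endpoints "$region"); do
    ip="$(resolve "$host")"; tcp=closed
    if [ -n "$ip" ]; then tcp="$(tcp443 "$ip")"; fi
    printf '%-38s %-15s %s\n' "$host" "${ip:--}" "$(diagnose "$ip" "$tcp")"
  done
}

# Probes run only when SSM_CHECK_REGION is set (hypothetical variable name).
if [ -n "${SSM_CHECK_REGION:-}" ]; then main "$SSM_CHECK_REGION"; fi
```

Run it on the affected instance with SSM_CHECK_REGION set to the instance's region; it needs getent, awk, timeout and bash, and makes only outbound TCP 443 connection attempts.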
