Question #1021
A solutions architect migrated an on-premises server using AWS Server Migration Service and created an AMI. An EC2 instance launched from this AMI resides in a public subnet with a public IP but does not appear as a managed instance in AWS Systems Manager. Which two steps should the solutions architect take to resolve this issue?
Ensure the Systems Manager Agent is installed and running on the instance.
Confirm the instance has an IAM role with permissions for Systems Manager.
Check if a VPC endpoint for Systems Manager is configured in the VPC.
Verify the AWS Application Discovery Agent is properly configured.
Validate the service-linked roles for Systems Manager are correctly set up.
Explanation
The correct answers are A and B.
Why A and B are correct:
- A: Systems Manager Agent (SSM Agent) must be installed and running on the EC2 instance to enable communication with AWS Systems Manager. Migrated on-premises servers often lack the pre-installed SSM Agent.
- B: The EC2 instance must have an IAM role with the AmazonSSMManagedInstanceCore policy (or equivalent permissions) to interact with Systems Manager. Without this role, the instance cannot authenticate with AWS SSM.
Why other options are incorrect:
- C: A VPC endpoint is unnecessary here because the instance resides in a public subnet with a public IP, allowing it to reach AWS public endpoints. VPC endpoints are typically used for private subnets without internet access.
- D: The AWS Application Discovery Agent is unrelated to Systems Manager; it is used for migration planning.
- E: Service-linked roles for Systems Manager are automatically created by AWS and are not typically the root cause of this issue.
Key Points:
1. SSM Agent is mandatory for Systems Manager functionality.
2. IAM roles grant permissions for AWS service interactions.
3. Public subnets with internet access do not require VPC endpoints for SSM.
Answer
The correct answer is: AB