How to Resolve AWS SSM Agent Not Showing as Managed: Complete Fixing Guide

by SupportPRO Admin

This guide shares some practical pointers for digging into issues with AWS Systems Manager. Most of the time, problems show up in a few predictable places: the SSM Agent, Session Manager, Parameter Store, or Automation workflows. The idea here is to help you zero in on what’s actually going wrong instead of chasing symptoms.

1. SSM Agent Connectivity

Check the Instance IAM Role

Start by making sure the EC2 instance actually has an IAM instance profile.
The role should have the AmazonSSMManagedInstanceCore managed policy attached.
If you’re using a custom IAM policy, double-check that it lets the agent talk to the Systems Manager service — that part gets missed more often than we’d like to admit.

Network Reachability

If the instance lives in a public subnet:

  • It needs a public IP.
  • Outbound HTTPS (443) should be open.

If it’s in a private subnet:

  • Make sure it can reach the internet through a NAT Gateway, or that VPC endpoints are in place.
  • Route tables and security groups should allow outbound 443.

Network issues are easily the most common blockers here.

Instances Without Internet

If your instance has no path out to the internet at all, set up VPC interface endpoints for these services:

ssm.<region>.amazonaws.com

ssmmessages.<region>.amazonaws.com

ec2messages.<region>.amazonaws.com

After creating them:

  • Attach them to the subnets the instance is in.
  • Enable Private DNS. Otherwise, the agent will try to reach public endpoints and fail.

Check the Agent Service

Run:

sudo systemctl status amazon-ssm-agent

If it’s down:

sudo systemctl start amazon-ssm-agent

sudo systemctl enable amazon-ssm-agent

If it’s missing, install it according to your OS instructions.

Instance Metadata Service

The agent pulls credentials from IMDS.
If IMDS is disabled (which sometimes happens by accident in hardened images), the agent won’t authenticate and will quietly fail.

Confirm It Shows as “Managed”

Go to: Systems Manager → Managed Instances.
If the instance isn’t listed or shows Connection Lost, check:

/var/log/amazon/ssm/amazon-ssm-agent.log

The logs usually make the problem obvious once you see it.
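
The checks in this section can be run in one pass on the instance itself. The script below is an added example, not SupportPRO's or AWS's own code; it assumes curl, nc and systemd are installed, and the function names and FAIL messages are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not SupportPRO's code): preflight for the section 1 checks.
# Assumptions: run on the instance; curl, nc and systemd present; region is $1.
IMDS=http://169.254.169.254/latest

# Service hostnames the agent must reach on 443, as listed above.
ssm_endpoints() {
  local svc
  for svc in ssm ssmmessages ec2messages; do
    echo "${svc}.$1.amazonaws.com"
  done
}

# One probe per cause, so a failure points at a single fix.
probe_agent() { systemctl is-active --quiet amazon-ssm-agent; }
probe_tcp()   { nc -z -w 5 "$1" 443 >/dev/null 2>&1; }
probe_imds_role() {
  # IMDSv2: get a session token, then list the instance-profile role name.
  local token role
  token=$(curl -sf -m 3 -X PUT "$IMDS/api/token" \
    -H 'X-aws-ec2-metadata-token-ttl-seconds: 60') || return 1
  role=$(curl -sf -m 3 -H "X-aws-ec2-metadata-token: $token" \
    "$IMDS/meta-data/iam/security-credentials/") || return 2
  [ -n "$role" ] || return 2
}

# Prints one FAIL line per failed check; exit status is the failure count.
preflight() {
  local region=$1 fails=0 rc=0 host
  probe_agent || { echo "FAIL agent: amazon-ssm-agent is not active"; fails=$((fails + 1)); }
  probe_imds_role || rc=$?
  case $rc in
    1) echo "FAIL imds: metadata service unreachable or disabled"; fails=$((fails + 1)) ;;
    2) echo "FAIL iam: no instance profile role visible in IMDS"; fails=$((fails + 1)) ;;
  esac
  for host in $(ssm_endpoints "$region"); do
    probe_tcp "$host" || { echo "FAIL network: $host:443 unreachable"; fails=$((fails + 1)); }
  done
  return "$fails"
}

# Run only when a region argument is given, e.g. ./preflight.sh us-east-1
if [ -n "${1:-}" ]; then preflight "$1"; fi
```

The TCP probe connects directly, so on an instance that reaches AWS only through a proxy it can report a failure even though a correctly configured agent would connect. A role being visible in IMDS shows that an instance profile is attached, not that its policy grants the required permissions.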

2. Session Manager Issues

Verify the Agent

If your Session Manager screen just sits there blank or stalls, it’s usually the agent not responding.

sudo systemctl status amazon-ssm-agent

Restart if needed.

IAM Permissions

The role needs to be able to start sessions:

ssm:StartSession

ssm:DescribeInstanceInformation

If session logs are encrypted with KMS, both the user and the instance role need kms:Decrypt permissions. Easy detail to overlook.

Network / Proxy Check

Run:

nc -zv ssmmessages.<region>.amazonaws.com 443

If you’re in a proxy setup, make sure the agent is using the proxy settings — it doesn’t inherit them by default.

Logging & Encryption

If sessions drop or disconnect randomly, check:

  • Access to the S3 bucket or CloudWatch log group used for session logging
  • KMS permissions if logging is encrypted

3. Parameter Store Issues

IAM Permissions

Make sure the instance role has:

ssm:GetParameter

kms:Decrypt (if the parameter is SecureString)

Parameter Name & Type

Verify the exact path — including any folder-style prefixes.
Also note the type: String, StringList, or SecureString.

CLI Availability

If you’re pulling parameters via scripts:

sudo yum install -y awscli

And confirm the AWS region matches where the parameters live.

4. Automation Document Errors

aws:runCommand

Check that the instance is listed as Managed and that the role can run commands:

ssm:SendCommand

ssm:ListCommandInvocations

Output details are under Systems Manager → Automation → Executions.

aws:copyImage

The automation role should allow:

ec2:CopyImage

ec2:DescribeImages

Typical Causes

  • Trust relationship missing in the role
  • Incorrect parameters (like SubnetId or RoleArn)
  • The instance isn’t registered as Managed
  • VPC endpoint or network path missing

Once you’ve seen these a few times, they’re pretty recognizable.

Conclusion

In most cases, fixing Systems Manager issues comes down to IAM access, network paths, or the agent simply not running. Once those core pieces are aligned, everything else tends to fall into place without much friction. Don’t hesitate to re-check the basics; the root cause is usually simpler than it first appears.

If you ever feel like it’s going in circles or you’d rather have a second set of eyes, SupportPRO is always here to help. Whether it’s a quick configuration check or full environment troubleshooting, we’ll work with you to get everything running smoothly again.
