{"id":17095,"date":"2026-05-08T10:00:00","date_gmt":"2026-05-08T16:00:00","guid":{"rendered":"https:\/\/www.supportpro.com\/blog\/?p=17095"},"modified":"2026-05-10T21:41:31","modified_gmt":"2026-05-11T03:41:31","slug":"how-to-monitor-and-alert-ssm-agent-health-with-aws-config-eventbridge-and-lambda","status":"publish","type":"post","link":"https:\/\/www.supportpro.com\/blog\/how-to-monitor-and-alert-ssm-agent-health-with-aws-config-eventbridge-and-lambda\/","title":{"rendered":"How to Monitor and Alert SSM Agent Health with AWS Config, EventBridge, and Lambda"},"content":{"rendered":"\n

Managing EC2 instances at scale requires ensuring that all instances are properly configured and connected to AWS Systems Manager (SSM). Issues like missing or non-responsive SSM Agents and unmanaged instances can create operational gaps and disrupt automation. To solve this, we can use AWS Config, Amazon EventBridge, and AWS Lambda to build a monitoring and alerting system that continuously checks compliance, detects SSM Agent health issues in real time, and triggers alerts or remediation – improving visibility, security, and control across your AWS environment.<\/p>\n\n\n\n

A. Checking EC2 Instances for SSM Agent Health Issues<\/h2>\n\n\n\n

Before implementing monitoring, first log in to the AWS Console and validate your EC2 environment for the following conditions:<\/p>\n\n\n\n

    \n
  1. SSM Agent is not installed<\/strong>
    Identify EC2 instances where the AWS Systems Manager (SSM) Agent is missing, which prevents remote management and automation.<\/li>\n\n\n\n
  2. SSM Agent is stopped or not responding<\/strong>
    Detect instances where the SSM Agent is installed but inactive, unhealthy, or failing to communicate with AWS Systems Manager.<\/li>\n\n\n\n
  3. SSM is not managing the instance<\/strong>
    Find EC2 instances that are not properly registered or managed by AWS Systems Manager, often due to missing permissions or configuration issues.<\/li>\n<\/ol>\n\n\n\n

    Architecture Flow for Monitoring & Alerting<\/h2>\n\n\n\n
    EC2 Instance
          \u2193
    AWS Config (Managed Rule)
          \u2193
    EventBridge (NON_COMPLIANT Event)
          \u2193
    Lambda Function
          \u2193
    SNS \/ Email \/ Slack \/ Auto-remediation<\/code><\/pre>\n\n\n\n
    B. Prerequisites<\/h2>\n\n\n\n
    Before setting up monitoring and alerting, ensure the following requirements are in place:<\/p>\n\n\n\n
      \n
    1. IAM Role for EC2 Instances<\/strong>
      Each EC2 instance must have an IAM role attached with the AmazonSSMManagedInstanceCore<\/code> policy to enable Systems Manager access.<\/li>\n\n\n\n
    2. Enable AWS Config<\/strong>
      AWS Config must be enabled to continuously evaluate resource compliance and track configuration changes.<\/li>\n\n\n\n
    3. Install SSM Agent on EC2 Instances<\/strong>
      The SSM Agent must be installed and running on all target instances to allow proper communication with AWS Systems Manager.<\/li>\n\n\n\n
    4. Enable Amazon EventBridge<\/strong>
      Amazon EventBridge must be enabled to capture compliance state changes and trigger automated workflows.<\/li>\n<\/ol>\n\n\n\n
      \"\"<\/a><\/figure>\n\n\n\n
      C. AWS Config Rule to Check SSM Agent Health<\/h2>\n\n\n\n
      To monitor SSM Agent health effectively, you can use an AWS managed rule provided by AWS Config. This helps you automatically evaluate whether your EC2 instances are properly managed by AWS Systems Manager.<\/p>\n\n\n\n
      AWS offers a built-in rule called EC2_INSTANCE_MANAGED_BY_SSM<\/strong>.<\/p>\n\n\n\n
      What This Rule Checks<\/h3>\n\n\n\n
      This AWS Config rule helps ensure the following:<\/p>\n\n\n\n
        \n
      1. Verifies SSM management status<\/strong>
        Confirms whether EC2 instances are being managed by AWS Systems Manager.<\/li>\n\n\n\n
      2. Checks SSM Agent availability<\/strong>
        Ensures that the SSM Agent is installed and running on the instance, enabling proper communication with AWS SSM services.<\/li>\n<\/ol>\n\n\n\n
        Steps to Enable the Rule<\/h3>\n\n\n\n
          \n
        1. Open the AWS Config<\/strong> console<\/li>\n\n\n\n
        2. Navigate to Rules<\/strong><\/li>\n\n\n\n
        3. Click on Add rule<\/strong><\/li>\n\n\n\n
        4. Search for EC2_INSTANCE_MANAGED_BY_SSM<\/strong><\/li>\n\n\n\n
        5. Configure the scope of the rule<\/li>\n\n\n\n
        6. Set the resource type as: AWS::EC2::Instance<\/strong><\/li>\n\n\n\n
        7. Review and Save the rule<\/strong><\/li>\n<\/ol>\n\n\n\n
          Once enabled, AWS Config will continuously evaluate your EC2 instances and flag any non-compliant resources where SSM is not properly configured or active.

          <\/a><\/p>\n\n\n\n

          D. Capture NON_COMPLIANT Events Using EventBridge<\/h2>\n\n\n\n
          Once the AWS Config rule is active, the next step is to capture compliance state changes in real time using Amazon EventBridge. This allows you to automatically react whenever an EC2 instance becomes NON_COMPLIANT<\/strong> with the SSM Agent health rule.<\/p>\n\n\n\n
          EventBridge Rule<\/h3>\n\n\n\n
          Create an EventBridge rule to listen for AWS Config compliance changes. This rule filters events where resources are marked as NON_COMPLIANT<\/strong>, specifically for the EC2_INSTANCE_MANAGED_BY_SSM rule.<\/p>\n\n\n\n
          When a violation is detected, the event is forwarded to downstream services such as AWS Lambda for processing.<\/p>\n\n\n\n
          E. Lambda Function for Alerting & Analysis<\/h2>\n\n\n\n
          AWS Lambda is used to process NON_COMPLIANT events and trigger alerts or remediation actions. It acts as the core logic layer in the monitoring pipeline, analyzing the event and deciding the next step.<\/p>\n\n\n\n
          IAM Permissions for Lambda Execution Role<\/h3>\n\n\n\n
          To ensure the Lambda function can properly interact with AWS services, attach the following permissions to its execution role:<\/p>\n\n\n\n
            \n
          1. AWSConfigRulesExecutionRole<\/strong>
            Allows Lambda to interact with AWS Config rules and retrieve compliance data.<\/li>\n\n\n\n
          2. AmazonSSMReadOnlyAccess<\/strong>
            Grants read access to Systems Manager data for analyzing instance health and SSM status.<\/li>\n\n\n\n
          3. AmazonSNSFullAccess<\/strong>
            Enables Lambda to publish notifications to SNS topics for alerts via email, SMS, or integrated channels like Slack.<\/li>\n<\/ol>\n\n\n\n
            With this setup, any NON_COMPLIANT EC2 instance is automatically detected, processed by Lambda, and forwarded as an alert or remediation action\u2014ensuring continuous visibility and proactive security management.<\/p>\n\n\n\n
            \"\"<\/a><\/figure>\n\n\n\n
            F. Optional: Auto-Remediation<\/h2>\n\n\n\n
            To go beyond monitoring and alerts, you can implement auto-remediation<\/strong> to fix SSM Agent issues automatically without manual intervention. This helps maintain continuous compliance and reduces operational overhead.<\/p>\n\n\n\n
            Using SSM Automation Runbook<\/h3>\n\n\n\n
            You can leverage AWS Systems Manager Automation Runbooks<\/strong> to define remediation actions for common SSM-related issues.<\/p>\n\n\n\n
            In this setup, the Lambda function triggered by a NON_COMPLIANT<\/strong> event invokes an SSM Automation document to remediate the issue.<\/p>\n\n\n\n
            Automation Actions<\/h3>\n\n\n\n
            The automation workflow can handle the following scenarios:<\/p>\n\n\n\n
            a. Install SSM Agent if missing<\/strong>
            Automatically installs the AWS Systems Manager Agent on EC2 instances where it is not present.<\/p>\n\n\n\n
            b. Restart SSM Agent if stopped<\/strong>
            Detects inactive or unresponsive agents and restarts the service to restore connectivity with AWS Systems Manager.<\/p>\n\n\n\n
            Conclusion<\/h2>\n\n\n\n
            Monitoring SSM Agent health is essential for maintaining secure and manageable EC2 environments. By combining AWS Config, EventBridge, Lambda, and optional SSM Automation<\/strong>, you can build a fully automated system that not only detects non-compliant instances but also responds to them in real time. This approach improves visibility, reduces manual effort, and strengthens the overall security posture of your AWS infrastructure.<\/p>\n\n\n\n
            Facing challenges with AWS monitoring, EC2 management, or SSM Agent issues?<\/a> <\/p>\n\n\n\n
            Get expert help from SupportPro<\/a> for reliable cloud support, automation setup, and 24\/7 technical assistance to keep your infrastructure secure and running smoothly.

            <\/p>\n\n\n\n
            \n
            Facing issues? <\/p>\n\n\n\n
            Our technical support
            engineers can solve it. <\/p>\n\n\n\n            \"Contact<\/a><\/span>