Compliance · Medium severity

AWS Security Hub · SSM

SSM.1: Instances are not managed by Systems Manager, so no patching or audit

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub SSM.1 check?

SSM.1 fails for any EC2 instance that is not managed by AWS Systems Manager. An instance is "managed" once the SSM Agent is running, the instance has an instance profile granting SSM permissions, and it appears in Fleet Manager's managed-instances list.

Why does SSM.1 matter?

An unmanaged instance is invisible to the whole operational control plane: Patch Manager can't push updates, Session Manager can't open a shell, Run Command and State Manager can't reach it, and Inventory has no record of it. The most direct cost is patch lag — unmanaged hosts drift further behind every week, which is exactly how CVEs like Log4Shell turn into fleet-wide compromises.

How do I fix SSM.1?

  1. Install and start the SSM Agent on the instance (it ships with most modern AMIs).
  2. Attach an instance profile with the AmazonSSMManagedInstanceCore policy.
  3. Give the agent a network path to SSM endpoints, via VPC endpoints or a NAT route.
  4. Confirm the instance shows as Managed in Fleet Manager.

Remediation script · bash

# 1. AWS Config: bind to the service-linked role, record all resources, then start.
ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
aws iam create-service-linked-role --aws-service-name config.amazonaws.com 2>/dev/null || true
aws configservice put-configuration-recorder \
  --configuration-recorder "name=default,roleARN=arn:aws:iam::${ACCOUNT}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig,recordingGroup={allSupported=true,includeGlobalResourceTypes=true}"
aws configservice start-configuration-recorder --configuration-recorder-name default

# 2. IAM Access Analyzer: create an external access analyzer in this Region.
aws accessanalyzer create-analyzer --analyzer-name external-access --type ACCOUNT

# 3. Systems Manager: grant the example instance role (app-instance-role here) the
#    SSM core policy, then confirm the instance is managed (PingStatus should read Online).
aws iam attach-role-policy --role-name app-instance-role \
  --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
aws ssm describe-instance-information \
  --query 'InstanceInformationList[].{Id:InstanceId,Ping:PingStatus}' --output table

Full walkthrough (console steps, edge cases and verification) in the lesson Enable AWS security tooling (Config, Access Analyzer, SSM).

Is SSM.1 a false positive?

All three pieces must be present — agent running, IAM permissions, and connectivity. An instance with the agent installed but no instance profile, or no route to the SSM endpoints, still fails.
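One way to triage which of the three prerequisites an unmanaged instance is missing, as an added example that is not Emnode's code or part of the lesson: it runs over constructed samples of the describe-instances, list-attached-role-policies and describe-instance-information responses, and the instance ids, account id and role names in it are placeholders.

```python
"""SSM.1 triage over the API responses the control depends on.
Added example, not Emnode's code. Inputs are constructed samples of
`aws ec2 describe-instances`, `aws iam list-attached-role-policies` (per role)
and `aws ssm describe-instance-information`; ids and names are placeholders."""
SSM_CORE = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
PROFILE = "arn:aws:iam::123456789012:instance-profile/"

# Constructed sample: trimmed describe-instances records.
INSTANCES = [
    {"InstanceId": "i-0aaa111", "IamInstanceProfile": {"Arn": PROFILE + "app-instance-role"}},
    {"InstanceId": "i-0bbb222"},  # no instance profile at all
    {"InstanceId": "i-0ccc333", "IamInstanceProfile": {"Arn": PROFILE + "app-instance-role"}},
    {"InstanceId": "i-0ddd444", "IamInstanceProfile": {"Arn": PROFILE + "legacy-role"}},
]
# Constructed sample: managed policies attached to the role behind each profile.
ROLE_POLICIES = {
    "app-instance-role": [SSM_CORE, "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"],
    "legacy-role": ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"],
}
# Constructed sample: what SSM currently knows about the fleet.
SSM_INFO = [
    {"InstanceId": "i-0aaa111", "PingStatus": "Online"},
    {"InstanceId": "i-0ccc333", "PingStatus": "ConnectionLost"},
]


def triage(instances, role_policies, ssm_info):
    """Map each instance id to 'managed' or to the first missing prerequisite,
    checked in the order a responder fixes them: profile, SSM policy, agent state."""
    ping = {r["InstanceId"]: r.get("PingStatus") for r in ssm_info}
    verdicts = {}
    for inst in instances:
        iid = inst["InstanceId"]
        profile_arn = inst.get("IamInstanceProfile", {}).get("Arn")
        if not profile_arn:
            verdicts[iid] = "no-instance-profile"
            continue
        # Sample assumption: profile and role share a name. In a real account,
        # resolve the role with `aws iam get-instance-profile` instead.
        role = profile_arn.rsplit("/", 1)[-1]
        if SSM_CORE not in role_policies.get(role, []):
            verdicts[iid] = "profile-lacks-ssm-policy"
        elif iid not in ping:  # IAM is fine: agent not running, or no route to SSM
            verdicts[iid] = "agent-never-registered"
        elif ping[iid] != "Online":
            verdicts[iid] = "agent-" + ping[iid].lower()
        else:
            verdicts[iid] = "managed"
    return verdicts
```

Everything except a `managed` verdict is an instance SSM.1 will keep flagging, and the verdict names the step in the fix list above to start with.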
