Connect to EC2 instance bastion via Session Manager

0

I created a new EC2 instance from: Amazon Linux 2 AMI (HVM) - Kernel 5.10, SSD Volume Type - ami-0bae7412735610274 (64-bit x86) / ami-0bfc5012753c8c986 (64-bit Arm)

I assigned to it the right SSM role, but I can't connect to it via SSM:

We weren't able to connect to your instance. Common reasons for this include: ...

Amazon Linux 2 AMI (HVM) - Kernel 5.10 doesn't come with SSM agent installed?

Asked 2 years ago · 843 views
3 Answers
1

Is the instance in a subnet with Internet access? The SSMAgent needs to be able to reach the SSM APIs. If you look at the instance in SSM Fleet Manager, you should see the instance listed and its Node State as 'Running'. If you don't then likely the instance has no path to the Internet. The SSMAgent originates connectivity outbound.

If the VPC is not meant to be public, you can deploy a VPC Endpoint to the SSM API Endpoint in the subnet where the instance is deployed. See Step 6: (Optional) Create a Virtual Private Cloud endpoint (https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html)

AWS
Scott_K
answered 2 years ago
EXPERT
reviewed a month ago
0

Is the agent running on your instance? Do you have the bootstrap script to start the agent during launch, possibly using EC2 userdata?

answered 2 years ago
0

By default, SSM agent is installed on Amazon Linux Base Amazon Machine Images (AMIs) dated 2017.09 and later. SSM Agent is also installed by default on Amazon Linux 2 AMIs and Amazon Linux 2 ECS-Optimized Base AMIs. The latest Amazon EKS optimized AMIs install SSM Agent automatically.

AWS has a troubleshooting guide for the SSM agent but your mileage may vary if you don't have access to the OS through other means.

The two areas to focus on:

  • verify what @Scott_K mentioned. Further details in the troubleshooting guide linked above.
  • verify that an EC2 instance profile is associated with the EC2 instance and that a policy like AmazonSSMManagedInstanceCore has been attached to the role. This policy allows an instance to use AWS Systems Manager service core functionality including permissions for communication between instances and the Systems Manager API.
RoB
answered 2 years ago
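
The checks raised in the answers above (an outbound path or a VPC endpoint, an instance profile carrying AmazonSSMManagedInstanceCore, and the node reporting in to Systems Manager) can be run offline against saved AWS CLI JSON. This is an added example, not part of the original thread: the function names and sample IDs are hypothetical, the dict shapes follow `describe-instances`, `list-attached-role-policies`, `describe-route-tables`, `describe-vpc-endpoints` and `describe-instance-information`, and the `ssmmessages` endpoint requirement is taken from AWS documentation rather than from the answers.

```python
REQUIRED_POLICY = "AmazonSSMManagedInstanceCore"
# Endpoints Session Manager needs without an Internet path. Assumption from AWS
# documentation; the thread itself only names the SSM API endpoint.
ENDPOINT_SUFFIXES = ("ssm", "ssmmessages")

def has_internet_path(instance, route_table):
    """Active 0.0.0.0/0 route via NAT, or via an IGW when the instance has a public IP."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") != "0.0.0.0/0" or r.get("State") != "active":
            continue
        if r.get("NatGatewayId"):
            return True
        if r.get("GatewayId", "").startswith("igw-"):
            return "PublicIpAddress" in instance
    return False

def missing_endpoints(vpc_endpoints, instance):
    """Required endpoint suffixes with no available endpoint in the instance's subnet."""
    present = {ep["ServiceName"].rsplit(".", 1)[-1] for ep in vpc_endpoints
               if ep.get("VpcId") == instance["VpcId"] and ep.get("State") == "available"
               and instance["SubnetId"] in ep.get("SubnetIds", [])}
    return [s for s in ENDPOINT_SUFFIXES if s not in present]

def diagnose(instance, attached_policies, route_table, vpc_endpoints, ssm_info):
    """Return findings; an empty list means none of the checked prerequisites is missing."""
    findings = []
    if "IamInstanceProfile" not in instance:
        findings.append("no instance profile associated")
    elif REQUIRED_POLICY not in {p["PolicyName"] for p in attached_policies}:
        # Only the named managed policy is checked; an equivalent custom policy is not detected.
        findings.append("role lacks " + REQUIRED_POLICY)
    if not has_internet_path(instance, route_table):
        gaps = missing_endpoints(vpc_endpoints, instance)
        if gaps:
            findings.append("no Internet path and no VPC endpoint for: " + ", ".join(gaps))
    if not any(i["InstanceId"] == instance["InstanceId"] and i["PingStatus"] == "Online"
               for i in ssm_info):
        findings.append("instance not reporting Online to Systems Manager")
    return findings

# Constructed sample: private subnet, role attached, only the ssm endpoint present.
INSTANCE = {"InstanceId": "i-0example", "VpcId": "vpc-0example", "SubnetId": "subnet-0example",
            "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/example"}}
POLICIES = [{"PolicyName": "AmazonSSMManagedInstanceCore"}]
ROUTES = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]}
ENDPOINTS = [{"VpcId": "vpc-0example", "State": "available", "SubnetIds": ["subnet-0example"],
              "ServiceName": "com.amazonaws.eu-west-1.ssm"}]
if __name__ == "__main__":
    print("\n".join(diagnose(INSTANCE, POLICIES, ROUTES, ENDPOINTS, ssm_info=[])))
```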
