Security group inbound rules for State Manager

Question

What security group inbound rule do I need to add that will allow AWS Systems Manager State Manager to run the AWS-RunPowerShellScript document on an association of EC2 Windows instances?

Accepted Answer

You don't need to define any inbound rules in the security group. The SSM agent initiates the communication with the service so you only need TCP port 443 open on the outbound as security groups are stateful. You can also use VPC Endpoints within the VPC to communicate with the SSM services. See: [Step 4: Create VPC endpoints](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html).

Answer

Adding inbound rules to the security group associated with the EC2 managed by Systems Manager is not necessary.

[How Moody’s uses AWS Systems Manager to patch servers across multiple cloud providers | AWS Cloud Operations & Migrations Blog](https://aws.amazon.com/jp/blogs/mt/how-moodys-uses-aws-systems-manager-to-patch-servers-across-multiple-cloud-providers/)

> No additional inbound rules are required in the security group created for the EC2 instances in the private subnets.

Security group inbound rules for State Manager

관련 콘텐츠