How to enable AWS Systems Manager for Multi Account and Multi Region


Q: How do I enable AWS Systems Manager for multiple accounts and multiple Regions?

Requirement: I need to implement AWS Systems Manager. The customer has 400+ accounts and multiple Regions, with two payer accounts and two Organizations. There is no Landing Zone or Control Tower enabled, but the customer has a proposal to enable Control Tower.

Questions:

  1. Can SSM (e.g. enabled in a central account) discover EC2 instances across all accounts and all Regions (the accounts belong to different Organizations)?
  2. What is the best way to install SSM Agent: through a CloudWatch Events rule or via Config rules?
  3. How do we update the instance profile on all EC2 instances across all accounts?

Regards, Anil

Asked 4 years ago, 3332 views
1 answer
Accepted answer

Hey Anil,

  1. You can aggregate data about Systems Manager managed instances (EC2 or on-prem) from multiple accounts/Regions into a central location (S3 bucket or Explorer). You can also send workflows to other accounts/Regions using Automation within Systems Manager.

  2. If the customer does not have OS-level remote management currently (e.g. SCCM for Windows, Ansible, etc.), then you may have to resort to manual installation. You can try to install via UserData, but that depends on whether the instance runs UserData at every boot. Another option would be to leverage AWS AMIs that include SSM Agent already; see the section "AMIs with SSM Agent preinstalled".

  3. You can use Explorer or AWS Config to mark instances as compliant or not for registering with Systems Manager. How the instance profile was created in the first place will determine how you should update it. For example, if the profiles were created via CFN, then you want to update your stack template. If they were created manually, you could consider using AWS Config + Remediation Actions via Automation, which can invoke a custom document to append the required permissions. If there is no IAM role at all, you could use State Manager Associations (or Config) to routinely attach (or simply ensure) the IAM role on the EC2 instance.

AWS
Erik_W
Answered 4 years ago
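As an added example (not code from the original question or answer), the script below shows the discovery half of questions 1 and 3: a central account assumes a role in each member account, lists EC2 instances per Region, compares them with what SSM reports as managed nodes, and sorts the gaps into "no instance profile" versus "has a profile but never registered" (typically the agent is missing or the profile lacks the SSM permissions). The cross-account role name `SSMInventoryReadOnly`, the account IDs and the sample API responses are assumptions; STS role assumption works regardless of which Organization an account belongs to, so the two-Organization setup does not block this approach. The classification logic is kept separate from the boto3 calls so it can be exercised offline on the constructed sample data.

```python
"""Cross-account, cross-Region check for EC2 instances that are not yet
Systems Manager managed nodes, or that have no instance profile attached.

Assumptions (not from the original post):
  * the central account may assume a role named ROLE_NAME in each member account;
  * the caller supplies the account IDs and Regions to sweep.
"""

ROLE_NAME = "SSMInventoryReadOnly"  # hypothetical cross-account role name


def running_instances(reservations):
    """Flatten EC2 describe_instances output into {instance_id: profile_arn or None},
    skipping terminated instances."""
    out = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            profile = inst.get("IamInstanceProfile") or {}
            out[inst["InstanceId"]] = profile.get("Arn")
    return out


def managed_instance_ids(instance_information):
    """Instance IDs that SSM DescribeInstanceInformation reports as managed nodes."""
    return {info["InstanceId"] for info in instance_information}


def classify(reservations, instance_information):
    """Split EC2 instances into three buckets: managed by SSM, missing an instance
    profile, and has a profile but never registered with SSM."""
    instances = running_instances(reservations)
    managed = managed_instance_ids(instance_information)
    report = {"managed": [], "no_profile": [], "profile_but_unregistered": []}
    for instance_id, profile_arn in sorted(instances.items()):
        if instance_id in managed:
            report["managed"].append(instance_id)
        elif profile_arn is None:
            report["no_profile"].append(instance_id)
        else:
            report["profile_but_unregistered"].append(instance_id)
    return report


def sweep(account_ids, regions, role_name=ROLE_NAME):
    """Live sweep: assume role_name in every account and classify each Region.
    boto3 is imported lazily so the pure functions above run without it."""
    import boto3  # needs AWS credentials; only used for a live sweep

    sts = boto3.client("sts")
    results = {}
    for account in account_ids:
        creds = sts.assume_role(
            RoleArn=f"arn:aws:iam::{account}:role/{role_name}",
            RoleSessionName="ssm-inventory",
        )["Credentials"]
        session = boto3.Session(
            aws_access_key_id=creds["AccessKeyId"],
            aws_secret_access_key=creds["SecretAccessKey"],
            aws_session_token=creds["SessionToken"],
        )
        for region in regions:
            ec2 = session.client("ec2", region_name=region)
            ssm = session.client("ssm", region_name=region)
            reservations = []
            for page in ec2.get_paginator("describe_instances").paginate():
                reservations.extend(page["Reservations"])
            info = []
            for page in ssm.get_paginator("describe_instance_information").paginate():
                info.extend(page["InstanceInformationList"])
            results[(account, region)] = classify(reservations, info)
    return results


# Constructed sample responses in the shape boto3 returns them (not real data).
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa", "State": {"Name": "running"},
         "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/SSMRole"}},
        {"InstanceId": "i-0bbb", "State": {"Name": "running"}},  # no profile at all
        {"InstanceId": "i-0ccc", "State": {"Name": "running"},
         "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/WebRole"}},
        {"InstanceId": "i-0ddd", "State": {"Name": "terminated"}},
    ]}
]
SAMPLE_SSM_INFO = [{"InstanceId": "i-0aaa", "PingStatus": "Online"}]

if __name__ == "__main__":
    # Offline demo on the sample data; call sweep([...], [...]) for a live run.
    for bucket, ids in classify(SAMPLE_RESERVATIONS, SAMPLE_SSM_INFO).items():
        print(f"{bucket}: {ids}")
```

The "no_profile" list is the input for whatever remediation you choose (a State Manager association or a Config remediation, as the answer suggests); the "profile_but_unregistered" list needs a different fix, since attaching a role again will not help an instance whose agent is not running or whose role lacks the SSM permissions. Hybrid-activated nodes ("mi-" IDs) returned by SSM simply never match an EC2 instance ID and are ignored.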
