The SSM agent doesn't require any inbound ports to be opened; all communication from the agent is outbound HTTPS to the SSM and EC2 Messages endpoints in the region where your instances are registered.
Hope that helps.
An inbound port is required to create a Systems Manager Session Manager session.
The minimum requirement seems to be port 22 inbound from the security group itself; port 22 can be happily blocked in the VPC NACL and just allowed on the Security Group from the security group to itself.
Session Manager does not require any inbound ports to support any of the features it supports. Even if you make use of the SSH tunneling feature of Session Manager (https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html), there's no need for any inbound ports to be open.
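To make the no-inbound-ports point concrete, here is an added audit helper (not from this thread and not AWS code) that takes a security group in the JSON shape returned by `aws ec2 describe-security-groups` and flags any inbound rule as unnecessary for Session Manager, while confirming that outbound TCP 443 (the agent's only requirement, towards the regional `ssm` and `ec2messages` endpoints) is allowed. The three sample groups are constructed data; the group IDs are placeholders.

```python
"""Audit a security group for an instance managed only over Session Manager.

Added example, not from the re:Post thread. The SSM agent makes outbound
HTTPS connections to ssm.<region>.amazonaws.com and
ec2messages.<region>.amazonaws.com and accepts nothing inbound, so the
target state is: no inbound rules, outbound TCP 443 permitted.
"""
from typing import Dict, List

SSM_PORT = 443  # outbound HTTPS to the regional ssm and ec2messages endpoints


def _rule_allows_tcp_port(rule: Dict, port: int) -> bool:
    """True if an IpPermissions entry covers TCP <port> (or all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "-1" is how the API encodes "all protocols"
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def _describe_sources(rule: Dict) -> str:
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    groups = [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
    return ", ".join(cidrs + groups) or "unspecified"


def audit_security_group(sg: Dict) -> Dict[str, object]:
    """Summarise whether a group matches the Session-Manager-only posture."""
    findings: List[str] = []
    inbound = sg.get("IpPermissions", [])
    outbound = sg.get("IpPermissionsEgress", [])

    # Every inbound rule is surplus for an instance reached only via SSM.
    for rule in inbound:
        proto = rule.get("IpProtocol")
        ports = "all ports" if proto == "-1" else f"{rule.get('FromPort')}-{rule.get('ToPort')}/{proto}"
        findings.append(f"inbound {ports} from {_describe_sources(rule)} is not needed for SSM")

    egress_443 = any(_rule_allows_tcp_port(r, SSM_PORT) for r in outbound)
    if not egress_443:
        findings.append("no outbound rule permits TCP 443; the agent cannot reach the SSM endpoints")

    return {
        "group_id": sg.get("GroupId"),
        "has_inbound": bool(inbound),
        "allows_outbound_443": egress_443,
        "ssm_only_posture": not inbound and egress_443,
        "findings": findings,
    }


# Constructed sample groups (placeholder IDs), in describe-security-groups shape.
SSM_ONLY_SG = {
    "GroupId": "sg-PLACEHOLDER1",
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
SSH_FROM_SELF_SG = {  # the "port 22 from itself" pattern mentioned in the thread
    "GroupId": "sg-PLACEHOLDER2",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-PLACEHOLDER2"}]},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
NO_EGRESS_SG = {  # locked down too far: the agent can never register
    "GroupId": "sg-PLACEHOLDER3",
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "10.0.0.2/32"}]},
    ],
}

if __name__ == "__main__":
    for group in (SSM_ONLY_SG, SSH_FROM_SELF_SG, NO_EGRESS_SG):
        result = audit_security_group(group)
        print(result["group_id"], "ssm_only_posture:", result["ssm_only_posture"])
        for line in result["findings"]:
            print("  -", line)
```

The helper reads the same structure `describe-security-groups` returns, so it can be pointed at real output once the constructed samples are swapped for `json.load` of the CLI result; the point it demonstrates is that the lockdown the thread describes is "no `IpPermissions` at all", not "port 22 from the group to itself".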