In summary, the procedures we need to take are as follows:<\/p>\n\n\n\n
- \n
- Install the SSM Agent on our Linux machine.<\/li>\n\n\n\n
- Create an IAM Service Role that our machine or the agents in our machine will use.<\/li>\n\n\n\n
- Create a Hybrid Activation and register our machine with the AWS System Manager.<\/li>\n\n\n\n
- Install and configure the CloudWatch agent on our Linux machine using the System Manager.<\/li>\n\n\n\n
- Install AWS CLI on our Linux machine using the System Manager.<\/li>\n<\/ol>\n\n\n\n
1. Install the SSM Agent<\/strong><\/h4>\n\n\n\n
There are several ways to install the SSM agent on your on-premise machine. One option, ideal for managing a large number of machines, is to utilise automation tools such as Ansible, Puppet, or Chef. But for this demonstration, we will log in to our machine and enter the following command:<\/p>\n\n\n\n
yum install -y https:\/\/s3.amazonaws.com\/ec2-downloads-windows\/SSMAgent\/latest\/linux_amd64\/amazon-ssm-agent.rpm<\/code><\/pre>\n\n\n\n![\"\"](\"http:\/\/mylinuxsite.com\/wordpress\/wp-content\/uploads\/2025\/07\/Screenshot-from-2025-07-18-18-27-36-1024x372.png\")
<\/a><\/figure>\n\n\n\nRefer to this<\/a> link if you are using a different Linux flavour.<\/p>\n\n\n\n
2. Create an IAM Service Role<\/strong><\/h4>\n\n\n\n
The IAM service role that we will create will be used by both the SSM agent and the CloudWatch agent, which will be installed later. When we run the registration command, the SSM agent cr<\/span>eates a credentials<\/em> file with a default<\/em> profile in the root account (or the account where the registration command is run), containing the ACCESS_ID and ACCESS_KEY derived from the IAM service role. <\/p>\n\n\n\n
Create a local text file with the following trust policy:<\/p>\n\n\n\n
cat <<EOF > MyOnPremServiceRole-Trust.json\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"ssm.amazonaws.com\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n}\nEOF<\/code><\/pre>\n\n\n\nCreate a role with the above trust policy:<\/p>\n\n\n\n
aws iam create-role \\\n --role-name MyOnPremServiceRole \\\n --assume-role-policy-document file:\/\/MyOnPremServiceRole-Trust.json<\/code><\/pre>\n\n\n\nAttached the policies (1) AmazonSSMManagedInstanceCore<\/a> and (2) CloudWatchAgentServerPolicy<\/a> to the role.<\/p>\n\n\n\n
aws iam attach-role-policy \\\n --role-name MyOnPremServiceRole \\\n --policy-arn arn:aws:iam::aws:policy\/AmazonSSMManagedInstanceCore \n\naws iam attach-role-policy \\\n --role-name MyOnPremServiceRole \\\n --policy-arn arn:aws:iam::aws:policy\/CloudWatchAgentServerPolicy<\/code><\/pre>\n\n\n\n![\"\"](\"http:\/\/mylinuxsite.com\/wordpress\/wp-content\/uploads\/2025\/07\/Screenshot-from-2025-07-18-21-04-17-1024x426.png\")
<\/a><\/figure>\n\n\n\n3. Create a Hybrid Activation<\/strong><\/h4>\n\n\n\n
Create a Hybrid activation using the following command:<\/p>\n\n\n\n
aws ssm create-activation \\\n --default-instance-name MyOnPremServers \\\n --description \"Activation for my on-prem servers\" \\\n --iam-role MyOnPremServiceRole \\\n --expiration-date \"2025-07-30T00:00:00\" \\\n --registration-limit 2 \\\n --region us-east-1 \\\n --tags \"Key=ServerOS,Value=CentOS7\"<\/code><\/pre>\n\n\n\nThe command should output the ActivationId<\/strong> and the ActivationCode<\/strong>. Use these values to register your machine.<\/p>\n\n\n\n
Log in to your server and run the following command:<\/p>\n\n\n\n
amazon-ssm-agent -register -code \"<ActivationCode>\" -id \"<ActivationId>\" -region \"us-east-1\"<\/code><\/pre>\n\n\n\n![\"\"](\"http:\/\/mylinuxsite.com\/wordpress\/wp-content\/uploads\/2025\/07\/Screenshot-from-2025-07-18-21-27-02-1-1024x143.png\")
<\/a><\/figure>\n\n\n\nVerify the Hybrid activation and registration from the console. First, go to the Hybrid Activations<\/em> panel. You should see an entry similar to the image below:<\/p>\n\n\n\n
![\"\"](\"http:\/\/mylinuxsite.com\/wordpress\/wp-content\/uploads\/2025\/07\/Screenshot-from-2025-07-18-21-22-39-1024x169.png\")
<\/a><\/figure>\n\n\n\nThen go to the Fleet Manager<\/em> panel. You should see your instance listed there with a Ping status<\/em> set to ‘Online’<\/em><\/span>.<\/p>\n\n\n\n
![\"\"](\"http:\/\/mylinuxsite.com\/wordpress\/wp-content\/uploads\/2025\/07\/Screenshot-from-2025-07-18-21-29-37-1024x214.png\")
<\/a><\/figure>\n\n\n\n4. Install and configure the CloudWatch agent.<\/strong><\/h4>\n\n\n\n
To test and demonstrate that the System Manager can now manage our machine, we will install and configure the CloudWatch agent using the System Manager Run Command<\/em>.<\/p>\n\n\n\n
First<\/em>, we need to install the CloudWatch agent package using the document AWS-ConfigureAWSPackage<\/strong>.<\/p>\n\n\n\n
aws ssm send-command \\\n --document-name \"AWS-ConfigureAWSPackage\" \\\n --parameters action=\"Install\",installationType=\"Uninstall and reinstall\",name=\"AmazonCloudWatchAgent\",version=\"latest\" \\\n --region us-east-1 \\ \n --targets Key=tag:ServerOS,Values=CentOS7<\/code><\/pre>\n\n\n\nVerify from the Run Command <\/em>panel that the run is successful. <\/p>\n\n\n\n
![\"\"](\"http:\/\/mylinuxsite.com\/wordpress\/wp-content\/uploads\/2025\/07\/Screenshot-from-2025-07-19-20-46-47-1024x556.png\")
<\/a><\/figure>\n\n\n\nYou can also verify this from the machine itself to confirm that the package is installed.<\/p>\n\n\n\n
![\"\"](\"http:\/\/mylinuxsite.com\/wordpress\/wp-content\/uploads\/2025\/07\/Screenshot-from-2025-07-19-11-23-55-1024x233.png\")
<\/a><\/figure>\n\n\n\nNext<\/em>, we need to instruct the CloudWatch agent to use the \/root\/.aws\/credentials<\/em> as our credential file. We accomplish this by uncommenting the lines in \/opt\/aws\/amazon-cloudwatch-agent\/etc\/common-config.toml,<\/strong> specifically the [credentials] <\/em>section and the shared_credential_profile<\/em> parameter, <\/span>and assigning a value of ‘default<\/em>‘.<\/span><\/p>\n\n\n\n
We will use the AWS-RunShellScript<\/strong> run document for this.<\/p>\n\n\n\n
aws ssm send-command \\\n --document-name \"AWS-RunShellScript\" \\\n --parameters '{\"workingDirectory\":[\"\/opt\/aws\/amazon-cloudwatch-agent\/etc\"],\"executionTimeout\":[\"3600\"],\"commands\":[\"if ! test -f common-config.toml.bak; then cp common-config.toml common-config.toml.bak; fi\",\"sed -e '\"'\"'s\/\\\\# \\\\[credentials\\\\]\/\\\\[credentials\\\\]\/'\"'\"' -e '\"'\"'s\/\\\\# shared_credential_profile = \\\\\\\"{profile_name}\\\\\\\"\/ shared_credential_profile = \\\\\\\"default\\\\\\\"\/'\"'\"' common-config.toml.bak > common-config.toml\"]}' \\\n --timeout-seconds 600 \\\n --region us-east-1 \\ \n --targets Key=tag:ServerOS,Values=CentOS7<\/code><\/pre>\n\n\n\nVerify the result of the run by taking the diff <\/em>between the original and the modified file.<\/strong><\/p>\n\n\n\n
![\"\"](\"http:\/\/mylinuxsite.com\/wordpress\/wp-content\/uploads\/2025\/07\/Screenshot-from-2025-07-19-16-25-56-1024x302.png\")
<\/a><\/figure>\n\n\n\nNext<\/em>, we need to add a default region to our \/root\/.aws\/credentials<\/strong><\/em>. This is necessary because the Run Command document we will execute later to configure and start the CloudWatch agent will read the tokens and region from this file.<\/p>\n\n\n\n
aws ssm send-command \\\n --document-name \"AWS-RunShellScript\" \\\n --parameters '{\"workingDirectory\":[\"\/root\/.aws\"],\"executionTimeout\":[\"3600\"],\"commands\":[\"if ! test -f credentials.bak; then cp credentials credentials.bak; fi\",\"sed '\"'\"'\/\\\\[default\\\\]\/a\\\\region = us-east-1'\"'\"' credentials.bak > credentials\"]}' \\\n --timeout-seconds 600 \\\n --region us-east-1 \\ \n --targets Key=tag:ServerOS,Values=CentOS7<\/code><\/pre>\n\n\n\nVerify the result of the run by taking the diff <\/em>between the original and the modified file.<\/strong><\/p>\n\n\n\n
![\"\"](\"http:\/\/mylinuxsite.com\/wordpress\/wp-content\/uploads\/2025\/07\/Screenshot-from-2025-07-19-17-46-11-1024x265.png\")
<\/a><\/figure>\n\n\n\nNext, we will create the CloudWatch agent configuration file and store it in the SSM Parameter Store. <\/p>\n\n\n\n
cat <<EOF > OnPremCWAgent-config.json\n{\n \"agent\": {\n \"metrics_collection_interval\": 60,\n \"run_as_user\": \"root\",\n \"region\": \"us-east-1\"\n },\n \"logs\": {\n \"logs_collected\": {\n \"files\": {\n \"collect_list\": [\n {\n \"file_path\": \"\/var\/log\/secure\",\n \"log_group_class\": \"STANDARD\",\n \"log_group_name\": \"MyOnPrem\",\n \"log_stream_name\": \"{local_hostname}\",\n \"retention_in_days\": -1\n }\n ]\n }\n }\n },\n\t\"metrics\": {\n \"namespace\": \"MyOnPremNamespace\",\n\t\t\"metrics_collected\": {\n\t\t\t\"cpu\": {\n\t\t\t\t\"measurement\": [\n\t\t\t\t\t\"cpu_usage_idle\"\n\t\t\t\t],\n\t\t\t\t\"metrics_collection_interval\": 60,\n\t\t\t\t\"resources\": [\n\t\t\t\t\t\"*\"\n\t\t\t\t],\n\t\t\t\t\"totalcpu\": true\n\t\t\t},\n\t\t\t\"disk\": {\n\t\t\t\t\"measurement\": [\n\t\t\t\t\t\"used_percent\"\n\t\t\t\t],\n\t\t\t\t\"metrics_collection_interval\": 60,\n\t\t\t\t\"resources\": [\n\t\t\t\t\t\"*\"\n\t\t\t\t]\n\t\t\t},\n\t\t\t\"diskio\": {\n\t\t\t\t\"measurement\": [\n\t\t\t\t\t\"write_bytes\",\n\t\t\t\t\t\"read_bytes\",\n\t\t\t\t\t\"writes\",\n\t\t\t\t\t\"reads\"\n\t\t\t\t],\n\t\t\t\t\"metrics_collection_interval\": 60,\n\t\t\t\t\"resources\": [\n\t\t\t\t\t\"*\"\n\t\t\t\t]\n\t\t\t},\n\t\t\t\"mem\": {\n\t\t\t\t\"measurement\": [\n\t\t\t\t\t\"mem_used_percent\"\n\t\t\t\t],\n\t\t\t\t\"metrics_collection_interval\": 60\n\t\t\t},\n\t\t\t\"net\": {\n\t\t\t\t\"measurement\": [\n\t\t\t\t\t\"bytes_sent\",\n\t\t\t\t\t\"bytes_recv\",\n\t\t\t\t\t\"packets_sent\",\n\t\t\t\t\t\"packets_recv\"\n\t\t\t\t],\n\t\t\t\t\"metrics_collection_interval\": 60,\n\t\t\t\t\"resources\": [\n\t\t\t\t\t\"*\"\n\t\t\t\t]\n\t\t\t},\n\t\t\t\"swap\": {\n\t\t\t\t\"measurement\": [\n\t\t\t\t\t\"swap_used_percent\"\n\t\t\t\t],\n\t\t\t\t\"metrics_collection_interval\": 60\n\t\t\t}\n\t\t}\n\t}\n}\nEOF\n\naws ssm put-parameter \\\n --region us-east-1 \\\n --name OnPremCWAgent-config \\\n --type String \\\n --value file:\/\/OnPremCWAgent-config.json<\/code><\/pre>\n\n\n\nPlease note that in our configuration file, we will collect the log file \/var\/log\/secure<\/em> and store it in the log group MyOnPrem<\/em>. We will also collect metrics, including disk usage, CPU usage, and memory usage and place them under MyOnPremNamespace<\/em> namespace.<\/p>\n\n\n\n
Finally, start the CloudWatch agent with the configuration file we uploaded to the SSM Parameter store. We will use the AmazonCloudWatch-ManageAgent <\/strong>document for this:<\/p>\n\n\n\n
aws ssm send-command \\\n --document-name \"AmazonCloudWatch-ManageAgent\" \\\n --parameters '{\"action\":[\"configure\"],\"mode\":[\"onPremise\"],\"optionalConfigurationSource\":[\"ssm\"],\"optionalConfigurationLocation\":[\"OnPremCWAgent-config\"],\"optionalRestart\":[\"yes\"]}' \\\n --timeout-seconds 600 \\\n --region us-east-1 \\\n --targets Key=tag:ServerOS,Values=CentOS7<\/code><\/pre>\n\n\n\nVerify the result of the run by checking if the amazon-cloudwatch-agent.service <\/strong>is running on the machine.<\/p>\n\n\n\n
![\"\"](\"http:\/\/mylinuxsite.com\/wordpress\/wp-content\/uploads\/2025\/07\/Screenshot-from-2025-07-20-09-15-26-1024x282.png\")
<\/a><\/figure>\n\n\n\nLogs under the log group ‘MyOnPrem’ <\/em>and metrics under the namespace ‘MyOnPre<\/em><\/span>mNamespace’<\/em> should also be created.<\/p>\n\n\n\n
![\"\"](\"http:\/\/mylinuxsite.com\/wordpress\/wp-content\/uploads\/2025\/07\/Screenshot-from-2025-07-19-19-37-04-m-1024x432.png\")
<\/a>Log Group<\/figcaption><\/figure>\n\n\n\n ![\"\"](\"http:\/\/mylinuxsite.com\/wordpress\/wp-content\/uploads\/2025\/07\/Screenshot-from-2025-07-19-19-39-46-1024x222.png\")
<\/a>Metrics<\/figcaption><\/figure>\n\n\n\n 5. Install AWS CLI on the Linux machine.<\/strong><\/h4>\n\n\n\n
For completion, we will install the AWS CLI on our Linux machine using the AWS RunShellScript <\/strong>document<\/span>.<\/p>\n\n\n\n
aws ssm send-command \\\n --document-name \"AWS-RunShellScript\" \\\n --parameters '{\"workingDirectory\":[\"\"],\"executionTimeout\":[\"3600\"],\"commands\":[\"curl \\\"https:\/\/awscli.amazonaws.com\/awscli-exe-linux-x86_64.zip\\\" -o \\\"awscliv2.zip\\\"\",\"unzip awscliv2.zip\",\".\/aws\/install\",\"\",\"\"]}' \\\n --timeout-seconds 600 \\\n --region us-east-1 \\\n --targets Key=tag:ServerOS,Values=CentOS7<\/code><\/pre>\n\n\n\n
![\"\"](\"http:\/\/mylinuxsite.com\/wordpress\/wp-content\/uploads\/2025\/07\/Screenshot-from-2025-07-18-18-27-36.png\")
<\/a><\/figure>\n\n\n\n