Use VPC endpoints with SSM Agent on EC2

To make SSM Agent use your virtual private cloud (VPC) endpoints, adjust its configuration file. AWS provides an amazon-ssm-agent.json.template file. On Linux, the file is in /etc/amazon/ssm/. On Windows, it is in C:\Program Files\Amazon\SSM\.

  1. Create a copy of the .template file and name it amazon-ssm-agent.json.
  2. Open the JSON file. The Endpoint values in the Mds and Ssm sections are blank by default.
  3. Set the Endpoint value in the Mds section to the DNS name of your EC2 Messages endpoint.
  4. Set the Endpoint value in the Ssm section to the DNS name of your SSM endpoint.

     "Mds": {
         "CommandWorkersLimit": 5,
         "StopTimeoutMillis": 20000,
         "Endpoint": "vpce-XXXXXXXX-yyyyyyyy.ec2messages.<region>.vpce.amazonaws.com",
         "CommandRetryLimit": 15
     },
     "Ssm": {
         "Endpoint": "vpce-XXXXXXXX-yyyyyyyy.ssm.<region>.vpce.amazonaws.com",
         "HealthFrequencyMinutes": 5,
         "CustomInventoryDefaultLocation": "",
         "AssociationLogsRetentionDurationHours": 24,
         "RunCommandLogsRetentionDurationHours": 336,
         "SessionLogsRetentionDurationHours": 336
     },

  5. Save your JSON file.
  6. Restart your SSM Agent.
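
The copy-and-edit steps above can be scripted with a check that each Endpoint value really is a VPC endpoint name for the right service and region, so that swapped or blank values are caught before the agent is restarted. This is an added example, not AWS code: the function names and the hostname pattern (derived from the placeholder names shown above) are assumptions.

```python
import json
import re
from pathlib import Path

# Assumed hostname shape, following the placeholders on this page:
# vpce-<id>-<suffix>[-<zone>].<service>.<region>.vpce.amazonaws.com
VPCE_RE = re.compile(
    r"^vpce-[0-9a-z]+-[0-9a-z]+(?:-[0-9a-z-]+)?\.(?P<service>[a-z0-9-]+)\."
    r"(?P<region>[a-z0-9-]+)\.vpce\.amazonaws\.com$"
)
# Config section -> service label its endpoint name must carry
EXPECTED = {"Mds": "ec2messages", "Ssm": "ssm"}


def check_endpoint(section, endpoint, region):
    """Return a list of problems with one Endpoint value (empty list = OK)."""
    m = VPCE_RE.match(endpoint or "")
    if not m:
        return [f"{section}.Endpoint is blank or not a VPC endpoint DNS name"]
    problems = []
    if m["service"] != EXPECTED[section]:
        problems.append(f"{section}.Endpoint points at service {m['service']!r}")
    if m["region"] != region:
        problems.append(f"{section}.Endpoint is in region {m['region']!r}")
    return problems


def build_config(template_text, mds_endpoint, ssm_endpoint, region):
    """Fill both Endpoint values into the template; raise if either is wrong."""
    cfg = json.loads(template_text)
    new = {"Mds": mds_endpoint, "Ssm": ssm_endpoint}
    problems = [p for s, e in new.items() for p in check_endpoint(s, e, region)]
    if problems:
        raise ValueError("; ".join(problems))
    for section, endpoint in new.items():
        cfg.setdefault(section, {})["Endpoint"] = endpoint
    return cfg


def install(directory, mds_endpoint, ssm_endpoint, region):
    """Steps 1-5: read the .template, write amazon-ssm-agent.json beside it."""
    d = Path(directory)
    template = (d / "amazon-ssm-agent.json.template").read_text()
    cfg = build_config(template, mds_endpoint, ssm_endpoint, region)
    (d / "amazon-ssm-agent.json").write_text(json.dumps(cfg, indent=4))
    return cfg
```

Call `install()` with the directory for your platform and the two endpoint DNS names, then restart the agent as in step 6.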