Setting up Systems Manager unified console for an organization - AWS Systems Manager

Setting up Systems Manager unified console for an organization

The setup process for the Systems Manager unified console experience is completed from the AWS Management Console with just a few clicks. To set up Systems Manager for an AWS Organizations organization, you must have access to the management account for your organization and another account in your organization to use as a delegated administrator. Access to the management account is only required to enable or disable Systems Manager. To manage your nodes, you'll use the delegated administrator account. When managing nodes across an organization, Systems Manager uses various dependent services to set up and enhance the functionality of the unified console. As a result, Systems Manager must enable trusted access and register a delegated administrator account for the following services:

  • AWS CloudFormation - Deploys resources required for Systems Manager to your accounts.

  • AWS Resource Explorer - Searching and filtering EC2 instances in your accounts.

  • AWS Systems Manager Explorer - Monitoring and troubleshooting the health of resources deployed for Systems Manager in your accounts.

  • AWS Systems Manager Quick Setup - Deploys Quick Setup configurations required for Systems Manager to your accounts.

Before you begin setting up Systems Manager for an organization, make sure you're not already over the quota for delegated administrators for any of these dependent services. Otherwise, you won't be able to register the delegated administrator accounts necessary to enable Systems Manager. When you enable Systems Manager for an organization, every account in your organization is included. At this time, there is no provision for excluding accounts from the setting up process. When you enable Systems Manager, you can choose the AWS Regions you want to include. Only Regions that currently support the unified console experience for Systems Manager can be selected. To learn more about the Regions where the console experience is available, see Supported AWS Regions.

Note

If you've created an aggregator index for Resource Explorer in a Region different than your home Region, Systems Manager demotes the current index. Then, Systems Manager promotes the local index in your home Region as the new aggregator index. During this time, only nodes for your home Region are displayed. This process can take up to 24 hours to complete.

The setup process for the Systems Manager console experience completes many prerequisite tasks for you. This includes creating and attaching instance profiles with the required IAM permissions to your nodes and more. Additionally, after the setup process completes you can select the Diagnose and remediate node task to automatically apply fixes to nodes that aren't reporting as managed by Systems Manager. This can include identifying issues such as network connectivity issues to the Systems Manager endpoints, and more.

To set up Systems Manager for an organization

  1. Log in to the management account for your organization.

  2. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.

  3. Enter the ID of the account you want to register as a delegated administrator.

  4. After the delegated administrator account is successfully registered, log in to the delegated administrator account you just registered and return to the Systems Manager console to finish setting up Systems Manager.

  5. Select Enable Systems Manager.

  6. In the Home Region section, you determine a Region where you want Systems Manager to aggregate your node data. By default, Systems Manager selects the Region you're currently using. To choose a different home Region, change the console to the Region you want to use before you set up Systems Manager. Node data is replicated across accounts and Regions for your organization and stored in the home Region. The Region you choose can't be changed after Systems Manager is set up. To use a different Region as the home Region for your organization, you must disable the unified console and complete the setup process again. If your organization uses IAM Identity Center, you must select the same Region where you set up IAM Identity Center as your home Region.

  7. In the Regions section, select the Regions where you want to enable Systems Manager.

  8. Choose Submit.

Depending on the size of your organization, it can take an extended amount of time to set up the Systems Manager unified console experience.