SSM Agent lost connection

lib/usertasks/descriptions/ec2-ssm-agent-connection-lost.md

19.0.1-dev, 1.3 KB
Auto-enrolling EC2 instances requires the SSM Agent to be installed and running on them. Some instances appear to have lost their connection to Amazon Systems Manager.

You can see which instances lost connection using the SSM Fleet Manager.

The most common issues for instances losing connection:

SSM Agent is not running

Ensure the SSM Agent is running on the instance and is not reporting any errors. Please check the instructions here.

SSM Agent can't reach the Amazon Systems Manager service

Ensure the instance's security groups allow outbound connections to Amazon Systems Manager endpoints. Allowing outbound traffic on port 443 is enough for the agent to connect to AWS.

Instance is missing IAM policy

The SSM Agent requires the AmazonSSMManagedInstanceCore managed policy. Ensure the instance has an IAM Profile and that the profile includes this policy. For more information, please refer to this page.

After following the steps above, you can mark the task as resolved. Teleport will try to auto-enroll these instances again.
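The three checks above can be scripted as a first-pass triage before logging in to each host. The following is an added example, not part of Teleport's code. It assumes you have already collected, per instance, the `PingStatus` from SSM, the policy ARNs attached to the instance profile's role, and the security groups' `IpPermissionsEgress` rules; the combined record layout and the key names `ProfilePolicyArns` and `Egress` are hypothetical.

```python
SSM_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

def egress_allows_443(egress_rules):
    """True if any rule (EC2 IpPermissionsEgress shape) permits outbound TCP 443.
    Destinations are not evaluated: a rule scoped to a CIDR or prefix list must
    still cover the Systems Manager endpoints the instance uses."""
    for rule in egress_rules:
        proto = rule.get("IpProtocol")
        if proto == "-1":  # all protocols and ports
            return True
        if proto in ("tcp", "6") and rule.get("FromPort", 1) <= 443 <= rule.get("ToPort", 0):
            return True
    return False

def triage(inst):
    """Return likely causes for one instance, following the checklist above."""
    if inst["PingStatus"] == "Online":
        return []
    causes = []
    policies = inst["ProfilePolicyArns"]  # None means no instance profile attached
    if policies is None:
        causes.append("no IAM instance profile")
    elif SSM_POLICY_ARN not in policies:
        causes.append("profile lacks AmazonSSMManagedInstanceCore")
    if not egress_allows_443(inst["Egress"]):
        causes.append("security groups block outbound 443")
    # Nothing wrong on the AWS side: the agent itself must be checked on the host.
    return causes or ["check SSM Agent status and logs on the instance"]

# Constructed sample data; instance IDs are placeholders, not real instances.
FLEET = [
    {"InstanceId": "i-EXAMPLE-A", "PingStatus": "ConnectionLost",
     "ProfilePolicyArns": None, "Egress": [{"IpProtocol": "-1"}]},
    {"InstanceId": "i-EXAMPLE-B", "PingStatus": "ConnectionLost",
     "ProfilePolicyArns": [SSM_POLICY_ARN],
     "Egress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80}]},
    {"InstanceId": "i-EXAMPLE-C", "PingStatus": "ConnectionLost",
     "ProfilePolicyArns": [SSM_POLICY_ARN],
     "Egress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443}]},
    {"InstanceId": "i-EXAMPLE-D", "PingStatus": "Online",
     "ProfilePolicyArns": [SSM_POLICY_ARN], "Egress": [{"IpProtocol": "-1"}]},
]

def report(fleet):
    """Map each disconnected instance ID to its list of likely causes."""
    return {i["InstanceId"]: triage(i) for i in fleet if triage(i)}

if __name__ == "__main__":
    for instance_id, causes in report(FLEET).items():
        print(instance_id, "->", "; ".join(causes))
```

An instance that passes both the IAM and egress checks still needs the agent inspected on the host, which is why the function falls back to that recommendation instead of reporting it as healthy.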