
AWS SSM added support for on-premises VMs recently. When following the user guide, I am a bit lost on "Step 3: Install a TLS certificate on On-Premises Servers and VMs". It states that: On base operating systems, on instances created from AMIs that are not supplied by Amazon, and on your own on-premises servers and VMs, you must install and enable a certificate from Amazon Trust Services using AWS Certificate Manager (ACM).

Each of your managed instances must have one of the following Transport Layer Security (TLS) certificates installed.

Amazon Root CA 1

Starfield Services Root Certificate Authority - G2

Starfield Class 2 Certificate Authority

Does it mean I need to get a certificate from ACM and install it on the VM if it is to communicate with AWS services? However, my understanding is that ACM is integrated with AWS services and they never give out private keys. Or do I need to add the CA to the VM?

Tony

1 Answer

Please browse through the document below; it will be helpful in understanding.

https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/

X-Men