Configuration of Amazon SSM

Unlink other Cloud providers like linode, rackspace and others AWS doesnot provide web based login interface for AWS instances.

1. However in AWS webconsole we can trigger ubuntu or windows based command to instances through  Amazon EC2 Systems Manager (AWS SSM). What's more interesting is that we can trigger the same code on all servers, so we do not have to login in each instance or use any other tools to fire commands in instances. It is greatly helpful if we anyhow dont have cli access to EC2 instance  or we want to fire a command on many servers.

In this blog we will learn to setup AWS SSM on Ubuntu instance. The procedure is almost same for all Linux/Windows based instances.

Requirement to setup AWS SSM

1. AWS SSM EC2 role on EC2 instance
2. AWS SSM agent on EC2 instance

AWS SSM EC2 role on EC2 instance

First we need assign a EC2 Role on our EC2 instance if don't has any role.

Login to AWS console go to IAM -> ROLES -> CREATE A ROLE -> PROVIDE ROLE NAME -> Select ROLE TYPE (AMAZON EC2) -> In ATTACH POLICY, SELECT "AmazonEC2RoleforSSM" -> CREATE ROLE

Now go to AWS EC2 service, Select Ec2 instance -> ACTIONS -> INSTANCE SETTINGS -> ATTACH/REPLACE IAM ROLE -> select your create ROLE -> SAVE

Now our EC2 instance will have IAM permission to communicate with SSM service.

AWS SSM agent on EC2 instance

Now we need to setup SSM agent on our instances so our instance can update the SSM service  about it's status  and to allow SSM service to trigger commands on the instance.

To install SSM agent download the the package from AWS s3 bucket and install the package. Here is shell script to download and install SSM agent on Ubuntu 64Bit  server.

#!/bin/bash
cd /tmp			
wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb # 64-Bit
# wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_386/amazon-ssm-agent.deb # 32-Bit
sudo dpkg -i amazon-ssm-agent.deb
sudo start amazon-ssm-agent

After installing the agent, it will update the SSM service about it's state.

Using AWS SSM

After giving AWS IAM Role and installing SSM agent, we will be able to run command from AWS console.

Login to AWS webconsole, Go to AWS EC2. In the Left column in SYSTEM MANAGER SERVICE.

1. Select RUN COMMAND
2. In document type, select AWS-RunShellScript
3. In target instance, Select all your instances on which you want to trigger the command
4. In commands, Type all the SHELL  commands you want to perform
5. Select the current working directory for the commands
6. Select Timeout on which the command will timeout
7. In advance options. Provide S3 Bucket information if you want to save the output
8. Enable SNS notification to send notification about the command status
9. Select RUN

In the end, there is AWS CLI equivalent command if we want to trigger the SSM service from aws CLI.

After running the command we can se the Output of the Action performed or we can use S3 bucket to view output, if selected.

NOTE:

1. After installing SSM agent, it may take some time for EC2 instance to be appear in SSM target instances list.
2. In commands use only Non-Interactive or Fully automated commands which dont require USER input so that the commands should wait for user input and TIMEOUT.
3. The commands are triggered using ROOT permissions, so update your command activity and permission according to requirements
4. At the time of writing this article SSM service was not available in Mumbai Region

THANKS