Set up AWS Run Command on EC2 machines

Posted By : Abhishek Kumar | 29-Dec-2016

AWS EC2 Run Command lets you remotely execute commands on your EC2 instances or on-premises instances using the web console or the AWS CLI.
Because instances are managed remotely, we do not need to log in to them to perform operations.

It supports executing shell scripts and commands on Linux machines, running PowerShell commands on Windows machines, installing or updating software or patches, and more.
AWS EC2 Run Command also lets us execute the same commands or scripts on multiple instances at once.

In this tutorial we explain how to execute Amazon EC2 Run Command on Linux machines.

Attach the SSM policy to your instance role

The EC2 instance must have permission to access the SSM service in AWS. For this you need to attach an SSM policy to the EC2 instance role.

1) Create an instance and assign an IAM role to it.

2) Create a policy that allows the EC2 instance to access the SSM service.

Here is the IAM policy of the managed policy "AmazonEC2RoleforSSM":

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeAssociation",
                "ssm:GetDeployablePatchSnapshotForInstance",
                "ssm:GetDocument",
                "ssm:GetParameters",
                "ssm:ListAssociations",
                "ssm:ListInstanceAssociations",
                "ssm:PutInventory",
                "ssm:UpdateAssociationStatus",
                "ssm:UpdateInstanceAssociationStatus",
                "ssm:UpdateInstanceInformation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2messages:AcknowledgeMessage",
                "ec2messages:DeleteMessage",
                "ec2messages:FailMessage",
                "ec2messages:GetEndpoint",
                "ec2messages:GetMessages",
                "ec2messages:SendReply"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ds:CreateComputer",
                "ds:DescribeDirectories"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::amazon-ssm-packages-*"
        }
    ]
}
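Every write-capable statement in the policy above is granted on "Resource": "*", so the instance role can write to any S3 bucket or log group in the account, not just the one that receives Run Command output. As an added example (not from the original post or from AWS), this small Python check lists those grants and produces a copy of the policy with the S3 object statement scoped to a single output bucket; the policy embedded in the code is a constructed excerpt of the one shown above, and the bucket name is a placeholder.

```python
import json
import re

# Constructed excerpt of the AmazonEC2RoleforSSM policy shown above: only the
# statements needed for the check are reproduced, with the same resources.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ssm:GetDocument", "ssm:UpdateInstanceInformation"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:PutLogEvents"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::amazon-ssm-packages-*"}
  ]
}
""")

# State-changing S3 and CloudWatch Logs actions: allowed on "*", they let a
# compromised instance write to any bucket or log group in the account.
WRITE_VERBS = re.compile(r"^(s3|logs):(Put|Create|Delete|Abort)", re.IGNORECASE)


def as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def broad_write_grants(policy):
    """Return the write actions that an Allow statement grants on Resource "*"."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "*" in as_list(stmt["Resource"]):
            findings.extend(a for a in as_list(stmt["Action"]) if WRITE_VERBS.match(a))
    return findings


def scope_s3_to_bucket(policy, bucket):
    """Copy of the policy with S3 object statements on "*" limited to one bucket."""
    scoped = json.loads(json.dumps(policy))  # deep copy; the input is left untouched
    for stmt in scoped["Statement"]:
        if stmt["Resource"] == "*" and all(a.startswith("s3:") for a in as_list(stmt["Action"])):
            stmt["Resource"] = f"arn:aws:s3:::{bucket}/*"  # object-level ARN for Put/Get/Abort
    return scoped


if __name__ == "__main__":
    print("write actions granted on every resource:", broad_write_grants(POLICY))
    print(json.dumps(scope_s3_to_bucket(POLICY, "my-runcommand-output"), indent=2))
```

The policy above only grants s3:ListBucket on arn:aws:s3:::amazon-ssm-packages-*, so if your command documents also fetch packages from that bucket, keep a separate s3:GetObject grant on it after scoping the object statement.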

3) Go to the "IAM" console -> Select "Roles" -> Select "Permissions" -> Select "Attach Policy" -> Select the predefined policy "AmazonEC2RoleforSSM" or your custom created policy.

Install the Simple Systems Manager (SSM) agent on your instance
  Download the SSM agent package from the Amazon S3 bucket

    For RHEL/CentOS/Amazon AMI 64-bit
        curl https://amazon-ssm-region.s3.amazonaws.com/latest/linux_amd64/amazon-ssm-agent.rpm -o amazon-ssm-agent.rpm

    For RHEL/CentOS/Amazon AMI 32-bit
        curl https://amazon-ssm-region.s3.amazonaws.com/latest/linux_386/amazon-ssm-agent.rpm -o amazon-ssm-agent.rpm

    Then install using
        sudo yum install -y amazon-ssm-agent.rpm

    Check status
        sudo status amazon-ssm-agent

    Start the service
        sudo start amazon-ssm-agent

    For Debian/Ubuntu 64-bit
        curl https://amazon-ssm-region.s3.amazonaws.com/latest/debian_amd64/amazon-ssm-agent.deb -o amazon-ssm-agent.deb

    For Debian/Ubuntu 32-bit
        curl https://amazon-ssm-region.s3.amazonaws.com/latest/debian_386/amazon-ssm-agent.deb -o amazon-ssm-agent.deb

    Install using
        sudo dpkg -i amazon-ssm-agent.deb

    Check status
        sudo status amazon-ssm-agent

    Start the SSM agent
        sudo start amazon-ssm-agent

    NOTE: Replace "region" in the URLs with the region in which the instance is running. The status/start commands above are Upstart commands; on systemd-based releases use "sudo systemctl status amazon-ssm-agent" and "sudo systemctl start amazon-ssm-agent".

  After successful installation and activation of the SSM agent, your instance will be visible in the "Managed Instances" section.

  Execute commands/scripts using Amazon EC2 Run Command

     1) Go to EC2 -> Run Commands
     2) In "Command Document", select "AWS-RunShellScript"
     3) In "Target Instances", select the instances on which you want to execute the commands. Only instances with the SSM agent installed are visible here.
     4) In "Commands", paste your command/script.
     5) In "Working Directory", choose the path from which you want to execute your command (optional).
     6) Set "Execution Time", after which the commands will be considered failed.
     7) Mention any comments as a note/label (optional).
     8) Set the timeout for the commands.
     9) Select the S3 bucket where the output of the command will be stored.
     10) Select the IAM role which has permission to publish to the SNS topic.
     11) Select the SNS topic ARN to which notifications about the command are sent.
     12) Set the notification type.

     13) Under "AWS Command Line Interface command" you will get the AWS CLI equivalent of the Run Command you configured.

     14) Select "RUN" to execute your commands on the selected instances.

     15) Once the command has executed, you can view its output by selecting the instance -> select the "Output" tab -> select "View Output".

  If you provided an S3 bucket, the output of the command will also be stored in that bucket.
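As an added example (not from the original post or from AWS), here is the same flow as steps 2 through 9 and 15 driven from code the way the CLI equivalent in step 13 is: run_shell() sends AWS-RunShellScript to an explicit list of instance ids, passing the document's executionTimeout (the console's "Execution Time") and SendCommand's TimeoutSeconds (the command timeout), then polls GetCommandInvocation until every instance has finished and fails loudly on anything other than Success. FakeSsmClient is a constructed stand-in so the snippet runs offline; for real use pass boto3.client("ssm") in its place, and the instance id and bucket name are placeholders.

```python
import time

class FakeSsmClient:
    """Constructed stand-in for boto3.client("ssm"): a real client has the same two
    calls with the same keyword arguments, so run_shell() works unchanged with it."""
    def __init__(self, statuses, stdout="", stderr=""):
        self._statuses = list(statuses)  # statuses returned by successive polls
        self._stdout, self._stderr = stdout, stderr
        self.sent = None                 # last send_command request, for inspection

    def send_command(self, **request):
        self.sent = request
        return {"Command": {"CommandId": "cmd-constructed-0001"}}

    def get_command_invocation(self, CommandId, InstanceId):
        status = self._statuses.pop(0) if len(self._statuses) > 1 else self._statuses[0]
        return {"Status": status, "StandardOutputContent": self._stdout,
                "StandardErrorContent": self._stderr}

STILL_RUNNING = {"Pending", "InProgress", "Delayed"}

def run_shell(client, instance_ids, commands, working_dir="/tmp", execution_timeout=3600,
              delivery_timeout=600, output_bucket=None, poll=0.0):
    """Send AWS-RunShellScript to explicit instance ids and collect each one's stdout.
    execution_timeout is the document's executionTimeout parameter (the console's
    "Execution Time"); delivery_timeout is SendCommand's TimeoutSeconds."""
    if not instance_ids:
        raise ValueError("refusing to send a command without explicit target instances")
    if not 30 <= delivery_timeout <= 2592000:
        raise ValueError("TimeoutSeconds must be between 30 and 2592000")
    request = {"DocumentName": "AWS-RunShellScript", "InstanceIds": list(instance_ids),
               "Parameters": {"commands": list(commands), "workingDirectory": [working_dir],
                              "executionTimeout": [str(execution_timeout)]},
               "TimeoutSeconds": delivery_timeout, "Comment": "run_shell example"}
    if output_bucket:  # same as the S3 bucket field in the console form
        request["OutputS3BucketName"] = output_bucket
    command_id = client.send_command(**request)["Command"]["CommandId"]
    results = {}
    for iid in instance_ids:
        while True:
            inv = client.get_command_invocation(CommandId=command_id, InstanceId=iid)
            if inv["Status"] in STILL_RUNNING:
                time.sleep(poll)
                continue
            if inv["Status"] != "Success":  # Failed, TimedOut, Cancelled, ...
                raise RuntimeError(f"{iid}: {inv['Status']}: {inv['StandardErrorContent']}")
            results[iid] = inv["StandardOutputContent"]
            break
    return command_id, results
```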

    

About Author

Abhishek Kumar

Abhishek is Redhat and AWS Certified and a keen python enthusiast. His hobbies are cycling and volleyball.
