AWS : Simple Systems Manager (SSM)
Amazon EC2 Simple Systems Manager (SSM) is an Amazon Web Services tool that lets us automatically configure virtual servers in the cloud or in an on-premises data center.
We can use scripts, commands or the Elastic Compute Cloud (EC2) console to manage EC2 instances, virtual machines (VMs) or servers hosted on other clouds, or within local environments such as Windows.
Our user account must be configured to communicate with the SSM API.
We use the following procedure to attach a managed AWS Identity and Access Management (IAM) policy to our user account that grants full access to SSM API actions.
To create the IAM policy for our user account:
- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Policies.
- In the Filter field, type AmazonSSMFullAccess and press Enter.
- Select the check box next to AmazonSSMFullAccess and then choose Policy Actions, Attach.
- On the Attach Policy page, choose the user account and then choose Attach Policy.
We must configure an AWS Identity and Access Management (IAM) instance profile role for Systems Manager.
The AmazonEC2RoleforSSM role should be attached to an Amazon EC2 instance. Let's create it first:
Attach the role while the instance is being created:
This role enables the instance to communicate with the Systems Manager API.
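The console steps above create the role and attach it to the instance through screenshots. As an added example that is not part of the original page, the following Python script performs the same setup through the boto3 IAM API: it creates a role whose trust policy allows only the EC2 service to assume it, attaches the AmazonEC2RoleforSSM managed policy named above, and wraps the role in an instance profile that can be passed when launching the instance. The role and profile names are hypothetical, and RecordingIam is a constructed stand-in for the IAM client so the call sequence can be checked without touching a real account.

```python
"""Create the EC2 instance profile role that the SSM agent needs, via boto3.

Added example, not code from the original page. Assumes boto3 credentials with
IAM permissions when run for real; role/profile names below are hypothetical.
"""
import json

# Managed policy the page attaches to the instance role.
SSM_INSTANCE_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"


def ec2_trust_policy() -> dict:
    """Trust policy that lets only the EC2 service (not users) assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def create_ssm_instance_profile(iam, role_name="ssm-instance-role", profile_name=None):
    """Create the role, attach AmazonEC2RoleforSSM, and wrap it in an instance profile.

    `iam` is a boto3 IAM client (or a stand-in exposing the same methods).
    Returns the instance profile name to pass as IamInstanceProfile when
    launching the EC2 instance.
    """
    profile_name = profile_name or role_name
    iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(ec2_trust_policy()),
        Description="Lets the SSM agent on EC2 talk to the Systems Manager API",
    )
    iam.attach_role_policy(RoleName=role_name, PolicyArn=SSM_INSTANCE_POLICY_ARN)
    # EC2 attaches instance profiles, not roles, so the role needs a profile around it.
    iam.create_instance_profile(InstanceProfileName=profile_name)
    iam.add_role_to_instance_profile(InstanceProfileName=profile_name, RoleName=role_name)
    return profile_name


class RecordingIam:
    """Constructed stand-in for the IAM client: records every call, hits no API."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return method


if __name__ == "__main__":
    import boto3
    # Against a real account; requires iam:CreateRole and related permissions.
    print("instance profile:", create_ssm_instance_profile(boto3.client("iam")))
```

The trust policy is the part worth checking: restricting the principal to ec2.amazonaws.com means only instances launched with this profile obtain the role's credentials. AmazonEC2RoleforSSM is the policy the page uses; AWS has since published the narrower AmazonSSMManagedInstanceCore policy, which is the better choice for new instances that only need the agent to function.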
The SSM agent processes Run Command requests and configures the instances specified in the request. The agent is installed by default on Windows instances; on Linux we must install it manually. The following procedure installs the agent on Ubuntu:
$ cd /tmp
$ wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
$ sudo dpkg -i amazon-ssm-agent.deb
$ sudo systemctl enable amazon-ssm-agent
We can use User data instead:
#!/bin/bash
cd /tmp
wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
sudo dpkg -i amazon-ssm-agent.deb
# Ubuntu 16.04 (the instance used below) runs systemd; the upstart form
# "sudo start amazon-ssm-agent" only applies to Ubuntu 14.04 and earlier.
sudo systemctl enable --now amazon-ssm-agent
We can check if the agent is running on the instance:
$ ps -ef | grep agent | grep -v grep
root      1723     1  0 01:13 ?        00:00:00 /usr/bin/amazon-ssm-agent
We can use the following steps to list all services running on the instance by using Run Command from the Amazon EC2 console.
To execute a command using Run Command from the EC2 console:
- In the navigation pane, choose Run Command:
- Choose Run a command:
- For Command document, choose AWS-RunPowerShellScript for Windows instances, and AWS-RunShellScript for Linux instances.
- For Target instances, choose the instance we created. If we don't see the instance, verify that we are currently in the same region as the instance we created. Also verify that we configured the IAM role and trust policies as described earlier.
- For Commands, type Get-Service for Windows, or ps -aux | less for Linux.
- (Optional) For Working Directory, specify a path to the folder on our EC2 instances where we want to run the command.
- (Optional) For Execution Timeout, specify the number of seconds the EC2Config service or SSM agent will attempt to run the command before it times out and fails.
- For Comment, provide a short description; it helps us identify this command later in our list of commands.
- For Timeout (seconds), type the number of seconds that Run Command should attempt to reach an instance before it is considered unreachable and the command execution fails.
- Choose Run to execute the command. Run Command displays a status screen. Choose View result.
- To view the output, choose the command invocation, then the Output tab, and then View Output.
We must either have administrator privileges on the instances we want to configure or we must have been granted the appropriate permission in IAM.
The following command returns a list of Linux and Windows documents:
$ aws ssm list-documents
DOCUMENTIDENTIFIERS   Command   1   AWS-ApplyPatchBaseline    Amazon   1.2
PLATFORMTYPES   Windows
PLATFORMTYPES   Linux
DOCUMENTIDENTIFIERS   Command   1   AWS-ConfigureAWSPackage   Amazon   2.0
PLATFORMTYPES   Windows
PLATFORMTYPES   Linux
...
To check if an instance is ready to receive commands:
$ aws ssm describe-instance-information --output text --query "InstanceInformationList[*]"
2.0.796.0   ip-172-31-38-206   172.31.38.206   i-0698042a954420857   True   1496457091.34   Online   Ubuntu   Linux   16.04   EC2Instance
Using Run Command and the AWS-RunShellScript document, we can execute any command or script on an EC2 instance as if we were logged on locally.
To view the description and available parameters, we can use the following command to view a description of the Systems Manager JSON document:
$ aws ssm describe-document --name "AWS-RunShellScript" --query "[Document.Name,Document.Description]"
AWS-RunShellScript   Run a shell script or specify the commands to run.
We can use the following command to view the available parameters and details about those parameters:
$ aws ssm describe-document --name "AWS-RunShellScript" --query "Document.Parameters[*]"
(Required) Specify a shell script or a command to run.   commands   StringList
(Optional) The path to the working directory on your instance.   workingDirectory   String
3600   (Optional) The time in seconds for a command to complete before it is considered to have failed. Default is 3600 (1 hour). Maximum is 28800 (8 hours).   executionTimeout   String
We may want to use the following command to get IP information for an instance:
$ aws ssm send-command --instance-ids "i-0698042a954420857" --document-name "AWS-RunShellScript" --comment "IP config" --parameters commands=ifconfig --output text
COMMAND   e4d8a901-34b7-480d-9e47-f0a71179be64   IP config   0   AWS-RunShellScript   0   1496465253.78   50   0   1496458053.78   Pending   Pending   1
INSTANCEIDS   i-0698042a954420857
NOTIFICATIONCONFIG
COMMANDS   ifconfig
The following command uses the Command ID returned by the previous command to get the details and response data of the command execution. The system returns the response data once the command has completed. If the status still shows "Pending", run this command again until the response data appears:
$ aws ssm list-command-invocations --command-id "e4d8a901-34b7-480d-9e47-f0a71179be64" --details
The following command displays the default user account running the commands:
$ sh_command_id=$(aws ssm send-command --instance-ids "i-0698042a954420857" --document-name "AWS-RunShellScript" --comment "Demo run shell script on Linux Instance" --parameters commands=whoami --output text --query "Command.CommandId")
The following command uses the Command ID to get the status of the command execution on the instance. This example uses the Command ID that was returned in the previous command:
$ aws ssm list-commands --command-id $sh_command_id
COMMANDS   136b1a05-6724-45f1-a23b-f98062fca64d   Demo run shell script on Linux Instance   1   AWS-RunShellScript   0   1496465641.83   50   0   1496458441.83   Success   Success   1
INSTANCEIDS   i-0698042a954420857
NOTIFICATIONCONFIG
COMMANDS   whoami
The following command uses the Command ID from the previous command to get the status of the command execution on a per instance basis:
$ aws ssm list-command-invocations --command-id $sh_command_id --details
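The CLI sequence above (send-command, then list-command-invocations, repeated while the status is "Pending") is exactly the loop a script has to implement. As an added example that is not code from the original page, the following Python function drives the same two boto3 SSM client calls, send_command and list_command_invocations, polls until the invocation leaves the Pending/InProgress states, and returns the plugin output. FakeSsm is a constructed stand-in client that reports Pending for a few polls and then Success, so the polling and timeout behaviour can be exercised offline; the "root" output it returns is constructed sample data.

```python
"""Send a shell command through Systems Manager Run Command and wait for its result.

Added example, not code from the original page. It uses the boto3 SSM client
methods send_command and list_command_invocations; FakeSsm, the zero UUID and
the "root" output are constructed test data.
"""
import time

# Invocation states in which the agent has not finished yet; keep polling on these.
IN_FLIGHT = {"Pending", "InProgress", "Delayed"}


def run_shell(ssm, instance_id, commands, comment="", timeout_s=60, poll_s=2.0, sleep=time.sleep):
    """Run `commands` on one instance with AWS-RunShellScript and return the outcome.

    `ssm` is a boto3 SSM client (or a stand-in with the same methods).
    Returns a dict with the command id, final Status, plugin response code and output.
    Raises TimeoutError if the invocation is still in flight after timeout_s.
    """
    sent = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunShellScript",
        Comment=comment,
        # executionTimeout is the document parameter listed by describe-document.
        Parameters={"commands": list(commands), "executionTimeout": [str(timeout_s)]},
    )
    command_id = sent["Command"]["CommandId"]

    max_polls = int(timeout_s / poll_s) + 1
    for _ in range(max_polls):
        resp = ssm.list_command_invocations(
            CommandId=command_id, InstanceId=instance_id, Details=True
        )
        invocations = resp.get("CommandInvocations", [])
        # Right after send_command the invocation may not exist yet, or may still be
        # Pending; both mean "not done, poll again".
        if invocations and invocations[0]["Status"] not in IN_FLIGHT:
            inv = invocations[0]
            plugins = inv.get("CommandPlugins") or [{}]
            return {
                "command_id": command_id,
                "status": inv["Status"],
                "response_code": plugins[0].get("ResponseCode"),
                "output": plugins[0].get("Output", ""),
            }
        sleep(poll_s)
    raise TimeoutError(f"command {command_id} still in flight after {timeout_s}s")


class FakeSsm:
    """Constructed stand-in for the SSM client: Pending for a few polls, then final."""

    def __init__(self, pending_polls=2, final_status="Success", output="root\n"):
        self.pending_polls = pending_polls
        self.final_status = final_status
        self.output = output
        self.polls = 0
        self.sent = None

    def send_command(self, **kwargs):
        self.sent = kwargs
        return {"Command": {"CommandId": "00000000-0000-4000-8000-000000000000", "Status": "Pending"}}

    def list_command_invocations(self, **kwargs):
        self.polls += 1
        done = self.polls > self.pending_polls
        status = self.final_status if done else "Pending"
        plugin = {
            "Name": "aws:runShellScript",
            "Status": status,
            "ResponseCode": (0 if status == "Success" else 1) if done else -1,
            "Output": self.output if done else "",
        }
        return {"CommandInvocations": [{
            "CommandId": kwargs["CommandId"],
            "InstanceId": kwargs["InstanceId"],
            "Status": status,
            "CommandPlugins": [plugin],
        }]}


if __name__ == "__main__":
    import boto3
    # Against a real account, with the instance id used on this page.
    result = run_shell(boto3.client("ssm"), "i-0698042a954420857", ["whoami"],
                       comment="Demo run shell script on Linux Instance")
    print(result)
```

Two points matter in practice: the poll loop is bounded by timeout_s so a stuck agent surfaces as a TimeoutError instead of an endless loop, and the same value is passed as the document's executionTimeout so the agent side gives up on a similar schedule. Because the agent runs commands as root on Linux, every send_command call is recorded in CloudTrail and worth alerting on when it comes from an unexpected principal.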