Amazon EC2 Run Command lets you manage EC2 instances, and servers or virtual machines registered with Systems Manager, remotely and securely. It gives you a simple way to automate common administrative tasks: running shell scripts and commands on Linux systems, running Windows PowerShell commands on Windows systems, installing software or patches, and so on.
One of the best features of Amazon EC2 Run Command is that it can execute the same script or command across many instances at once. It also gives you visibility into the results, which makes it easy to manage configuration changes across a fleet. To do this, EC2 Run Command relies on the Simple Systems Manager (SSM) agent service running on each instance. In this article, we give a step by step guide to using the SSM agent to manage an EC2 instance remotely and securely.
In order to complete this lab tutorial, you need to perform the following tasks:
- Grant Your User Account Access to Simple Systems Manager
- Install SSM Agent on EC2 Instance
- Create a Role for Systems Manager Managed Instances
- Attach Role to the Instance
- Test Run Command Output
Grant Your User Account Access to Simple Systems Manager
Your user account must be allowed to call the SSM API. Use the following procedure to attach a managed AWS Identity and Access Management (IAM) policy to your user account. This policy grants your user full access to all SSM API actions, which is convenient for a lab. In a production account, prefer a customer-managed policy limited to the actions the user really needs (for Run Command: ssm:SendCommand, ssm:ListCommands, ssm:ListCommandInvocations and ssm:GetCommandInvocation, with ssm:SendCommand scoped to specific instance and document ARNs), because anyone who can send commands to an instance effectively has root on it.
To attach the IAM policy to your user account, perform the following steps:
- Open the IAM management console.
- In the left pane, click Policies.
- In the Filter text box, type AmazonSSMFullAccess and press Enter.
- Select the AmazonSSMFullAccess policy from the search result.
- Click Actions and select Attach to attach this policy as shown in the following figure.
- On the Attach Policy page, select the user account (your account) for which you want to attach this policy.
Installing SSM Agent on EC2 Instance
The SSM agent is the component that actually carries out Run Command requests on the instance. It polls the Systems Manager service over outbound HTTPS, so no inbound port has to be opened on the instance for this to work. On Windows instances the agent is installed by default. On Linux instances, such as Amazon Linux, RHEL, and Ubuntu, you may need to install it manually (newer AMIs often ship with it preinstalled; run the status command further down to check before installing).
Depending on the Linux distribution you are using, the SSM agent installation process may differ slightly; if you are familiar with Linux, it should not be a big challenge. Here we explain the installation on Ubuntu 16.04. For other Linux platforms, refer to the following link.
We assume that you are already connected to the EC2 instance you want to manage with EC2 Run Command. If you run into problems, or want to learn more about the various ways to connect to an EC2 Linux instance, the following article will help.
To install the SSM agent on Ubuntu, perform the following steps:
- For x64 Ubuntu, run the following commands:
wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
sudo dpkg -i amazon-ssm-agent.deb
- For x86 (32-Bit) Ubuntu, run the following commands:
wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_386/amazon-ssm-agent.deb
sudo dpkg -i amazon-ssm-agent.deb
- Note that dpkg -i does not verify the signature of a locally downloaded package. AWS publishes a detached GPG signature (amazon-ssm-agent.deb.sig) in the same directory as each package, and the matching public key in the SSM Agent documentation; download the .sig file and check it with gpg --verify before running dpkg -i.
- Once the SSM agent installation is done, verify that the SSM agent service is running properly. To do so, execute the following command:
sudo systemctl status amazon-ssm-agent
- The status of the SSM agent service should be active (running), as shown in the above figure. If it is stopped or disabled for any reason, execute the following commands to enable and start the service manually:
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
Creating a Role for Systems Manager Managed Instances
In order to allow your instance to communicate with the Systems Manager API, you need to create a role that the EC2 service can assume on the instance's behalf. (Under the hood, EC2 attaches an instance profile rather than the role itself; the console creates an instance profile with the same name for you.) For this, perform the following steps:
- In the left pane of IAM management console, click Roles, and then select Create New Role to create a new IAM role.
- In the Select Role Type page, select Amazon EC2. You will be redirected to Attach policy page.
- In the Attach Policy page, select the AmazonEC2RoleforSSM managed policy as shown in the following figure and proceed to the next page. Be aware that AWS has since deprecated this policy because it also grants read and write access to S3 buckets across the account; its replacement, AmazonSSMManagedInstanceCore, contains only the permissions the agent needs and should be preferred in any account you care about.
- Specify the role name and click Create Role to finish the wizard.
Attaching Role to the Instance
Now that the role for SSM agent communication exists, assign it to the instance you want to manage. To do so, perform the following steps:
- Select the instance on which you have installed SSM agent earlier.
- Click Actions and navigate to Instance Settings>Attach/Replace IAM role as shown in the following figure.
- In the Attach/Replace IAM role page, select the role you have created for the instance previously and attach it.
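The role creation and attachment procedure above, done through the API instead of the console. This is an added example, not code from the article or from AWS: it takes boto3-style clients (pass boto3.client("iam") and boto3.client("ec2") for a real run; any object with the same methods works for a dry run), swaps in the AmazonSSMManagedInstanceCore policy for the article's AmazonEC2RoleforSSM, and makes the instance-profile step that the console hides explicit. The role name ssm-managed-instance and the instance ID taken from the command line are assumptions.

```python
"""Create the Systems Manager instance role and instance profile, then attach it
to an instance. Added example using boto3-style clients; the clients are
injected so the logic can be exercised offline with fakes."""
import json
import sys

# Trust policy: only the EC2 service may assume this role on the instance's behalf.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# AmazonSSMManagedInstanceCore carries only what the agent needs to register and
# receive commands. The article's AmazonEC2RoleforSSM also granted S3 access
# across the account, which is why AWS deprecated it.
SSM_CORE_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"


def create_ssm_instance_role(iam, role_name, policy_arn=SSM_CORE_POLICY_ARN):
    """Create role + instance profile; returns (role_arn, instance_profile_arn).

    `iam` is a boto3 IAM client or any object exposing the same four methods.
    """
    role = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY),
        Description="Lets SSM Agent on EC2 talk to Systems Manager",
    )
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    # The console does this silently: EC2 cannot take a bare role, it takes an
    # instance profile that wraps the role. Same name keeps the pair obvious.
    profile = iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return role["Role"]["Arn"], profile["InstanceProfile"]["Arn"]


def attach_instance_profile(ec2, instance_id, profile_name):
    """Equivalent of Actions > Instance Settings > Attach/Replace IAM role.

    IAM is eventually consistent: when called right after
    create_ssm_instance_role(), EC2 may not see the new profile for a few
    seconds. If the call is rejected, wait and retry rather than recreating.
    Returns the association ID.
    """
    resp = ec2.associate_iam_instance_profile(
        IamInstanceProfile={"Name": profile_name}, InstanceId=instance_id
    )
    return resp["IamInstanceProfileAssociation"]["AssociationId"]


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS

    instance = sys.argv[1]  # assumed usage: python3 setup_ssm_role.py i-0123456789abcdef0
    role_arn, profile_arn = create_ssm_instance_role(boto3.client("iam"), "ssm-managed-instance")
    print("role:", role_arn, "profile:", profile_arn)
    print("association:", attach_instance_profile(boto3.client("ec2"), instance, "ssm-managed-instance"))
```

The trust policy is the part worth reading twice: it is what stops anyone but the EC2 service from assuming the role, and it is the only reason the agent on the instance, and nothing else, receives these credentials.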
Testing EC2 Run Command
All prerequisites for managing EC2 instances with Run Command are now in place. To test and validate that Run Command can reach the instance through the SSM agent, perform the following steps:
- Switch back to the AWS EC2 console and click Run Command under the Systems Manager Services section, as shown in the following figure.
- In the Run Command list, you can select any of the available command documents. For example, select AWS-RunShellScript, as shown in the following figure.
- Scroll down to the Target Instances section and select the instance for which you have attached role and installed SSM agent.
Note: It may take some time until the instance appears in the target instance list, because the agent first has to register with Systems Manager using the instance role's credentials. If it still does not appear after a few minutes, restart the agent on the instance so it picks up the new credentials.
- Now scroll down to the Commands section. For demonstration purposes, we will list the running processes on the Linux instance through the SSM agent, using the ps aux command (ps -aux also works on most systems for BSD compatibility, but ps aux is the intended form). Keep in mind that AWS-RunShellScript runs as root on the instance, so whatever you type here runs with full privileges.
- Optionally, you can also specify the working directory, the execution timeout, and a comment. Click the Info button next to each option to see what it does.
- Type a descriptive message in the Comment box and accept the Default Timeout value.
- In the Advanced section, you can write the output to an S3 bucket and receive alerts if you have configured SNS notifications. For testing purposes, leave both options at their defaults. If you later send output to a bucket, keep the bucket private: the output contains whatever the command printed, including anything sensitive.
- Click Run to run the command.
Viewing Run Command’s Output
Make sure the command from the previous step ran successfully. If you get an error, review it and check the settings you made. To view the output of Run Command, perform the following steps:
- Click View Result on the page displayed after clicking the Run option of the previous steps.
- Select the Output tab and click View Output as shown in the following figure.
- The output should look like the following figure: exactly what you get when you run ps aux directly on a Linux machine. Note that the console truncates long output; to keep all of it, write the output to an S3 bucket as described above.
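The run-and-view cycle above, done programmatically: wait for the agent to register (the "may take some time" note), send AWS-RunShellScript, poll the invocation until it reaches a terminal state, and check the result rather than assume success. This is an added example, not code from the article or from AWS. It takes a boto3-style SSM client (boto3.client("ssm") for a real run; any object with the same methods works offline) and assumes the instance ID is passed on the command line; the command itself is the article's ps aux.

```python
"""Send a command through Run Command and collect its output. Added example;
the SSM client is injected so the flow can be exercised offline with a fake."""
import sys
import time

# Invocation statuses that will not change any further.
TERMINAL_STATUSES = {"Success", "Failed", "TimedOut", "Cancelled"}


def wait_for_managed_instance(ssm, instance_id, attempts=30, delay=10, sleep=time.sleep):
    """Poll until the agent on `instance_id` has registered and reports Online.

    Raises TimeoutError if it never does, which usually means the instance role
    is missing or the agent needs a restart to pick up the new credentials.
    """
    for _ in range(attempts):
        resp = ssm.describe_instance_information(
            Filters=[{"Key": "InstanceIds", "Values": [instance_id]}]
        )
        found = resp.get("InstanceInformationList", [])
        if found and found[0].get("PingStatus") == "Online":
            return found[0]
        sleep(delay)
    raise TimeoutError(f"{instance_id} never registered with Systems Manager")


def run_shell_script(ssm, instance_id, commands, timeout=600, comment="", poll=2, sleep=time.sleep):
    """Send AWS-RunShellScript and block until the invocation is terminal.

    Returns the GetCommandInvocation response. A non-zero exit status in the
    script is reported as Status "Failed", not raised as an exception, so the
    caller must inspect Status/ResponseCode.
    """
    sent = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunShellScript",
        Parameters={"commands": list(commands)},
        TimeoutSeconds=timeout,
        Comment=comment,
    )
    command_id = sent["Command"]["CommandId"]
    while True:
        try:
            inv = ssm.get_command_invocation(CommandId=command_id, InstanceId=instance_id)
        except ssm.exceptions.InvocationDoesNotExist:
            # The invocation record is created asynchronously; right after
            # send_command it may not exist yet.
            sleep(poll)
            continue
        if inv["Status"] in TERMINAL_STATUSES:
            return inv
        sleep(poll)


def summarize(inv):
    """Collapse an invocation into (ok, text): stdout on success, stderr or the
    status otherwise. Handy as a CI gate or for logging."""
    ok = inv["Status"] == "Success" and inv.get("ResponseCode", 0) == 0
    if ok:
        return True, inv.get("StandardOutputContent", "")
    return False, inv.get("StandardErrorContent") or inv["Status"]


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS

    client = boto3.client("ssm")
    target = sys.argv[1]  # assumed usage: python3 run_ps.py i-0123456789abcdef0
    wait_for_managed_instance(client, target)
    ok, text = summarize(run_shell_script(client, target, ["ps aux"], comment="list processes"))
    print(text)
    sys.exit(0 if ok else 1)
```

The sleep function is a parameter so the polling logic can be tested without waiting; in production the defaults use time.sleep. Because the script runs as root on the target, treat the list passed to run_shell_script with the same care as an SSH session as root.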
In this tutorial, we have explained, step by step, how to install the SSM agent on an EC2 Linux instance and how to use EC2 Run Command to manage EC2 instances remotely and securely. We hope you found it useful.