
Managing AWS-hosted VMs using EC2 Systems Manager

I’ve been doing a lot of work recently with Linux VMs that are hosted on Amazon Web Services’ EC2 service. As part of this work, I’ve been working on two problems in parallel:

  • Enabling automation of certain management commands for the VMs
  • Securing SSH

Part of the issue was that I thought I needed to have SSH available to enable remote administration. If that was true, I also needed to secure SSH access so that I could use it and malicious third parties couldn’t. However, whatever method I chose also needed to be easily accessible to my team so that they could access the AWS-hosted VMs in case of an emergency where I wasn’t available.

I went through a few iterations of SSH solutions, including investigating multi-factor authentication and setting up SSH bastions. In the end though, I discovered a surprising solution that fixed both of my problems: AWS’s EC2 Systems Manager.

Systems Manager allowed me to do the following:

  1. Manage my Linux VMs on EC2 without using SSH
  2. Block SSH access on my Linux VMs
  3. Run commands on multiple VMs at once
  4. Create a library of frequently used tasks and run those commands without needing to re-enter the scripts used to run those tasks.
  5. Not spend extra money on a management solution because AWS makes Systems Manager available at no cost to AWS customers.

For more details, please see below the jump.

To get started with EC2 Systems Manager, the first thing you need to do is create an IAM role that you can associate the following policy with:

AmazonEC2RoleforSSM

This AWS policy enables an EC2-hosted instance to communicate with Systems Manager.

Note: If you have an existing role associated with your EC2 instance, you can add the AmazonEC2RoleforSSM policy to that existing role.

Once you have your IAM role created, it needs to be associated with the instance. This can be done by either:

A. Assigning the role to the instance at the time of the instance’s creation

B. Assigning the role to an existing instance.

Once the role is associated with the appropriate instances, the next thing to do is install the Systems Manager agent on the EC2 instance. Once all the needed role and agent setup work is done, your VMs in a particular AWS region should register themselves with the EC2 Systems Manager for that region and you should be ready to go.

To access EC2 Systems Manager, please use the procedure shown below:

1. Log into the AWS web console

2. Select EC2

3. Select Managed Instances

A list of all managed instances for that AWS region will be displayed.

To see more detailed information, click on an instance.

To see inventory information, click on the Inventory tab.

Running commands

To run commands on an instance, use the procedure shown below.

1. Select the Run a command button.

2. Click the AWS-RunShellScript selection.

3. Select one or more instances.

4. Enter the command you want to run.

For this example, the uptime command is being run.

5. Once the command is entered, click the Run button.

6. If the command succeeded, you will see a Success message. To view the command’s run, click the link on the status message.

7. You’ll be taken to a command list that’s been filtered to just show that command. To see the result of the command, click the Output tab.

8. Under the Output tab, click the View Output link.

The output of the command is shown in a new window.

Note: The output available here is limited to 2500 characters.

9. Once finished viewing the command output, click the Close button.

In addition to commands, you can also run shell scripts in the Commands entry.

To build a library of commands to run, you can use EC2 Systems Manager Documents. These are JSON files that can be used to run commands, including Unix shell scripts. As an example, please see below for two Systems Manager Documents that I created for managing Jamf Pro’s Tomcat:

Stop Jamf Pro Tomcat EC2 Systems Manager Document:

Restart Jamf Pro Tomcat EC2 Systems Manager Document:

Both of these Documents are available on GitHub via the links below:

https://github.com/rtrouton/ec2_systems_manager/tree/master/restart_jamf_pro_tomcat

https://github.com/rtrouton/ec2_systems_manager/tree/master/stop_jamf_pro_tomcat
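As an added illustration of what such a Document looks like (this is not one of the Documents linked above), here is a single Systems Manager Command Document that covers both the stop and restart cases through an Action parameter; the `{{ Action }}` placeholder is Systems Manager’s own parameter substitution, while the `jamf.tomcat8` systemd service name is an assumption and should be replaced with the service name on your own Jamf Pro host.

```json
{
  "schemaVersion": "2.2",
  "description": "Added example, not the author's Document: stop or restart the Jamf Pro Tomcat service. The service name jamf.tomcat8 is an assumption.",
  "parameters": {
    "Action": {
      "type": "String",
      "description": "Whether to stop or restart Tomcat.",
      "default": "restart",
      "allowedValues": ["stop", "restart"]
    }
  },
  "mainSteps": [
    {
      "action": "aws:runShellScript",
      "name": "manageJamfProTomcat",
      "precondition": {
        "StringEquals": ["platformType", "Linux"]
      },
      "inputs": {
        "timeoutSeconds": "120",
        "runCommand": [
          "#!/bin/bash",
          "set -euo pipefail",
          "action='{{ Action }}'",
          "svc='jamf.tomcat8'",
          "case \"$action\" in",
          "  stop)    systemctl stop \"$svc\";    ! systemctl is-active --quiet \"$svc\" ;;",
          "  restart) systemctl restart \"$svc\";   systemctl is-active --quiet \"$svc\" ;;",
          "  *)       echo \"Unexpected action: $action\" >&2; exit 1 ;;",
          "esac",
          "systemctl status \"$svc\" --no-pager | head -n 5"
        ]
      }
    }
  ]
}
```

The allowedValues list keeps the parameter from being used to inject anything other than the two intended verbs, and the trailing `head -n 5` keeps the status output well inside the 2500-character limit the console shows.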
