I’ve been doing a lot of work recently with Linux VMs that are hosted on Amazon Web Services’ EC2 service. As part of this work, I’ve been working on two problems in parallel:
- Enabling automation of certain management commands for the VMs
- Securing SSH
Part of the issue was that I thought I needed to have SSH available to enable remote administration. If that was true, I also needed to secure SSH access so that I could use it and malicious third parties couldn’t. However, whatever method I chose also needed to be easily accessible to my team so that they could access the AWS-hosted VMs in case of an emergency where I wasn’t available.
I went through a few iterations of SSH solutions, including investigating multi-factor authentication and setting up SSH bastions. In the end, though, I discovered a surprising solution that fixed both of my problems: AWS’s EC2 Systems Manager.
Systems Manager allowed me to do the following:
- Manage my Linux VMs on EC2 without using SSH
- Block SSH access on my Linux VMs
- Run commands on multiple VMs at once
- Create a library of frequently used tasks and run those commands without needing to re-enter the scripts used to run those tasks.
- Not spend extra money on a management solution because AWS makes Systems Manager available at no cost to AWS customers.
For more details, please see below the jump.
To get started with EC2 Systems Manager, the first thing you need to do is create an IAM role that you can associate the following policy with:
AmazonEC2RoleforSSM
This AWS policy enables an EC2-hosted instance to communicate with Systems Manager.
Note: If you have an existing role associated with your EC2 instance, you can add the AmazonEC2RoleforSSM policy to that existing role.
Once you have your IAM role created, it needs to be associated with the instance. This can be done by either:
A. Assigning the role to the instance at the time of the instance’s creation
B. Assigning the role to an existing instance.
Once the role is associated with the appropriate instances, the next thing to do is install the Systems Manager agent on the EC2 instance. Once all the needed role and agent setup work is done, your VMs in a particular AWS region should register themselves with the EC2 Systems Manager for that region and you should be ready to go.
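As an added example (not from the original post), here is the same role-and-profile setup done with the AWS CLI instead of the console, so the exact permissions handed to the instance are visible in one place. The role name, instance id and trust-policy path are assumed placeholders. AmazonEC2RoleforSSM is the policy the post names; AWS has since marked it deprecated in favour of AmazonSSMManagedInstanceCore, which grants only what the agent needs, so the policy ARN sits in one variable for swapping. No call reaches AWS unless AWS_EXECUTE=1; by default each aws invocation is printed so the sequence can be reviewed first.

```shell
#!/bin/sh
# Added example, not the post's own procedure: create the IAM role and
# instance profile that Systems Manager needs and attach them to an
# instance. Role name, instance id and file path are assumed placeholders.

ROLE_NAME="${ROLE_NAME:-EC2SystemsManagerRole}"      # assumed role/profile name
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"      # placeholder instance id
TRUST_FILE="${TRUST_FILE:-${TMPDIR:-/tmp}/ec2-ssm-trust.json}"
# Policy named in the post. AWS now recommends the narrower
# arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore instead.
POLICY_ARN="${POLICY_ARN:-arn:aws:iam::aws:policy/AmazonEC2RoleforSSM}"

# Run the aws CLI for real only when AWS_EXECUTE=1; otherwise print the call.
aws_call() {
  if [ "${AWS_EXECUTE:-0}" = "1" ]; then aws "$@"; else printf '%s\n' "aws $*"; fi
}

# Trust policy: only the EC2 service may assume the role, so the attached
# permissions are usable by instances and by nothing else.
write_trust_policy() {
  cat > "$TRUST_FILE" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Create the role, attach the Systems Manager policy, and wrap the role in
# an instance profile (EC2 attaches roles through profiles, not directly).
create_ssm_role() {
  write_trust_policy
  aws_call iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "file://$TRUST_FILE"
  aws_call iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
  aws_call iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws_call iam add-role-to-instance-profile \
    --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
}

# Option B from the post: attach the profile to an instance that already exists.
attach_to_existing_instance() {
  aws_call ec2 associate-iam-instance-profile --instance-id "$1" \
    --iam-instance-profile "Name=$ROLE_NAME"
}

# Check that the instance has registered: it only appears here once the
# agent is running with the role in place.
list_managed_instances() {
  aws_call ssm describe-instance-information \
    --query 'InstanceInformationList[].[InstanceId,PingStatus,AgentVersion]' \
    --output table
}

create_ssm_role
attach_to_existing_instance "$INSTANCE_ID"
list_managed_instances
```

On the instance side, `systemctl status amazon-ssm-agent` confirms the agent is running; an instance with the role attached but no running agent never shows up in the managed-instance list.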
To access EC2 Systems Manager, please use the procedure shown below:
1. Log into the AWS web console
2. Select EC2
3. Select Managed Instances
A list of all managed instances for that AWS region will be displayed.
To see more detailed information, click on an instance.
To see inventory information, click on the Inventory tab.
Running commands
To run commands on an instance, use the procedure shown below.
1. Select the Run a command button.
2. Click the AWS-RunShellScript selection.
3. Select one or more instances.
4. Enter the command you want to run.
For this example, the uptime command is being run.
5. Once the command is entered, click the Run button.
6. If the command succeeded, you will see a Success message. To view the command’s run, click the link on the status message.
7. You’ll be taken to a command list that’s been filtered to just show that command. To see the result of the command, click the Output tab.
8. Under the Output tab, click the View Output link.
The output of the command is shown in a new window.
Note: The output available here is limited to 2500 characters.
9. Once finished viewing the command output, click the Close button.
In addition to commands, you can also run shell scripts in the Commands entry.
To build a library of commands to run, you can use EC2 Systems Manager Documents. These are JSON files that can be used to run commands, including Unix shell scripts. As an example, please see below for two Systems Manager Documents that I created for managing Jamf Pro’s Tomcat:
Stop Jamf Pro Tomcat EC2 Systems Manager Document:
Restart Jamf Pro Tomcat EC2 Systems Manager Document:
Both of these Documents are available on GitHub via the links below:
https://github.com/rtrouton/ec2_systems_manager/tree/master/restart_jamf_pro_tomcat
https://github.com/rtrouton/ec2_systems_manager/tree/master/stop_jamf_pro_tomcat
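As an added illustration of the Document format (this is a constructed example, not the author’s Documents linked above), the script below writes one schema 2.2 Systems Manager Document that stops or restarts the Tomcat service behind Jamf Pro, registers it, and runs it with Run Command. The document name, instance id and S3 bucket are assumed placeholders, and the default unit name jamf.tomcat8 is an assumption to check on your own hosts. The action is a parameter constrained by allowedValues, so a caller can only pick stop or restart and cannot pass arbitrary shell through it; full output is sent to an S3 bucket because, as the post notes, the console view is truncated. No call reaches AWS unless AWS_EXECUTE=1; otherwise the invocations are printed for review.

```shell
#!/bin/sh
# Added example, not the post's own Documents: a Systems Manager Document
# for managing a Tomcat service, plus the aws CLI calls to register and run
# it. Document name, instance id, bucket and unit name are assumptions.

DOC_NAME="${DOC_NAME:-Manage-Tomcat}"                   # assumed document name
DOC_FILE="${DOC_FILE:-${TMPDIR:-/tmp}/manage-tomcat.json}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"        # placeholder instance id
OUTPUT_BUCKET="${OUTPUT_BUCKET:-my-ssm-output-bucket}"   # placeholder bucket

# Run the aws CLI for real only when AWS_EXECUTE=1; otherwise print the call.
aws_call() {
  if [ "${AWS_EXECUTE:-0}" = "1" ]; then aws "$@"; else printf '%s\n' "aws $*"; fi
}

# One Document serves both tasks: "action" is restricted to stop|restart and
# "serviceName" to a unit-name pattern, so the parameters cannot carry
# arbitrary shell into the runCommand lines.
write_document() {
  cat > "$DOC_FILE" <<'EOF'
{
  "schemaVersion": "2.2",
  "description": "Stop or restart the Tomcat service behind Jamf Pro (constructed example)",
  "parameters": {
    "action": {
      "type": "String",
      "description": "What to do with the Tomcat service",
      "default": "restart",
      "allowedValues": ["stop", "restart"]
    },
    "serviceName": {
      "type": "String",
      "description": "systemd unit name for Tomcat (assumed default)",
      "default": "jamf.tomcat8",
      "allowedPattern": "^[A-Za-z0-9.@_-]+$"
    }
  },
  "mainSteps": [
    {
      "action": "aws:runShellScript",
      "name": "manageTomcat",
      "inputs": {
        "timeoutSeconds": "300",
        "runCommand": [
          "#!/bin/bash",
          "systemctl {{ action }} {{ serviceName }} || exit 1",
          "systemctl is-active {{ serviceName }} || true",
          "systemctl status {{ serviceName }} --no-pager | head -n 5"
        ]
      }
    }
  ]
}
EOF
}

# Register the Document with Systems Manager as a Command document.
register_document() {
  write_document
  aws_call ssm create-document --name "$DOC_NAME" --document-type Command \
    --document-format JSON --content "file://$DOC_FILE"
}

# Run the Document on one instance. $1 = stop|restart, $2 = instance id.
# Output goes to S3 as well, since the console view is truncated.
run_document() {
  aws_call ssm send-command --document-name "$DOC_NAME" --instance-ids "$2" \
    --parameters "{\"action\":[\"$1\"]}" \
    --output-s3-bucket-name "$OUTPUT_BUCKET" \
    --comment "Tomcat $1 via Systems Manager" \
    --query 'Command.CommandId' --output text
}

# Fetch status and output once the agent has finished. $1 = command id, $2 = instance id.
fetch_result() {
  aws_call ssm get-command-invocation --command-id "$1" --instance-id "$2" \
    --query '[Status,StandardOutputContent,StandardErrorContent]' --output text
}

register_document
if [ "${AWS_EXECUTE:-0}" = "1" ]; then
  CMD_ID="$(run_document restart "$INSTANCE_ID")"
  sleep 15   # give the agent time to pick up and finish the command
  fetch_result "$CMD_ID" "$INSTANCE_ID"
else
  run_document restart "$INSTANCE_ID"
  fetch_result '<command-id>' "$INSTANCE_ID"
fi
```

Keeping the stop and restart logic in one parameterised Document, rather than two with embedded scripts, means the shell lines are reviewed once and the only caller-controlled inputs are validated by Systems Manager before anything runs on the instance.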