01 By default, Systems Manager (SSM) has no permission to communicate with or perform actions on your Amazon EC2 instances. You grant that access with an Identity and Access Management (IAM) instance profile: the profile carries an IAM service role, and the SSM Agent running on the instance uses that role's temporary credentials to call the Systems Manager API. Start by creating the trust relationship policy for that role, which lets the EC2 service assume it on behalf of the instance. Save the following policy document to a JSON file named cc-ssm-role-trust-policy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
02 Run create-role command (OSX/Linux/UNIX) to create the required Amazon IAM role using the trust relationship policy defined at the previous step (i.e. cc-ssm-role-trust-policy.json):
aws iam create-role \
--role-name cc-ssm-role-for-managed-instances \
--assume-role-policy-document file://cc-ssm-role-trust-policy.json
03 The command output should return the information available for the new IAM role:
{
"Role": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}
]
},
"RoleId": "AAAABBBBCCCCDDDDEEEE",
"CreateDate": "2024-07-21T11:00:00Z",
"RoleName": "cc-ssm-role-for-managed-instances",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:role/cc-ssm-role-for-managed-instances"
}
}
04 Run attach-role-policy command (OSX/Linux/UNIX) to attach the specified AWS-managed policy to the newly created IAM role. The "AmazonSSMManagedInstanceCore" managed policy grants exactly the permissions the SSM Agent needs for Systems Manager core functionality on target Amazon EC2 instances. Keep it as the only policy on this role unless a specific capability needs more (for example, writing Run Command output or patch logs to an S3 bucket requires a separate policy scoped to that bucket); do not substitute a broader policy such as "AmazonSSMFullAccess". The command does not produce an output:
aws iam attach-role-policy \
--role-name cc-ssm-role-for-managed-instances \
--policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
05 Create the instance profile that will carry the new IAM role. Run create-instance-profile command (OSX/Linux/UNIX) to create the required IAM instance profile (IAM is a global service, so the --region parameter does not scope the profile to a region):
aws iam create-instance-profile \
--region us-east-1 \
--instance-profile-name cc-ssm-core-instance-profile
06 The command output should return the information available for the newly created instance profile:
{
"InstanceProfile": {
"InstanceProfileId": "ABCDABCDABCDABCDABCDA",
"Roles": [],
"CreateDate": "2024-07-21T12:00:00Z",
"InstanceProfileName": "cc-ssm-core-instance-profile",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:instance-profile/cc-ssm-core-instance-profile"
}
}
07 Run add-role-to-instance-profile command (OSX/Linux/UNIX) to add the IAM role created at step no. 2 to the instance profile created at step no. 5. An instance profile holds exactly one role (the command does not produce an output):
aws iam add-role-to-instance-profile \
--role-name cc-ssm-role-for-managed-instances \
--instance-profile-name cc-ssm-core-instance-profile
08 Run associate-iam-instance-profile command (OSX/Linux/UNIX) to associate the new IAM instance profile with the running Amazon EC2 instance that you want to manage with AWS Systems Manager (SSM). The command succeeds only if the instance has no instance profile attached yet; if it already has one, look up the existing association with describe-iam-instance-profile-associations and use replace-iam-instance-profile-association instead. The instance also needs the SSM Agent installed (it is preinstalled on Amazon Linux, Ubuntu Server and Windows Server AMIs) and network reachability to the ssm, ssmmessages and ec2messages endpoints, either through the internet or through VPC interface endpoints:
aws ec2 associate-iam-instance-profile \
--region us-east-1 \
--iam-instance-profile Name=cc-ssm-core-instance-profile \
--instance-id i-01234abcd1234abcd
09 The command output should return the details of the new instance profile association:
{
"IamInstanceProfileAssociation": {
"InstanceId": "i-01234abcd1234abcd",
"AssociationId": "iip-assoc-01234abcd1234abcd",
"IamInstanceProfile": {
"Id": "ABCDABCDABCDABCDABCDA",
"Arn": "arn:aws:iam::123456789012:instance-profile/cc-ssm-core-instance-profile"
}
}
}
10 Once the SSM Agent on the instance has picked up the role's credentials (this can take a few minutes; restarting the agent forces it), the instance is listed by describe-instance-information with a PingStatus of Online, and Systems Manager can act on it. You can now implement the Systems Manager core capabilities for managing EC2 instances. To enable the commonly used Systems Manager capabilities that allow you to securely manage your Amazon EC2 instances, run the following commands:
- Run create-association command (OSX/Linux/UNIX) to create an association that automatically updates the SSM Agent on a schedule that you specify, for the Amazon EC2 instance that you want to manage with Systems Manager. By default, State Manager runs a new association immediately after it is created and then according to the specified schedule (pass --apply-only-at-cron-interval to skip the initial run). For example, the --schedule-expression parameter below sets a schedule to run the association every Sunday at 5:00 AM (UTC):
aws ssm create-association \
--region us-east-1 \
--name "AWS-UpdateSSMAgent" \
--targets "Key=instanceids,Values=i-01234abcd1234abcd" \
--schedule-expression "cron(0 5 ? * SUN *)"
- The command output should return the "AWS-UpdateSSMAgent" association information:
{
"AssociationDescription": {
"ScheduleExpression": "cron(0 5 ? * SUN *)",
"Name": "AWS-UpdateSSMAgent",
"Overview": {
"Status": "Pending",
"DetailedStatus": "Creating"
},
"AssociationId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
"DocumentVersion": "$DEFAULT",
"LastUpdateAssociationDate": 1608877877.549,
"Date": 1608877877.549,
"AssociationVersion": "1",
"Targets": [
{
"Values": [
"i-01234abcd1234abcd"
],
"Key": "instanceids"
}
],
"ApplyOnlyAtCronInterval": false
}
}
- Run create-association command (OSX/Linux/UNIX) to create a Systems Manager (SSM) Inventory association for the specified Amazon EC2 instance. The system collects metadata from your instance according to the schedule configured for the association; the Windows-specific parameters (windowsRoles, windowsUpdates) are accepted but collect nothing on Linux instances:
aws ssm create-association \
--region us-east-1 \
--name "AWS-GatherSoftwareInventory" \
--targets "Key=instanceids,Values=i-01234abcd1234abcd" \
--schedule-expression "rate(1 day)" \
--parameters applications=Enabled,awsComponents=Enabled,customInventory=Enabled,instanceDetailedInformation=Enabled,networkConfig=Enabled,services=Enabled,windowsRoles=Enabled,windowsUpdates=Enabled
- The command output should return the "AWS-GatherSoftwareInventory" association configuration information:
{
"AssociationDescription": {
"ScheduleExpression": "rate(1 day)",
"Name": "AWS-GatherSoftwareInventory",
"Parameters": {
"windowsUpdates": [
"Enabled"
],
"awsComponents": [
"Enabled"
],
"customInventory": [
"Enabled"
],
"networkConfig": [
"Enabled"
],
"applications": [
"Enabled"
],
"instanceDetailedInformation": [
"Enabled"
],
"services": [
"Enabled"
],
"windowsRoles": [
"Enabled"
]
},
"Overview": {
"Status": "Pending",
"DetailedStatus": "Creating"
},
"AssociationId": "1234abcd-1234-abcd-1234-abcd1234abcd",
"DocumentVersion": "$DEFAULT",
"LastUpdateAssociationDate": 1608877877.126,
"Date": 1608877877.126,
"AssociationVersion": "1",
"Targets": [
{
"Values": [
"i-01234abcd1234abcd"
],
"Key": "instanceids"
}
],
"ApplyOnlyAtCronInterval": false
}
}
- Run create-association command (OSX/Linux/UNIX) to create an SSM association that scans the specified Amazon EC2 instance for missing patch updates by using the "AWS-RunPatchBaseline" document. "AWS-RunPatchBaseline" performs patching operations on Amazon EC2 instances for security-related and other types of updates, using the patch baseline that applies to the instance (the default baseline for its operating system unless the instance belongs to a patch group). With Operation=Scan the document only reports missing patches as compliance data and changes nothing on the instance; switch to Operation=Install (and choose RebootOption accordingly) to actually apply them. Without a --schedule-expression the association runs when it is created and is not re-run on a schedule, so add one, as in the previous two associations, to keep the compliance data current:
aws ssm create-association \
--region us-east-1 \
--name "AWS-RunPatchBaseline" \
--targets "Key=instanceids,Values=i-01234abcd1234abcd" \
--parameters "Operation=Scan,RebootOption=NoReboot"
- The command output should return the "AWS-RunPatchBaseline" association information:
{
"AssociationDescription": {
"Name": "AWS-RunPatchBaseline",
"Parameters": {
"Operation": [
"Scan"
],
"RebootOption": [
"NoReboot"
]
},
"Overview": {
"Status": "Pending",
"DetailedStatus": "Creating"
},
"AssociationId": "abcd1234-abcd-1234-abcd-abcd1234abcd",
"DocumentVersion": "$DEFAULT",
"LastUpdateAssociationDate": 1608877877.845,
"Date": 1608877877.845,
"AssociationVersion": "1",
"Targets": [
{
"Values": [
"i-01234abcd1234abcd"
],
"Key": "instanceids"
}
],
"ApplyOnlyAtCronInterval": false
}
}
11 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 8 – 10 for the instances in other cloud regions. The IAM role and instance profile created at steps no. 1 – 7 are global and can be reused in every region.
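Steps no. 1 – 11 as one re-runnable shell script, added here as an example; it is not part of the original page. It wraps the same AWS CLI commands into functions and adds the checks a practitioner wants before trusting the remediation: it reuses an existing role or instance profile instead of failing on "EntityAlreadyExists", falls back to replace-iam-instance-profile-association when the instance already has a profile (associate-iam-instance-profile fails in that case), and polls describe-instance-information until the instance reports Online before creating the three associations. The cc-ssm-* names, the policy ARN and the association parameters are the page's own; AWS_BIN, REGION and SLEEP_SECS are assumed environment variables (AWS_BIN lets you point at a wrapper or mock to dry-run the logic offline).

```shell
#!/bin/sh
# Added example, not code from the original page: steps 01-11 as one script.
# AWS_BIN, REGION and SLEEP_SECS are assumed variables for this illustration.
set -eu

AWS_BIN="${AWS_BIN:-aws}"          # set to a wrapper/mock to dry-run offline
REGION="${REGION:-us-east-1}"
SLEEP_SECS="${SLEEP_SECS:-15}"     # poll interval while waiting for the agent
ROLE_NAME="cc-ssm-role-for-managed-instances"
PROFILE_NAME="cc-ssm-core-instance-profile"
CORE_POLICY_ARN="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Step 01: the trust policy, emitted here so no hand-edited file is needed.
trust_policy() {
  cat <<'EOF'
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole"}]}
EOF
}

# Steps 02-07, safe to re-run: IAM is global, so this is done once per account.
ensure_role_and_profile() {
  if ! "$AWS_BIN" iam get-role --role-name "$ROLE_NAME" >/dev/null 2>&1; then
    "$AWS_BIN" iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(trust_policy)" >/dev/null
  fi
  # AttachRolePolicy is a no-op when the policy is already attached.
  "$AWS_BIN" iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$CORE_POLICY_ARN"
  if ! "$AWS_BIN" iam get-instance-profile --instance-profile-name "$PROFILE_NAME" >/dev/null 2>&1; then
    "$AWS_BIN" iam create-instance-profile --instance-profile-name "$PROFILE_NAME" >/dev/null
    "$AWS_BIN" iam add-role-to-instance-profile --role-name "$ROLE_NAME" \
      --instance-profile-name "$PROFILE_NAME"
  fi
}

# Step 08 plus the case the page skips: associate-iam-instance-profile fails
# when the instance already has a profile, so replace the existing association.
attach_profile_to_instance() {
  instance_id="$1"
  assoc_id=$("$AWS_BIN" ec2 describe-iam-instance-profile-associations --region "$REGION" \
    --filters "Name=instance-id,Values=$instance_id" "Name=state,Values=associated" \
    --query 'IamInstanceProfileAssociations[0].AssociationId' --output text)
  if [ -z "$assoc_id" ] || [ "$assoc_id" = "None" ]; then
    "$AWS_BIN" ec2 associate-iam-instance-profile --region "$REGION" \
      --iam-instance-profile "Name=$PROFILE_NAME" --instance-id "$instance_id"
  else
    "$AWS_BIN" ec2 replace-iam-instance-profile-association --region "$REGION" \
      --iam-instance-profile "Name=$PROFILE_NAME" --association-id "$assoc_id"
  fi
}

# Verification the page leaves out: associations only run once the SSM Agent
# has picked up the role's credentials and the instance reports Online.
wait_for_managed_instance() {
  instance_id="$1"; tries="${2:-20}"; i=0
  while [ "$i" -lt "$tries" ]; do
    status=$("$AWS_BIN" ssm describe-instance-information --region "$REGION" \
      --filters "Key=InstanceIds,Values=$instance_id" \
      --query 'InstanceInformationList[0].PingStatus' --output text 2>/dev/null || true)
    [ "$status" = "Online" ] && return 0
    i=$((i + 1)); sleep "$SLEEP_SECS"
  done
  echo "$instance_id never reported Online: check the agent and SSM endpoint reachability" >&2
  return 1
}

# Step 10: the three State Manager associations from the page.
create_core_associations() {
  instance_id="$1"; target="Key=instanceids,Values=$instance_id"
  "$AWS_BIN" ssm create-association --region "$REGION" --name AWS-UpdateSSMAgent \
    --targets "$target" --schedule-expression "cron(0 5 ? * SUN *)"
  "$AWS_BIN" ssm create-association --region "$REGION" --name AWS-GatherSoftwareInventory \
    --targets "$target" --schedule-expression "rate(1 day)" \
    --parameters applications=Enabled,awsComponents=Enabled,customInventory=Enabled,instanceDetailedInformation=Enabled,networkConfig=Enabled,services=Enabled,windowsRoles=Enabled,windowsUpdates=Enabled
  "$AWS_BIN" ssm create-association --region "$REGION" --name AWS-RunPatchBaseline \
    --targets "$target" --parameters "Operation=Scan,RebootOption=NoReboot"
}

# Whole remediation for one instance; re-run with REGION changed for step 11.
remediate_instance() {
  ensure_role_and_profile
  attach_profile_to_instance "$1"
  wait_for_managed_instance "$1"
  create_core_associations "$1"
}
```

Invoke it as remediate_instance i-01234abcd1234abcd with REGION set for each region. IAM is eventually consistent, so a freshly created instance profile can be rejected by associate-iam-instance-profile for a few seconds; re-running is safe through the instance-profile step, but create-association rejects a duplicate of an association that already exists, so update or delete the existing one rather than re-creating it.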