Managing Windows and Linux Without logging in — Bastion Free AWS SSM

Girish V P
Published in Tensult Blogs
Jun 20, 2018

This blog has moved from Medium to blogs.tensult.com, where the latest content is published.

Would you rather log in to every one of your systems to run a command, or do it from a central console? I do it from the console. Why open port 22 on each server every time I need to log in, and close it again when I am done? AWS Systems Manager (SSM) is a service that lets you automate tasks on instances without logging in to them: the SSM agent on the instance makes outbound connections to the SSM service endpoints, so no inbound SSH or RDP port has to be open at all. SSM can collect system inventory, apply operating system (OS) patches and configure the OS, and tasks can be scheduled. Below we run scripts on both a Linux and a Windows instance through SSM without logging in to either.

Traditionally, administrators keep a bastion instance and log in to production servers through it. A bastion adds operational and management overhead, and getting its security posture right takes real effort: SSH keys, passwords, inbound rules and access logs all have to be managed. SSM makes a bastion-free environment possible, where the only access path is an IAM-authenticated API call that CloudTrail records.

About Setup

We use CentOS 7 and Windows Server 2016; other versions of these OSes may need small changes to the configuration. The Linux commands below are run as root; running them as another user needs extra permissions and is not covered here. Note that commands sent through Run Command execute as root on Linux and as the LocalSystem account on Windows, so anyone allowed to call ssm:SendCommand against an instance has full control of it: treat that IAM permission as you would a root password.
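Step 1 of the procedure below creates the instance role in the console. As an added example that is not part of the original post, the following script does the same setup with the AWS CLI and adds what the console walkthrough leaves out: a scoped policy for the operators who will send commands, since ssm:SendCommand is root on the target. The role name role-SSM comes from the post; the policy name ssm-run-command-operator, the tag key ssm-managed and the choice of AmazonSSMManagedInstanceCore (the narrower policy AWS now recommends instead of AmazonEC2RoleforSSM) are this example's own assumptions. It assumes a configured AWS CLI v2 with IAM permissions and only calls AWS when run with the argument apply.

```shell
#!/bin/sh
# Added example, not from the original post: step 1 (the instance role) done
# with the AWS CLI, plus a scoped policy for the people who send commands.
# Assumes AWS CLI v2 with IAM permissions. Names other than role-SSM are this
# example's own choices.
set -u

# Trust policy: only the EC2 service may assume the instance role.
trust_policy_json() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Operator policy. ssm:SendCommand runs as root/SYSTEM on the target, so it is
# limited to the two stock documents and to instances tagged ssm-managed=true;
# SendCommand is authorised against both the document and the instance ARN.
operator_policy_json() {
    region=$1
    account=$2
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StockDocumentsOnly",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": [
        "arn:aws:ssm:*::document/AWS-RunShellScript",
        "arn:aws:ssm:*::document/AWS-RunPowerShellScript"
      ]
    },
    {
      "Sid": "TaggedInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ec2:${region}:${account}:instance/*",
      "Condition": {"StringEquals": {"ssm:resourceTag/ssm-managed": "true"}}
    },
    {
      "Sid": "ReadResults",
      "Effect": "Allow",
      "Action": [
        "ssm:GetCommandInvocation",
        "ssm:ListCommandInvocations",
        "ssm:ListCommands",
        "ssm:DescribeInstanceInformation"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Create the instance role and the instance profile EC2 needs to attach it.
# The post attaches AmazonEC2RoleforSSM; AmazonSSMManagedInstanceCore is the
# narrower policy AWS now recommends for the agent.
create_instance_role() {
    role=${1:-role-SSM}
    aws iam create-role --role-name "$role" \
        --assume-role-policy-document "$(trust_policy_json)"
    aws iam attach-role-policy --role-name "$role" \
        --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
    aws iam create-instance-profile --instance-profile-name "$role"
    aws iam add-role-to-instance-profile \
        --instance-profile-name "$role" --role-name "$role"
}

# Create the operator policy for the current account and region; attach it to
# the operators' group or role afterwards instead of a broad admin policy.
create_operator_policy() {
    account=$(aws sts get-caller-identity --query Account --output text)
    region=${AWS_REGION:-$(aws configure get region)}
    aws iam create-policy --policy-name ssm-run-command-operator \
        --policy-document "$(operator_policy_json "$region" "$account")"
}

# Only touch AWS when explicitly asked: ./ssm-iam.sh apply
if [ "${1:-}" = apply ]; then
    create_instance_role role-SSM
    create_operator_policy
fi
```

Launch the instances with the ssm-managed=true tag (and the role-SSM instance profile) and operators holding ssm-run-command-operator can run the two stock documents against them and read the results, but nothing else.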

Simple script to use SSM for an RPM package update on CentOS

OS: CentOS 7
AMI: ami-11f0837e
Platform: AWS
Script function: update RPM packages

1) Create an IAM role for EC2 named role-SSM (or any name you prefer) and attach the AWS managed policy AmazonEC2RoleforSSM to it. (AmazonEC2RoleforSSM has since been deprecated; AWS now recommends the narrower AmazonSSMManagedInstanceCore policy, which grants only what the agent needs.)

2) Launch a CentOS instance and attach the role role-SSM to it.

3) SSH to the instance, switch to root and run the following commands. They install the SSM agent and start its service. (To avoid even this one-time SSH login, put the same commands in the instance user data when you launch it.)

# mkdir /tmp/ssm
# cd /tmp/ssm
# yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
# systemctl enable amazon-ssm-agent
# systemctl start amazon-ssm-agent

4) Verify SSM agent status by executing the following command.

# systemctl status amazon-ssm-agent

5) Log in to the AWS web console and open the EC2 Dashboard.

6) Under the “Systems Manager Services” section click “Run Command”. In the right pane click the “Run a command” button.

7) In “Command document” select “AWS-RunShellScript”.

8) Under “Select Targets by” choose the instance. If the configuration so far is correct, the instance name appears in the list; an instance missing here usually means the agent is not running or the role lacks the SSM policy.

9) In the “Commands” field type the text below.

# yum update -y

10) Leave the other options at their defaults and click “Run”.

11) When the command completes, the orange “In Progress” status changes to green “Success”. You do not need to log in to verify the result: the command's stdout and stderr are shown under its command ID in the console. If kernel packages were updated, the instance must be rebooted.
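The Run Command steps above are done in the console. As an added example that is not part of the original post, the following shell script does the same with the AWS CLI and goes one step beyond the text: it uses the captured command output to decide whether the instance needs the reboot the last step mentions, by comparing the running kernel with the newest installed kernel package. The version comparison is a simplified form of rpm's ordering (numeric segments beat alphabetic ones, so 862.3.2.el7 is newer than 862.el7), written here so it can be checked offline. It assumes a configured AWS CLI v2 and jq on the workstation and an instance already registered with SSM; the instance ID is passed as an argument. The same ssm_run function drives the Windows instance of the next section if you pass AWS-RunPowerShellScript as the document name.

```shell
#!/bin/sh
# Added example, not from the original post: the Run Command steps via the
# AWS CLI, plus a reboot decision made from the captured command output.
# Assumes: AWS CLI v2 configured, jq installed, instance registered with SSM.
set -u

# vercmp A B: prints 1 if A is newer than B, -1 if older, 0 if equal.
# Simplified rpm ordering: split into digit and letter runs; compare
# numerically or alphabetically; a numeric segment beats an alphabetic one;
# when one string runs out, the one with more segments is newer.
vercmp() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        function tok(s, arr,   n) {
            n = 0
            while (match(s, /[0-9]+|[A-Za-z]+/)) {
                arr[++n] = substr(s, RSTART, RLENGTH)
                s = substr(s, RSTART + RLENGTH)
            }
            return n
        }
        NR == 1 { na = tok($0, a) }
        NR == 2 { nb = tok($0, b) }
        END {
            m = (na < nb) ? na : nb
            for (i = 1; i <= m; i++) {
                x = a[i]; y = b[i]
                xn = (x ~ /^[0-9]+$/); yn = (y ~ /^[0-9]+$/)
                if (xn && yn) {
                    if (x + 0 > y + 0) { print 1; exit }
                    if (x + 0 < y + 0) { print -1; exit }
                } else if (xn != yn) {
                    print (xn ? 1 : -1); exit
                } else {
                    if (x > y) { print 1; exit }
                    if (x < y) { print -1; exit }
                }
            }
            if (na > nb) print 1; else if (na < nb) print -1; else print 0
        }'
}

# newest_kernel: reads one kernel version per line on stdin, prints the newest.
newest_kernel() {
    best=
    while IFS= read -r k; do
        [ -z "$k" ] && continue
        if [ -z "$best" ] || [ "$(vercmp "$k" "$best")" = 1 ]; then best=$k; fi
    done
    printf '%s\n' "$best"
}

# reboot_needed RUNNING < installed-list: succeeds when a newer kernel than
# the running one is installed, i.e. the update needs a reboot to take effect.
reboot_needed() {
    newest=$(newest_kernel)
    [ "$(vercmp "$newest" "$1")" = 1 ]
}

# ssm_run INSTANCE_ID DOCUMENT 'commands': send one command, wait for it to
# finish, print its stdout, and succeed only if SSM reports Success.
ssm_run() {
    instance=$1; document=$2; commands=$3
    cmd_id=$(aws ssm send-command --instance-ids "$instance" \
        --document-name "$document" \
        --parameters "$(jq -n --arg c "$commands" '{commands: [$c]}')" \
        --query Command.CommandId --output text)
    while :; do
        # The invocation may not exist for a moment right after send-command.
        status=$(aws ssm get-command-invocation --command-id "$cmd_id" \
            --instance-id "$instance" --query Status --output text 2>/dev/null \
            || echo Pending)
        case $status in
            Pending|InProgress|Delayed) sleep 5 ;;
            *) break ;;
        esac
    done
    aws ssm get-command-invocation --command-id "$cmd_id" \
        --instance-id "$instance" --query StandardOutputContent --output text
    [ "$status" = Success ]
}

# Usage: ./ssm-update.sh run i-0123456789abcdef0   (instance ID is a placeholder)
if [ "${1:-}" = run ]; then
    instance_id=${2:?instance id required}
    ssm_run "$instance_id" AWS-RunShellScript 'yum update -y' >/dev/null \
        || { echo "$instance_id: yum update failed"; exit 1; }
    running=$(ssm_run "$instance_id" AWS-RunShellScript 'uname -r')
    if ssm_run "$instance_id" AWS-RunShellScript \
            "rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n'" \
        | reboot_needed "$running"; then
        echo "$instance_id: reboot required (running $running)"
    else
        echo "$instance_id: kernel up to date, no reboot needed"
    fi
fi
```

The decision is made on the workstation from the command output rather than on the instance, which is the point of the post: nothing here opens a shell on the server, and every SendCommand call is recorded by CloudTrail against the operator's identity.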

Simple PowerShell script using SSM (Windows Server 2016)

OS: Windows Server 2016
AMI: ami-bd8daed2
Platform: AWS
Script function: write the previous month's Security event log to a file

1) Launch a Windows Server 2016 instance and attach the role role-SSM created in the previous experiment. The SSM agent is preinstalled on the AWS-provided Windows Server 2016 AMIs, so there is no installation step.

2) Log in to the AWS web console and open the EC2 Dashboard.

3) Under the “Systems Manager Services” section click “Run Command”. In the right pane click the “Run a command” button.

4) In “Command document” select “AWS-RunPowerShellScript” this time.

5) Under “Select Targets by” choose the instance. If the configuration so far is correct, the instance name appears in the list.

6) In the “Commands” field type the following script, or replace it with your own PowerShell script. It runs as LocalSystem, which is why it can read the Security log without any extra privileges.

# Create the output directory once; Test-Path avoids an error on re-runs
if (!(Test-Path -Path "C:\tensult")) {
    New-Item -ItemType Directory -Path "C:\tensult" | Out-Null
}
# File name from the current month and year, e.g. Jun-2018.log
$YEAR  = Get-Date -Format yyyy
$MONTH = Get-Date -Format MMM
$FNAME = "$MONTH-$YEAR.log"
# Dump every Security log entry from the last month, all properties, to the file
Get-EventLog -LogName Security -After (Get-Date).AddMonths(-1) |
    Format-List -Property * |
    Out-File "C:\tensult\$FNAME"

7) Leave the other options at their defaults and click “Run”.

8) Log in to the Windows instance, open the directory C:\tensult and check that the log file has been created. To verify without logging in, add Get-ChildItem C:\tensult as the last line of the script and read the directory listing in the command's output in the console.

Conclusion

We have seen what SSM is and how it automates management tasks without logging in to the systems, giving a bastion-free environment. We now know how to run scripts through SSM on both Windows and Linux instances.
