Managing Windows and Linux Without logging in — Bastion Free AWS SSM

Girish V P
Jun 20, 2018 · 4 min read

Are you patient enough to log in to every one of your systems and execute commands, or would you rather do it from a centralised web console? I do it from my web console. Why should I open port 22 every time I log in to a server and close it again when I am done? AWS Systems Manager (AWS SSM) is a service that lets you automate tasks without logging in to the system. SSM can automate management tasks such as collecting system inventory, applying operating system (OS) patches, or configuring operating systems. Tasks can also be scheduled. Here we see how to execute scripts on both Windows and Linux instances without logging in to them.

Traditionally, admins maintain a bastion instance through which they log in to production servers. A bastion instance adds extra operational and management overhead, and it often takes a lot of effort to get the security posture right, because SSH keys, passwords and so on must be managed. SSM makes it possible to set up a bastion-free environment.

About Setup

We use CentOS 7 and Windows 2016. For other OS versions you may need to adjust the configuration slightly. Run this configuration as the root account; otherwise you have to grant the user sufficient permissions, which is not discussed here.

Simple Script to use SSM for RPM package updates in CentOS

AMI: ami-11f0837e
Platform: AWS
Script function: To update RPM packages

1) Create the AWS role role-ssm (or use an arbitrary name) and attach the AmazonEC2RoleforSSM AWS managed policy to it.

2) Launch the CentOS instance and attach the role role-ssm to it.

3) SSH to the instance, switch to root and execute the following commands. This installs the SSM agent on the instance and starts the service.

4) Verify the SSM agent status by executing the following command.

5) Log in to the AWS web console and open the EC2 dashboard.

6) Under the “Systems Manager Services” section click “Run Command”. In the right pane click the “Run a command” button.

7) In “Command document” select “AWS-RunShellScript”.

8) In “Select Targets by”, select the instance. If your configuration is correct so far, the instance names should be listed.

9) In the “Commands” box type the text below.

10) Leave all other options at their defaults and click “Run”.

11) Once the command completes, the orange “In Progress” status changes to a green “Success”. Log in to the system to verify that the packages are updated. If kernel packages were involved, reboot the instance.

Simple PowerShell Script using SSM (Windows 2016)

AMI: ami-bd8daed2
Platform: AWS
Script function: To create a log file of the previous month

1) Launch a Windows 2016 instance and attach the AWS role role-ssm (created in the previous experiment). The SSM agent is installed by default in Windows 2016.

2) Log in to the AWS web console and open the EC2 dashboard.

3) Under the “Systems Manager Services” section click “Run Command”. In the right pane click the “Run a command” button.

4) In “Command document” this time select “AWS-RunPowerShellScript”.

5) In “Select Targets by”, select the instance. If your configuration is correct so far, the instance names should be listed.

6) In the “Commands” box type the following text, or replace it with your own PowerShell script.

7) Leave all other options at their defaults and click “Run”.

8) Now log on to the Windows instance, open the directory C:\tensult and confirm that the log file has been created.
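The console steps in both procedures above (pick a document, select instance targets, type the commands, run, wait for “In Progress” to become “Success”) can be driven from the AWS SDK instead. The following is an added example, not code from the original post: it uses boto3's send_command and get_command_invocation calls; the instance ID, the region and the sample commands are constructed placeholders.

```python
import time

# Run Command documents the page uses, keyed by platform; both take a 'commands' parameter.
DOCUMENTS = {"linux": "AWS-RunShellScript", "windows": "AWS-RunPowerShellScript"}
# Invocation states after which SSM will not change the status again.
TERMINAL_STATES = {"Success", "Cancelled", "TimedOut", "Failed"}


def build_request(platform, instance_ids, commands, comment="run via SSM, no SSH"):
    """Keyword arguments for ssm.send_command(): the SDK equivalent of the console steps."""
    if platform not in DOCUMENTS:
        raise ValueError(f"unknown platform {platform!r}; expected one of {sorted(DOCUMENTS)}")
    if not instance_ids or not commands:
        raise ValueError("instance_ids and commands must both be non-empty")
    return {
        "DocumentName": DOCUMENTS[platform],
        "InstanceIds": list(instance_ids),           # explicit targets, as in 'Select Targets by'
        "Parameters": {"commands": list(commands)},  # the 'Commands' box content
        "Comment": comment,
        "TimeoutSeconds": 600,                       # how long the agent may take to pick it up
    }


def is_terminal(status):
    """True once an invocation has left Pending/InProgress/Delayed (the console's orange state)."""
    return status in TERMINAL_STATES


def run_and_wait(ssm, platform, instance_ids, commands, poll_seconds=5, max_wait=900):
    """Send the command, then poll each instance until it reaches a terminal state.
    Returns {instance_id: (status, stdout, stderr)}; instances still running after
    max_wait are reported as 'TimedOut' client-side so the caller never blocks forever."""
    command_id = ssm.send_command(**build_request(platform, instance_ids, commands))["Command"]["CommandId"]
    pending, results = set(instance_ids), {}
    deadline = time.monotonic() + max_wait
    while pending and time.monotonic() < deadline:
        time.sleep(poll_seconds)  # invocations appear a moment after send_command returns
        for iid in sorted(pending):
            inv = ssm.get_command_invocation(CommandId=command_id, InstanceId=iid)
            if is_terminal(inv["Status"]):
                results[iid] = (inv["Status"], inv.get("StandardOutputContent", ""),
                                inv.get("StandardErrorContent", ""))
                pending.discard(iid)
    for iid in pending:
        results[iid] = ("TimedOut", "", "client-side wait of %ds exceeded" % max_wait)
    return results


if __name__ == "__main__":
    import boto3  # real call; needs credentials with ssm:SendCommand and ssm:GetCommandInvocation
    client = boto3.client("ssm", region_name="us-east-1")  # region is an assumption
    # 'i-0123456789abcdef0' is a constructed placeholder, not an instance from the page.
    print(run_and_wait(client, "linux", ["i-0123456789abcdef0"], ["yum -y update"]))
```

The same run_and_wait call with platform "windows" sends the PowerShell document of the second procedure; the role attached to the instance still needs the SSM permissions set up in step 1 of the CentOS procedure.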

Conclusion

We have seen what SSM is and how it helps automate management tasks. Tasks can be automated without logging on to the system, giving a bastion-free environment. We now know how to run scripts with the help of SSM in both Windows and Linux environments.
