Automate AMI Creation For EC2 Instances Using Systems Manager

In this guide, we will learn how to automate AMI creation for EC2 instances using Systems Manager: a maintenance window runs the AWS-CreateImage automation document against a set of registered instances on a schedule.

If you want to know more about Systems Manager (SSM), and how to scan EC2 instances and run commands using Systems Manager, I have published separate articles that explain these in detail.

Check these articles related to Systems Manager:

RUN COMMANDS USING SYSTEMS MANAGER

SCAN EC2 INSTANCES FOR MALWARES USING SYSTEMS MANAGER

Process Involved

  • Registering the EC2 instances as managed instances.
  • Creating a maintenance window in Systems Manager.
  • Registering the EC2 instances as targets of the window.
  • Registering the automation task.

Supported Operating Systems

This process applies to both

  • Linux Operating System.
  • Windows Operating System.

Making EC2 Instances As Managed Instances

The EC2 instances for which you want to create AMIs must be listed as managed instances under Systems Manager.

For that, the SSM Agent has to be set up on the EC2 instances. Refer to the article below for the same.

Installing SSM agent on EC2 Instances

Once the SSM Agent is installed on the EC2 instances, we have to create an IAM role and attach it to the instances, so that the Systems Manager maintenance window has the necessary permissions to create an AMI of each instance. In this guide one role plays two parts: it is the instance profile attached to the EC2 instance, and it is the service role the maintenance window assumes when it runs the automation, which is why its trust policy has to name both ec2.amazonaws.com and ssm.amazonaws.com. Two things to keep in mind: if the instance already has a role carrying the managed-instance permissions the SSM Agent needs (for example AmazonSSMManagedInstanceCore), add the permissions below to that role rather than replacing it, or the instance will drop out of the managed instances list; and because the same role is attached to the instance, anything running on the instance also receives the maintenance-window permissions (such as ssm:SendCommand against other managed instances). For least privilege, keep the instance profile limited to what the agent needs and create a separate role, trusted only by ssm.amazonaws.com, as the window's service role.

Creating IAM Role

To create an IAM role, log in to the IAM console.

In the left pane, choose Roles, then click Create role.

Choose AWS service, and for the use case choose EC2.

Then choose Next: Permissions.

Search for AmazonSSMMaintenance and check AmazonSSMMaintenanceWindowRole. This managed policy grants the actions the maintenance window itself needs (sending commands, starting automation executions, describing instances); it does not include ec2:CreateImage, which is why an inline policy is added in the next step.

You can add tags. Choose Next: Review, specify a name for the IAM role, and click Create role.

Once the role is created, select it. Under Permissions, click Add inline policy.

You will see the below page.

Choose EC2 as the service. Under Actions, at the Write access level select CreateImage.

At the List access level, choose DescribeImages. These two actions are all the AWS-CreateImage document needs from EC2; do not grant ec2:* here.

Click Review policy, specify a name for the policy, and choose Create policy.

Select the role again, choose Trust relationships, and click Edit trust relationship.

You will see the default trust policy, which allows only ec2.amazonaws.com to assume the role.

We have to add ssm.amazonaws.com, so that Systems Manager can assume the role when the maintenance window runs the automation. Replace it with the policy below and click Update Trust Policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "ssm.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

If you want to know more about creating IAM roles and attaching or replacing roles on EC2 instances, check this article.

Attaching IAM Role With EC2 Instance

The next step is to attach the IAM role to the EC2 instances. To do so, log in to the EC2 console.

From the left pane, choose Instances and select the instance.

Under Actions, choose Instance settings, then Attach/Replace IAM Role.

In the IAM role drop-down menu, select the role and click Apply. Note that this replaces any role the instance already has; see the caveat above about keeping the agent's managed-instance permissions.

Creating Maintenance Window

To create a maintenance window, go to the AWS Systems Manager console.

In the left pane, under Actions & change, choose Maintenance Windows.

Choose Create maintenance window.

Provide a name for the maintenance window. Under Schedule, choose Cron schedule builder.

Set the window to start every Wednesday at 11 PM; you can modify the cron expression as per your requirement (the equivalent expression is cron(0 23 ? * WED *)). The schedule runs in UTC unless you set a schedule time zone, so check that the window falls in your intended off-peak hours.

I am specifying a total window duration of 3 hours and a cutoff of 1 hour, so no new tasks are started during the final hour of the window.

Then click Create maintenance window.

Registering Targets

Once the maintenance window is created, select it and, under Actions, choose Register targets.

You can optionally give the targets a name for identification.

Under Targets, select Choose instances manually.

From the list of EC2 instances, select the instance and click Register target.

Registering Automation Task

Select the maintenance window and, under Actions, choose Register Automation task.

You can optionally specify a name for the automation task. Under Automation document, choose AWS-CreateImage.

Under Targets, select the registered target group and choose its Window Target ID.

Set Concurrency to 1 and the Error threshold to 1, so that instances are imaged one at a time and the window stops scheduling further runs of the task after the first failure.

Under IAM service role, choose Use a custom service role and select the IAM role created in the previous step.

Under Input parameters, for the variable InstanceId pass the value {{TARGET_ID}}.

TARGET_ID is case sensitive. Systems Manager replaces it with the ID of each instance registered in the target, so the document runs once per instance.

NoReboot defaults to false, meaning EC2 reboots the instance (shuts it down and starts it again) before creating the AMI so that the file system is in a consistent state.

Pass the value true to avoid rebooting the instances, but then Amazon does not guarantee the file system integrity of the created image. Keep the default where a consistent image matters, for example on instances running databases.

Click Register Automation task.
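The whole procedure above, from the IAM role to the registered automation task, as an added example in Python with boto3 (this is not code from the original article). It departs from the article in one deliberate way: the maintenance window gets its own service role trusted only by ssm.amazonaws.com, so the instance profile never carries the window's permissions. The role and window names are hypothetical. The build_* functions only construct the request bodies and run offline; apply() is the only part that talks to AWS and needs credentials with IAM and SSM permissions.

```python
"""Scheduled AMI creation with AWS-CreateImage: role, window, target and task."""
from typing import Any

WINDOW_ROLE_NAME = "ssm-ami-maintenance-window-role"  # hypothetical role name
AUTOMATION_DOCUMENT = "AWS-CreateImage"                # AWS-owned automation document
MAINTENANCE_WINDOW_POLICY_ARN = (
    "arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole")


def build_trust_policy() -> dict[str, Any]:
    """Trust policy for the window's service role: only Systems Manager may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ssm.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def build_image_policy() -> dict[str, Any]:
    """Inline policy with the two EC2 actions AWS-CreateImage needs, as in the article.
    Resource stays "*" because DescribeImages has no resource-level permissions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ec2:CreateImage", "ec2:DescribeImages"],
            "Resource": "*",
        }],
    }


def actions_are_explicit(policy: dict[str, Any]) -> bool:
    """Least-privilege check: False if any statement grants a wildcard action."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any("*" in action for action in actions):
            return False
    return True


def build_window_params(name: str, schedule: str = "cron(0 23 ? * WED *)") -> dict[str, Any]:
    """Arguments for ssm.create_maintenance_window(): Wednesdays 23:00 UTC,
    3-hour window, no new tasks started in the last hour (as in the article)."""
    return {"Name": name, "Schedule": schedule, "ScheduleTimezone": "UTC",
            "Duration": 3, "Cutoff": 1, "AllowUnassociatedTargets": False}


def build_target_params(window_id: str, instance_ids: list[str]) -> dict[str, Any]:
    """Arguments for ssm.register_target_with_maintenance_window()."""
    return {"WindowId": window_id, "ResourceType": "INSTANCE", "Name": "ami-targets",
            "Targets": [{"Key": "InstanceIds", "Values": list(instance_ids)}]}


def build_task_params(window_id: str, window_target_id: str, role_arn: str,
                      no_reboot: bool = False) -> dict[str, Any]:
    """Arguments for ssm.register_task_with_maintenance_window(). Systems Manager
    expands {{TARGET_ID}} to each registered instance id, so the document runs
    once per instance; concurrency and error threshold are 1 as in the article."""
    return {
        "WindowId": window_id,
        "Targets": [{"Key": "WindowTargetIds", "Values": [window_target_id]}],
        "TaskArn": AUTOMATION_DOCUMENT,
        "ServiceRoleArn": role_arn,
        "TaskType": "AUTOMATION",
        "TaskInvocationParameters": {"Automation": {
            "DocumentVersion": "$DEFAULT",
            "Parameters": {
                "InstanceId": ["{{TARGET_ID}}"],
                # "false" (the document default) reboots for a consistent file system
                "NoReboot": ["true" if no_reboot else "false"],
            },
        }},
        "Priority": 1, "MaxConcurrency": "1", "MaxErrors": "1", "Name": "create-ami",
    }


def apply(instance_ids: list[str], region: str = "us-east-1") -> str:
    """Create the role, window, target and task in AWS; returns the window task id.
    Needs boto3 and credentials; the functions above never touch the network."""
    import json
    import boto3  # imported lazily so the build_* functions work without boto3

    assert actions_are_explicit(build_image_policy())
    iam = boto3.client("iam")
    ssm = boto3.client("ssm", region_name=region)
    role = iam.create_role(RoleName=WINDOW_ROLE_NAME,
                           AssumeRolePolicyDocument=json.dumps(build_trust_policy()))
    iam.attach_role_policy(RoleName=WINDOW_ROLE_NAME, PolicyArn=MAINTENANCE_WINDOW_POLICY_ARN)
    iam.put_role_policy(RoleName=WINDOW_ROLE_NAME, PolicyName="create-ami",
                        PolicyDocument=json.dumps(build_image_policy()))
    window_id = ssm.create_maintenance_window(**build_window_params("weekly-ami"))["WindowId"]
    target_id = ssm.register_target_with_maintenance_window(
        **build_target_params(window_id, instance_ids))["WindowTargetId"]
    return ssm.register_task_with_maintenance_window(
        **build_task_params(window_id, target_id, role["Role"]["Arn"]))["WindowTaskId"]
```

Because the instance profile is left alone, the instance keeps only the managed-instance permissions the SSM Agent needs, and the role that can create images and send commands exists solely for Systems Manager to assume during the window. Newly created IAM roles can take a few seconds to become usable by other services, so a retry around register_task_with_maintenance_window is worth adding in production.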

Wrapping Up

By following the above process, we can automate AMI creation for running EC2 instances using Systems Manager. Once the first window has run, confirm the result under the maintenance window's History tab and in the EC2 console's AMIs list.

Hope it helps. Thanks for reading my article.

Please do check out my other publications.