Run Commands Using Systems Manager
This blog post explains us on how to Run commands using Systems Manager on the remote EC2 Instance and On-premise servers.
What Is Systems Manager?
Systems Manager is an automation tool in Amazon Web Services.It helps you to execute commands in Remote servers on both AWS as well as On-premise servers by simply installing a package called ssm-agent.
It takes care of automating OS patches,creating images,Make configuration changes for Windows and Linux Operating systems.
You can manage the servers by creating a tasks and running them on target instances by registering it in Systems Manager Console.
Pre-Requisites:
- SSM-AGENT on target servers
- IAM Role
- Attach IAM Role to EC2 Instances
In order to bring the EC2 instances into Systems manager, We have to install SSM agent in all the machines.Once the ssm-agent is installed it will be called as Managed Instances in Systems Manager console.
Installing SSM Agent:
ssm-agent is the software which can be installed on all the servers for the systems manager to update , configure and run commands remotely.
For Instances such as Amazon Linux , Ubuntu 16.x & Ubuntu 18.x SSM agent will be available by default.
SSM agent will be installed based on the Operating systems.You can install either using debian installer packages or using snap packages on Ubuntu servers.
To install using snap:
You can check if ssm-agent is already installed using snap using the below command:
Here is the lists of commands to install and start the ssm-agent service.
snap list amazon-ssm-agent
snap install amazon-ssm-agent --classic
sudo systemctl start amazon-ssm-agent
sudo systemctl services amazon-ssm-agent
To install install using debian installer package:
Download the .deb package and install using the below command,
wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
dpkg -i amazon-ssm-agent.deb
systemctl start amazon-ssm-agent
systemctl status amazon-ssm-agent
Once you have ssm-agent installed on the EC2 instances , Lets go ahead and create necessary IAM role and attach it with the EC2 Instances.
If you want to configure the same in Amazon Linux 2 , RHEL 7 , Centos 7 Instances,Use the below commands.
sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
sudo systemctl status amazon-ssm-agent
Lets create an IAM role for the Systems manager to grant privileges to manage EC2 Intances.
Configuring IAM Role:
Open the IAM Console,
https://console.aws.amazon.com/iam/
In the left navigation panes , Choose Roles and then click Create role.
On select the type of identity page , Choose EC2 service , click Next:Permissions
On Attach permissions policy page , Choose SSMFullaccess role and then add a tag.
and then give a name to the role and click Create role.
We have created a role for the EC2 instance to communicate with SSM Manager.
Attach IAM Role To EC2 Instance:
Once the role is created, We have attach the IAM role with the respective EC2 Instance.
Go to EC2 console,
https://console.aws.amazon.com/ec2/v2/home
Refer these articles to create EC2 instance using Console and Terraform.
CREATE EC2 INSTANCE USING CONSOLE
CREATE EC2 INSTANCE USING TERRAFORM
Choose the instance , Under Actions , Click Instance settings,
Choose Attach / replace IAM role.
Select the role which you have created and click apply.
Now we have an IAM role attached to the EC2 Instance.
Now the Systems Manager has the ability to run tasks in the EC2 instances and automate the process using the maintenance window.
Systems Manager (SSM):
Lets go to Systems Manager console,
https://ap-southeast-1.console.aws.amazon.com/systems-manager/home
Under Instances and Nodes in the left navigation pane , You should see Managed Instances.
Managed Instances is nothing but a server / EC2 instance that is configured to be managed by Systems Manager.
And you should see the instances which you have configured with systems manager agent (SSM Agent).
Lets test this by manually running a Run command.
Choose Run command in the left pane ,
Choose Run a command , You will see the lists of pre-defined documents based on the tasks and the operating systems.
You should see AWS-RunShellScript , This is the document we are going to use to execute commands in the remote servers. Select that.
You can keep the document version as default.
Under command paramaters , We should pass the linux commands here.
Pass the command as shown below , You can change the folders as per your requirement.
And the path for saving the output should present in the ec2 instance.
For testing , I am syncing all the files from html to ubuntu folder.
rsync -avrP /var/www/html/ /home/ubuntu
Working directory and Execution Timeout set let is be as it is.
Under Targets , select Choose instances manually and select your instance.
Under Other paramaters, If your folders have huge data , It will obviously takes lot of time to scan each files and folders.
Max allowed execution time : 2,592,000 seconds.
Set the timeout as per your requirement.
Under output options , If you want the clamscan output to store in the S3 bucket , You can Enable writing to S3 bucket , then choose the bucket form the list.
And click Run.
And You can see that the process is completed.
But We should automate this process That is the reason we have come to Systems Manager.
SSM Maintenance Window:
First we need to create a Maintenance Window,
Under Actions and change in the left pane , choose Maintenance windows.
Click Create Maintenance Window
Give a name for the maintenance window,
You can select the schedule as per your needs, For example If I want to run the scanner everyday at 01:00 AM.
Configure Cron schedule builder,
For example , If you’re running tasks on multiple servers , Based on the server count we have to provide the time for the whole process to be completed.which is nothing by Duration.
And Stop initiating task , Lets say your maintenance window is 5 hours and you will ask SSM not to run any tasks before 1 of maintenance window.
Then add tag and click Create Maintenance window.
Click the maintenance window, Choose targets , click register targets ,
Give a name for the target and choose the instance manually , select the number of instance as you need.
Click register target.
Now the target is registered in Maintenance windows.
Lets create a task for the Targets.
Click Tasks , Under Register tasks , select register run command tasks.
Give a name to the task , select AWS-RunShellScript document
Under targets, Select the registered targets ,
Under Rate control , mention the number of target instance to which you want to run commands at a time and also If the error count is 10 the task will be stopped.
Use the service-linked role for systems manager.
Under Parameters , provide the clamscan command.
Maximize the execution timeout as per the count of the target instances and click Register Run command tasks.
If you want to send the output to S3 bucket. We need to attach an S3Fullaccess/S3putobject role to the role which we have created and attached with the EC2 Instances.
Now that We have successfully configured a setup to automatically perform tasks in EC2 instances based on the maintenance window and store the output in S3 bucket.
Hope this article helped you to mitigate the issues related to malwares and vulnerabilities using clamscan with the help of Systems Manager.
Please do check out my other publications.