********************************************************************************
* Description: Send command from MSWIN AWS CLI to Linux server on cloud via SSM
* Date: 12:09 PM EST, 03/19/2018
********************************************************************************

		 
<1> In practice, a large company's IT environment could contain hundreds or thousands of servers on AWS Cloud that need to be patched:
     |
     |__ o. AWS provides an option that lets a SYS admin send Linux commands within an API request from a Windows laptop to remote servers, performing the operation in batch.
 	 
		  



<2> Step 1 - Download and install AWS CLI for Windows platform:
     |
     |__ The Windows 64-bit .msi installer is attached as the "Download" option with the item.
     |
     |__ Reference: https://docs.aws.amazon.com/cli/latest/userguide/awscli-install-windows.html#awscli-install-windows-path





<3> Step 2 - Create an AWS programmatic access key pair:
     |
     |__ o. Log in to the AWS Console
             ==> IAM
             ==> Users
             ==> Click on the chosen "username"
             ==> Security Credentials
             ==> Create access key
             ==> Save the "Access key ID" [like a username] and the "Secret access key" [similar to a password].
                 CAUTION: The "Secret access key" is shown only once, when it is created. So, it needs to be saved properly somewhere.
			 
			 
             



			 

<4> Step 3 - Configure the AWS CLI with the "Access Key Pair" on the local Windows laptop via CMD:
     |
     |__ CMD> aws configure
	 

                 AWS Access Key ID: AKIOK8RM2WTOJ8J2HWSQ
                 AWS Secret Access Key: BYpos8lDuuKPpqmJdqIdOl2UYZglXfydKhlLwqI+
                 Default region name [us-east-1]: us-east-1
                 Default output format [json]: json	 
		  
		  
		  
		  
		  
<5> Step 4 - Install Amazon Service System Manager [SSM Agent] on the remote Cloud Linux servers:
     |
     |__ o. SSM acts as an agent that receives commands from remote servers via the AWS API to manipulate AWS services without logging in to the console.
     |
     |__ o. Reference - https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html
     |
     |__ o. Different Linux platforms and versions have different installation utilities or methods:
         |
         |
         |__ a) Redhat [64-bit]: 
         |
         |
         |          $ yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
         |          $ systemctl status amazon-ssm-agent ............ [RHEL 7.x]
         |          $ status amazon-ssm-agent ...................... [RHEL 6.x]
         |
         |
         |__ b) Ubuntu [64-bit, either of the installation utilities below]:
		 
                    $ wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
                    $ dpkg -i amazon-ssm-agent.deb          
                    $ status amazon-ssm-agent ..................... [Ubuntu 14.x]
                    $ systemctl status amazon-ssm-agent ........... [Ubuntu 16.x]
		 
		 
		  
		  
		  
		  
<6> Step 5 - Grant the SSM policy to either the AWS user or the EC2 server's IAM role:
     |
     |__ o. IAM Role:
     |   |
     |   |__ o. Log in to the AWS console, and go to "IAM"
     |   |      ==> "Roles"
     |   |      ==> "Create Roles" 
     |   |      ==> "AWS Services" 
     |   |      ==> "EC2" 
     |   |      ==> "EC2 Role for Simple Systems Manager" 
     |   |      ==> "AmazonEC2RoleforSSM"
     |   |      ==> Assign the role to target EC2 instance.
     |   |
     |   |__ o. CAUTION: An EC2 instance can have only one IAM role, but "AmazonEC2RoleforSSM" can be attached to an existing role.
     |    
     |
     |__ o. AWS user:
         |
         |__ o. If the user has "Administrator" permission, you can "add permission" and "attach existing policy directly" with "AmazonSSMFullAccess".
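
Added example (not part of the original note): a narrower alternative to "AmazonSSMFullAccess" for the AWS user in Step 5. It lets the access key from Step 2 send only the AWS-RunShellScript document, only to instances carrying a chosen tag, and read back the results. The account ID 111122223333, the tag PatchGroup=linux-batch and the Sid names are assumptions for illustration; us-east-1 is the region configured in Step 3.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RunShellScriptDocumentOnly",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ssm:us-east-1:*:document/AWS-RunShellScript"
    },
    {
      "Sid": "OnlyInstancesTaggedForBatchPatching",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/PatchGroup": "linux-batch"
        }
      }
    },
    {
      "Sid": "ReadCommandResults",
      "Effect": "Allow",
      "Action": [
        "ssm:ListCommands",
        "ssm:ListCommandInvocations",
        "ssm:GetCommandInvocation"
      ],
      "Resource": "*"
    }
  ]
}
```

With this policy a leaked access key can run shell commands only on the tagged servers, whereas "AmazonSSMFullAccess" allows every Systems Manager action on every managed instance in the account.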
	
    
	
