Run the following AWS CLI commands:
$ aws ec2 run-instances --image-id <Id-of-AMI-with-SSM-Agent-pre-installed> --subnet-id <subnet-id> --instance-type <instance-type> --associate-public-ip-address
$ aws iam create-role --role-name <role-name> --assume-role-policy-document '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}}'
Note: The command above has inline JSON. Run such commands only from bash (not from cmd/PowerShell, which quote JSON differently).
$ aws iam attach-role-policy --role-name <role-name> --policy-arn <ARN-of-AmazonSSMManagedInstanceCore-Policy>
$ aws iam create-instance-profile --instance-profile-name <instance-profile-name>
$ aws iam add-role-to-instance-profile --role-name <role-name> --instance-profile-name <instance-profile-name>
$ aws ec2 associate-iam-instance-profile --instance-id <ec2-instance-id> --iam-instance-profile Name=<instance-profile-name>
$ aws ec2 describe-iam-instance-profile-associations
$ aws ssm start-session --target <ec2-instance-id>
Note: start-session needs the Session Manager plugin for the AWS CLI installed on your workstation - https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html#install-plugin-debian
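The same sequence of steps collected into one script, as an added example (not part of the original post). It assumes AWS CLI v2, the Session Manager plugin and credentials allowed to manage IAM, EC2 and SSM; the role and instance profile names are hypothetical defaults, the instance id is a placeholder you supply, and the policy ARN is the AWS-managed AmazonSSMManagedInstanceCore policy. Two checks are added that the bare command list lacks: the instance id is validated before any IAM object is created, and the script waits for the SSM agent to register as Online before opening the session, which is the point at which a missing network path or instance profile shows up.

```bash
#!/usr/bin/env bash
# Added example: bootstrap SSM Session Manager access for one EC2 instance.
# Assumes AWS CLI v2, the Session Manager plugin and IAM/EC2/SSM permissions.
set -eu

ROLE_NAME="${ROLE_NAME:-ssm-session-role}"          # hypothetical name
PROFILE_NAME="${PROFILE_NAME:-ssm-session-profile}" # hypothetical name
INSTANCE_ID="${INSTANCE_ID:-}"                      # placeholder: i-0123456789abcdef0

# AWS-managed policy: the only permission the instance needs for Session Manager.
ssm_policy_arn() {
  printf '%s\n' 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
}

# Trust policy that lets only the EC2 service assume the role.
trust_policy() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}
EOF
}

# Instance ids are "i-" followed by 8 or 17 hex characters; reject anything else
# so a copy/paste slip fails here rather than after the IAM objects exist.
valid_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# Role + managed policy + instance profile, in the order the post uses.
create_role_and_profile() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$(ssm_policy_arn)"
  aws iam create-instance-profile --instance-profile-name "$PROFILE_NAME" >/dev/null
  aws iam add-role-to-instance-profile --role-name "$ROLE_NAME" \
    --instance-profile-name "$PROFILE_NAME"
}

# Attach the profile, wait for the agent to register, then open the session.
attach_and_connect() {
  aws ec2 associate-iam-instance-profile --instance-id "$INSTANCE_ID" \
    --iam-instance-profile "Name=$PROFILE_NAME" >/dev/null
  status=None
  for attempt in $(seq 1 30); do
    status=$(aws ssm describe-instance-information \
      --filters "Key=InstanceIds,Values=$INSTANCE_ID" \
      --query 'InstanceInformationList[0].PingStatus' --output text)
    [ "$status" = "Online" ] && break
    sleep 10
  done
  if [ "$status" != "Online" ]; then
    echo "instance never registered with SSM (check agent, instance profile, route to SSM)" >&2
    return 1
  fi
  aws ssm start-session --target "$INSTANCE_ID"
}

main() {
  valid_instance_id "$INSTANCE_ID" || { echo "usage: INSTANCE_ID=i-... $0" >&2; return 2; }
  create_role_and_profile
  attach_and_connect
}

# Only act when an instance id was supplied; sourcing the file for its helpers does nothing.
if [ -n "$INSTANCE_ID" ]; then main; fi
```

Run it as `INSTANCE_ID=i-... ./ssm-bootstrap.sh`; the instance must already be running an AMI with the SSM agent, as in the first command of the post.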
If the EC2 instances are in a private subnet, you can do either of the following:
- Route traffic to the internet through a NAT Gateway
- If you don't want to use a NAT Gateway, add the following Interface VPC endpoints (shown for eu-west-2; use your own region):
com.amazonaws.eu-west-2.ssm
com.amazonaws.eu-west-2.ssmmessages
com.amazonaws.eu-west-2.ec2messages
Link the subnets and Security Groups to these VPC endpoints. The Security Groups linked to these VPC endpoints should allow outbound HTTPS traffic to SSM.
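The endpoint setup from the list above as a script, added here as an example and not part of the original post. It assumes AWS CLI v2 and permissions to create security groups and VPC endpoints; the VPC id, subnet ids and the instances' security group id are placeholders you supply, and the region defaults to the eu-west-2 used in the post. One caveat worth making explicit: the security group attached to the endpoints is what receives the connections, so it needs an inbound rule for TCP 443 from the instances' security group (the instances' own group is the one that needs outbound 443). The script creates a dedicated endpoint group with only that inbound rule, and enables private DNS so the agent's default SSM hostnames resolve to the endpoints.

```bash
#!/usr/bin/env bash
# Added example: provision the Interface VPC endpoints Session Manager needs in a
# private subnet, with a security group that admits HTTPS only from the instances.
# Assumes AWS CLI v2 and EC2/VPC permissions.
set -eu

REGION="${REGION:-eu-west-2}"   # region used in the post
VPC_ID="${VPC_ID:-}"            # placeholder: vpc-...
SUBNET_IDS="${SUBNET_IDS:-}"    # placeholder: space-separated private subnet ids
INSTANCE_SG="${INSTANCE_SG:-}"  # placeholder: security group of the EC2 instances

# The three SSM services an instance must reach; service names are region-qualified.
endpoint_service_names() {
  region="$1"
  for svc in ssm ssmmessages ec2messages; do
    printf 'com.amazonaws.%s.%s\n' "$region" "$svc"
  done
}

# Region strings look like eu-west-2 or us-gov-west-1; anything else is a typo.
valid_region() {
  printf '%s' "$1" | grep -Eq '^[a-z]{2}(-gov)?-[a-z]+-[0-9]$'
}

# Endpoint security group: inbound 443 from the instances' group and nothing else.
create_endpoint_sg() {
  sg_id=$(aws ec2 create-security-group --region "$REGION" --vpc-id "$VPC_ID" \
    --group-name ssm-endpoint-sg --description "HTTPS from instances to SSM endpoints" \
    --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --region "$REGION" --group-id "$sg_id" \
    --protocol tcp --port 443 --source-group "$INSTANCE_SG" >/dev/null
  printf '%s\n' "$sg_id"
}

# One Interface endpoint per service, linked to the private subnets and the group above.
create_endpoints() {
  sg_id="$1"
  for name in $(endpoint_service_names "$REGION"); do
    # $SUBNET_IDS is intentionally unquoted so each id becomes its own argument.
    aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$VPC_ID" \
      --vpc-endpoint-type Interface --service-name "$name" \
      --subnet-ids $SUBNET_IDS --security-group-ids "$sg_id" --private-dns-enabled \
      --query 'VpcEndpoint.VpcEndpointId' --output text
  done
}

main() {
  valid_region "$REGION" || { echo "bad region: $REGION" >&2; return 2; }
  if [ -z "$VPC_ID" ] || [ -z "$SUBNET_IDS" ] || [ -z "$INSTANCE_SG" ]; then
    echo "usage: VPC_ID=vpc-... SUBNET_IDS='subnet-a subnet-b' INSTANCE_SG=sg-... $0" >&2
    return 2
  fi
  sg_id=$(create_endpoint_sg)
  create_endpoints "$sg_id"
}

# Only act when a VPC id was supplied; sourcing the file for its helpers does nothing.
if [ -n "$VPC_ID" ]; then main; fi
```

After the endpoints show as available, the start-session command from the first part of the post works against instances in those subnets without any internet route.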