AWS/SSM-Systems-Manager
Build the SSM agent from source with Docker (run from a checkout of the amazon-ssm-agent repository; the build runs inside the container, so Go does not need to be installed on the host)
sudo /etc/init.d/docker start
- docker ps (confirms the daemon is up before building)
docker build -t ssm-agent-build-image .
docker run -it --rm --name ssm-agent-build-container -v "$(pwd)":/amazon-ssm-agent ssm-agent-build-image make build-release
Conditions for AWS SSM to work on an instance
- Must be running the SSM agent, e.g. use an Amazon image with it pre-installed (Amazon Linux and the AWS-provided Windows AMIs ship it)
- The instance must have an instance profile whose role carries the "AmazonSSMManagedInstanceCore" managed policy
- The SSM endpoints must be reachable from the instance over HTTPS (443), either out to the internet or through VPC interface endpoints (PrivateLink):
  - ssm.region.amazonaws.com
  - ssmmessages.region.amazonaws.com
  - ec2messages.region.amazonaws.com
- If any of these is missing the instance never reports in (PingStatus is not "Online" in aws ssm describe-instance-information / Fleet Manager) and start-session fails with TargetNotConnected
AWS SSM port forward Windows RDP 3389 to local
Install the Session Manager plugin for the AWS CLI (session-manager-plugin must be on PATH)
- Install AWS CLI v2
- Log in to AWS
- Using ~/.aws/config profile keys
- aws configure sso / aws sso login
Connect and port forward (the session is authorised by the caller's IAM identity and tunnelled through the SSM endpoints, so the instance needs no inbound security-group rule on 3389; port forwarding needs SSM Agent 2.3.672.0 or later)
aws ssm start-session --profile ssoMyProfile --target i-0abcdefgh --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["3389"], "localPortNumber":["3389"]}'
- RDP with a client, e.g. Remmina, to localhost:3389
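The port-forward procedure above as a small wrapper script. This is an added example, not part of the original notes or of the AWS tooling: it validates the instance id and ports, builds the --parameters JSON for AWS-StartPortForwardingSession and, as a generalisation the notes do not cover, for AWS-StartPortForwardingSessionToRemoteHost (forwarding to a host reachable from the instance, e.g. a database in a private subnet), runs the preflight checks the "Conditions" section lists, and only then calls aws. The profile name ssoMyProfile, the instance id i-0123456789abcdef0 and the host db.internal are constructed placeholders. With DRY_RUN=1 it prints the composed command instead of talking to AWS.

```shell
#!/bin/sh
# Added example: preflight + port-forwarding wrapper around `aws ssm start-session`.
# Placeholders (profile, instance id, remote host) are constructed, not real resources.
set -eu

# An EC2 instance id is "i-" followed by 8 or 17 lowercase hex characters.
valid_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# A TCP port is an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Document name depends on whether we forward to the instance itself or onward
# to a remote host that only the instance can reach.
ssm_document_for() {
  if [ -n "${1:-}" ]; then
    printf 'AWS-StartPortForwardingSessionToRemoteHost'
  else
    printf 'AWS-StartPortForwardingSession'
  fi
}

# --parameters JSON: remote port, local port, and the optional remote host.
port_forward_parameters() {
  remote_port="$1"; local_port="$2"; remote_host="${3:-}"
  if [ -n "$remote_host" ]; then
    printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' \
      "$remote_host" "$remote_port" "$local_port"
  else
    printf '{"portNumber":["%s"],"localPortNumber":["%s"]}' "$remote_port" "$local_port"
  fi
}

# Printable form of the command (used for dry runs and logging), after validation.
ssm_forward_command() {
  profile="$1"; instance="$2"; remote_port="$3"; local_port="$4"; remote_host="${5:-}"
  valid_instance_id "$instance" || { echo "bad instance id: $instance" >&2; return 1; }
  valid_port "$remote_port" || { echo "bad remote port: $remote_port" >&2; return 1; }
  valid_port "$local_port" || { echo "bad local port: $local_port" >&2; return 1; }
  printf "aws ssm start-session --profile %s --target %s --document-name %s --parameters '%s'" \
    "$profile" "$instance" "$(ssm_document_for "$remote_host")" \
    "$(port_forward_parameters "$remote_port" "$local_port" "$remote_host")"
}

# Preflight: plugin on PATH, and the instance reporting to SSM as Online.
# Anything else usually means agent, instance profile or endpoint reachability.
ssm_preflight() {
  profile="$1"; instance="$2"
  command -v session-manager-plugin >/dev/null 2>&1 \
    || { echo "session-manager-plugin not installed" >&2; return 1; }
  status=$(aws ssm describe-instance-information --profile "$profile" \
    --filters "Key=InstanceIds,Values=$instance" \
    --query 'InstanceInformationList[0].PingStatus' --output text)
  [ "$status" = "Online" ] || { echo "$instance not Online in SSM: $status" >&2; return 1; }
}

# Usage: ssm_rdp_forward <profile> <instance-id> [local-port] [remote-port] [remote-host]
ssm_rdp_forward() {
  profile="$1"; instance="$2"; local_port="${3:-3389}"; remote_port="${4:-3389}"; remote_host="${5:-}"
  cmd=$(ssm_forward_command "$profile" "$instance" "$remote_port" "$local_port" "$remote_host")
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$cmd"
    return 0
  fi
  ssm_preflight "$profile" "$instance"
  # Call aws directly rather than eval'ing the printable string.
  aws ssm start-session --profile "$profile" --target "$instance" \
    --document-name "$(ssm_document_for "$remote_host")" \
    --parameters "$(port_forward_parameters "$remote_port" "$local_port" "$remote_host")"
}

# Example invocation with a constructed instance id; DRY_RUN avoids any AWS call.
DRY_RUN=1
ssm_rdp_forward ssoMyProfile i-0123456789abcdef0
```

Run it with DRY_RUN unset once the SSO login is done; for the remote-host variant pass the fifth argument, e.g. ssm_rdp_forward ssoMyProfile i-0123456789abcdef0 15432 5432 db.internal, then point the client at localhost:15432.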
Set up an instance profile -> role for EC2 SSM access
Terraform example (the role trusts ec2.amazonaws.com and carries only the AWS-managed AmazonSSMManagedInstanceCore policy; attach the profile to the instance with iam_instance_profile = aws_iam_instance_profile.ssm-profile.name)
resource "aws_iam_instance_profile" "ssm-profile" {
  name = "AmazonSSMManagedInstanceCore"
  role = aws_iam_role.AmazonSSMManaged.name
}

resource "aws_iam_role" "AmazonSSMManaged" {
  name = "AmazonSSMManagedInstance"
  #path = "/"
  assume_role_policy = data.aws_iam_policy_document.ssm-ec2.json
}

# Trust policy: only the EC2 service may assume this role (via the instance profile).
data "aws_iam_policy_document" "ssm-ec2" {
  statement {
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
    actions = ["sts:AssumeRole"]
  }
}

# Least privilege for SSM: the Core policy covers agent registration, Session Manager
# and Run Command; add further policies only if the instance needs more.
resource "aws_iam_role_policy_attachment" "SSM" {
  role       = aws_iam_role.AmazonSSMManaged.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}