Differences between revisions 4 and 5

AWS/SSM-Systems-Manager

sudo /etc/init.d/docker start

docker ps

docker build -t ssm-agent-build-image .

docker run -it --rm --name ssm-agent-build-container -v pwd:/amazon-ssm-agent ssm-agent-build-image make build-release

Conditions for AWS SSM to work on instance

Must be running the SSM agent, e.g. use Amazon image with it pre-loaded
The Instance must have a Instance Profile/Policy with "AmazonSSMManagedInstanceCore"
The SSM endpoint must be reachable for the instance, out to internet or PrivateLink.
- ssm.region.amazonaws.com
- ssmmessages.region.amazonaws.com
- ec2messages.region.amazonaws.com

AWS SSM port forward windows RDP 3389 to local

Install the AWS system manager plugin
Install aws cli v2
Login to aws.
1. Using ~/.aws/config keys
2. aws configure sso / aws sso login

Connect and port forward

aws ssm start-session --profile ssoMyProfile --target i-0abcdefgh --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["3389"], "localPortNumber":["3389"]}'

RDP with client e.g. Remina to localhost:3389

Setup Instance Profile -> role for ec2 ssm access

terraform example

resource "aws_iam_instance_profile" "ssm-profile" {
  name = "AmazonSSMManagedInstanceCore"
  role = aws_iam_role.AmazonSSMManaged.name
}

resource "aws_iam_role" "AmazonSSMManaged" {
  name = "AmazonSSMManagedInstance"
  #path = "/"
  assume_role_policy = data.aws_iam_policy_document.ssm-ec2.json
}

data "aws_iam_policy_document" "ssm-ec2" {
  statement {
      principals  {
          type = "Service"
          identifiers = [ "ec2.amazonaws.com", ]
      }
      actions = [ "sts:AssumeRole", ]
  }
}

resource "aws_iam_role_policy_attachment" "SSM" {
  role       = aws_iam_role.AmazonSSMManaged.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}