Create a Role for communicating with InfraGuard

  • Log on to your AWS account console
  • Go to IAM → Roles → Create Role
  • Choose 'EC2' as the service that will use this role
  • Click on 'Next:Permissions'
  • Attach Policy AmazonSSMFullAccess and skip to Review
  • Enter Role Name “Infraguard-aws” & Press “Create Role”
  • Again, click on the role “Infraguard-aws” from the list
  • Click on “Add Inline Policy”
  • Click on “JSON”

  • Replace the content with the JSON below:

    {
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"ec2:DescribeInstances", 
				"ec2:DescribeInstanceAttribute",
				"ec2:DescribeTags",
				"ec2:ModifyInstanceAttribute",
				"ec2:StartInstances",
				"ec2:StopInstances",
				"ec2:rebootInstances",
				"ec2:DescribeImages",
				"ec2:CreateImage",
				"ec2:DeregisterImage",
                "ec2:DescribeAvailabilityZones",
                "iam:ListInstanceProfilesForRole",
                "iam:GetInstanceProfile"
			],
			"Resource": "*",
			"Effect": "Allow",
			"Sid": "Stmt1434989080227"
		}
	]
}


  • Click on “Review Policy”

  • Enter the name “InfraGuard-aws-policy”
  • Click on “Create Policy”

  • Now, Click on “Trust Relationships” and replace Trust Relationship JSON with:

    {
      "Version": "2012-10-17",
      "Statement": [
      {
        "Sid": "foriamuser",
        "Effect": "Allow",
        "Principal": {
        "AWS": "arn:aws:iam::028197385767:role/infraguardswitchrole"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
        "StringEquals": {
          "sts:ExternalId": "InfraGuardApp"
        }
        }
      },
      {
        "Sid": "forssmec2",
        "Effect": "Allow",
        "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "ssm.amazonaws.com"
        ]
        },
        "Action": "sts:AssumeRole"
      }
      ]
    }

  • Click on “Update Trust Policy”

  • Copy your role ARN (you can also view this later by going to IAM -> Roles -> Infraguard-aws)
  • Go to EC2 Management Console and select your AWS instance
  • Go to Actions -> Instance Settings -> Attach/Replace IAM Role
  • From the drop-down, choose “Infraguard-aws” & press “Apply”

Ensure SSM is installed and active

  • Logon to your AWS console and click on “Run Command” under “AWS SYSTEMS MANAGER” service
  • Click on “Run a command”
  • Select “AWS-RunShellScript” for Linux or "AWS-RunPowerShellScript" for Windows from list of Command document
  • Now click on select instance button and select the instsnce from instance list
  • Enter sudo status amazon-ssm-agent for Linux and Get-Service -Name "AmazonSSMAgent" for Windows instance in commands text area and click 'Run'
  • Now click on command id and select 'Output' tab and then view output
  • Make sure the output is amazon-ssm-agent start/running

If SSM is not installed in your Linux Environment perform following steps:

  • Log on to a server or VM in your Linux environment

  • Copy and paste one of the following command blocks into SSH.

    Amazon Linux 2, RHEL7, and CentOS 7 (64 bit)

            #!/bin/bash
            cd /tmp
            sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
            sudo systemctl enable amazon-ssm-agent
            sudo systemctl start amazon-ssm-agent

    Amazon Linux, CentOS 6 (64 bit)

            #!/bin/bash
            cd /tmp
            sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
            sudo start amazon-ssm-agent

    Ubuntu 16 (Deb Installer), Debian 8 and 9

            #!/bin/bash
            mkdir /tmp/ssm
            cd /tmp/ssm
            wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
            sudo dpkg -i amazon-ssm-agent.deb
            sudo systemctl enable amazon-ssm-agent

    Ubuntu 14 (Deb installer)

            #!/bin/bash
            mkdir /tmp/ssm
            cd /tmp/ssm
            wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
            sudo dpkg -i amazon-ssm-agent.deb
            sudo start amazon-ssm-agent

    Suse 12

            #!/bin/bash
            mkdir /tmp/ssm
            cd /tmp/ssm
            wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
            sudo rpm --install amazon-ssm-agent.rpm
            sudo systemctl enable amazon-ssm-agent
            sudo systemctl start amazon-ssm-agent

Onboard your servers to InfraGuard

  • First, make sure that Managed Instances listed in the AWS Systems Manager for this server is in running state
  • Log onto app.infraguard.io account
  • Select CLUSTER from side-menu
  • Click on “Create AWS cluster”
  • Add Any relevant Name, your Role ARN (IAM -> Roles -> Infraguard-aws)
  • Add InfraGuardApp in ExternalID
  • Click ‘Sync’ to make your newly added server appear in list of servers
  • Wait for some time before you click on ‘Servers’ to get your list of servers for that role ARN