Create a Role for communicating with InfraGuard

  • Log on to your AWS account console
  • Go to IAM → Roles → Create Role
  • Choose 'EC2' as the service that will use this role
  • Click on 'Next:Permissions'
  • Attach Policy AmazonSSMFullAccess and skip to Review
  • Enter Role Name “Infraguard-aws” & Press “Create Role”
  • Again, click on the role “Infraguard-aws” from the list
  • Click on “Add Inline Policy”
  • Click on “JSON”
  • Replace the content with the JSON below:

    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Action": [
    				"ec2:DescribeInstances", 
    				"ec2:DescribeInstanceAttribute",
    				"ec2:DescribeTags",
    				"ec2:ModifyInstanceAttribute",
    				"ec2:StartInstances",
    				"ec2:StopInstances",
    				"ec2:rebootInstances",
    				"ec2:DescribeImages",
    				"ec2:CreateImage",
    				"ec2:DeregisterImage",
                    "iam:ListInstanceProfilesForRole"
    			],
    			"Resource": "*",
    			"Effect": "Allow",
    			"Sid": "Stmt1434989080227"
    		}
    	]
    }


  • Click on “Review Policy”

  • Enter the name “InfraGuard-aws-policy”
  • Click on “Create Policy”
  • Now, Click on “Trust Relationships” and replace Trust Relationship JSON with:

    {
      "Version": "2012-10-17",
      "Statement": [
      {
        "Sid": "foriamuser",
        "Effect": "Allow",
        "Principal": {
        "AWS": "arn:aws:iam::028197385767:role/infraguardswitchrole"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
        "StringEquals": {
          "sts:ExternalId": "InfraGuardApp"
        }
        }
      },
      {
        "Sid": "forssmec2",
        "Effect": "Allow",
        "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "ssm.amazonaws.com"
        ]
        },
        "Action": "sts:AssumeRole"
      }
      ]
    }
  • Click on “Update Trust Policy”

  • Copy your role ARN (you can also view this later by going to IAM -> Roles -> Infraguard-aws)
  • Go to EC2 Management Console and select your AWS instance
  • Go to Actions -> Instance Settings -> Attach/Replace IAM Role
  • From the drop-down, choose “Infraguard-aws” & press “Apply”

Ensure SSM is installed and active

  • Logon to your AWS console and click on “Run Command” under “AWS SYSTEMS MANAGER” service
  • Click on “Run a command”
  • Select “AWS-RunShellScript” for Linux or "AWS-RunPowerShellScript" for Windows from list of Command document
  • Now click on select instance button and select the instsnce from instance list
  • Enter sudo status amazon-ssm-agent for Linux and Get-Service -Name "AmazonSSMAgent" for Windows instance in commands text area and click 'Run'
  • Now click on command id and select 'Output' tab and then view output
  • Make sure the output is amazon-ssm-agent start/running

If SSM is not installed in your Linux Environment perform following steps:

  • Log on to a server or VM in your Linux environment
  • Copy and paste one of the following command blocks into SSH.

    Amazon Linux 2, RHEL7, and CentOS 7 (64 bit)

            #!/bin/bash
    cd /tmp
    sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
    sudo systemctl enable amazon-ssm-agent
    sudo systemctl start amazon-ssm-agent

    Amazon Linux, CentOS 6 (64 bit)

            #!/bin/bash
    cd /tmp
    sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
    sudo start amazon-ssm-agent

    Ubuntu 16 (Deb Installer), Debian 8 and 9

            #!/bin/bash
    mkdir /tmp/ssm
    cd /tmp/ssm
    wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
    sudo dpkg -i amazon-ssm-agent.deb
    sudo systemctl enable amazon-ssm-agent

    Ubuntu 14 (Deb installer)

            #!/bin/bash
    mkdir /tmp/ssm
    cd /tmp/ssm
    wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
    sudo dpkg -i amazon-ssm-agent.deb
    sudo start amazon-ssm-agent

    Suse 12

            #!/bin/bash
    mkdir /tmp/ssm
    cd /tmp/ssm
    wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
    sudo rpm --install amazon-ssm-agent.rpm
    sudo systemctl enable amazon-ssm-agent
    sudo systemctl start amazon-ssm-agent

Onboard your servers to InfraGuard

  • First, make sure that Managed Instances listed in the AWS Systems Manager for this server is in running state
  • Log onto app.infraguard.io account
  • Select CLUSTER from side-menu
  • Click on “Create AWS cluster”
  • Add Any relevant Name, your Role ARN (IAM -> Roles -> Infraguard-aws)
  • Add InfraGuardApp in ExternalID
  • Click ‘Sync’ to make your newly added server appear in list of servers
  • Wait for some time before you click on ‘Servers’ to get your list of servers for that role ARN