Create a Role for communicating with InfraGuard
- Log on to your AWS account console
- Go to IAM → Roles → Create Role
- Choose 'EC2' as the service that will use this role
- Click on 'Next:Permissions'
- Attach the managed policy AmazonSSMFullAccess and skip to Review. This one role serves two purposes on this page: it is the instance profile the SSM agent runs under and it is the role InfraGuard assumes from its own account, which is why the broad policy is used. If you later split those into two roles, the instance-profile side needs only the AmazonSSMManagedInstanceCore managed policy.
- Enter Role Name “Infraguard-aws” & Press “Create Role”
- Again, click on the role “Infraguard-aws” from the list
- Click on “Add Inline Policy”
- Click on “JSON”
Replace the content with the JSON below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1434989080227",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeTags",
        "ec2:ModifyInstanceAttribute",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:DescribeImages",
        "ec2:CreateImage",
        "ec2:DeregisterImage",
        "ec2:DescribeAvailabilityZones",
        "iam:ListInstanceProfilesForRole",
        "iam:GetInstanceProfile"
      ],
      "Resource": "*"
    }
  ]
}
Click on “Review Policy”
- Enter the name “InfraGuard-aws-policy”
- Click on “Create Policy”
Now click on “Trust Relationships” and replace the trust relationship JSON with:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "foriamuser",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::028197385767:role/infraguardswitchrole"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "InfraGuardApp"
        }
      }
    },
    {
      "Sid": "forssmec2",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "ssm.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Click on “Update Trust Policy”
The first statement lets InfraGuard's role in account 028197385767 assume this role, and only when it presents the external ID "InfraGuardApp"; the second lets EC2 and Systems Manager assume it as an instance profile. Note that "InfraGuardApp" is a fixed value rather than one unique to your account, and the sts:ExternalId condition only defends against the confused-deputy problem when the value is unique per customer. The effective restriction here is therefore the principal ARN: copy it exactly, and do not widen it to the whole InfraGuard account or to "*".
- Copy your role ARN (you can also view this later by going to IAM -> Roles -> Infraguard-aws)
- Go to EC2 Management Console and select your AWS instance
- Go to Actions -> Instance Settings -> Attach/Replace IAM Role
- From the drop-down, choose “Infraguard-aws” & press “Apply”
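The same role setup, scripted with the AWS CLI, as an added example: this is not InfraGuard's own tooling. The role name, policy name, inline policy and InfraGuard principal ARN are the ones from this page (with the inline policy's "ec2:rebootInstances" written as "ec2:RebootInstances"); the instance ID and external ID are supplied by the caller, and the check_trust_policy guard that refuses a wildcard or external-ID-less trust policy before anything is sent to IAM is our own addition.

```shell
#!/bin/sh
# Added example, not InfraGuard's own tooling: the console steps above done
# with the AWS CLI. Names, policies and the InfraGuard principal are taken
# from this page; the instance ID and external ID are supplied by the caller.
set -eu

ROLE_NAME="Infraguard-aws"
INLINE_POLICY_NAME="InfraGuard-aws-policy"
INFRAGUARD_PRINCIPAL="arn:aws:iam::028197385767:role/infraguardswitchrole"

# Trust policy: InfraGuard's role may assume ours only when it presents the
# agreed ExternalId ($1); EC2 and SSM may assume it as an instance profile.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "foriamuser",
      "Effect": "Allow",
      "Principal": { "AWS": "$INFRAGUARD_PRINCIPAL" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "$1" } }
    },
    {
      "Sid": "forssmec2",
      "Effect": "Allow",
      "Principal": { "Service": [ "ec2.amazonaws.com", "ssm.amazonaws.com" ] },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Inline permissions policy from this page (instance and AMI management only).
instance_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1434989080227",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeTags",
        "ec2:ModifyInstanceAttribute", "ec2:StartInstances", "ec2:StopInstances",
        "ec2:RebootInstances", "ec2:DescribeImages", "ec2:CreateImage",
        "ec2:DeregisterImage", "ec2:DescribeAvailabilityZones",
        "iam:ListInstanceProfilesForRole", "iam:GetInstanceProfile"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Guard run before anything is sent to IAM (our own addition): refuse a trust
# policy that trusts every AWS principal, lacks an ExternalId condition, or
# names a principal other than the InfraGuard role. Returns 0 when it passes.
check_trust_policy() {
  case "$1" in
    *'"AWS": "*"'*|*'"AWS":"*"'*) echo "refusing: wildcard principal" >&2; return 1 ;;
  esac
  case "$1" in
    *sts:ExternalId*) ;;
    *) echo "refusing: no sts:ExternalId condition" >&2; return 1 ;;
  esac
  case "$1" in
    *"$INFRAGUARD_PRINCIPAL"*) return 0 ;;
    *) echo "refusing: principal is not the InfraGuard role" >&2; return 1 ;;
  esac
}

# Create the role, attach both policies, wrap it in an instance profile and
# attach that to one instance. Usage: create_infraguard_role <external-id> <instance-id>
create_infraguard_role() {
  doc=$(trust_policy "$1")
  check_trust_policy "$doc"
  aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "$doc"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMFullAccess
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name "$INLINE_POLICY_NAME" --policy-document "$(instance_policy)"
  # The console creates an instance profile of the same name implicitly; the CLI does not.
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  sleep 10  # IAM is eventually consistent; a new profile is not usable immediately
  aws ec2 associate-iam-instance-profile --instance-id "$2" --iam-instance-profile Name="$ROLE_NAME"
  # The ARN to paste into InfraGuard's "Create AWS cluster" form.
  aws iam get-role --role-name "$ROLE_NAME" --query Role.Arn --output text
}

# Runs only when given both arguments, e.g.:
#   sh infraguard-role.sh InfraGuardApp i-0123456789abcdef0
if [ "$#" -eq 2 ]; then
  create_infraguard_role "$1" "$2"
fi
```

The script needs AWS CLI credentials with IAM and EC2 permissions in the account that owns the instance; the instance ID in the comment is a placeholder. Everything up to the guard runs offline, so the trust policy can be inspected before the role is created.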
Ensure SSM is installed and active
- Log on to your AWS console and open “Run Command” under the “AWS Systems Manager” service
- Click on “Run a command”
- Select “AWS-RunShellScript” for Linux or “AWS-RunPowerShellScript” for Windows from the list of command documents
- Click on the select instances button and pick the instance from the instance list. An instance appears here only if the SSM agent is already installed and has registered with Systems Manager; if yours is missing, skip to the installation steps below
- Enter the status command for your platform in the commands text area and click “Run”:
sudo systemctl status amazon-ssm-agent
for Linux distributions using systemd (Amazon Linux 2, RHEL 7, CentOS 7, Ubuntu 16, Debian 8 and 9, SUSE 12),
sudo status amazon-ssm-agent
for Linux distributions using upstart (Amazon Linux, CentOS 6, Ubuntu 14), and
Get-Service -Name "AmazonSSMAgent"
for a Windows instance
- Click on the command ID, select the “Output” tab and view the output
- Make sure the output reports the agent as running:
Active: active (running)
for systemd,
amazon-ssm-agent start/running
for upstart, and a Status of “Running” for the Windows service
If the SSM agent is not installed in your Linux environment, perform the following steps:
- Log on to the server or VM over SSH
- Copy and paste the command block for its distribution. Each block downloads the latest agent package from the AWS-hosted S3 bucket, installs it, and enables and starts the service. Amazon Linux 2 AMIs ship with the agent preinstalled, so this is only needed there if the status check above failed.

Amazon Linux 2, RHEL 7 and CentOS 7 (64-bit):
#!/bin/bash
cd /tmp
sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent

Amazon Linux and CentOS 6 (64-bit):
#!/bin/bash
cd /tmp
sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
sudo start amazon-ssm-agent

Ubuntu 16 (deb installer), Debian 8 and 9:
#!/bin/bash
mkdir -p /tmp/ssm
cd /tmp/ssm
wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
sudo dpkg -i amazon-ssm-agent.deb
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent

Ubuntu 14 (deb installer):
#!/bin/bash
mkdir -p /tmp/ssm
cd /tmp/ssm
wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
sudo dpkg -i amazon-ssm-agent.deb
sudo start amazon-ssm-agent

SUSE 12:
#!/bin/bash
mkdir -p /tmp/ssm
cd /tmp/ssm
wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
sudo rpm --install amazon-ssm-agent.rpm
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
Onboard your servers to InfraGuard
- First, make sure the server is listed under Managed Instances in AWS Systems Manager with a ping status of Online; InfraGuard can only reach instances the SSM agent has registered
- Log on to your app.infraguard.io account
- Select CLUSTER from the side menu
- Click on “Create AWS cluster”
- Enter any relevant name and your role ARN (IAM -> Roles -> Infraguard-aws)
- Enter
InfraGuardApp
in the ExternalID field; it must match the sts:ExternalId value in the role's trust policy exactly, or InfraGuard's AssumeRole call is denied
- Click ‘Sync’ to make your newly added server appear in the list of servers
- Wait a short while before clicking ‘Servers’ to get the list of servers for that role ARN