Overview
Configure AWS Systems Manager (SSM) to enable secure management of your EC2 instances. This plan evaluates the target instance's region, IAM role and subnet routing; configures the IAM role and any VPC endpoints SSM requires; and finally validates the setup by checking the SSM agent status and opening an SSM session.
Execution Details
Assessment Phase: Gather All Required Inputs
- List AWS Regions: Present available AWS regions and guide the user to select one for configuration.
- Set AWS Region: Update the AWS CLI default region and configure the environment variable to align with the user's selection.
- Identify Target EC2 Instance: Retrieve and display key details of available EC2 instances, prompting the user to select one for SSM configuration.
- Check EC2 IAM Role: Determine whether the selected EC2 instance has an attached IAM role with necessary SSM permissions.
- Subnet Routing Verification: Determine whether the instance's subnet has a route to the Internet (Internet gateway or NAT gateway) or whether VPC endpoints are required for the SSM agent to reach the service.
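The IAM role check and subnet routing verification above, as an added example that is not part of this plan: the functions below take the JSON shapes returned by `aws ec2 describe-instances`, `aws ec2 describe-route-tables` and `aws iam list-attached-role-policies` (in a real run the role behind the instance profile is resolved with `aws iam get-instance-profile`) and produce the consolidated result the Summary phase displays. All instance, subnet, route table and account IDs are constructed sample data; nothing here calls AWS.

```python
"""Offline assessment logic for the SSM prerequisites (added example, not part
of the original plan). Inputs mirror the JSON returned by `aws ec2
describe-instances`, `aws ec2 describe-route-tables` and
`aws iam list-attached-role-policies`; all sample data is constructed."""
import json

SSM_CORE_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"


def route_table_for_subnet(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def subnet_has_internet_path(route_tables, subnet_id):
    """True when the subnet's 0.0.0.0/0 route is active and points at an
    Internet gateway (igw-) or NAT gateway (nat-). Blackhole routes, e.g. a
    deleted NAT gateway, give no path, so that subnet still needs endpoints."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return False
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        target = route.get("GatewayId") or route.get("NatGatewayId") or ""
        if target.startswith(("igw-", "nat-")):
            return True
    return False


def has_ssm_core_policy(attached_policies):
    """Does the role carry the AmazonSSMManagedInstanceCore managed policy?"""
    return any(p.get("PolicyArn") == SSM_CORE_POLICY_ARN for p in attached_policies)


def assess(instance, route_tables, attached_policies):
    """Consolidated result for the Summary phase."""
    has_profile = "IamInstanceProfile" in instance  # key is absent when no profile is attached
    return {
        "instance_id": instance["InstanceId"],
        "has_instance_profile": has_profile,
        "has_ssm_core_policy": has_profile and has_ssm_core_policy(attached_policies),
        "needs_vpc_endpoints": not subnet_has_internet_path(route_tables, instance["SubnetId"]),
    }


# Constructed sample data in the shape of the AWS API responses.
INSTANCE = {
    "InstanceId": "i-0123456789abcdef0",
    "VpcId": "vpc-0example",
    "SubnetId": "subnet-0private",
    "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/WebServerProfile"},
}
ROUTE_TABLES = [
    {   # main table, local route only: governs subnets with no explicit association
        "RouteTableId": "rtb-0main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # public subnet: default route to an Internet gateway
        "RouteTableId": "rtb-0public",
        "Associations": [{"Main": False, "SubnetId": "subnet-0public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
        ],
    },
    {   # subnet whose NAT gateway was deleted: the default route is a blackhole
        "RouteTableId": "rtb-0stale",
        "Associations": [{"Main": False, "SubnetId": "subnet-0stale"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0deleted", "State": "blackhole"},
        ],
    },
]
ATTACHED_POLICIES = [  # the role has a CloudWatch policy but not the SSM core policy
    {"PolicyName": "CloudWatchAgentServerPolicy",
     "PolicyArn": "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"},
]

if __name__ == "__main__":
    print(json.dumps(assess(INSTANCE, ROUTE_TABLES, ATTACHED_POLICIES), indent=2))
```

The sample instance sits in a subnet that falls back to the main route table (local route only), so the result reports that VPC endpoints are needed and that the attached role lacks the SSM core policy; both facts feed the Summary and Configuration phases.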
Summary Phase: Confirm Configuration Path
- Review Configuration Summary: Consolidate and display IAM role and subnet routing details. The user must confirm if the setup is acceptable before proceeding.
Configuration Phase: Implement SSM Setup
- Create EC2 SSM IAM Role: If necessary, create an IAM role for EC2 with a trust policy and attach the AmazonSSMManagedInstanceCore policy.
- Attach Inline SSM Policy: Attach required SSM permissions via an inline policy to the IAM role.
- Associate IAM Role: Associate the IAM role with the selected EC2 instance.
- Create VPC Endpoints: Provision required VPC endpoints for SSM, SSMMessages, and optionally CloudWatch Logs, based on the subnet's connectivity status.
Validation Phase: Confirm Configuration Success
- Validate SSM Agent: Confirm that the SSM agent is active (PingStatus: Online) on the target EC2 instance.
- Initiate SSM Session: Launch a secure SSM session on the target instance to verify connectivity and proper SSM agent configuration.
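The Configuration and Validation phases above, as an added example that is not part of this plan: the code turns an assessment result (the has_instance_profile / has_ssm_core_policy / needs_vpc_endpoints flags the Summary phase confirms) into an ordered, reviewable list of changes with the parameters each `aws iam` / `aws ec2` call needs, including the EC2 trust policy and the interface endpoint definitions, and then checks `aws ssm describe-instance-information` output before a session is started. The ec2messages endpoint is included on the basis of AWS documentation even though the plan lists only SSM and SSMMessages. Role names, IDs and the sample instance-information list are constructed; nothing here calls AWS.

```python
"""Planning and validation helpers for the Configuration and Validation phases
(added example, not part of the original plan). Sample data is constructed and
nothing here calls AWS; each action carries the parameters of the real call."""
import json

SSM_CORE_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Trust policy letting EC2 assume the role (the --assume-role-policy-document of create-role).
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def endpoint_services(region, include_cloudwatch_logs=False):
    """Interface endpoints needed when the subnet has no Internet/NAT path.
    ssm and ssmmessages are the ones the plan names; ec2messages is also
    required by the agent per AWS documentation."""
    names = ["ssm", "ssmmessages", "ec2messages"]
    if include_cloudwatch_logs:
        names.append("logs")
    return [f"com.amazonaws.{region}.{name}" for name in names]


def plan_configuration(assessment, region, vpc_id, subnet_id, endpoint_sg_id,
                       role_name="EC2-SSM-Role", include_cloudwatch_logs=False):
    """Ordered list of changes to apply. role_name is the existing role when a
    profile is attached, otherwise the name of the role/profile to create."""
    actions = []
    instance_id = assessment["instance_id"]
    if not assessment["has_instance_profile"]:
        # No role at all: create role and profile, grant SSM core, attach to instance.
        actions += [
            {"action": "create_role", "role_name": role_name,
             "assume_role_policy_document": EC2_TRUST_POLICY},
            {"action": "attach_role_policy", "role_name": role_name,
             "policy_arn": SSM_CORE_POLICY_ARN},
            {"action": "create_instance_profile", "instance_profile_name": role_name},
            {"action": "add_role_to_instance_profile",
             "instance_profile_name": role_name, "role_name": role_name},
            {"action": "associate_iam_instance_profile", "instance_id": instance_id,
             "instance_profile_name": role_name},
        ]
    elif not assessment["has_ssm_core_policy"]:
        # Existing role lacks SSM permissions: attach the managed policy only.
        actions.append({"action": "attach_role_policy", "role_name": role_name,
                        "policy_arn": SSM_CORE_POLICY_ARN})
    if assessment["needs_vpc_endpoints"]:
        for service in endpoint_services(region, include_cloudwatch_logs):
            actions.append({
                "action": "create_vpc_endpoint",
                "vpc_endpoint_type": "Interface",
                "service_name": service,
                "vpc_id": vpc_id,
                "subnet_ids": [subnet_id],
                # The endpoint security group must accept TCP 443 from the instances.
                "security_group_ids": [endpoint_sg_id],
                # Private DNS makes the agent's default regional hostnames resolve to the endpoint.
                "private_dns_enabled": True,
            })
    return actions


def agent_status(instance_information, instance_id):
    """PingStatus from describe-instance-information. An instance missing from
    the list never registered: the agent could not reach the SSM endpoints
    (routing/endpoint problem) or had no credentials (IAM problem)."""
    for info in instance_information:
        if info.get("InstanceId") == instance_id:
            return info.get("PingStatus", "Unknown")
    return "NotRegistered"


def ready_for_session(instance_information, instance_id):
    """Gate for `aws ssm start-session`: only an Online agent accepts a session."""
    return agent_status(instance_information, instance_id) == "Online"


# Constructed sample data.
ASSESSMENT = {
    "instance_id": "i-0123456789abcdef0",
    "has_instance_profile": True,
    "has_ssm_core_policy": False,
    "needs_vpc_endpoints": True,
}
INSTANCE_INFORMATION = [
    {"InstanceId": "i-0123456789abcdef0", "PingStatus": "Online"},
    {"InstanceId": "i-0fedcba9876543210", "PingStatus": "ConnectionLost"},
]

if __name__ == "__main__":
    plan = plan_configuration(ASSESSMENT, "us-east-1", "vpc-0example", "subnet-0private",
                              "sg-0endpoints", role_name="WebServerRole")
    print(json.dumps(plan, indent=2))
    print(agent_status(INSTANCE_INFORMATION, "i-0123456789abcdef0"))
```

Because the plan is a plain list of parameterised actions, it can be printed for the user's confirmation in the Summary phase and only then executed; after the changes are applied, the agent must show PingStatus Online before an SSM session is attempted.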
This configuration scheme ensures that your EC2 instances can communicate securely with AWS Systems Manager, adapting to each instance's network and IAM setup so that it can be managed without opening inbound access.