This article shows how to install the AWS SSM Agent on CentOS 8 and CentOS 7 EC2 Linux instances.

SSM stands for Systems Manager. It is a management service used to manage servers on AWS. Specific use cases for Systems Manager are:

Suppose a user wants to configure several servers/EC2 instances with the same configuration. Instead of doing so on one instance at a time, the user can use Systems Manager to run commands on all the servers at once.

It is also an excellent tool to automate tasks you want to do on your EC2 instances, for example updating the operating system version or ensuring your EC2 instances are compliant with governance policies.

Systems Manager also allows users to connect to instances without using SSH or key pairs. This is good for security because we no longer have to open port 22 for SSH access.

SSM Agent on CentOS 8 | CentOS 7 Installation Prerequisites

The setup requirements are:

  • An AWS Account.
  • A user with permissions to create resources on AWS.
  • An IDE to write and edit your CloudFormation Template.

Step 1: Create EC2 Instance, Profile, and Role

Instead of creating the individual resources manually, I used a single CloudFormation template. The template will create:

  • An SSM Role.
  • EC2 Instance Profile that will use the role created above.
  • The EC2 Instance Security Group
  • And finally, the EC2 Instance with SSM agent Installed.

This is my CloudFormation template:

AWSTemplateFormatVersion: "2010-09-09"
Description: "Template to create Centos ec2 instance and install SSM on it"
Parameters:
    VPC:
        Type: String
        Description: The vpc to launch the service
        Default: vpc-ID

    PublicSubnet1:
        Type: String
        Description: The subnet where to launch the ec2
        Default: subnet-ID

Resources:
    IAMInstanceRole:
        Type: 'AWS::IAM::Role'
        Properties:
          Description: The SSM Instance Profile
          RoleName: AWSEC2SSMtest
          AssumeRolePolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Principal:
                  Service:
                  - ec2.amazonaws.com
                Action:
                  - 'sts:AssumeRole'
          ManagedPolicyArns:
            - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
            - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
          Tags: 
            - 
              Key: "Project"
              Value: "test-blog"
            - 
              Key: "Environment"
              Value: "test"
            - 
              Key: "createdBy"
              Value: "Maureen Barasa"
            - 
              Key: "Name"
              Value: "AWSEC2SSMtest"

    IAMInstanceProfile:
        Type: AWS::IAM::InstanceProfile
        Properties: 
            InstanceProfileName: AWSEC2SSMtest
            Roles: 
             - !Ref IAMInstanceRole
                
    CentosServer:
        Type: "AWS::EC2::Instance"
        Properties:
            ImageId: "ami-ID"
            InstanceType: "t2.micro"
            KeyName: "test-key"
            AvailabilityZone: !Sub "${AWS::Region}a"
            Tenancy: "default"
            DisableApiTermination: true
            SubnetId: !Ref PublicSubnet1
            EbsOptimized: false
            SecurityGroupIds: 
              - !Ref CentosSecurityGroup
            SourceDestCheck: true
            BlockDeviceMappings: 
              - 
                DeviceName: "/dev/xvda"
                Ebs: 
                    Encrypted: false
                    VolumeSize: 20
                    VolumeType: "gp2"
                    DeleteOnTermination: true
            UserData: 
                "Fn::Base64":
                    !Sub |
                       #!/bin/bash
                       cd /tmp
                       sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
                       sudo systemctl enable amazon-ssm-agent
                       sudo systemctl start amazon-ssm-agent
            IamInstanceProfile: !Ref IAMInstanceProfile
            Tags: 
              - 
                Key: "Project"
                Value: "test-blog"
              - 
                Key: "Environment"
                Value: "test"
              - 
                Key: "createdBy"
                Value: "Maureen Barasa"
              - 
                Key: "Name"
                Value: "Test-Centos"
                
    CentosSecurityGroup:
        Type: "AWS::EC2::SecurityGroup"
        Properties:
            GroupDescription: "Security Group to control access to the test Centos server"
            GroupName: "Test-Centos-SG"
            VpcId: !Ref VPC
            SecurityGroupIngress: 
              - 
                CidrIp: 0.0.0.0/0
                FromPort: 22
                IpProtocol: "tcp"
                ToPort: 22
              - 
                CidrIp: 0.0.0.0/0
                FromPort: 443
                IpProtocol: "tcp"
                ToPort: 443                    
Outputs:
  Server1:
    Description: The created studio server
    Value: !Ref CentosServer
    
  SecurityGroup:
    Description: The server sg
    Value: !Ref CentosSecurityGroup   

The Parameters section allows the user to input their own values. In our case, the user should replace the VPC and subnet IDs with the IDs from their own AWS account.

In the Resources section, the template first creates an instance role. The instance role has a trust policy that allows an EC2 instance to assume the role. The role also has two policies attached to it: AmazonEC2RoleforSSM and AmazonSSMManagedInstanceCore. The user can customize the role name and tags.

Next, the template creates an instance profile and attaches the role created above to it. Here again, the user can customize the name of the role. N.B.: The instance profile and role name should be the same. Otherwise, the EC2 instance will not see your role.

Finally, the template creates the EC2 instance security group and the EC2 instance. The SSM agent is installed using the user-data property of the instance resource. The user can customize the names and tags as they see fit. Also, ensure that you replace the AMI-ID with a CentOS AMI associated with your AWS account.
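
The point made earlier, that Systems Manager removes the need to open port 22, applied to this template's role and security group. This is an added example, not part of the original template; it reuses the article's resource names and assumes the instance is reached only through Systems Manager.

```yaml
# Added example: hardened variants of two resources from the template above.
# Resource names and the VPC parameter are reused from the article.
Resources:
    IAMInstanceRole:
        Type: 'AWS::IAM::Role'
        Properties:
          Description: The SSM Instance Profile
          RoleName: AWSEC2SSMtest
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal:
                  Service:
                  - ec2.amazonaws.com
                Action:
                  - 'sts:AssumeRole'
          ManagedPolicyArns:
            # Weak: the original also attaches
            #   arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
            # which is a broader legacy policy. The core policy alone covers
            # agent registration, Run Command and Session Manager.
            - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

    CentosSecurityGroup:
        Type: "AWS::EC2::SecurityGroup"
        Properties:
            GroupDescription: "Security Group to control access to the test Centos server"
            GroupName: "Test-Centos-SG"
            VpcId: !Ref VPC
            # Weak: the original SecurityGroupIngress opens tcp/22 and tcp/443
            # to 0.0.0.0/0. SSM Agent only makes outbound HTTPS connections,
            # so no ingress rule is declared here.
            # Egress is left at the default (allow all) so the user-data
            # yum install and the agent can reach their endpoints.
```

With no inbound SSH, the KeyName property on CentosServer is no longer needed for access through Session Manager.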

Step 2: Execute the CloudFormation Template

One can deploy the template either through CodePipeline or manually on the CloudFormation console. For this tutorial, we will use the CloudFormation console.

On the CloudFormation Console, click on create stack.

Create Stack

Then, select create stack with new template and resources.

Create Stack with New Resources

Next, choose your template. In our case, we will upload the template we have created.

Upload Our Template

On the tab that opens, you will be required to give the name of your stack and input the template parameters. Enter the details of your customized values and click next.

Input Template Parameters and Stack Name

The next tab allows the user to add tags for their stack. It also gives the user the option to configure policies and notifications for the stack. When done, click next. A review tab then gives an overall view of all the configurations made. If the user is OK with what is displayed, they can click create stack. CloudFormation will then start creating the resources.

Manual SSM Agent Installation

If you prefer to install the SSM agent manually after creating the role with CloudFormation and attaching it to the EC2 instance, run the commands below in your VM console.

sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent

Watch out for my next tutorial where I will explain how to use CodePipeline to deploy CloudFormation Templates.

Happy Building!!
