How to enable Amazon SSM for Group access and EC2 management | Cloud Resolve LLC

If you’re running a group of Amazon EC2 instances, or just a single instance, you may want to take advantage of Amazon SSM (Systems Manager). This service can help automate the management of your instances, and it’s available for free to all AWS customers. In this article, I’ll show you how to enable Amazon SSM for your group or individual EC2 instances. Let’s get started!

 

Login

Log in to your AWS account

Access AWS IAM

 

Proceed to Services –> All Services.

Alternatively, just type in ‘IAM’ in the search field then hit Enter.

Click on the “Access Management” button within the Identity and Access Management (IAM) menu.
From there, click Policies to view a list of all available policies.

 

 

Create a Group that allows Amazon Systems Manager access

 

Select Access Management –>Policies

You should now see a list of policies. Instead of parsing this entire list we can search for the required policy.
Enter the following policy name in the search field ‘AmazonSSMManagedInstanceCore’ then hit Enter.

Select the “AmazonSSMManagedInstanceCore” policy in the search results.

Located on the right side of your screen you will notice a button labeled ‘Actions’.
Select the ‘Actions’ button and a drop-down list appears. From the drop-down list, select the ‘Attach’ option. 

Select Actions –>Attach

The previous ‘Attach’ action will open a new page allowing you to attach your policy to users, groups, or roles in your account. From this list, select the group or user you wish to attach your policy to. 
Note: Best Practice suggests that policies should be attached to groups instead of users.

From the list of policies, select the Group or User of your choice.

Once you have made your selection, select the “Attach Policy” button.

You will then see a message stating the policy attachment was successful. 

You can now use this group to control who has access to manage Amazon Systems Manager.
Place IAM users into this newly created group. They will have access to AWS Systems Manager unless explicitly denied in another policy.

 

 

Create a Role for your EC2 instances

 

If you are not already there, return to the Identity and Access Management (IAM) screen.
This time we will select the “Roles” option from the Access management menu.

 

Select Access management –> Roles

 

 

Located on the right side of your screen you will notice a button labeled ‘Create role’.

Select the Create role button. A new page will load with the following options:

  1. AWS Service
  2. AWS Account
  3. Web Identity
  4. SAML 2.0 federation
  5. Custom trust policy

The next step requires selecting the appropriate AWS service. For our purposes, we will choose ‘AWS Service’ then select ‘EC2’ from its list of options in the ‘Common use cases’ section.

Select AWS Service then EC2 from the Use case, Common use cases section.

 

 

Select the Next button located on the bottom-right side of your screen to apply the selections.

 

 

After the previous step, a new “Add permissions” page loads.
From the list of Permission policies, search for the policy named “AmazonSSMManagedInstanceCore”.

Once found, select the Policy “AmazonSSMManagedInstanceCore”

 

Select the Next button located on the right side of your screen to apply the selections.

Supply a name for the new Role in Role details, Role name field.
Note: The JSON content in ‘Select trusted entities’ should not be modified.

 

Find the “Create Role” button in the lower-right portion of the page.
Select Create Role to apply changes

 

The new Role is now created and may be added to your EC2 instances for management in AWS Systems Manager.
From the EC2 console, select Actions –> Security –> Modify IAM role.

From the “Modify IAM role” page you will select your IAM role then select Save.

If the Amazon SSM Agent has been properly configured, instances will be accessible from AWS Systems Manager.
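
The role-creation steps above, scripted with the AWS CLI as an added example (not part of the original article). The role name and instance ID are placeholders, and the instance-profile commands are spelled out because the console creates the profile automatically while the CLI does not.

```shell
#!/bin/sh
# Added example: AWS CLI equivalent of the console steps for the EC2 role.
# ROLE and INSTANCE_ID are placeholders. DRY_RUN=1 (default) only prints commands.
set -e
ROLE="${ROLE:-ExampleSsmInstanceRole}"
INSTANCE_ID="${INSTANCE_ID:-i-PLACEHOLDER}"
POLICY_ARN="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
TRUST_FILE="${TMPDIR:-/tmp}/ec2-trust-policy.json"

# Trust policy equivalent to the JSON shown under "Select trusted entities":
# only the EC2 service may assume the role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Print the command when DRY_RUN=1, execute it otherwise.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

create_ssm_role() {
  trust_policy > "$TRUST_FILE"
  run aws iam create-role --role-name "$ROLE" \
    --assume-role-policy-document "file://$TRUST_FILE"
  run aws iam attach-role-policy --role-name "$ROLE" --policy-arn "$POLICY_ARN"
  # The console creates an instance profile named after the role; the CLI does not.
  run aws iam create-instance-profile --instance-profile-name "$ROLE"
  run aws iam add-role-to-instance-profile --instance-profile-name "$ROLE" --role-name "$ROLE"
  # Same effect as Actions -> Security -> Modify IAM role in the EC2 console.
  run aws ec2 associate-iam-instance-profile --instance-id "$INSTANCE_ID" \
    --iam-instance-profile "Name=$ROLE"
  # The instance is listed with PingStatus "Online" once the SSM Agent registers.
  run aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$INSTANCE_ID" \
    --query "InstanceInformationList[].PingStatus"
}

create_ssm_role
```

Run it with DRY_RUN=0 and real values for ROLE and INSTANCE_ID to apply the changes.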

Cloud Resolve LLC is now on Upwork!

Did you know that we can also be found on Upwork?

We are a cloud-based software company that specializes in providing solutions for small businesses. Our main focus is on helping businesses resolve their IT issues quickly and efficiently. When your business is down, you need to get back up and running as soon as possible.

You may not have the time or bandwidth for negotiating a long contract. That’s why we are excited to announce that we are now offering our services as a freelance provider on Upwork. Contact us today to learn more about our offerings and how we can help you take your business to the next level!

Profile: https://www.upwork.com/freelancers/~013eb6a0fe3915391b

Cloud Resolve has a long history in the IT industry and our core values are honesty, fairness and treating customers with utmost respect – so you can continue trusting us for your projects!

Cloud Resolve LLC is on AWS IQ!

Find out how Cloud Resolve leverages the power of AWS to provide you with the best freelance experience possible.

AWS IQ is a marketplace that helps you find and connect with freelance consultants who are experts in AWS. You can use AWS IQ to search for consultants who have the skills and experience you need to help you with your project. With AWS IQ, you can get started quickly and easily find the right consultant for your project.

Please be sure to visit our profile at https://iq.aws/e/cloudresolvesupport

While Cloud Resolve is a new business, my experience spans 20+ years in the IT industry and I have a long history of working with some of the biggest names in the business.

What this means for you is that you can trust us to provide you with the skills to help deliver on your projects. We’re excited to be a part of AWS IQ and we hope you’ll take advantage of this marketplace.

Our core values are honesty, fairness and treating customers with the utmost respect. We never fear saying “I don’t know” when asked a question that we have no answer for – it’s part of what makes us different from other companies! However, we will remain committed to helping find a solution.

Set up a one-way sFTP connection | Cloud Resolve

The following instructions show how to set up a one-way secure ftp connection from your computer. The process is simple and only takes about 3 minutes!

 

Actions performed on the Local Host

1. Select the user account you wish to receive the connection then create the ssh key
       a. ssh-keygen
       b. When prompted, enter a filename such as /home/$USER/.ssh/sftpTransfer

2. Two files will be created in the following locations
      a. /home/$USER/.ssh/sftpTransfer
      b. /home/$USER/.ssh/sftpTransfer.pub

3. Copy the public key to the recipient account on the remote host who will make the connection
      a. /home/$USER/.ssh/sftpTransfer.pub

 

Actions performed on the Remote Host

Please ensure you have already received the public key from the client machine.

4. Create the authorized_keys file on the remote server. (this server will initiate the connection)
      a. mkdir -p /home/$USER/.ssh && touch /home/$USER/.ssh/authorized_keys

5. Create a backup then copy the contents of the public key to the authorized keys.
      a. cp /home/$USER/.ssh/authorized_keys /home/$USER/.ssh/authorized_keys.ORG
      b. cat /home/$USER/.ssh/sftpTransfer.pub >> /home/$USER/.ssh/authorized_keys

6. Secure the authorized_keys file
      a. chmod 400 /home/$USER/.ssh/authorized_keys

TEST the connection

1. Attempt to establish a connection using the following command
      a. sftp -o IdentityFile=/home/$USER/.ssh/sftpTransfer user@remotehostname
      b. Once the connection is established you should be able to securely browse folders and directories.
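
A hardened variant of steps 4 to 6, as an added example that is not part of the original article: it goes beyond the plain append by installing the public key with the OpenSSH key options restrict and command="internal-sftp", so the key can open SFTP sessions but not a shell. It assumes OpenSSH 7.2 or later on the host that holds authorized_keys; the function name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): install the transfer key for SFTP use only.
# Usage on the host holding authorized_keys:
#   install_sftp_key /path/to/sftpTransfer.pub [ssh_dir]
# "restrict" disables pty allocation, forwarding and ~/.ssh/rc; the forced command
# turns every session opened with this key into an SFTP session.
KEY_OPTS='restrict,command="internal-sftp"'

install_sftp_key() {
  pub="$1"; dir="${2:-$HOME/.ssh}"; auth="$dir/authorized_keys"
  [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
  # A .pub file is a single line; a private key (multi-line PEM) is rejected here.
  [ "$(grep -c '' "$pub")" -eq 1 ] || { echo "$pub: expected one key line" >&2; return 1; }
  read -r ktype kdata rest < "$pub" || true
  case "$ktype" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "$pub: unsupported key type '$ktype'" >&2; return 1 ;;
  esac
  [ -n "$kdata" ] || { echo "$pub: missing key data" >&2; return 1; }

  mkdir -p "$dir" && chmod 700 "$dir"
  touch "$auth" && chmod 600 "$auth"
  # Idempotent: do nothing if this key is already listed.
  if grep -qF -- "$kdata" "$auth"; then return 0; fi
  cp -p "$auth" "$auth.ORG"        # same backup name the article uses
  printf '%s %s %s sftpTransfer\n' "$KEY_OPTS" "$ktype" "$kdata" >> "$auth"
}

if [ "$#" -gt 0 ]; then install_sftp_key "$@"; fi
```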

How do I create a Pre-signed S3 URL? | Cloud Resolve LLC

In this article, we show you how to generate a pre-signed URL using the AWS CLI. This is an important step in providing secure access to your S3 bucket contents.

Use the AWS CLI to get a list of your buckets:

aws s3 ls

Locate the correct bucket:

aws s3 ls s3://bucketname

Find the correct object within that bucket:

aws s3 ls s3://bucketname/objectname

Share that object using the presigned URL format, giving a timeout in seconds (e.g. --expires-in 60):

aws s3 presign s3://bucketname/objectname --expires-in 60

Share the generated URL with the client.
Note: you may want to shorten the URL using a service such as tinyurl or bit.ly
Also note that you must download the object within the specified time. Otherwise the URL will expire and the request will be denied.
The AWS CLI reference document will provide more information for those who are interested in learning more about this process.
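
Anyone who holds a pre-signed URL can fetch the object until it expires, so it is worth checking what a URL grants before sending it. This added example (not from the original article) parses a constructed sample URL in the SigV4 query-string form, reports the signing access key and expiry, and rejects URLs whose lifetime exceeds a chosen limit; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): inspect a SigV4 pre-signed URL before sharing it.
# SAMPLE_URL is constructed: AWS's documentation key id and a placeholder signature.
SAMPLE_URL='https://bucketname.s3.us-east-1.amazonaws.com/objectname?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20240101%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240101T120000Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host&X-Amz-Signature=CONSTRUCTED'

# qparam URL NAME -> value of query parameter NAME (empty if absent)
qparam() {
  printf '%s\n' "${1#*\?}" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# signer_key_id URL -> access key id of the credential that signed the URL
signer_key_id() {
  qparam "$1" X-Amz-Credential | sed 's/%2[Ff].*//'
}

# amz_epoch 20240101T120000Z -> seconds since 1970-01-01 UTC (shell arithmetic only)
amz_epoch() {
  y=$(echo "$1" | cut -c1-4);   m=$(echo "$1" | cut -c5-6);   d=$(echo "$1" | cut -c7-8)
  H=$(echo "$1" | cut -c10-11); M=$(echo "$1" | cut -c12-13); S=$(echo "$1" | cut -c14-15)
  m=${m#0}; d=${d#0}; H=${H#0}; M=${M#0}; S=${S#0}   # avoid octal parsing of 08 and 09
  if [ "$m" -le 2 ]; then y=$((y - 1)); m=$((m + 9)); else m=$((m - 3)); fi
  yoe=$((y % 400))
  days=$(( (y / 400) * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + (153 * m + 2) / 5 + d - 1 - 719468 ))
  echo $(( days * 86400 + H * 3600 + M * 60 + S ))
}

# expires_epoch URL -> time the URL stops working: X-Amz-Date + X-Amz-Expires
expires_epoch() {
  echo $(( $(amz_epoch "$(qparam "$1" X-Amz-Date)") + $(qparam "$1" X-Amz-Expires) ))
}

# check_presigned URL MAX_TTL [NOW_EPOCH] -> 0 if TTL <= MAX_TTL and not yet expired
check_presigned() {
  ttl=$(qparam "$1" X-Amz-Expires); now="${3:-$(date +%s)}"
  case "$ttl" in ''|*[!0-9]*) echo "not a SigV4 pre-signed URL" >&2; return 2 ;; esac
  case "$(qparam "$1" X-Amz-Date)" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]T[0-9][0-9][0-9][0-9][0-9][0-9]Z) ;;
    *) echo "missing or malformed X-Amz-Date" >&2; return 2 ;;
  esac
  [ "$ttl" -le "$2" ] || { echo "TTL ${ttl}s exceeds limit of ${2}s" >&2; return 1; }
  [ "$now" -lt "$(expires_epoch "$1")" ] || { echo "URL has expired" >&2; return 1; }
}

# Demo on the constructed sample, evaluated 30 seconds after signing.
check_presigned "$SAMPLE_URL" 300 1704110430 && echo "OK, signed by $(signer_key_id "$SAMPLE_URL")"
```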