I am trying to create an EC2 instance (Amazon Linux, so I shouldn't have to configure the SSM agent as it should be autoconfigured) in a private subnet, and want to be able to SSH into it. According to this post I have to use AWS Systems Manager for this. I've done quite a bit with codestar/beanstalk before, but now simply want to be able to create and delete everything via the AWS CLI manually for learning purposes.

Here are the commands I'm able to run fine (the ec2 instance is created successfully with my role)

aws iam create-role --role-name ec2-role --assume-role-policy-document file://roles/ec2-role.json
aws iam attach-role-policy --role-name ec2-role --policy-arn "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
aws iam create-instance-profile --instance-profile-name ssm-instance-profile-for-ec2-instances
aws iam add-role-to-instance-profile --instance-profile-name ssm-instance-profile-for-ec2-instances --role-name ec2-role

# Creating the EC2 instance
aws ec2 run-instances --image-id ami-0db9040eb3ab74509 --count 1 --instance-type t2.micro --key-name key-pair-for-instance1 --subnet-id <my_valid_subnet_id> --iam-instance-profile Name=ssm-instance-profile-for-ec2-instances

I took parts of these commands from this post.

My json file for ec2-role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}

Unfortunately this instance isn't visible in the SSM (Systems Manager):

aws ssm describe-instance-information
{
    "InstanceInformationList": []
}

I have been following the main documentation on SSM and, from what I understand from the page below, all you would need is the AmazonSSMManagedInstanceCore policy: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-instance-profile.html

The web console hasn't been any help so far, according to this page it treats roles and instance-profiles as the same thing.

What am I missing here to be able to use the aws ssm command to start an ssh session?

Leejjon
  • Does your EC2 instance's subnet have egress? I.e. a NAT gateway? I believe it needs to be able to connect outbound to the AWS Systems Manager service. – Taylor Reece Apr 18 '21 at 02:14
  • Right now it doesn't have a NAT gateway. I have a private and a public subnet and an internet gateway. When putting the ec2 in my public subnet it gets an IP and I can add a security group that allows SSH (I was able to SSH that way). Whenever I put it in a private one it has no IP. I'll try configuring a NAT gateway then. – Leejjon Apr 18 '21 at 07:23
  • This can be quite fiddly to set up. It definitely needs outbound access to the internet on port 443; I don't think it needs inbound access. You can use VPC endpoints but they cost something like $0.01 per hour and from memory you need 2 or 3 endpoints. Via NAT gateway or internet gateway is more cost effective. I've automated the setup with CloudFormation but within a fairly complex VPC so it would be difficult to share. – Tim Apr 18 '21 at 07:59

2 Answers

SSM needs access to the ssm and ssmmessages AWS endpoints to work. If your ec2 instance doesn't have access to the internet (private subnet without a NAT gateway), you need to enable VPC private endpoints for these services.

https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html

mclavel
I managed to solve it by following this picture from the AWS Networking Fundamentals video:

Things I needed to do:

  • Add an internet gateway to the VPC
  • Add a NAT gateway to the public subnet and allocate an elastic IP for it
  • Configure two routing tables, one for the public subnet that has a route to the internet gateway and one for the private subnet that has a route to the NAT gateway.
  • Create a security group and add the EC2 instance to it. Security groups have 0.0.0.0/0 outbound access by default, and from that moment I could access the instance and start an SSH session in the Session Manager under AWS Systems Manager. Funny how it doesn't require a rule for allowing inbound SSH traffic on port 22.

Thanks @Taylor and @Tim for the suggestions.

Edit: Full tutorial on how I built a simple VPC with subnets and ec2 instances that are reachable via SSM: https://dpgmedia-engineering.medium.com/applying-basic-networking-fundamentals-in-aws-d8ffdc4ad537

Leejjon
  • Glad you got it figured out! I'll add an addendum about needing outbound internet access to the first blog post you linked. – Taylor Reece Apr 18 '21 at 14:18
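As an added offline check (example code, not part of any answer on this page), the following Python takes the parsed JSON of `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints` and reports whether an instance's subnet meets either of the network prerequisites discussed above: an active default route via a NAT or internet gateway, or interface endpoints for ssm, ssmmessages and ec2messages (the third is listed in the AWS documentation the first answer links). The sample route tables, endpoints and every subnet, VPC and gateway id are constructed; it does not check the instance profile side.

```python
"""Offline check of the SSM-connectivity prerequisites discussed above, run on the
parsed JSON of `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints`.
All sample documents and ids below are constructed."""

# Interface endpoints SSM Agent needs when the subnet has no NAT/IGW default route
# (ssm and ssmmessages from the answer above, ec2messages per the AWS docs).
SSM_SERVICES = {"ssm", "ssmmessages", "ec2messages"}


def route_table_for_subnet(route_tables, subnet_id):
    """Table explicitly associated with subnet_id, else the VPC's main table (or None)."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def egress_target(route_table):
    """Id of the NAT or internet gateway behind an active 0.0.0.0/0 route, or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            return route.get("NatGatewayId") or route.get("GatewayId")
    return None


def ssm_endpoints_present(endpoints, vpc_id):
    """Subset of SSM_SERVICES that has an available interface endpoint in vpc_id."""
    found = set()
    for ep in endpoints:
        if (ep.get("VpcId") == vpc_id and ep.get("State") == "available"
                and ep.get("VpcEndpointType") == "Interface"):
            found.add(ep["ServiceName"].rsplit(".", 1)[-1])  # com.amazonaws.<region>.<svc>
    return found & SSM_SERVICES


def ssm_reachable(route_tables, endpoints, subnet_id, vpc_id):
    """True if the subnet reaches SSM via NAT/IGW, or via all required interface endpoints."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is not None and egress_target(rt) is not None:
        return True
    return ssm_endpoints_present(endpoints, vpc_id) == SSM_SERVICES


# Constructed samples: the asker's private subnet before and after adding the NAT gateway.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
NAT = {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}
PRIVATE_NO_NAT = [{"Associations": [{"SubnetId": "subnet-private"}], "Routes": [LOCAL]}]
PRIVATE_WITH_NAT = [{"Associations": [{"SubnetId": "subnet-private"}], "Routes": [LOCAL, NAT]}]
ENDPOINTS = [{"VpcId": "vpc-0example", "VpcEndpointType": "Interface", "State": "available",
              "ServiceName": f"com.amazonaws.eu-west-1.{svc}"} for svc in sorted(SSM_SERVICES)]
```

Run `ssm_reachable(PRIVATE_NO_NAT, [], "subnet-private", "vpc-0example")` to reproduce the empty `describe-instance-information` situation, and the `PRIVATE_WITH_NAT` or `ENDPOINTS` variants to see either fix satisfy the check.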