AWS SSM Agent registration call cannot be proxied?

Question

How do I proxy the amazon-ssm-agent -register call?

I want to proxy all the amazon-ssm-agent traffic in a local VM instance through a squid proxy.

When the SSM agent is running, it seems to proxy all traffic (as expected) through squid. However, the initial registration call seems to not be proxied.

Example:

Given a squid proxy server with the following rules ( /etc/squid/squid.conf )

acl whitelist dstdomain example.com
http_access allow whitelist

And having configured (systemctl edit amazon-ssm-agent) the proxy settings for aws-ssm-agent:

[Service]
Environment="http_proxy=http://localhost:3128"
Environment="https_proxy=http://localhost:3128"
Environment="no_proxy=169.254.169.254"

Then I would expect the following to fail because the proxy does not allow access to anything except for example.com

> amazon-ssm-agent -register -code "abcdefghijklmnop" -id "aaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaa" -region "eu-west-2"

But actually it bypasses the proxy and registers with AWS successfully (/var/log/amazon/ssm/amazon-ssm-agent.log):

2019-01-11 14:44:57 DEBUG Start File Watcher On: /etc/amazon/ssm/seelog.xml
2019-01-11 14:44:57 DEBUG Start Watcher on directory: /etc/amazon/ssm
2019-01-11 14:45:55 INFO Successfully registered the instance with AWS SSM using Managed instance-id: mi-0000aa00000a0aaaa0

How can I ensure that the amazon-ssm-agent -register call is proxied through squid?

Answer 1

The amazon-ssm-agent -register call is not run as a service by systemd, so to proxy the register call itself, you will have to set/export the proxy properties the usual way.

> http_proxy="http://localhost:3128"
> https_proxy="http://localhost:3128"
> amazon-ssm-agent -register -code "abcdefghijklmnop" -id "aaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaa" -region "eu-west-2"

Simple. Once you know that that's the case :)