Start or Stop services in multiple Windows EC2 Instances using AWS Systems Manager

By

image

Use Case

You are the admin over a large amount of EC2 instances and managing different AWS accounts under Organization and you have to start/stop/disable a service for all Windows EC2 Instances in the Organization. Rather than wasting labor hours to perform this activity in each instance manually, you want to automate the process using AWS Systems Manager. Recently Windows had a flaw in Print Spooler Remote Code Execution Vulnerability and Microsoft recommended to stop until the patch is applied, in order to apply this immediately, we can make use of this design

Systems Manager

Systems Manager (SSM) gives you visibility and control over your AWS infrastructure. Automation, a capability of AWS Systems Manager, simplifies common maintenance and deployment tasks of Amazon Elastic Compute Cloud (Amazon EC2) instances and other AWS resources. Automation helps you to do the following: Build automations to configure and manage instances and AWS resources.
In this project we will be focusing on the how to stop a service in multiple Windows EC2 instances centrally from master account. Let’s get started.

Design Overview

image

AWS Systems Manager Automation supports multi-account and multi-Region actions enabling you to centrally manage your AWS resources. This feature reduces the time and overhead needed for enterprise-wide configuration, operational actions, and compliance remediation.

Implementation

In this blog, I will walk through the below steps to set up your management account and target accounts for multi-account Automation tasks, here we will take print spooler as a service which we will stop in all Windows EC2 instances across the platform which are reporting to Systems manager

First you need to pick any one account as your management account and Region as your management Region. From this management location (management account and Region), you can execute Automation tasks targeting other AWS accounts and Regions.

Step 1 : Setup the IAM role in management/master AWS account

In the management account, provision the administrator automation IAM role, which can be created using the following AWS CloudFormation template available here in my Github repository
  • Clone the repo in your local
  • Login to management account and go to CloudFormation service
  • Create Stack by uploading the AWS-SystemManager-AutomationAdministrationRole.json template
    image
  • Click Next and provide any readable name for the stack
    image
  • Leave default in next page, considering the user you logged into the master account has previlege to create IAM role from CloudFormation
  • Acknowledge IAM capabilities and click on create stack
    image
  • Validate the Stack completion
    image
  •  Here is an example of the IAM policy that will be created in master account: 
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "sts:AssumeRole"
                ],
                "Resource": "arn:aws:iam::*:role/AWS-SystemsManager-AutomationExecutionRole",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "organizations:ListAccountsForParent"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }


Step 2 : Setup the IAM role in all member AWS accounts

Here we are going to deploy AWS-SystemsManager-AutomationExecutionRole.json role in all member accounts in an OU by deploying through stacksets. For more details on Stacksets, please refer official AWS document for stackset.
  • Clone the repo in your local, template available here in my Github repository
  • Login to management account and go to CloudFormation service
  • Go to Stacksets and Create Stackset by uploading the AWS-SystemsManager-AutomationExecutionRole.json template
    image
  • Click Next and provide any readable name for the stackset and enter master account ID in the parameter
    stackset
  • Click Next and select the deployment Targets, Region (Any one region, since role is global) and Options as per your requirement and acknowledge for IAM capabilities and create the stackset
    image
  • Once Operation is complete, you can validate a role will be created across all the accounts
  • Here is an example of the IAM policy that will be created in member accounts: 
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ec2:*",
                    "ssm:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "iam:PassRole"
                ],
                "Resource": "arn:aws:iam::60**********:role/AWS-SystemsManager-AutomationExecutionRole",
                "Effect": "Allow"
            }
        ]
    }
trust

Step 3 : Execute Automation to stop a service in Windows for target accounts

  • In the management account, Go to  AWS Systems Manager console, select Automation from the left navigation pane and filter for Document AWSSupport-ManageWindowsService and select the document and click Next
    image
  • Select Multi-account and Region
    image
  • Select the Target accounts and Regions as per your requirement
    tempsnip
  • Select Targets as shown below
    image
  • Select Input Parameters, for this example I have taken Spooler service to stop and disable
    image
  • Enter the Rate control and tags as per your requirement and execute the Automation
    image
  • You can view the execution results as below
    output

Conclusion

In this blog post, I have shown you how to stop a service in AWS Systems Manager Managed Windows Instances across multiple AWS accounts using Automation. I started by showing you how to create the required IAM service roles used by Automation in the management and target accounts. Following this, I showed you how to execute AWSSupport-ManageWindowsService Document that targeted your managed instances
You can customize your workflow further by using different Automation Document. For more details, Please refer official AWS SSM Automation Documents.

Thank you for reading!

Comments

Post a Comment

Popular posts from this blog

Connect to Linux EC2 Instance if Key pair is lost after Initial Launch

By
Use Case We know that EC2 Linux instances are accessible through the private keys by default. However, SSH is allowed but you cannot use SSH password authentication to access Linux instance as it is disabled by default. So, what would happen if you lose the private key of your Linux instance? In this blog, I will walk you through the easiest ways to login when you lost the Key pair What is a key-pair file? Key-pair is a combination of a public and private key. Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. Private key is only the way to get access to the instance, what if you lost the key? Is your servers lost in black hole? Thankfully nothing is lost you still can access your server, let me show you how can you solve this problem. Things that you should know before to proceed to this topic This procedure will requires s
Read more

Setup Grafana on AWS EKS and integrate with AWS Cloudwatch

By
What is Grafana? Grafana is open-source visualization and analytics software. It allows you to query, visualize, alert on, and explore your metrics no matter where they are stored. In plain English, it provides you with tools to turn your time-series database (TSDB) data into beautiful graphs and visualizations. Setup Grafana on Amazon Elastic Kubernetes Service This blog explains on how to run Grafana on Amazon Elastic Kubernetes cluster and adding cloudwatch as datasource to Grafana. Using Grafana you can simplify Kubernetes monitoring dashboards from Clo
Read more

Concourse CI Installation and Configuration in Windows

By
Introduction to Concourse Concourse is an open source CI/CD system with integration supported to Resource types in the outside world. Concourse's principles reduce the risk of switching to and from Concourse, by encouraging practices that decouple your project from your CI's little details, and keeping all configuration in declarative files that can be checked into version control. Install and Configure Concourse in Windows Follow the below Steps to Install Installing Docker Desktop is pretty simple, download the exe file and install the docker desktop Modify Docker daemon configuration file as below
Read more

Install SSM Agent in Amazon EC2 Instance

By
What is SSM Agent AWS Systems Manager Agent is a Amazon software which can be installed on Amazon EC2 Instances. If SSM Agent is Installed in the servers then it will be easy to manage the EC2 Instances through AWS Systems manager.  By default SSM agent is pre installed for below Amazon Machine Images Amazon Linux Amazon Linux 2 Amazon Linux 2 ECS-Optimized Base AMIs macOS 10.14.x (Mojave), 10.15.x (Catalina), and 11.x (Big Sur) SUSE Linux Enterprise Server (SLES) 12 and 15 Ubuntu Server 16.04, 18.04, and 20.04 Windows Server 2008-2012 R2 AMIs published in November 2016 or later Windows Server 2016 and 2019 In this blog, I will walk you through on the ways to Install SSM Agent in the Instances which will not get SSM Agent by default. Steps to Install S
Read more

Deploy AWS infrastructure using Terraform and GitHub Actions

By
Terraform being an Infrastructure as a Code helps us to manage a lot of infrastructure for several platforms in a consistent manner.  In this blog, I will walkthrough on deploying a terraform code using  Github actions Terraform code to create S3 bucket In this blog, I will walkthrough each blocks in terraform to create an S3 bucket in AWS in automated workflow using GitHub Actions. Lets look into the Terraform files. To understand easily, I have created separate tf files for each purpose, but you can still use all in one tf file as per your convenient. You can use any name with tf extension, for better understanding I used following names. versions.tf
Read more

Automate Permission Boundary Attachment to IAM roles and Users

By
When we are managing multiple AWS Accounts in an Organization and each accounts will have their own requirement but as a centralized admin, we should be having a certain governance and compliance framework. IAM is a widely used AWS service and IAM roles/users are common used entity in AWS. As a centralized Admin, when we provide access to create IAM roles, cloud consumers in the landing zone accounts would create Users and Roles and attach Administrative policy and bypass the governance framework. In this blog, I will be briefing on restricting this scenario using IAM permission boundary and also deploying this setup through automation. AWS supports permissions boundaries for IAM entities (users or roles). A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows
Read more

AWS Route 53 Inbound Resolver to resolve DNS for Multi Account Organization

By
Amazon Route53 Resolver The route 53 resolvers are contactable IP addresses (endpoints) where the DNS queries from different sources can be directed. There are two types of resolvers that administrators can deploy. Inbound Resolver As the name says inbound (DNS Resolutions coming in) which will enable your resources in the on-prem network to resolve AWS resource domain names or records in a Route 53 private hosted zone by allowing your on-prem network DNS resolvers to forward queries to Route 53 Resolver. Outbound Resolver As the name says Outbound (DNS Resolutions going out) which will enable your AWS resources to resolve the domain names of your on-prem network resources using resolver rules, which would forward selected queries to the on-prem network DNS resolvers On-prem to AWS DNS Resolution for
Read more

Import Existing Resources using Terraform

By
In this blog, I will walk you through the ways to import pre-existing cloud resources in terraform. Why Import is required? There will be a scenario, where you will have a stringent timeline to setup a cloud Infrastructure and it can lead to situations where infrastructure needs to be created manually due to time pressures, emergency releases or just the fact that the infrastructure exists, and terraform was never used in the first instance. In a worst case scenario, you can lose the terraform.tfstate file. Terraform import will be essential in most of all these scenarios. Let's Import With an understanding of why Import is required, let us begin by importing a simple AWS resource S3. Firstly, we need to setup the Terraform and AWS credentials locally, we will not go into the details of installing and setting AWS credentials in
Read more

Hosting AWS VPC Interface Endpoints in Shared Model

By
What is VPC Endpoint A VPC endpoint enables private connections between your VPC and supported AWS services. Endpoints are classified as Interface and Gateways endpoints. In this blog, I will be showing how to host interface endpoints in shared model Do you have Multi AWS Accounts in Organization? When you have multi accounts structure in your Organization then creating endpoints in each accounts will increase the costs and IPs, in this blog I will explain how you can deploy endpoints in Shared Services Account and associate the member accounts VPCs with Private Hosted zone. Below is the Architectural diagram which I will be showing in detail on how to setup and also how the flow works Architecture Design AWS Services/Components required VPC Subnets Endpoints Hosted zone and Record set Transit Gateway I
Read more