MultiCloud Classroom notes 03/May/2026

AWS Systems Manager

  • AWS Systems Manager is a central operations hub for managing AWS and on-premises resources.

Architecture — How SSM Agent Communicates

┌──────────────────────────────────────────────────────────────┐
│                        AWS Cloud                             │
│                                                              │
│   ┌──────────────────┐        ┌───────────────────────────┐  │
│   │  Systems Manager │◄──────►│  EC2 Instance             │  │
│   │  Service (Cloud) │        │  ┌─────────────────────┐  │  │
│   └──────────────────┘        │  │  SSM Agent (waits   │  │  │
│                               │  │  for instructions)  │  │  │
│   ┌──────────────────┐        │  └─────────────────────┘  │  │
│   │  Fleet Manager   │        │                           │  │
│   │  (Dashboard)     │        │  IAM Role: EC2-SSM-Role   │  │
│   └──────────────────┘        └───────────────────────────┘  │
└──────────────────────────────────────────────────────────────┘

Example:

  • Your company has 50 EC2 instances. A security audit happened, and we need to install nginx and create a dev user by tomorrow.

Manually: log in to each EC2 instance over SSH and run the commands to install nginx and create the dev user.

SSM: AWS SSM Run Command ==> one script runs on all 50 EC2 instances.

Create an IAM role for EC2 to communicate with SSM

  1. IAM role name: EC2-SSM-Role
  2. Attach permissions policy: AmazonSSMManagedInstanceCore

Permissions granted by AmazonSSMManagedInstanceCore:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeAssociation",
                "ssm:GetDeployablePatchSnapshotForInstance",
                "ssm:GetDocument",
                "ssm:DescribeDocument",
                "ssm:GetManifest",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:ListAssociations",
                "ssm:ListInstanceAssociations",
                "ssm:PutInventory",
                "ssm:PutComplianceItems",
                "ssm:PutConfigurePackageResult",
                "ssm:UpdateAssociationStatus",
                "ssm:UpdateInstanceAssociationStatus",
                "ssm:UpdateInstanceInformation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2messages:AcknowledgeMessage",
                "ec2messages:DeleteMessage",
                "ec2messages:FailMessage",
                "ec2messages:GetEndpoint",
                "ec2messages:GetMessages",
                "ec2messages:SendReply"
            ],
            "Resource": "*"
        }
    ]
}
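The policy above is the agent's identity, and the question a defender asks of it is what a process running on the instance can do with it. The following Python is an added example for these notes, not code from the course or from AWS: it implements the core of IAM's decision logic for a single identity policy (implicit deny, an explicit Deny always wins, "*" and "?" wildcards, case-insensitive action names) and runs it over the AmazonSSMManagedInstanceCore document copied from the notes. Resource ARNs and Condition keys are ignored, which is safe here because every statement uses Resource "*" with no conditions. The CHECKS labels and the Deny statement appended by with_deny() are our own constructed illustration of an extra inline policy, not part of the managed policy.

```python
"""Evaluate what the instance role policy allows, and show how to narrow it."""
import copy
import re

# AmazonSSMManagedInstanceCore, as shown in the notes (compacted).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ssm:DescribeAssociation", "ssm:GetDeployablePatchSnapshotForInstance",
            "ssm:GetDocument", "ssm:DescribeDocument", "ssm:GetManifest",
            "ssm:GetParameter", "ssm:GetParameters", "ssm:ListAssociations",
            "ssm:ListInstanceAssociations", "ssm:PutInventory",
            "ssm:PutComplianceItems", "ssm:PutConfigurePackageResult",
            "ssm:UpdateAssociationStatus", "ssm:UpdateInstanceAssociationStatus",
            "ssm:UpdateInstanceInformation"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
            "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ec2messages:AcknowledgeMessage", "ec2messages:DeleteMessage",
            "ec2messages:FailMessage", "ec2messages:GetEndpoint",
            "ec2messages:GetMessages", "ec2messages:SendReply"]},
    ],
}

# Questions a defender usually asks about the agent's role (labels are ours).
CHECKS = {
    "register and heartbeat with SSM": "ssm:UpdateInstanceInformation",
    "open agent control/data channels (ssmmessages)": "ssmmessages:CreateControlChannel",
    "read Parameter Store values": "ssm:GetParameter",
    "send Run Command to other instances": "ssm:SendCommand",
    "start sessions on other instances": "ssm:StartSession",
    "decrypt SecureString parameters (kms)": "kms:Decrypt",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM-style wildcard match: '*' any run, '?' one char, case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def is_allowed(policy, action):
    """Implicit deny unless an Allow matches; any matching Deny wins."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def agent_capabilities(policy):
    """Map each CHECKS label to whether the policy allows its action."""
    return {label: is_allowed(policy, action) for label, action in CHECKS.items()}


def with_deny(policy, actions):
    """Copy of policy with an explicit Deny for the given actions appended.

    Constructed illustration: this is what an extra inline policy on the role
    would do, e.g. when instances must not read Parameter Store at all.
    """
    locked = copy.deepcopy(policy)
    locked["Statement"].append({"Effect": "Deny", "Action": list(actions), "Resource": "*"})
    return locked


if __name__ == "__main__":
    for label, ok in agent_capabilities(POLICY).items():
        print(f"{'ALLOW' if ok else 'deny '}  {label}")
```

Two things the output makes visible. The managed policy lets the agent register and open its channels but grants neither ssm:SendCommand nor ssm:StartSession, so a process on one instance cannot use the instance role to run commands on others; those actions are authorized by the operator's IAM identity, not by this role. It does grant ssm:GetParameter and ssm:GetParameters on every parameter, so any process on the instance can read plain String parameters the account holds (SecureString values additionally need kms:Decrypt, which this policy does not include); if that is not wanted, an explicit Deny as in with_deny() or a custom policy is the fix.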

Attach the role to the EC2 instance

  1. Add it when you create the EC2 instance
  2. Add the role to an existing instance

EC2 needs a role for SSM

┌─────────────────────────────────────────────────────────────┐
│                   Without IAM Role                          │
│                                                             │
│  AWS Systems Manager ──X──► EC2 Instance                    │
│                    (Access Denied!)                         │
└─────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│                    With IAM Role                            │
│                                                             │
│  AWS Systems Manager ──✅──► EC2 Instance                   │
│         (Role: AmazonSSMManagedInstanceCore attached)       │
└─────────────────────────────────────────────────────────────┘

Now create 2 Amazon Linux instances and attach the SSM role.

[Screenshot: SSM Agent preview, Linux and Windows]

#!/bin/bash
set -e  # exit if any command fails

echo "started installation nginx"
sudo dnf update -y
sudo dnf install nginx -y
sudo systemctl start nginx
sudo systemctl enable nginx
sudo systemctl status nginx

Run it with the AWS CLI:

aws ssm send-command \
  --document-name "AWS-RunShellScript" \
  --document-version "1" \
  --targets '[{"Key":"InstanceIds","Values":["i-0bd547218cfa660e4","i-0077a912aa250d368"]}]' \
  --parameters '{"workingDirectory":[""],"executionTimeout":["3600"],"commands":["#!/bin/bash","","set -e # exit if any command fails","","echo \"started installation nginx\"","","sudo dnf update -y","","sudo dnf install nginx -y","","sudo systemctl start nginx","","sudo systemctl enable nginx","","sudo systemctl status nginx"]}' \
  --timeout-seconds 600 \
  --max-concurrency "50" \
  --max-errors "0" \
  --output-s3-bucket-name "demo-aws-s3-qt-123" \
  --cloud-watch-output-config '{"CloudWatchOutputEnabled":false}' \
  --region us-east-1
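The CLI line above is generated by the console from the script: every line of the script, blank lines included, becomes one element of the "commands" parameter, which is why the JSON contains "" items. The Python below is an added example for these notes, not code from the course or from AWS. It builds the same request with the parameter names boto3's ssm.send_command() uses (the call itself is left to the reader), adds the pre-flight check the "EC2 needs a role for SSM" section implies (is every target actually reporting as Online in describe-instance-information?), and summarizes list-command-invocations results so that a MaxErrors "0" abort is noticed rather than assumed to have succeeded. The instance IDs, bucket name and API responses are constructed sample values.

```python
"""Build the Run Command request from a script and check the outcome."""
from collections import Counter

NGINX_SCRIPT = """#!/bin/bash
set -e  # exit if any command fails
echo "started installation nginx"
sudo dnf update -y
sudo dnf install nginx -y
sudo systemctl start nginx
sudo systemctl enable nginx
sudo systemctl status nginx
"""

# Constructed stand-ins for API responses (not real instances).
# Shape of describe-instance-information -> InstanceInformationList.
INSTANCE_INFORMATION = [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "PingStatus": "Online", "IamRole": "EC2-SSM-Role"},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "PingStatus": "ConnectionLost", "IamRole": "EC2-SSM-Role"},
]
# Shape of list-command-invocations -> CommandInvocations.
INVOCATIONS = [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "Status": "Success"},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "Status": "Failed"},
]


def script_to_commands(script):
    """Split a script into the per-line list AWS-RunShellScript expects."""
    return script.rstrip("\n").split("\n")


def unmanaged_targets(instance_ids, instance_information):
    """Target IDs that SSM does not report as Online.

    An instance without the role, or with the agent stopped, is either absent
    from describe-instance-information or not Online; sending to it only
    produces a failed invocation, so catch it before the command is issued.
    """
    online = {i["InstanceId"] for i in instance_information if i.get("PingStatus") == "Online"}
    return sorted(set(instance_ids) - online)


def build_run_command(instance_ids, script, bucket, timeout_seconds=600):
    """Keyword arguments for ssm.send_command(), mirroring the CLI line.

    MaxErrors "0" stops the command at the first failing instance; that is the
    conservative setting for a fleet-wide change, so keep it unless partial
    failure is acceptable on purpose.
    """
    return {
        "DocumentName": "AWS-RunShellScript",
        "DocumentVersion": "1",
        "Targets": [{"Key": "InstanceIds", "Values": list(instance_ids)}],
        "Parameters": {
            "workingDirectory": [""],
            "executionTimeout": ["3600"],
            "commands": script_to_commands(script),
        },
        "TimeoutSeconds": timeout_seconds,
        "MaxConcurrency": "50",
        "MaxErrors": "0",
        "OutputS3BucketName": bucket,
        "CloudWatchOutputConfig": {"CloudWatchOutputEnabled": False},
    }


def summarize_invocations(invocations):
    """Return (status counts, sorted IDs whose Status is not Success)."""
    counts = Counter(inv["Status"] for inv in invocations)
    failed = sorted(inv["InstanceId"] for inv in invocations if inv["Status"] != "Success")
    return dict(counts), failed


if __name__ == "__main__":
    ids = [i["InstanceId"] for i in INSTANCE_INFORMATION]
    print("not Online:", unmanaged_targets(ids, INSTANCE_INFORMATION))
    params = build_run_command(ids, NGINX_SCRIPT, "example-output-bucket")
    print("commands:", params["Parameters"]["commands"])
    print("result:", summarize_invocations(INVOCATIONS))
```

In real use the two response lists come from ssm.describe_instance_information() and ssm.list_command_invocations(CommandId=...), and the dict from build_run_command() is passed as ssm.send_command(**params). Output lands in the S3 bucket named in the request, so that bucket should be readable only by the people who run the commands.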

Activity:

  1. Create 2 instances (Ubuntu), create the SSM role and attach it to the EC2 instances.

  2. Create an S3 bucket to use for your activity.

  3. Run Command: choose the shell script below.

#!/bin/bash
set -e  # exit if any command fails

echo "started installation nginx"
sudo apt update -y
sudo apt install nginx -y
sudo systemctl start nginx
sudo systemctl enable nginx
sudo systemctl status nginx

  4. Create a patch policy that runs every hour and check the patch status and logs.
     Schedule: cron(0 * ? * * *)

  5. Delete all EC2 instances and the patch policy.
