Lab Prerequisites

Pre-Requisites

Automation Service (Assume) Role

During this session, you will be launching an instance using the aws:executeScript action. When a step in an Automation document includes the aws:executeScript action, an IAM service role (assume role) is always required if the Python (or PowerShell) script specified for the action calls any AWS API actions.

Note: You can use Systems Manager Quick Setup (see below for more information on Quick Setup) to quickly create an Automation assume role. However, you must add the AmazonSSMAutomationRole IAM policy to the Automation assume role. For more information, see Task 1: Create a Service Role for Automation.

For more information on creating the Automation Service Role manually, see Configuring a Service Role (Assume Role) Access for Automation Workflows.

In addition to the above, you must create an inline policy for the Automation service role that grants access to create an S3 bucket as referenced in Step 3. An example IAM policy that you can add to your Automation service role can be found below. For information on how to add inline policy permissions, see the section labeled To embed an inline policy for a user or role (console) in the topic Adding IAM Identity Permissions (Console).

EC2 IAM Instance Profile Role

During this session, you will be launching an EC2 instance using an Automation document. By default, AWS Systems Manager doesn't have permission to perform actions on your instances. You must grant access by using an AWS Identity and Access Management (IAM) instance profile. You can create an instance profile for Systems Manager by attaching one or more IAM policies that define the necessary permissions to a new role or to a role you already created.

Note: You can use Systems Manager Quick Setup to quickly configure an instance profile on all instances in your AWS account. Quick Setup can also create an assume role, which enables Systems Manager to securely run commands on your instances on your behalf. For more information, see AWS Systems Manager Quick Setup.

In addition to the above, you must create an inline policy for the EC2 IAM instance profile role that grants access to the S3 bucket created in Step 3. An example IAM policy that you can add to your EC2 instance profile role can be found below. For information on how to add permissions, see Task 2: Add Permissions to a Systems Manager Instance Profile (Console).

Quick Setup

If you choose to use Quick Setup to create the EC2 IAM instance profile role and the Automation service role, you can have Systems Manager either create the required IAM roles or add the appropriate permissions to an existing role. You can also enable or disable the individual settings listed under Quick Setup options.

Note: If you use Quick Setup, you will want to deselect the options under Quick Setup options. Additionally, in the Targets section, choose Specify instance tags and enter NYCLoft for the tag key and Builders as the tag value.

Default VPC

The Automation document you create launches an EC2 instance into the default VPC of the region in which you initiate the automation workflow. The default VPC must be configured to allow the instance to reach AWS Systems Manager. This can be accomplished in a variety of ways, including:

  • Using a public IPv4 address and Internet Gateway
  • Using a NAT Gateway
  • Using VPC Endpoints for ssm, ec2messages, and s3

For more information, see Systems Manager Prerequisites.

If you do not have a default VPC that meets the above requirements, please inform your instructor, as you will need to add an additional parameter to specify the appropriate subnet ID.

Automation Service Role Create S3 Bucket Access

As described in the Hands-On Instructions section, the Automation service role (assume role) must be granted access to create an S3 bucket which will be used to store patching execution logs. An example IAM policy that you can add to the Automation service IAM role is as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket"
            ],
            "Resource": [
                "arn:aws:s3:::nycloft-builders-*"
            ]
        }
    ]
}

EC2 IAM Instance Profile Role S3 Access

As described in the Hands-On Instructions section, the EC2 instance launched by Automation must be granted access to the S3 bucket created in Step 3 in order to export log information related to patching. An example IAM policy that you can add to the EC2 instance IAM role is as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::nycloft-builders-*/*",
                "arn:aws:s3:::nycloft-builders-*"
            ]
        }
    ]
}

Important

Because the name of the S3 bucket is dynamic and incorporates the execution ID of the Automation workflow, the policies above use an asterisk wildcard in the bucket name. For standard usage outside of this demo environment, it is recommended to specify the full name of the bucket so that the grant covers only that one bucket.
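To make the wildcard caveat concrete, the following added example (not part of the lab materials) evaluates the instance profile policy above with a deliberately simplified IAM matcher against constructed bucket names. It shows that the wildcard grant reaches every bucket sharing the nycloft-builders- prefix, that the same grant pinned to one bucket name does not, and that an action the policy never lists (s3:DeleteObject here) is implicitly denied.

```python
import re

# Added example, not part of the lab: a simplified IAM policy evaluator for
# sanity-checking the two policies above. It handles Allow/Deny statements with
# IAM "*" and "?" wildcards in Action and Resource only; Condition, NotAction,
# NotResource and resource-based policies are out of scope. Explicit Deny wins,
# then any matching Allow, otherwise the request is implicitly denied.

def iam_match(pattern, value, ignore_case=False):
    # IAM action names are case-insensitive; resource ARNs are case-sensitive.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def is_allowed(policy, action, resource):
    allowed = False
    for stmt in policy["Statement"]:
        acts = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        res = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
        if any(iam_match(a, action, True) for a in acts) and any(iam_match(r, resource) for r in res):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# The EC2 instance profile policy exactly as shown above (wildcard bucket name).
INSTANCE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:GetEncryptionConfiguration"],
    "Resource": ["arn:aws:s3:::nycloft-builders-*/*", "arn:aws:s3:::nycloft-builders-*"]}]}

def scoped_policy(bucket):
    # The same grant pinned to one bucket, as the Important note recommends
    # outside the lab (same actions, bucket-level and object-level ARNs).
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Action": INSTANCE_POLICY["Statement"][0]["Action"],
        "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"]}]}

def compare(bucket, other_bucket):
    # bucket / other_bucket are constructed names; in the lab the suffix is the
    # Automation execution ID. Returns what each policy permits.
    obj, other_obj = f"arn:aws:s3:::{bucket}/patch.log", f"arn:aws:s3:::{other_bucket}/patch.log"
    return {
        "wildcard_allows_own_bucket": is_allowed(INSTANCE_POLICY, "s3:PutObject", obj),
        "wildcard_allows_other_bucket": is_allowed(INSTANCE_POLICY, "s3:PutObject", other_obj),
        "scoped_allows_other_bucket": is_allowed(scoped_policy(bucket), "s3:PutObject", other_obj),
        "bucket_level_action_ok": is_allowed(INSTANCE_POLICY, "s3:GetEncryptionConfiguration", f"arn:aws:s3:::{bucket}"),
        "delete_not_granted": not is_allowed(INSTANCE_POLICY, "s3:DeleteObject", obj),
    }
```

Calling compare("nycloft-builders-0123456789ab", "nycloft-builders-other") returns True for every key except scoped_allows_other_bucket, which is the behaviour the full bucket name buys you.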