Defaul Host Mangement Confiuration and IMDSv2
I saw in below article stating that "Default Host Management Configuration allows Systems Manager to manage your Amazon EC2 instances automatically. After you've turned on this setting, all instances using Instance Metadata Service Version 2 (IMDSv2) in the AWS Region and AWS account with SSM Agent version 3.2.582.0 or later installed automatically become managed instances. Default Host Management Configuration doesn't support Instance Metadata Service Version 1. " https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-permissions.html
But my instances all use IMDSv1 and they automatically appeared under Systems Manager -> Fleet Manager -> Managed Nodes.
Also "Instances registered using Default Host Management Configuration store registration information locally in the /lib/amazon/ssm or C:\ProgramData\Amazon directories." I checked my instances, there is no /lib/amazon/ssm directory on them.
So , does this mean I am not using Default Host Management Configuration properly or am I missing something?
Thank you.
- Más nuevo
- Más votos
- Más comentarios
If your EC2s already have the policy awsmanagedinstancecore assigned to the IAM role, access to the API endpoint and have the SSM Agent installed then they will automatically register with SSM without setting up the default host management.
Contenido relevante
OFICIAL DE AWSActualizada hace 3 años- OFICIAL DE AWSActualizada hace un año
- OFICIAL DE AWSActualizada hace un año
- ¿Cómo puedo hacer referencia a los parámetros de Systems Manager en los diferentes servicios de AWS?OFICIAL DE AWSActualizada hace un año
Thank you Gary for the comment. I checked, my instance IAM roles do not include "awsmanagedinstancecore", some instance doesn't even have an IAM role attached to it
What I did was I enabled Default Host Management Configuration with the AWSSystemsManagerDefaultEC2InstanceManagementRole as the IAM role. Then After about 30 minuttes, almost all of my instances appeared under Systems Managers Managed Nodes list.
Could you please expand a bit more on as why this happens?
Thanks again.
Ec2 will first try to use the iam role attached then use the default iam role( default managed instance role ) that’s setup and they assume this role to register. You believe your using imdsv1?
What is the default managed instance role by the way? Are you referring to "AWSSystemsManagerDefaultEC2InstanceManagementRole"? :)
Yes, most of my instances are using IMDSv1 but I am trying to enable IMDSv2 at some stage. I was just confused why Default Host Management Configuration works for instances that are still using IMDSv1. The attached IAM role of my instances do not include the
awsmanagedinstancecorepolicy.