Hi,
You should first check the AWS-Managed AmazonSSM* policies in AWS IAM and choose the most appropriate one for your use case.
Then create your own policy(ies) for what's missing: typically s3 access in your use case to allow software download.
Then, add these policies (AWS-Managed and yours) to the execution role of your EC2 instances: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
It is not EC2 best practice to load identity credentials in an instance: an execution role is.
If you work at scale, you will need Infra-as-Code with CloudFormation or CDK to manage this efficiently.
Update: if it's on-prem and not AWS Outposts (I thought it was...), then the preferred option should be IAM Roles Anywhere, which is still better than permanent credentials on a machine. Roles remain temporary credentials. See https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html and https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/
Best,
Didier
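A CloudFormation template for the IAM Roles Anywhere path described in the answer above, added here as an illustration and not code from the thread or from AWS. The bucket name, CA certificate, the installers/ prefix and all resource names are constructed placeholders; the role trusts only the one trust anchor and gets AmazonSSMManagedInstanceCore plus read-only access to the software bucket.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SoftwareBucketName:      # placeholder: bucket holding the installers
    Type: String
  CaCertificatePem:        # placeholder: PEM of the private CA that issues host certificates
    Type: String
Resources:
  # Only host certificates chaining to this CA can authenticate.
  HostTrustAnchor:
    Type: AWS::RolesAnywhere::TrustAnchor
    Properties:
      Name: onprem-hosts
      Enabled: true
      Source:
        SourceType: CERTIFICATE_BUNDLE
        SourceData:
          X509CertificateData: !Ref CaCertificatePem
  OnPremSsmRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: rolesanywhere.amazonaws.com
            Action: [sts:AssumeRole, sts:TagSession, sts:SetSourceIdentity]
            # Pin the role to this trust anchor so no other anchor in the account can assume it.
            Condition:
              ArnEquals:
                aws:SourceArn: !GetAtt HostTrustAnchor.TrustAnchorArn
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
      Policies:
        - PolicyName: software-download-readonly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub arn:aws:s3:::${SoftwareBucketName}/installers/*
  HostProfile:
    Type: AWS::RolesAnywhere::Profile
    Properties:
      Name: onprem-ssm-profile
      Enabled: true
      DurationSeconds: 3600
      RoleArns:
        - !GetAtt OnPremSsmRole.Arn
```

The host's credential helper references the profile and trust anchor ARNs and presents the host certificate; each session it obtains expires after DurationSeconds, so nothing long-lived sits on the machine.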
Hi, this tutorial describes the steps to create an IAM role for an on-premises server, register the on-premises server with Systems Manager, and install SSM Agent on the on-premises server.
On the step you create the IAM role, you can attach an additional policy to access the S3 bucket. Alternatively, you can grant access to the bucket to the IAM role by modifying bucket policy.
Didier,
I understand how this could work for EC2; however, I was referring to on-prem instances, which don't have the benefit of the metadata server and as such, it is my understanding that the SSM agent on an on-premises system wouldn't get an automatic identity.
Hi Jabberwocky, if it's on-prem and not AWS Outposts (I thought it was...), then the preferred option should be IAM Roles Anywhere, which is still better than permanent credentials on a machine. Roles remain temporary credentials. See https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html and https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/