Support Automation Workflow (SAW) Runbook: Troubleshoot AWS Systems Manager Session Manager

5 minute read
Content level: Intermediate

How can I use the AWSSupport-TroubleshootSessionManager runbook to troubleshoot issues that prevent me from connecting to managed Amazon Elastic Compute Cloud (Amazon EC2) instances using AWS Systems Manager Session Manager?

In this article, I will show you how to use the AWSSupport-TroubleshootSessionManager, an AWS Systems Manager automation runbook, to troubleshoot common issues that prevent you from connecting to managed Amazon Elastic Compute Cloud (Amazon EC2) instances using Session Manager. Session Manager is a capability of AWS Systems Manager.

Learn more about Support Automation Workflows >>

How does it work?

The AWSSupport-TroubleshootSessionManager automation runbook performs the following checks:

  • Checks whether the instance is running and reporting as managed by Systems Manager.
  • Runs the AWSSupport-TroubleshootManagedInstance runbook if the instance is not reporting as managed by Systems Manager.
  • Checks the version of the SSM Agent installed on the instance.
  • Checks whether an instance profile containing a recommended AWS Identity and Access Management (IAM) policy for Session Manager is attached to the Amazon EC2 instance.
  • Collects SSM Agent logs from the instance.
  • Analyzes your Session Manager preferences.
  • Runs the AWSSupport-AnalyzeAWSEndpointReachabilityFromEC2 runbook to analyze the instance's connectivity to the endpoints for Session Manager, AWS Key Management Service (AWS KMS), Amazon Simple Storage Service (Amazon S3) and Amazon CloudWatch Logs (CloudWatch Logs).
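To make the checks above concrete, here is a small local re-implementation of three of them: the SSM Agent version check, the "is a recommended managed policy attached" check, and the step that reads the session preferences document to decide which service endpoints (ssmmessages, Amazon S3, CloudWatch Logs, AWS KMS) a session actually needs. This is an added example, not the runbook's own code. The `inputs` keys follow the SSM-SessionManagerRunShell document layout; the policy names and the minimum agent version are assumptions chosen for this example, and the sample preferences document is constructed.

```python
"""Offline mirror of three AWSSupport-TroubleshootSessionManager checks.

Added example; not the runbook's code. The minimum agent version and the
set of "recommended" managed policies are assumptions for illustration.
"""
import json
import re

# Assumption: managed policies this example treats as recommended for Session Manager.
RECOMMENDED_POLICIES = {
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
    "arn:aws:iam::aws:policy/AmazonSSMManagedEC2InstanceDefaultPolicy",
}

# Assumption for this example: the oldest SSM Agent version the check accepts.
MIN_AGENT_VERSION = "2.3.68.0"


def parse_version(text):
    """Turn '3.2.1377.0' into a tuple of ints so versions compare numerically."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised SSM Agent version: {text!r}")
    return tuple(int(p) for p in m.groups())


def agent_supports_session_manager(agent_version, minimum=MIN_AGENT_VERSION):
    """Version check: agent must be at or above the assumed minimum."""
    return parse_version(agent_version) >= parse_version(minimum)


def has_recommended_policy(attached_policy_arns):
    """True if any attached managed policy is in the recommended set.

    Like the runbook, this looks only at policy names: it says nothing about
    inline policies, permission boundaries or KMS key policies.
    """
    return bool(RECOMMENDED_POLICIES & set(attached_policy_arns))


def endpoints_to_check(preferences_json):
    """Derive which service endpoints a session needs from the preferences.

    ssmmessages is always required; S3, CloudWatch Logs and KMS are only
    needed when the preferences document actually enables them.
    """
    inputs = json.loads(preferences_json).get("inputs", {})
    needed = ["ssmmessages"]
    if inputs.get("s3BucketName"):
        needed.append("s3")
    if inputs.get("cloudWatchLogGroupName"):
        needed.append("logs")
    if inputs.get("kmsKeyId"):
        needed.append("kms")
    return needed


def run_checks(agent_version, attached_policy_arns, preferences_json):
    """Combine the checks into one findings dict, like the report step."""
    return {
        "agent_ok": agent_supports_session_manager(agent_version),
        "iam_policy_ok": has_recommended_policy(attached_policy_arns),
        "endpoints": endpoints_to_check(preferences_json),
    }


# Constructed sample: logs to CloudWatch Logs with a KMS key, no S3 logging.
SAMPLE_PREFERENCES = json.dumps({
    "schemaVersion": "1.0",
    "sessionType": "Standard_Stream",
    "inputs": {
        "s3BucketName": "",
        "s3EncryptionEnabled": True,
        "cloudWatchLogGroupName": "/ssm/session-logs",
        "cloudWatchEncryptionEnabled": True,
        "cloudWatchStreamingEnabled": True,
        "kmsKeyId": "alias/session-manager-example",
        "runAsEnabled": False,
    },
})

if __name__ == "__main__":
    findings = run_checks(
        "3.2.1377.0",
        ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"],
        SAMPLE_PREFERENCES,
    )
    print(json.dumps(findings, indent=2))
```

The endpoint list is the useful part when reading a failed run: if the preferences enable CloudWatch Logs or KMS encryption, a reachable ssmmessages endpoint alone is not enough, and a VPC without a route to `logs` or `kms` will still fail to open a session even though the instance shows as managed.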

Considerations

  • Hybrid managed nodes are not supported.
  • This runbook only checks whether a recommended managed IAM policy is attached to the instance profile. It does not analyze IAM or AWS KMS permissions contained in your instance profile.
  • The AWSSupport-AnalyzeAWSEndpointReachabilityFromEC2 runbook uses VPC Reachability Analyzer to analyze the network connectivity between a source and a service endpoint. You are charged per analysis run between a source and destination. For more details, see Amazon VPC Pricing.

Prerequisites

Before running the automation, make sure your IAM user or role has the permissions listed in the Required IAM permissions section of the runbook documentation.

Instructions

  1. Navigate to the Systems Manager console.
  2. In the navigation pane, choose Documents.
  3. In the search bar, type AWSSupport-TroubleshootSessionManager.
  4. Select the AWSSupport-TroubleshootSessionManager document.
  5. Click on Execute automation.
  6. For the input parameters, enter the following:
    • AutomationAssumeRole (optional): The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
    • InstanceId (required): The ID of the Amazon EC2 instance that you are unable to connect to using Session Manager.
    • SessionPreferenceDocument (optional): The name of your session preferences document. If you don't specify a custom session preferences document when starting sessions, use the default value SSM-SessionManagerRunShell.

The following example demonstrates how to use the AWSSupport-TroubleshootSessionManager automation runbook to troubleshoot issues that prevent you from connecting to a managed Amazon EC2 instance, using the default name of the session preferences document.

The runbook input parameters

  1. Click on Execute.
  2. You should see that the automation has been initiated.
  3. The document performs the following steps:
  • aws:waitForAwsResourceProperty: Waits up to 6 minutes for your target instance to pass status checks.
  • aws:executeScript: Parses the session preferences document.
  • aws:executeAwsApi: Gets the ARN of the instance profile attached to your instance.
  • aws:executeAwsApi: Checks whether your instance is reporting as managed by Systems Manager.
  • aws:branch: Branches based on whether your instance is reporting as managed by Systems Manager.
  • aws:executeScript: Checks whether the SSM Agent installed on your instance supports Session Manager.
  • aws:branch: Branches based on the platform of your instance to collect ssm-cli logs.
  • aws:runCommand: Collects ssm-cli log output from a Linux or macOS instance.
  • aws:runCommand: Collects ssm-cli log output from a Windows instance.
  • aws:executeScript: Parses the ssm-cli logs.
  • aws:executeScript: Checks whether a recommended IAM policy is attached to the instance profile.
  • aws:branch: Determines whether to evaluate ssmmessages endpoint connectivity based on the ssm-cli logs.
  • aws:executeAutomation: Evaluates whether the instance can connect to an ssmmessages endpoint.
  • aws:branch: Determines whether to evaluate Amazon S3 endpoint connectivity based on the ssm-cli logs and your session preferences.
  • aws:executeAutomation: Evaluates whether the instance can connect to an Amazon S3 endpoint.
  • aws:branch: Determines whether to evaluate AWS KMS endpoint connectivity based on the ssm-cli logs and your session preferences.
  • aws:executeAutomation: Evaluates whether the instance can connect to an AWS KMS endpoint.
  • aws:branch: Determines whether to evaluate CloudWatch Logs endpoint connectivity based on the ssm-cli logs and your session preferences.
  • aws:executeAutomation: Evaluates whether the instance can connect to a CloudWatch Logs endpoint.
  • aws:executeAutomation: Runs the AWSSupport-TroubleshootManagedInstance runbook.
  • aws:executeScript: Compiles the output of the previous steps and outputs a report.
  4. Once completed, you can review the Outputs section for the detailed results of the execution in text format:
  • generateReport.EvalReport - The results of the checks performed by the runbook in plain text.

Output of the runbook execution
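The console walkthrough above can also be scripted, which is handy when the same instance has to be re-checked after each fix. The following is an added example (not code from the page or from AWS) that starts the runbook with the boto3 SSM client, polls until the automation reaches a terminal status, and returns the generateReport.EvalReport output described in step 4. The `start_automation_execution` and `get_automation_execution` calls are the real SSM API operations; the instance ID, role ARN and region are placeholders, and the terminal status set is an assumption covering the common end states.

```python
"""Run AWSSupport-TroubleshootSessionManager from a script and fetch its report.

Added example; not the page's or AWS's own code. Instance ID, role ARN and
region below are placeholders to be replaced with your own values.
"""
import time

RUNBOOK = "AWSSupport-TroubleshootSessionManager"

# Assumption: statuses after which get_automation_execution will not change.
TERMINAL_STATUSES = {"Success", "Failed", "TimedOut", "Cancelled",
                     "CompletedWithSuccess", "CompletedWithFailure"}


def build_start_request(instance_id,
                        preference_document="SSM-SessionManagerRunShell",
                        assume_role_arn=None):
    """Map the runbook's three input parameters onto start_automation_execution
    kwargs. Automation parameters are always lists of strings, even single values."""
    params = {
        "InstanceId": [instance_id],
        "SessionPreferenceDocument": [preference_document],
    }
    if assume_role_arn:
        params["AutomationAssumeRole"] = [assume_role_arn]
    return {"DocumentName": RUNBOOK, "Parameters": params}


def extract_report(execution_response):
    """Pull generateReport.EvalReport out of a get_automation_execution response.

    Outputs is a map of 'stepName.OutputName' -> list of strings; the report
    is plain text, so the list is joined back into one block.
    """
    outputs = execution_response.get("AutomationExecution", {}).get("Outputs", {})
    return "\n".join(outputs.get("generateReport.EvalReport", []))


def run(instance_id, region="us-east-1", assume_role_arn=None,
        poll_seconds=15, timeout_seconds=1800):
    """Start the runbook and block until it finishes; returns (status, report)."""
    import boto3  # imported here so the helpers above work without the SDK installed
    ssm = boto3.client("ssm", region_name=region)
    request = build_start_request(instance_id, assume_role_arn=assume_role_arn)
    exec_id = ssm.start_automation_execution(**request)["AutomationExecutionId"]
    deadline = time.time() + timeout_seconds
    while time.time() < deadline:
        resp = ssm.get_automation_execution(AutomationExecutionId=exec_id)
        status = resp["AutomationExecution"]["AutomationExecutionStatus"]
        if status in TERMINAL_STATUSES:
            return status, extract_report(resp)
        time.sleep(poll_seconds)
    raise TimeoutError(f"automation {exec_id} still running after {timeout_seconds}s")


if __name__ == "__main__":
    # Placeholder values; replace with a real instance ID and, if needed, a role ARN.
    status, report = run("i-0123456789abcdef0",
                         region="us-east-1",
                         assume_role_arn=None)
    print(f"Automation finished with status {status}")
    print(report)
```

The caller needs the same permissions the console path needs (ssm:StartAutomationExecution and ssm:GetAutomationExecution, plus whatever the runbook itself performs if no AutomationAssumeRole is supplied), and each run still incurs the VPC Reachability Analyzer charges noted under Considerations.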

Conclusion

In this article, I demonstrated how to troubleshoot common issues that prevent you from connecting to managed Amazon EC2 instances using the AWSSupport-TroubleshootSessionManager automation runbook, available in AWS Systems Manager.

References

Systems Manager Automation

Run this Automation (console)

Running a simple automation: https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-working-executing.html

Setting up Automation: https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup.html

Documentation related to the AWS service

For more information how to run this runbook, please see the AWS public document: AWSSupport-TroubleshootSessionManager.

To help you troubleshoot, remediate, manage, and reduce costs on your AWS resources, AWS Support maintains a subset of the AWS provided predefined runbooks. These runbooks are prefixed with "AWSSupport-" or "AWSPremiumSupport-".
