Default Host Management Configuration (DHMC) provides a way to manage EC2 instances automatically without manually creating IAM instance profiles. When DHMC is enabled, it creates and applies a default IAM role with permissions for Systems Manager to manage all instances in the AWS account and region where it's activated.
For instances that already have an assigned instance profile:
- The existing instance profile permissions will remain in effect.
- The DHMC default role permissions will be applied in addition to the existing instance profile permissions.
This means that when an instance takes an action (e.g., via Systems Manager), it will effectively have the combined permissions from both its assigned instance profile and the DHMC default profile.
If you want to switch between using the DHMC default profile and your custom instance profile:
- To use only the DHMC default profile:
  - Remove the custom instance profile from your EC2 instances.
  - Ensure DHMC is enabled for your account and region.
- To use only your custom instance profile:
  - Deactivate DHMC for your account and region.
  - Ensure your custom instance profile is attached to the EC2 instances.
It's important to note that any changes made to the IAM role used by DHMC will apply to all managed EC2 instances in the region and account. If the default permissions provided by DHMC are not sufficient for your use case, you can add policies to the default IAM role created by DHMC. Alternatively, if you don't need all the capabilities provided by the default IAM role, you can create your own custom role and policies.
When managing permissions, consider the principle of least privilege. Ensure that you grant only the necessary permissions required for your specific use case, whether you're using DHMC, custom instance profiles, or a combination of both.
Sources
Managing EC2 instances automatically with Default Host Management Configuration - AWS Systems Manager
Step 2: Verify or add instance permissions for Session Manager - AWS Systems Manager
Configure instance permissions required for Systems Manager - AWS Systems Manager
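As an added illustration, not part of the answer above and not AWS tooling, the following Python script encodes the two switches the answer lists (drop the custom profile and keep DHMC, or deactivate DHMC and keep the profile) as a planner you can run offline against a constructed instance state, plus a boto3 reader for the live state. Assumptions: the DHMC service setting ID `/ssm/managed-instance/default-ec2-instance-management-role`, the value `$none` meaning DHMC is disabled, and the instance, account, profile and role names in the sample, which are made up.

```python
"""Inspect which identity gives Systems Manager access to an EC2 instance (DHMC
default role, attached instance profile, or both) and plan the switch between them."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service setting that holds the DHMC role name for the account and region
# (assumption: this is the setting ID used by the SSM get/update-service-setting APIs).
DHMC_SETTING_ID = "/ssm/managed-instance/default-ec2-instance-management-role"
# Value the setting reports when DHMC has never been enabled or was reset
# (assumption based on the setting's default).
DHMC_DISABLED = "$none"


@dataclass
class InstanceState:
    instance_id: str
    profile_arn: Optional[str]   # ARN of the attached instance profile, None if none
    dhmc_role: Optional[str]     # DHMC role name for the account/region, None if disabled


def permission_sources(state: InstanceState) -> List[str]:
    """Identities present that can grant Systems Manager permissions to this instance."""
    sources = []
    if state.profile_arn:
        sources.append(f"instance profile {state.profile_arn}")
    if state.dhmc_role:
        sources.append(f"DHMC role {state.dhmc_role}")
    return sources


def plan_switch(state: InstanceState, target: str) -> List[Tuple[str, str]]:
    """Steps (API action, target) to leave only one permission source in place.

    target == "dhmc":    keep the DHMC default role, drop the custom profile
    target == "profile": keep the custom profile, deactivate DHMC
    DHMC is an account+region setting, so enabling or resetting it affects every
    instance in that region, not just this one.
    """
    steps: List[Tuple[str, str]] = []
    if target == "dhmc":
        if state.profile_arn:
            steps.append(("disassociate_iam_instance_profile", state.instance_id))
        if not state.dhmc_role:
            steps.append(("update_service_setting", DHMC_SETTING_ID))
    elif target == "profile":
        if state.dhmc_role:
            steps.append(("reset_service_setting", DHMC_SETTING_ID))
        if not state.profile_arn:
            steps.append(("associate_iam_instance_profile", state.instance_id))
    else:
        raise ValueError("target must be 'dhmc' or 'profile'")
    return steps


def read_state(instance_id: str, region: Optional[str] = None) -> InstanceState:
    """Read the live state with boto3 (needs AWS credentials; not used by the demo below)."""
    import boto3  # imported lazily so the planner works without boto3 installed

    ssm = boto3.client("ssm", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    value = ssm.get_service_setting(SettingId=DHMC_SETTING_ID)["ServiceSetting"]["SettingValue"]
    dhmc_role = None if value == DHMC_DISABLED else value
    assocs = ec2.describe_iam_instance_profile_associations(
        Filters=[
            {"Name": "instance-id", "Values": [instance_id]},
            {"Name": "state", "Values": ["associated"]},
        ]
    )["IamInstanceProfileAssociations"]
    profile_arn = assocs[0]["IamInstanceProfile"]["Arn"] if assocs else None
    return InstanceState(instance_id, profile_arn, dhmc_role)


if __name__ == "__main__":
    # Constructed sample: an instance with a custom profile in a region where
    # DHMC is also enabled, the situation asked about in this thread.
    sample = InstanceState(
        instance_id="i-0123456789abcdef0",
        profile_arn="arn:aws:iam::123456789012:instance-profile/AppServerProfile",
        dhmc_role="AWSSystemsManagerDefaultEC2InstanceManagementRole",
    )
    print("permission sources:", permission_sources(sample))
    for target in ("dhmc", "profile"):
        print(f"to use only {target}:", plan_switch(sample, target))
```

The planner only emits the actions that are actually needed, so running it against `read_state(...)` before and after a change is a quick way to confirm the instance ended up with exactly one permission source. Because `reset_service_setting` on the DHMC setting is region-wide, review the plan for every instance in the region before applying it.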
If DHMC is enabled first and I assign a custom instance profile to the instance afterward, does the instance gain permissions from both the DHMC default profile and the custom profile, rather than just one? Thank you.