Questions tagged with AWS Systems Manager
1. Is there a possibility to add additional parameters for the AWS-Automation PatchInstanceWithRollback for SuSE SLES?
2. Why is AWS SSM using "zypper update" and not "zypper patch" to patch the system? (zypper patch is the recommended way to patch the system without breaking dependencies, interactive mode, ...)
**The Problem:**
The document PatchInstanceWithRollback uses the "zypper update" command on SuSE SLES.
Per default, SLES always asks for confirmation about the licenses.
The call with the "--non-interactive" parameter is not sufficient.
**Here is an extract from the log:**
```
'zypper', '--non-interactive', 'update']", CLIInvokerException('Subprocess returned error code 4 for command [b\'zypper\', b\'--non-interactive\', b\'update\', b\...........Note: System reboot required.\nContinue? [y/n/v/...? shows all options] (y): y\nDo you agree with the terms of the license? [yes/no] (no): no\nAborting installation due to the need for license confirmation.\nPlease restart the operation in interactive mode and confirm your agreement with required licenses, or use the --auto-agree-with-licenses option.\n"
During handling of the above exception, another exception occurred...:
```
The workaround at the moment is to set the parameter autoAgreeWithLicenses = yes in zypper.conf, but this is really bad.
I defined an EventBridge Rule which targets a Systems Manager Automation I wrote. The Automation runs a Document that starts like:
```
schemaVersion: '0.3'
assumeRole: "{{ AutomationAssumeRole }}"
parameters:
  AutomationAssumeRole:
    type: String
    description: "(Required)"
    default: ""
```
For the EventBridge Rule, I define the Execution Role to be an IAM Role I created. I also configure an Input Transformer with some data about the event that triggered the Rule.
I want to pass in the Execution Role into the Automation's "AutomationAssumeRole" parameter.
If I manually trigger the Automation in the UI and select the Role from the dropdown, the Automation execution works as expected. I have not been able to figure out the right way to define the Input Transformer to have the EventBridge Rule trigger the Automation and populate the parameter "AutomationAssumeRole".
Hi all, a bit of a strange one here. I've been trying to rework my environment so that we can enable seamless domain join for any and all instances created moving forward and up until now, we have been manually joining Linux EC2 instances using sssd.
In following the documentation here (https://docs.aws.amazon.com/directoryservice/latest/admin-guide/seamlessly_join_linux_instance.html) I came to find that the AWS-JoinDirectoryServiceDomain SSM Document instead uses winbind, which threw things for a bit of a loop as nearly every component we configured with sssd in the past was not applicable with winbind (limiting ssh access to the instance to specific groups, realm commands were slightly different, fsx for windows mounting commands, etc).
After some reading, it seems that sssd is the preferred method as it is more modern and supports greater flexibility. Is there a reason winbind is being used here? Does AWS plan on updating this document to use sssd instead? Given all of the little challenges initially faced with my first seamless domain joined machine, I'm a little wary of continuing to use this document/method of seamlessly joining machines to my domain.
Thanks!
I'm guessing I just need to keep digging into this more, but it feels very complicated to get Systems Manager up and going. Between the different Quick Setup configurations and/or enabling the various OpsData sources it seems overly confusing but maybe it needs to be.
But what I'd like to do seems straightforward, at least on the surface; I'd like to use the Node Manager functions, initially Fleet Manager, across my whole Organization. I see the nodes when I'm in the individual accounts; I would just like a way to see them across the Organization in the main account or the account I've delegated.
Anyway, if I'm missing something straightforward on how to do that please let me know. Otherwise I'll keep digging and trying things.
Hi,
I started using AWS SSM, so I can use the SSO solution to connect to the EC2 instances through SSM.
But, as is known, to connect through SSM one should use the instance id.
I am looking for a way to use the instance name instead of the instance id.
Is it possible to customize the widgets that show up on the AWS Management Console Home page (after authentication) in GovCloud? I saw announcements about new widgets (like Security Hub and Patch compliance reports) available for the AWS Console home but I've not seen anything for customizing nor references to GovCloud support. Please advise if this feature/capability exists in GovCloud and if not, when it might be?
I'm looking for a capability to use custom CloudWatch Dashboard widgets (which seem similar to these console home widgets) outside of CloudWatch, such as on the AWS Management Console Home page. The capability offered by custom widgets for CloudWatch Dashboards goes well beyond CloudWatch (when the purpose is not about metrics and alarms), so I'd prefer not to force users into CloudWatch for non-CloudWatch related use cases.
Scenario:
I have a .bat script on a Windows machine, which has 32 cores.
It does a bunch of context setup and then calls a Python script that runs 24 parallel threads via the multiprocessing library. Each thread moves some data around a network and then does some calculations via a 3rd-party program by calling win32com.client.
When I log in to the machine and run this script - via CMD or PowerShell - it does exactly what is expected - I see 24 Python instances spin up (in Task Manager) and eventually 24 instances of the 3rd-party software. CPU usage trends towards 100% for a little while. RAM goes towards 25-30 GB. Eventually, it finishes and everything looks good. (I've also tested with different instance sizes and different numbers of threads, etc. - the point is the code runs as expected.)
If I run the **exact same script** via a SSM "AWS-RunPowerShellScript" run command, I get different behavior:
The context still gets set up and the Python code still runs. I still see 24 Python instances in Task Manager, **but never more than 10-12 instances of the 3rd-party software**. The other threads get errors like this:
```
File "C:\Users\Administrator\Anaconda3\envs\python_3x\lib\site-packages\win32com\client\dynamic.py", line 86, in _GetGoodDispatch
IDispatch = pythoncom.connect(IDispatch)
pywintypes.com_error: (-2147221008, 'CoInitialize has not been called.', None, None)
```
or this:
```
File "C:\Users\Administrator\Anaconda3\envs\python_3x\lib\site-packages\win32com\client\dynamic.py", line 86, in _GetGoodDispatch
IDispatch = pythoncom.connect(IDispatch)
pywintypes.com_error: (-2147221021, 'Operation unavailable', None, None)
```
or this:
```
File "C:\Users\Administrator\Anaconda3\envs\python_3x\lib\site-packages\win32com\client\dynamic.py", line 368, in _ApplyTypes_
result = self._oleobj_.InvokeTypes(
pywintypes.com_error: (-2147352567, 'Exception occurred.', (0, 'thirdparty app', "Access violation at address 0000000000625F98 in module 'thirdparty.exe'. Read of address 0000000000000460", None, 0, -2147418113), None)
```
So what's different about running as systems manager?
The user is different. The domain is different. There is not necessarily an active login (though I get the same behavior whether I have an active RDP window to the machine or not).
But none of those explain why some threads would be able to get a com connection and some would not.
Does anyone know anything that could be helpful here?
Hello everyone,
I'm using the SSM Patch Manager Scan task (AWS-RunPatchBaseline) once a week on some EC2 instances, some Ubuntu 20 and some Amazon Linux 2.
Everything was fine since the 16th of January, as the task would complete successfully for every instance. Starting from the 23rd of January, the task fails on every Ubuntu instance with the following error in the standardError result:
"/var/log/amazon/ssm/patch-baseline-operations/urllib3/connectionpool.py:857: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n InsecureRequestWarning)\nfailed to run commands: exit status 1".
Fun fact: the same identical warning is also there on the Amazon Linux instances, but the command does not fail with exit code 1.
I don't think anything changed on those Ubuntu instances in the meantime, apart from maybe some unattended upgrades.
I already tried the latest available SSM agent version, 3.2.532.0, and redid the Scan, but the outcome is the same.
What could the problem be, and how could it be solved?
I leave the ssm-agent logs here; thanks in advance.
```
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] sending reply for plugin update: PatchLinux
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] Done
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [CommandProcessorWrapper] received plugin: PatchLinux result from Processor
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] received reply for RunCommandResult aws.ssm.aeb48a17-5e94-4c8a-be85-ef64685132dc.i-0b1836a486824d20d with message id 1219c4ea-3561-49ad-952a-5f3336a36f1e
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Got reply msg Id 1219c4ea-3561-49ad-952a-5f3336a36f1e for RunCommandResult aws.ssm.aeb48a17-5e94-4c8a-be85-ef64685132dc.i-0b1836a486824d20d, starting reply thread
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] started reply processing - 1219c4ea-3561-49ad-952a-5f3336a36f1e
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Sending reply {
"additionalInfo": {
"agent": {
"lang": "en-US",
"name": "amazon-ssm-agent",
"os": "",
"osver": "1",
"ver": ""
},
"dateTime": "2023-02-01T13:52:42.872Z",
"runId": "",
"runtimeStatusCounts": {
"Failed": 1,
"Skipped": 1
}
},
"documentStatus": "InProgress",
"documentTraceOutput": "",
"runtimeStatus": {
"PatchLinux": {
"status": "Failed",
"code": 1,
"name": "aws:runShellScript",
"output": "/usr/bin/python3\n/usr/bin/python2.7\n/usr/bin/python2\n/usr/bin/python\n/usr/bin/apt-get\nReading package lists...\nBuilding dependency tree...\nReadingstate information...\npython3-apt is already the newest version (1.6.6).\nThe following packages were automatically installed and are no longer required:\n linux-aws-5.4-headers-5.4.0-1085 linux-headers-4.15.0-197\n linux-headers-4.15.0-197-generic linux-headers-5.4.0-1085-aws\n linux-image-4.15.0-197-generic linux-image-5.4.0-1085-aws\n linux-modules-4.15.0-197-generic linux-modules-5.4.0-1085-aws\n linux-modules-extra-4.15.0-197-generic\nUse 'apt autoremove' to remove them.\n0 upgraded, 0 newly installed, 0 to remove and 55 not upgraded.\nUsing python binary: 'python3'\nUsing Python Version: Python 3.6.9\n02/01/2023 14:52:35 root [INFO]: Downloading payload from https://s3.dualstack.eu-south-1.amazonaws.com/aws-patch-manager-eu-south-1-c52f3f594/patchbaselineoperations/linux/payloads/patch-baseline-operations-1.100.tar.gz\n02/01/2023 14:52:35 root [INFO]: Attempting to import entrance file os_selector\n02/01/2023 14:52:36 root [INFO]: Running with snapshot id = 2b11b799-73e8-4567-9dc6-9e8c40101338 and operation = Scan\n02/01/2023 14:52:36 botocore.credentials [INFO]: Found credentials in shared credentials file: /var/lib/amazon/ssm/credentials\n02/01/2023 14:52:36 root [INFO]: Instance Id: i-0b1836a486824d20d\n02/01/2023 14:52:36 root [INFO]: Region: eu-south-1\n02/01/2023 14:52:36 root [INFO]: Product: Ubuntu18.04\n02/01/2023 14:52:36 root [INFO]: Patch Group: \n02/01/2023 14:52:36 root [INFO]: Operation type: Scan\n02/01/2023 14:52:36 root [INFO]: Snapshot Id: 2b11b799-73e8-4567-9dc6-9e8c40101338\n02/01/2023 14:52:36 root [INFO]: Patch Baseline: {'accountId': '237742590236', 'baselineId': 'pb-04615267655bfc0f4', 'name': 'InxUbuntu', 'globalFilters': {'filters': []}, 'approvalRules': {'rules': [{'filterGroup': {'filters': [{'key': 'PRODUCT', 'values': ['*']}, {'key': 'SECTION', 'values': ['*']}, 
{'key': 'PRIORITY', 'values': ['Required', 'Important']}]}, 'complianceLevel': 'UNSPECIFIED', 'enableNonSecurity': False, 'approveAfterDays': 0, 'approveUnti\n---Output truncated---\n----------ERROR-------\n/var/log/amazon/ssm/patch-baseline-operations/urllib3/connectionpool.py:857: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n InsecureRequestWarning)\nfailed to run commands: exit status 1",
"startDateTime": "2023-02-01T13:52:34.232Z",
"endDateTime": "2023-02-01T13:52:42.870Z",
"outputS3BucketName": "",
"outputS3KeyPrefix": "",
"stepName": "",
"standardOutput": "/usr/bin/python3\n/usr/bin/python2.7\n/usr/bin/python2\n/usr/bin/python\n/usr/bin/apt-get\nReading package lists...\nBuilding dependency tree...\n
-------------------------------------
---- LIST OF LOTS OF APT PACKAGES
-------------------------------------
-dev.amd64', 'installedTime': 1654041792.6328669, 'state': 'InstalledOther'}, 'dsniff.amd64:2.4b1+debian-28.1~build1': {'id': 'dsniff.amd64', 'installedTime': 1616790243.0
63162, 'state': 'InstalledOther'}, 'eatmydata.amd64:105-6': {'id': 'eatmydata.amd64', 'installedTime': --output truncated--",
"standardError": "/var/log/amazon/ssm/patch-baseline-operations/urllib3/connectionpool.py:857: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n InsecureRequestWarning)\nfailed to run commands: exit status 1"
}
}
}
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] successfully sent reply message id: 30104615-d7cc-4428-a4ca-ffb807869dac
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] [BasicExecuter] [aeb48a17-5e94-4c8a-be85-ef64685132dc] Executer closed
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] execution of aws.ssm.aeb48a17-5e94-4c8a-be85-ef64685132dc.i-0b1836a486824d20d is over. Removing interimState from current folder
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [EngineProcessor] [BasicExecuter] [aeb48a17-5e94-4c8a-be85-ef64685132dc] mast** listener stopped on path: /var/lib/amazon/ssm/i-0b1836a486824d20d/channels/aeb48a17-5e94-4c8a-be85-ef64685132dc
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] received message through control channel 0c3f8974-f99c-4cc7-8903-a23481a9acd3
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Processing AgentMessage: MessageType - agent_job_reply_ack, Id - 0c3f8974-f99c-4cc7-8903-a23481a9acd3
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] received ack id 1219c4ea-3561-49ad-952a-5f3336a36f1e for message id 0c3f8974-f99c-4cc7-8903-a23481a9acd3
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] ended reply processing - 1219c4ea-3561-49ad-952a-5f3336a36f1e
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] received message through control channel 61b0e48d-417c-44b0-96d5-1e53236f95af
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Processing AgentMessage: MessageType - agent_job_reply_ack, Id - 61b0e48d-417c-44b0-96d5-1e53236f95af
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] received ack id 2687a09b-afb7-46cc-bb13-8e85d4aa1d61 for message id 61b0e48d-417c-44b0-96d5-1e53236f95af
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] ended reply processing - 2687a09b-afb7-46cc-bb13-8e85d4aa1d61
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] received message through control channel c25083f2-6323-4a90-8c26-23677122c48f
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] Processing AgentMessage: MessageType - agent_job_reply_ack, Id - c25083f2-6323-4a90-8c26-23677122c48f
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] received ack id 30104615-d7cc-4428-a4ca-ffb807869dac for message id c25083f2-6323-4a90-8c26-23677122c48f
2023-02-01 14:52:42 INFO [ssm-agent-worker] [MessageService] [MGSInteractor] ended reply processing - 30104615-d7cc-4428-a4ca-ffb807869dac
```
Hello,
We currently face failures during the AWS-SSM-Patchbaseline operation, only on some servers, such as this one:
```
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Server
OS Build Type: Multiprocessor Free
System Model: Virtual Machine
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2095 Mhz
BIOS Version: Microsoft Corporation Hyper-V UEFI Release v4.0, 12/17/2019
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: fr;French (France)
Input Locale: en-us;English (United States)
Time Zone: (UTC+01:00) Brussels, Copenhagen, Madrid, Paris
Total Physical Memory: 8,095 MB
```
SSM patchbaseline is failing. Command description and status:

Output:
```
Invoke-PatchBaselineOperation : The find operation did not complete successfully.Additional failure information from
Windows Update:
HResult: -2145107924 | Message:
At C:\ProgramData\Amazon\SSM\InstanceData\mi-05e7367b9c83f5cad\document\orchestration\0be5a4ac-cd73-439a-a928-5917a61e8
587\awsrunPowerShellScript\0.awsrunPowerShellScript\_script.ps1:195 char:13
+ $response = Invoke-PatchBaselineOperation -Operation Install -Snapsho ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Amazon.Patch.Ba...UpdateOperation:InstallWindowsUpdateOperation) [Inv
oke-PatchBaselineOperation], Exception
+ FullyQualifiedErrorId : Exception Level 1:
Error Message: The find operation did not complete successfully.Additional failure information from Windows Updat
e:
HResult: -2145107924 | Message:
Stack Trace: at Amazon.Patch.Baseline.Operations.PatchNow.Implementations.WindowsUpdateOperation.OperationDidN
otSucceed(String operation, IUpdateExceptionCollection exceptions)
at Amazon.Patch.Baseline.Operations.PatchNow.Implementations.WindowsUpdateOperation.FilterWindowsUpdateSearch(
List`1 filteringMethods)
at Amazon.Patch.Baseline.Operations.PatchNow.Implementations.InstallWindowsUpdateOperation.GetBaselineFiltered
Updates()
at Amazon.Patch.Baseline.Operations.PatchNow.Implementations.InstallWindowsUpdateOperation.GetFilteredUpdates(
)
at Amazon.Patch.Baseline.Operations.PatchNow.Implementations.InstallWindowsUpdateOperation.InstallUpdates()
at Amazon.Patch.Baseline.Operations.PatchNow.Implementations.InstallWindowsUpdateOperation.DoWindowsUpdateOper
ation()
,Amazon.Patch.Baseline.Operations.PowerShellCmdlets.InvokePatchBaselineOperation
failed to run commands: exit status 0xffffffff
```
Any help is appreciated.
I have a script that is running in account A that updates the application in Beanstalk. I want to run the same script from account A to update the Beanstalk application in account B using SSM or any other tool that could accomplish this task.
I need to know what SSM command to invoke for the cross-account in the script below:
```
#!/bin/bash
# eb_env_vars is expected to hold "KEY=VALUE" strings and is set earlier in the script
for i in "${eb_env_vars[@]}"
do
    if [[ $i == *"parameter_store_path"* ]]; then
        # keep everything after the last '=' as the Parameter Store path
        parameter_store_path=$(echo "$i" | grep -Po "([^\=]*$)")
    fi
done
```
Your help would be greatly appreciated!
I have a t2.small instance (1CPU, 2GB RAM) that has been running smoothly for 18 months (averaging 20% CPU usage; see graph below) but became unresponsive today. After some investigation I found that ssm-agent-worker was running at 100%. I've switched to a t2.medium (2CPU, 4GB RAM) so that if that happens again I'll have another CPU that can handle my workload, but I'd prefer not to double my costs just to handle an AWS bug (if that is what it is). Any advice?

We have an 'unauthorised API call' alarm that is being tripped by Amazon Inspector.
It's attempting to download windows.zip from an AWS public bucket. Here is a snippet of the CloudWatch log:
```
"eventSource": "s3.amazonaws.com",
"eventName": "GetObject",
"awsRegion": "ap-southeast-2",
"sourceIPAddress": "Redacted IP Address",
"userAgent": "[aws-sdk-go/1.44.78 (go1.18.3; windows; amd64) amazon-ssm-agent/]",
"errorCode": "AccessDenied",
"errorMessage": "Access Denied",
"requestParameters": {
"bucketName": "aws-ssm-document-attachments-ap-southeast-2",
"Host": "aws-ssm-document-attachments-ap-southeast-2.s3.ap-southeast-2.amazonaws.com",
"key": "e89/810622359321/AmazonInspector2-InspectorSsmPlugin!d6f98620-d464-4b63-ab7c-e10b41c673c6/20/windows.zip"
},
```
We've set up an instance role and attached the permissions policy as specified here:
https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-minimum-s3-permissions.html
In fact, I added GetBucket* and ListBuckets at the Bucket level as well just in case that was the issue.
When I look in Systems Manager Fleet Manager, it shows failures invoking AmazonInspector2-ConfigureInspectorSsmPlugin and AmazonInspector2-InvokeInspectorSsmPlugin for the instance in question.

We are getting quite a few of these 'Access Denied' errors, but I have allocated the listed permissions. I also checked that my VPC Endpoint Policy does not restrict access.
The only issue might be there is a Service Control Policy that is denying access. Has anybody got any other insights as to what might be causing this?
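A record like the one quoted above can be triaged before it reaches the alarm, separating the SSM agent's failed attachment fetch (a permissions gap on the instance role, an SCP or a VPC endpoint policy) from an AccessDenied that really deserves attention. This is an added example, not code from the post or from AWS; it assumes CloudTrail records in the shape shown above, the bucket naming aws-ssm-document-attachments-<region> and the key layout shown, and the sample records, account id and plugin id in it are constructed.

```python
import re
from collections import defaultdict

# Constructed sample CloudTrail records modelled on the snippet in the post above.
# Account id, plugin id and addresses are placeholders, not values from any real account.
SAMPLE_EVENTS = [
    {   # the case from the post: the SSM agent denied on the regional attachments bucket
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "awsRegion": "ap-southeast-2", "sourceIPAddress": "10.0.0.10",
        "userAgent": "[aws-sdk-go/1.44.78 (go1.18.3; windows; amd64) amazon-ssm-agent/]",
        "errorCode": "AccessDenied", "errorMessage": "Access Denied",
        "requestParameters": {
            "bucketName": "aws-ssm-document-attachments-ap-southeast-2",
            "key": "e89/111111111111/AmazonInspector2-InspectorSsmPlugin!00000000-0000-0000-0000-000000000000/20/windows.zip",
        },
    },
    {   # the same agent denied on a bucket that is not an SSM attachments bucket
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "awsRegion": "ap-southeast-2", "sourceIPAddress": "10.0.0.10",
        "userAgent": "[aws-sdk-go/1.44.78 (go1.18.3; windows; amd64) amazon-ssm-agent/]",
        "errorCode": "AccessDenied", "errorMessage": "Access Denied",
        "requestParameters": {"bucketName": "corp-backups", "key": "db/dump.sql"},
    },
    {   # a non-agent caller denied on S3: the alarm should keep firing for this
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "ap-southeast-2",
        "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/2.11.0",
        "errorCode": "AccessDenied", "errorMessage": "Access Denied",
        "requestParameters": {"bucketName": "corp-backups", "key": "db/dump.sql"},
    },
    {   # a successful call carries no errorCode at all
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "ap-southeast-2",
        "userAgent": "aws-cli/2.11.0", "requestParameters": {"bucketName": "corp-backups", "key": "db/dump.sql"},
    },
]

# Regional bucket the SSM agent fetches document attachments from (named as in the post)
ATTACHMENT_BUCKET = re.compile(r"^aws-ssm-document-attachments-([a-z0-9-]+)$")

def document_from_key(key):
    """Heuristic from the post's key layout: <prefix>/<account>/<Document>!<id>/<ver>/<file>."""
    parts = key.split("/")
    return parts[2].split("!")[0] if len(parts) > 2 else ""

def classify(event):
    """Label one CloudTrail S3 record for alarm triage."""
    if event.get("errorCode") != "AccessDenied":
        return "ok"
    bucket = (event.get("requestParameters") or {}).get("bucketName", "")
    match = ATTACHMENT_BUCKET.match(bucket)
    if "amazon-ssm-agent" in event.get("userAgent", "") and match:
        # Expected agent traffic: the denial points at the instance role, an SCP or a
        # VPC endpoint policy rather than at an intruder. A region mismatch is still odd.
        if match.group(1) == event.get("awsRegion"):
            return "ssm-agent-attachment-denied"
        return "ssm-agent-attachment-denied-cross-region"
    return "unexpected-access-denied"

def triage(events):
    """Group records by label; for agent denials record the SSM document that failed."""
    summary = defaultdict(list)
    for ev in events:
        label = classify(ev)
        key = (ev.get("requestParameters") or {}).get("key", "")
        summary[label].append(document_from_key(key) if label.startswith("ssm-agent") else key)
    return dict(summary)
```

Running triage over a day's S3 data events shows which documents the agent could not fetch attachments for, so the missing permission can be fixed while every other AccessDenied still pages.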