Questions tagged with AWS Systems Manager
Hello, I am trying to use an AWS Config rule with auto remediation; the rule should detect security groups with open SSH and remove the ingress.
I use the "INCOMING_SSH_DISABLED" (restricted-ssh) managed rule and the AWS-DisablePublicAccessForSecurityGroup SSM document.
The remediation is configured with Terraform:
```hcl
# attributes inside the remediation configuration resource (outer block omitted in the question)
target_id      = "AWS-DisablePublicAccessForSecurityGroup"
target_type    = "SSM_DOCUMENT"
resource_type  = "AWS::EC2::SecurityGroup"
target_version = "1"

parameter {
  name         = "AutomationAssumeRole"
  static_value = aws_iam_role.ssh-remediation-role.arn
}

parameter {
  name           = "GroupId"
  resource_value = "RESOURCE_ID"
}
```
The role is:
```hcl
data "aws_iam_policy_document" "ssm-automation-assume-role" {
  version = "2012-10-17"

  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      identifiers = ["ssm.amazonaws.com"]
      type        = "Service"
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account-id]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:ssm:*:${local.account-id}:automation-execution/*"]
    }
  }
}

resource "aws_iam_role" "ssh-remediation-role" {
  assume_role_policy = data.aws_iam_policy_document.ssm-automation-assume-role.json
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole",
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
  ]
}
```
When I create such a security group, AWS Config detects it and runs the remediation. The Automation finishes with result 'Success' (and the security group is properly updated, so the remediation works), but AWS Config
shows "Failed". When I try to see some details with `aws configservice describe-remediation-execution-status`,
I get:
```json
"State": "FAILED",
"StepDetails": [
  {
    "Name": "GetAutomationExecution",
    "State": "FAILED",
    "ErrorMessage": "AccessDeniedException while calling STS for execution: SsmExecutionId(value=d69b27e5-da83-43de-b563-9d9040c2cf03)"
  }
],
```
I tried to Google this error but have not found anything. How can I solve this issue?
Thank you for your help.
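The check that the restricted-ssh rule performs, reproduced offline as an added example (this is not code from the question, from AWS Config, or from the SSM document): it walks the `IpPermissions` structure that `ec2.describe_security_groups` returns and reports every rule that exposes TCP/22 to `0.0.0.0/0` or `::/0`. The security group below is constructed inline, so nothing is called in AWS; running the same function over real `describe_security_groups` output gives a quick second opinion on what the rule flagged before the remediation document touches the group.

```python
"""Offline mirror of what the restricted-ssh Config rule evaluates.

Added example, not code from the question or from AWS. Input is the
``IpPermissions`` list as returned by ``ec2.describe_security_groups``.
"""
from typing import Dict, Iterable, List

SSH_PORT = 22
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _covers_ssh(rule: Dict) -> bool:
    """True if the rule's protocol/port range includes TCP/22."""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # "all traffic" rules have no port range
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= SSH_PORT <= rule.get("ToPort", 65535)


def _world_open(rule: Dict) -> List[str]:
    """CIDRs in the rule that mean 'anyone on the internet'."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in (ANY_IPV4, ANY_IPV6)]


def open_ssh_rules(ip_permissions: Iterable[Dict]) -> List[Dict]:
    """Return one finding per (rule, world-open CIDR) pair that reaches SSH."""
    findings = []
    for rule in ip_permissions:
        if not _covers_ssh(rule):
            continue
        for cidr in _world_open(rule):
            findings.append({
                "IpProtocol": rule.get("IpProtocol"),
                "FromPort": rule.get("FromPort"),
                "ToPort": rule.get("ToPort"),
                "Cidr": cidr,
            })
    return findings


def is_compliant(ip_permissions: Iterable[Dict]) -> bool:
    """COMPLIANT in the rule's sense: no world-open rule reaches TCP/22."""
    return not open_ssh_rules(ip_permissions)


# Constructed sample group (placeholder id), shaped like describe_security_groups output.
SAMPLE_GROUP = {
    "GroupId": "sg-0example0",
    "IpPermissions": [
        # SSH from anywhere over IPv4: non-compliant
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # HTTPS from anywhere: not an SSH finding
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # port range 20-25 includes 22; IPv4 side is private, IPv6 side is world-open
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for finding in open_ssh_rules(SAMPLE_GROUP["IpPermissions"]):
        print(f"{SAMPLE_GROUP['GroupId']}: NON_COMPLIANT {finding}")
```

Port ranges matter: a rule for 20-25 is as much an SSH exposure as a rule for 22 alone, and an `IpProtocol` of `-1` carries no ports at all, which is why both cases are handled explicitly.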
Hi,
Following on from this article:
[Get record count for all tables in mysql database](https://www.tutorialspoint.com/get-record-count-for-all-tables-in-mysql-database#:~:text=To%20get%20the%20count%20of,The%20syntax%20is%20as%20follows.&text=mysql%3E%20SELECT%20SUM(TABLE_ROWS)%20%2D%3EFROM%20INFORMATION_SCHEMA.),
is there an Athena (Presto) version of the following MySQL query?
```sql
SELECT table_name
     , table_rows
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = schema_name;
```
The [AWS documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html#sample-commands-ps) for the Parameters and Secrets Lambda Extension states:
```
To make a call using the Amazon Resource Name (ARN) for a parameter, make an HTTP GET call similar to the following.
GET http://localhost:port/systemsmanager/parameters/get?name=arn:aws:ssm:us-east-1:123456789012:parameter/MyParameter
```
However, these requests return a 400 stating that the parameter name is invalid.
Here's a quick example to demonstrate the successful request using the parameter name, and the failed request using the parameter ARN:
```py
import json
import os
from botocore.vendored import requests


def lambda_handler(event, context):
    name_url = 'http://localhost:2773/systemsmanager/parameters/get?name=test-param'
    arn_url = 'http://localhost:2773/systemsmanager/parameters/get?name=arn:aws:ssm:us-east-2:{ACCOUNT_ID}:parameter/test-param'
    headers = {'X-Aws-Parameters-Secrets-Token': os.environ['AWS_SESSION_TOKEN']}
    name_resp = requests.get(name_url, headers=headers)
    print(f'NAME RESPONSE: {name_resp.status_code} > {name_resp.text}')
    arn_resp = requests.get(arn_url, headers=headers)
    print(f'ARN RESPONSE: {arn_resp.status_code} > {arn_resp.text}')
```
and the output:
```
NAME RESPONSE: 200 > {"Parameter":{"ARN":"arn:aws:ssm:us-east-2:{ACCOUNT_ID}:parameter/test-param","DataType":"text","LastModifiedDate":"2022-11-26T02:25:14.669Z","Name":"test-param","Selector":null,"SourceResult":null,"Type":"SecureString","Value":"AQICAH....=","Version":2},"ResultMetadata":{}}
ARN RESPONSE: 400 > an unexpected error occurred while executing request
[AWS Parameters and Secrets Lambda Extension] 2022/11/26 18:09:36 ERROR GetParameter request encountered an error: operation error SSM: GetParameter, https response error StatusCode: 400, RequestID: {REQUEST_ID}, api error ValidationException: Invalid parameter name. Please use correct syntax for referencing a version/label <name>:<version/label>
```
The docs also state:
```
When using GET calls, parameter values must be encoded for HTTP to preserve special characters.
```
However, the error still occurs whether or not the ARN's colons and/or slash are URL-encoded, like so:
```
http://localhost:2773/systemsmanager/parameters/get?name=arn%3Aaws%3Assm%3Aus-east-2%3A{ACCOUNT_ID}%3Aparameter/test-param
http://localhost:2773/systemsmanager/parameters/get?name=arn%3Aaws%3Assm%3Aus-east-2%3A{ACCOUNT_ID}%3Aparameter%2Ftest-param
```
Am I missing something here or is the documentation incorrect in that an ARN can be used for these requests?
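An added example, not code from the question or from the AWS extension, that wraps the extension's GET endpoint so the only difference between calls is the query string: it derives the plain parameter name from an SSM parameter ARN (a workaround for the 400 above, assumed rather than documented), URL-encodes the query values, and builds the request with the `X-Aws-Parameters-Secrets-Token` header from the question. The `version`, `label` and `withDecryption` query keys are the ones AWS documents for this endpoint; the port 2773 and the hypothetical `fetch_parameter` helper are assumptions.

```python
"""Build and issue Parameters and Secrets Lambda Extension requests.

Added example for this thread; not code from the question or from AWS.
Assumes the extension listens on localhost:2773 and accepts parameter
names; deriving the name from an ARN is a workaround, not documented behaviour.
"""
import json
import re
import urllib.request
from urllib.parse import quote, urlencode

EXTENSION_BASE = "http://localhost:2773/systemsmanager/parameters/get"

# arn:<partition>:ssm:<region>:<12-digit account>:parameter/<rest>
_ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):ssm:[a-z0-9-]+:\d{12}:parameter/(.+)$")


def parameter_name_from_arn(ref: str) -> str:
    """Return the parameter name for an SSM parameter ARN.

    The ARN resource is ``parameter`` followed by the name, so a hierarchical
    name keeps its leading '/' and a simple name has none:
      arn:...:parameter/prod/db/pw -> /prod/db/pw
      arn:...:parameter/test-param -> test-param
    A single-level hierarchical name (/foo) is indistinguishable from the
    simple name foo in ARN form; this helper assumes the simple form.
    Non-ARN input is returned unchanged so callers may pass either form.
    """
    m = _ARN_RE.match(ref)
    if m is None:
        if ref.startswith("arn:"):
            raise ValueError(f"not an SSM parameter ARN: {ref}")
        return ref
    rest = m.group(2)
    return f"/{rest}" if "/" in rest else rest


def build_get_url(ref: str, version=None, label=None, with_decryption=False) -> str:
    """Extension GET URL with every query value percent-encoded (incl. '/' and ':')."""
    if version is not None and label is not None:
        raise ValueError("use version or label, not both")
    params = {"name": parameter_name_from_arn(ref)}
    if version is not None:
        params["version"] = str(version)
    if label is not None:
        params["label"] = label
    if with_decryption:
        params["withDecryption"] = "true"
    return f"{EXTENSION_BASE}?{urlencode(params, quote_via=quote, safe='')}"


def fetch_parameter(ref: str, session_token: str, timeout: float = 2.0) -> str:
    """Hypothetical helper: call the local extension and return the parameter value.

    Needs a running extension, so it is not exercised offline.
    """
    req = urllib.request.Request(
        build_get_url(ref, with_decryption=True),
        headers={"X-Aws-Parameters-Secrets-Token": session_token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["Parameter"]["Value"]
```

Keeping the name derivation and the encoding in one place means a failing call can be reproduced by printing `build_get_url(...)` and comparing it with the documented form, instead of hand-editing URLs in the handler.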
I have a SSM Maintenance Window with instance targets linked via a Resource Group.
So the tasks associated with this Maintenance Window make use of the {{RESOURCE_ID}} parameter.
Applying the {{RESOURCE_ID}} to a task which calls an AWS document works fine. Such as AWS-StartEC2Instance and AWS-StopEC2Instance.
I'm now trying to use the {{RESOURCE_ID}} with a new document which executes a PowerShell script. When I build a new document there is the option to specify the "InputPayload", which I am setting as `InstanceIds: "{{RESOURCE_ID}}"`, but when I execute the document I get the error:
"Step fails when it is validating and resolving the step inputs. Failed to resolve input: RESOURCE_ID to type Integer or Boolean or String or StringList or StringMap or MapList. RESOURCE_ID is not defined in the Automation Document"
The document content looks like this:
```yaml
description: TEST
schemaVersion: '0.3'
mainSteps:
  - name: Main
    action: 'aws:executeScript'
    inputs:
      Runtime: PowerShell Core 6.0
      Script: |-
        Write-Host 'hello world';
        $inputPayload = $env:InputPayload | ConvertFrom-Json;
        <#$parameter = $inputPayload.events.parameter;#>
        Write-Host $inputPayload.context;
        return @{message='hello'}
      InputPayload:
        InstanceIds: '{{RESOURCE_ID}}'
```
Any ideas where I'm going wrong with this?
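An added example, not code from the question or from AWS, that lints an Automation (schemaVersion 0.3) document for exactly the failure in the error message: a `{{ Name }}` reference inside `mainSteps` that is neither a declared parameter, a `global:` system variable, nor a `Step.Output` of a step in the document. The document is embedded as a Python dict (the question's YAML transcribed by hand) so it runs without a YAML library. The "fixed" variant assumes the usual maintenance-window pattern, where `{{RESOURCE_ID}}` is supplied in the task's parameters and the document declares a matching parameter; that layout is an assumption, not taken from the question.

```python
"""Find undeclared {{ references }} in an SSM Automation document.

Added example for this thread, not code from the question or from AWS.
The two documents below are constructed: BROKEN_DOC mirrors the question,
FIXED_DOC assumes RESOURCE_ID arrives via a declared task parameter.
"""
import copy
import re
from typing import Any, Dict, Iterator, List, Set

# {{ Name }}, {{ global:REGION }}, {{ StepName.OutputName }}
_REF_RE = re.compile(r"\{\{\s*([A-Za-z0-9_.:\-]+)\s*\}\}")


def _strings(node: Any) -> Iterator[str]:
    """Yield every string value inside a nested dict/list structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def undeclared_references(doc: Dict) -> List[str]:
    """Names referenced in mainSteps that the document cannot resolve, in order seen."""
    declared: Set[str] = set(doc.get("parameters", {}).keys())
    step_names: Set[str] = {s.get("name", "") for s in doc.get("mainSteps", [])}
    missing: List[str] = []
    for text in _strings(doc.get("mainSteps", [])):
        for ref in _REF_RE.findall(text):
            if ref in declared or ref.startswith("global:"):
                continue
            if "." in ref and ref.split(".", 1)[0] in step_names:  # step output
                continue
            if ref not in missing:
                missing.append(ref)
    return missing


# Constructed: the question's document as a dict.
BROKEN_DOC: Dict = {
    "description": "TEST",
    "schemaVersion": "0.3",
    "mainSteps": [{
        "name": "Main",
        "action": "aws:executeScript",
        "inputs": {
            "Runtime": "PowerShell Core 6.0",
            "Script": "Write-Host 'hello world';\n"
                      "$inputPayload = $env:InputPayload | ConvertFrom-Json;\n"
                      "Write-Host $inputPayload.context;\n"
                      "return @{message='hello'}",
            "InputPayload": {"InstanceIds": "{{RESOURCE_ID}}"},
        },
    }],
}

# Constructed: same document with a declared parameter. The maintenance-window
# task would then pass InstanceIds: {{RESOURCE_ID}} as a *task* parameter (assumption).
FIXED_DOC: Dict = copy.deepcopy(BROKEN_DOC)
FIXED_DOC["parameters"] = {
    "InstanceIds": {"type": "StringList", "description": "(Required) Instance IDs from the task"},
}
FIXED_DOC["mainSteps"][0]["inputs"]["InputPayload"] = {"InstanceIds": "{{ InstanceIds }}"}

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_DOC), ("fixed", FIXED_DOC)):
        print(f"{label}: undeclared = {undeclared_references(doc)}")
```

Running the linter before `CreateDocument` turns the runtime validation error into a pre-flight finding, which is cheaper than discovering it on the first maintenance-window execution.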
Hi,
I am currently using Session Manager to provide access to all servers, which is working as intended.
The issue comes where I have another set of users who require access to certain servers only.
Is there any way that only the servers that are required will show up in Session Manager? I tried to edit the ec2:DescribeInstances permission but I just can't get it working.
I would require assistance with this.
A very weird thing is happening with AWS SSM parameter input. The pasted input below gets modified in AWS SSM Automation documents. Can anyone tell me why this happens? It breaks my script and I can't work with this.
Here's my code:
```yaml
schemaVersion: "2.2"
description: "Check HANA DB and stop it LINUX"
mainSteps:
  - action: "aws:runShellScript"
    name: "HANA_DB_STOP"
    inputs:
      runCommand:
        - '#### errocodes'
        - '#### 0 = SCRIPT RAN OK'
        - '#### 10 = SCRIPT FAILED'
        - ''
        - '# stop hana db'
        - 'echo "Stopping Hana DB"'
        - 'sudo /usr/sap/hostctrl/exe/sapcontrol -nr 00 -function Stop'
        - ''
        - '# check hana db state'
        - 'echo "Checking if Hana DB is running."'
        - 'HANADBSTATUS=`sudo /usr/sap/hostctrl/exe/sapcontrol -nr 00 -function GetProcessList`'
        - 'sleep 20'
        - 'if [[ "$HANADBSTATUS" =~ "GRAY" ]]'
        - 'then'
        - ' echo "Hana DB is stopped."'
        - ' exit 0'
        - 'else'
        - 'i=1'
        - 'while [[ ! "$HANADBSTATUS" =~ "GRAY" ]] && [[ "$i" -lt 11 ]]'
        - ' do'
        - ' echo "Warning: HANA DB is running. Checking 10 times with 20 second intervalls until script aborts. This is check $i." '
        - ' sudo /usr/sap/hostctrl/exe/sapcontrol -nr 00 -function Stop'
        - ' sleep 20'
        - ' # check db state again'
        - ' HANADBSTATUS=`sudo /usr/sap/hostctrl/exe/sapcontrol -nr 00 -function GetProcessList`'
        - ' ((i++))'
        - ' if [ "$i" = 10 ]'
        - ' then'
        - ' echo "Error: retried $i-Times. Couldnt stop DB. Exiting Script."'
        - ' echo "Script aborts with Error 0"'
        - ' exit 10'
        - ' fi'
        - ' done'
        - ' if [[ "$HANADBSTATUS" =~ "GRAY" ]]'
        - ' then'
        - ' echo "Hana DB is stopped."'
        - ' exit 0'
        - ' fi'
        - 'fi'
```
This is the output AWS gives me:
```yaml
schemaVersion: '2.2'
description: Check HANA DB and stop it LINUX
mainSteps:
  - action: 'aws:runShellScript'
    name: HANA_DB_STOP
    inputs:
      runCommand:
        - '#### errocodes'
        - "#### 0\t= SCRIPT RAN OK"
        - "#### 10\t= SCRIPT FAILED"
        - ''
        - '# stop hana db'
        - echo "Stopping Hana DB"
        - sudo /usr/sap/hostctrl/exe/sapcontrol -nr 00 -function Stop
        - ''
        - '# check hana db state'
        - echo "Checking if Hana DB is running."
        - HANADBSTATUS=`sudo /usr/sap/hostctrl/exe/sapcontrol -nr 00 -function GetProcessList`
        - sleep 20
        - 'if [[ "$HANADBSTATUS" =~ "GRAY" ]]'
        - then
        - ' echo "Hana DB is stopped."'
        - ' exit 0'
        - else
        - i=1
        - 'while [[ ! "$HANADBSTATUS" =~ "GRAY" ]] && [[ "$i" -lt 11 ]]'
        - "\tdo"
        - "\t\techo \"Warning: HANA DB is running. Checking 10 times with 20 second intervalls until script aborts. This is check $i.\" "
        - "\t\tsudo /usr/sap/hostctrl/exe/sapcontrol -nr 00 -function Stop"
        - "\t\tsleep 20"
        - "\t\t# check db state again"
        - "\t\tHANADBSTATUS=`sudo /usr/sap/hostctrl/exe/sapcontrol -nr 00 -function GetProcessList`"
        - "\t\t((i++))"
        - "\t\tif [ \"$i\" = 10 ]"
        - "\t\t\tthen"
        - "\t\t\t\techo \"Error: retried $i-Times. Couldnt stop DB. Exiting Script.\""
        - "\t\t\t\techo \"Script aborts with Error 0\""
        - "\t\t\t\texit 10"
        - "\t\tfi"
        - "\tdone"
        - "\tif [[ \"$HANADBSTATUS\" =~ \"GRAY\" ]]"
        - ' then'
        - ' echo "Hana DB is stopped."'
        - ' exit 0'
        - "\tfi"
        - fi
```
I know why `\t` gets added, but I still don't understand why and how it removes the `'` in my scripts.
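An added example, not code from the question or from AWS, that decodes the three YAML scalar styles visible in the two documents above (plain, `'single-quoted'` with `''` escapes, `"double-quoted"` with `\t`/`\"`/`\\` escapes) and checks that each re-rendered `runCommand` line denotes the same string as the line that was submitted. It is a deliberately small decoder for these scalar forms, not a YAML parser. The sample pairs are constructed from the lines in the question, with a real tab character where the submitted script had one; `expand_tabs` shows the usual way to keep lines in the single-quoted form, which is an assumption about the re-serializer rather than documented behaviour.

```python
"""Decode YAML plain / single-quoted / double-quoted scalars and compare them.

Added example for this thread, not code from the question or from AWS.
Handles only the scalar syntax that appears in runCommand lists.
"""
from typing import List

# Escapes allowed inside a YAML double-quoted scalar that this decoder supports.
_DQ_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", '"': '"', "\\": "\\", "/": "/", "0": "\0"}


def decode_scalar(token: str) -> str:
    """Return the string a YAML scalar token denotes (list marker already removed)."""
    token = token.strip()
    if len(token) >= 2 and token[0] == "'" and token[-1] == "'":
        # single-quoted: the only escape is '' for a literal quote; tabs are kept verbatim
        return token[1:-1].replace("''", "'")
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        body, out, i = token[1:-1], [], 0
        while i < len(body):
            ch = body[i]
            if ch == "\\":
                i += 1
                if i >= len(body):
                    raise ValueError("dangling backslash in double-quoted scalar")
                esc = body[i]
                if esc == "x":                       # \xHH
                    out.append(chr(int(body[i + 1:i + 3], 16)))
                    i += 2
                elif esc in _DQ_ESCAPES:
                    out.append(_DQ_ESCAPES[esc])
                else:
                    raise ValueError(f"unsupported escape \\{esc}")
            else:
                out.append(ch)
            i += 1
        return "".join(out)
    return token                                     # plain scalar: text as written


def decode_run_command(lines: List[str]) -> List[str]:
    """Each entry is the text after the '- ' list marker of a runCommand line."""
    return [decode_scalar(line) for line in lines]


def same_script(submitted: List[str], rendered: List[str]) -> bool:
    """True if both renderings decode to identical command lines."""
    return decode_run_command(submitted) == decode_run_command(rendered)


def expand_tabs(commands: List[str], tabsize: int = 4) -> List[str]:
    """Tab-free commands: strings without tabs need no \\t escape, so no double quotes."""
    return [cmd.expandtabs(tabsize) for cmd in commands]


# Constructed sample: four lines as submitted (with a real tab) and as AWS rendered them.
AS_WRITTEN = [
    "'#### 0\t= SCRIPT RAN OK'",                  # tab inside single quotes
    "'echo \"Stopping Hana DB\"'",
    "'\tdo'",
    "'if [[ \"$HANADBSTATUS\" =~ \"GRAY\" ]]'",
]
AS_RENDERED = [
    '"#### 0\\t= SCRIPT RAN OK"',                 # tab re-emitted as \t, hence double quotes
    'echo "Stopping Hana DB"',                    # quotes dropped: plain scalar suffices
    '"\\tdo"',
    "'if [[ \"$HANADBSTATUS\" =~ \"GRAY\" ]]'",   # kept single-quoted
]

if __name__ == "__main__":
    for a, b in zip(AS_WRITTEN, AS_RENDERED):
        print(repr(decode_scalar(a)), "==", repr(decode_scalar(b)), decode_scalar(a) == decode_scalar(b))
    print("same script:", same_script(AS_WRITTEN, AS_RENDERED))
```

Decoding both documents and diffing the results, rather than diffing the YAML text, is the reliable way to tell a cosmetic re-serialization from an actual change to the commands that will run on the instance.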
In AML1 we could easily modify the file (/opt/elasticbeanstalk/deploy/configuration/containerconfiguration) and store variables from SSM (Systems Manager) in that file, and Beanstalk automatically updated the environment properties. But in AML2 this feature is removed and the file doesn't exist. We also tried getting the data from SSM and running the export command, but the properties still don't change. So how do we change environment properties from SSM parameters in this case?
I just started a t3a.nano instance. It's normal at startup but it's not stable later. The SSM agent service ran as a cron job and almost made my server crash. Right now I cannot connect via SSH.
I have tried Stop and Start as well; nothing has helped so far.
Has anyone met this issue?
P.S.: I have tried reading old topics and waiting 1-2 hours for the SSM update, but there is no change. For AWS Support, you can check my instance i-0d8bcd6234b2d9ac6.
How can I use SSM Patch Manager to patch servers from other cloud vendors?
Is it possible to pass a value to a script which asks for input via the RunShellScript SSM document? For example, if I execute a shell script on a node, using run command, which asks for input, is there some way to pass that input from the SSM console?
Hello, I'm looking to add node names to my managed nodes but I can't find how/where to do so
IHAC who is using the Windows faster launch feature and is seeing issues with the launch once out of every 5 launches. When the AMI launch fails, the SSM service is not activated and user data scripts are not executed. They are not able to find out the reason for the AMI launch failure.
The customer is also having challenges because, with the SSM service not coming up, they can't log into the EC2 instance (RDP is locked down due to InfoSec security requirements) to download log files. Is there any other option to offload the logs?