{SystemsManager}Session Manager のセットアップ



https://dev.classmethod.jp/articles/session-manager-with-aws-cli/

https://docs.aws.amazon.com/ja_jp/systems-manager/latest/userguide/session-manager-getting-started.html

https://dev.classmethod.jp/articles/execution-log-in-aws-ssm-to-s3/

 

 

-- 1. コマンド等のインストール

-- 1.1 aws cli version 2 インストール

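# 1.1 Install AWS CLI v2 from the official archive.
# -f makes curl fail on an HTTP error instead of saving the error page as
# awscliv2.zip, which would otherwise only surface later as an unzip failure.
# Signature verification of the archive (AWS publishes a detached .sig next
# to it) is not part of this note; consider adding it before running the
# installer with sudo.
curl -f "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
aws --version   # confirms the binary is on PATH and reports the installed version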

-- 1.2 jqインストール
# 1.2 jq is used in step 13 to pretty-print the Session Manager document content.
sudo yum install -y jq

 


-- 2. S3 バケットを作成する

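# 2. Create the bucket that will receive Session Manager session logs (step 13).
# Bucket names are global, so "bucket123" must be replaced by a name that is
# still free; mb fails if it is already taken.
aws s3 ls

aws s3 mb s3://bucket123

# The bucket will hold full session transcripts, so state explicitly that it
# can never be made public rather than relying on the account's defaults.
aws s3api put-public-access-block \
  --bucket bucket123 \
  --public-access-block-configuration \
  BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true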


-- 3. IAMポリシー作成
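# 3. Instance-side IAM policy. The ssmmessages/ssm actions let the SSM agent
# open the Session Manager channels, s3:PutObject lets it upload the session
# log to the bucket from step 2, and s3:GetEncryptionConfiguration lets it read
# that bucket's encryption settings. The original step opened the file in vim;
# a quoted heredoc writes the same content non-interactively.
# NOTE(review): Resource "*" on the first statement matches the AWS sample
# policy; the s3:GetEncryptionConfiguration statement could presumably be
# narrowed to the bucket ARN (arn:aws:s3:::bucket123) — confirm before tightening.
cat >policy01.json <<'EOF'
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel",
                "ssm:UpdateInstanceInformation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::bucket123/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": "*"
        }
    ]
}
EOF

aws iam create-policy \
  --policy-name policy01 \
  --policy-document file://policy01.json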

 


-- 4. IAMロール作成
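# 4. Role that EC2 instances can assume; only the ec2 service principal may
# assume it. Written with a quoted heredoc instead of vim so the step runs
# unattended; the trust policy content is unchanged.
cat >role01.json <<'EOF'
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "ec2.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
}
EOF

aws iam create-role \
  --role-name role01 \
  --assume-role-policy-document file://role01.json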


-- 5. ポリシーをロールにアタッチ
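# 5. Attach policy01 to role01. The policy ARN embeds the account id, so
# resolve it from the current credentials instead of editing a literal
# (the original carried the placeholder 999999999999).
account_id=$(aws sts get-caller-identity --query Account --output text)
aws iam attach-role-policy \
  --policy-arn "arn:aws:iam::${account_id}:policy/policy01" \
  --role-name role01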

 

-- 6. インスタンスプロファイルを作成
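# 6. Instance profile that carries role01 onto the EC2 instance.
aws iam create-instance-profile --instance-profile-name profile01

# Verify with a JMESPath query instead of grepping the JSON output.
aws iam list-instance-profiles \
  --query 'InstanceProfiles[].InstanceProfileName' --output text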

-- 7. インスタンスプロファイルにロールを追加
# 7. Put role01 into profile01 and confirm the association from the role side.
aws iam add-role-to-instance-profile \
  --instance-profile-name profile01 \
  --role-name role01

aws iam list-instance-profiles-for-role --role-name role01

 


-- 8. IAM ロールを使用したEC2インスタンス起動

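# 8. Launch the test instance with profile01 attached, capturing the instance
# id so it does not have to be copied by hand into steps 10 and 15.
# NOTE(review): the AMI id is region-specific; assumes the region this note was
# written for — confirm it resolves in the target region.
# NOTE(review): --key-name is not required for Session Manager access (no SSH
# login path is used anywhere in this note); it is kept only because the
# original step passed it.
instance_id=$(aws ec2 run-instances \
  --image-id ami-0404778e217f54308 \
  --instance-type t3.nano \
  --key-name key1 \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=instance01}]' \
  --instance-market-options '{"MarketType": "spot","SpotOptions": {"SpotInstanceType": "one-time"}}' \
  --iam-instance-profile Name="profile01" \
  --query 'Instances[0].InstanceId' --output text)
printf 'launched instance %s\n' "$instance_id"

# Show only the instance just launched rather than every instance in the region.
aws ec2 describe-instances --instance-ids "$instance_id"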


-- 9. 作業端末(Amazon Linux2)にSession Manager プラグインをインストール


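# 9. Install the Session Manager plugin on the working host (Amazon Linux 2).
# -f makes curl fail on an HTTP error instead of saving the error page as the
# .rpm, which yum would then reject with an unrelated-looking message.
curl -f "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm" -o "session-manager-plugin.rpm"

sudo yum install -y session-manager-plugin.rpm

session-manager-plugin   # prints a short message when the plugin is installed correctly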

 


-- 10. CLI を使用してセッションを開始する

# 10. Open an interactive session. The target is the instance id reported by
# describe-instances in step 8 (the value here looks like a placeholder).
aws ssm start-session --target i-11111111111111111

別ターミナルを開く

# From a second terminal: list sessions currently open; the SessionId shown
# here is what step 11 terminates.
aws ssm describe-sessions --state Active

 

 

-- 11. セッションを終了する

# 11. End the session by the id taken from describe-sessions --state Active
# (the value here looks like a placeholder), then confirm nothing is still open.
aws ssm terminate-session --session-id iamuser-22222222222222222

aws ssm describe-sessions --state Active

 

-- 12. セッション履歴を表示する

# 12. Past (terminated) sessions.
aws ssm describe-sessions --state History

 


-- 13. S3操作ログ保存の設定


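# 13. Locate the regional Session Manager preferences document. A JMESPath
# query returns the matching entry as JSON instead of grepping a raw dump.
aws ssm list-documents \
  --query "DocumentIdentifiers[?Name=='SSM-SessionManagerRunShell']"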

 

# Metadata of the current document version. '$LATEST' is single-quoted on
# purpose: it is a literal API value, not a shell variable.
aws ssm describe-document --name SSM-SessionManagerRunShell --document-version '$LATEST'


# Pretty-print the document body. Content is a JSON string, so it is decoded
# with fromjson and re-emitted as formatted JSON (same output as
# `jq -r .Content | jq .`).
aws ssm get-document --name SSM-SessionManagerRunShell --document-version '$LATEST' \
  | jq '.Content | fromjson'


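# Switch the regional preferences document to log every session to bucket123.
# Written with a quoted heredoc instead of vim so the step is reproducible;
# the document content is unchanged from the original note.
# NOTE(review): s3EncryptionEnabled is false and kmsKeyId is empty, so no
# Session Manager-side encryption requirement is placed on the transcripts
# that land in the bucket; for anything beyond a lab, consider enabling them
# (the policy from step 3 already grants s3:GetEncryptionConfiguration).
# idleSessionTimeout "20" is presumably minutes — confirm against the
# Session Manager documentation; maxSessionDuration is left unset.
cat >ssm01.json <<'EOF'
{
  "schemaVersion": "1.0",
  "description": "Document to hold regional settings for Session Manager",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "bucket123",
    "s3KeyPrefix": "",
    "s3EncryptionEnabled": false,
    "cloudWatchLogGroupName": "",
    "cloudWatchEncryptionEnabled": false,
    "cloudWatchStreamingEnabled": false,
    "idleSessionTimeout": "20",
    "maxSessionDuration": "",
    "kmsKeyId": "",
    "runAsEnabled": false,
    "runAsDefaultUser": "",
    "shellProfile": {
      "windows": "",
      "linux": ""
    }
  }
}
EOF

# '$LATEST' is single-quoted on purpose: it is a literal API value, not a
# shell variable.
aws ssm update-document \
  --name "SSM-SessionManagerRunShell" \
  --content file://ssm01.json \
  --document-version '$LATEST'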

 

 

 

-- 14. 動作確認

# 14. Check that a session log was written, then dump one to stdout. The
# object name is the session id (the value here looks like a placeholder).
# A transcript holds everything typed and printed during the session, so
# treat it as sensitive output.
aws s3 ls --recursive s3://bucket123

aws s3 cp s3://bucket123/iamuser-33333333333333333.log -

 


-- 15. クリーンアップ

-- Session Manager 設定もどし

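# 15. Restore the preferences document: clearing s3BucketName turns S3 session
# logging off again, so sessions opened after this step are no longer
# recorded. Written with a quoted heredoc instead of vim; content unchanged.
cat >ssm01.json <<'EOF'
{
  "schemaVersion": "1.0",
  "description": "Document to hold regional settings for Session Manager",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "",
    "s3KeyPrefix": "",
    "s3EncryptionEnabled": false,
    "cloudWatchLogGroupName": "",
    "cloudWatchEncryptionEnabled": false,
    "cloudWatchStreamingEnabled": false,
    "idleSessionTimeout": "20",
    "maxSessionDuration": "",
    "kmsKeyId": "",
    "runAsEnabled": false,
    "runAsDefaultUser": "",
    "shellProfile": {
      "windows": "",
      "linux": ""
    }
  }
}
EOF

# '$LATEST' is single-quoted on purpose: it is a literal API value, not a
# shell variable.
aws ssm update-document \
  --name "SSM-SessionManagerRunShell" \
  --content file://ssm01.json \
  --document-version '$LATEST'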

# Confirm the restored content (same output as `jq -r .Content | jq .`).
aws ssm get-document --name SSM-SessionManagerRunShell --document-version '$LATEST' \
  | jq '.Content | fromjson'

 

 


-- EC2インスタンスの削除

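# Terminate the test instance (id from step 8; the value here looks like a
# placeholder). Waiting for termination keeps the instance-profile and role
# deletions that follow from racing a still-running instance.
aws ec2 describe-instances

aws ec2 terminate-instances --instance-ids i-11111111111111111
aws ec2 wait instance-terminated --instance-ids i-11111111111111111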


-- インスタンスプロファイルの削除

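# Detach role01 from the profile first; delete-instance-profile fails while a
# role is still attached.
aws iam remove-role-from-instance-profile \
  --instance-profile-name profile01 \
  --role-name role01

aws iam delete-instance-profile --instance-profile-name profile01

# Verify with a JMESPath query instead of grepping the JSON output.
aws iam list-instance-profiles \
  --query 'InstanceProfiles[].InstanceProfileName' --output text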

 

-- IAMロールの削除
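# Look the role up by name instead of grepping the JSON dump.
aws iam list-roles --query "Roles[?RoleName=='role01'].RoleName" --output text

# The policy ARN embeds the account id; resolve it from the current credentials
# instead of editing a literal (the original carried the placeholder 999999999999).
account_id=$(aws sts get-caller-identity --query Account --output text)
aws iam detach-role-policy \
  --role-name role01 \
  --policy-arn "arn:aws:iam::${account_id}:policy/policy01"

# delete-role fails while any managed policy is still attached, hence the order.
aws iam delete-role --role-name role01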


-- IAMポリシーの削除
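# Look the customer-managed policy up by name instead of grepping the JSON dump.
aws iam list-policies --scope Local \
  --query "Policies[?PolicyName=='policy01'].Arn" --output text

# The policy ARN embeds the account id; resolve it from the current credentials
# instead of editing a literal (the original carried the placeholder 999999999999).
account_id=$(aws sts get-caller-identity --query Account --output text)
aws iam delete-policy \
  --policy-arn "arn:aws:iam::${account_id}:policy/policy01"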


-- バケットの削除

# Remove the log bucket. --force first deletes every object in it, i.e. all
# session transcripts collected in step 14, and cannot be undone; copy out
# anything that must be kept before running this.
aws s3 ls

aws s3 rb --force s3://bucket123