Questions tagged with AWS Systems Manager


I have a script that is running in account A that updates the application in Beanstalk. I want to run the same script from account A to update the Beanstalk application in account B using SSM or any other tool that could accomplish this task. I need to know what SSM command to invoke for the cross-account in the script below:

```
#!/bin/bash
# Find the parameter_store_path entry among the environment variables
# and keep the value after the last "=".
for i in "${eb_env_vars[@]}"
do
  if [[ $i == *"parameter_store_path"* ]]; then
    parameter_store_path=$(echo "$i" | grep -Po "([^\=]*$)")
  fi
done
```

Your help would be greatly appreciated!
1 answer · 0 votes · 17 views · Sam · asked 8 days ago
I have a t2.small instance (1CPU, 2GB RAM) that has been running smoothly for 18 months (averaging 20% CPU usage; see graph below) but became unresponsive today. After some investigation I found that ssm-agent-worker was running at 100%. I've switched to a t2.medium (2CPU, 4GB RAM) so that if that happens again I'll have another CPU that can handle my workload, but I'd prefer not to double my costs just to handle an AWS bug (if that is what it is). Any advice? ![CPU Usage for 7 days](/media/postImages/original/IMCB6IQlszRxy0Z4qlx_mwgA)
1 answer · 0 votes · 30 views · asked 11 days ago
We have an 'unauthorised API call' alarm that is being tripped by Amazon Inspector. It's attempting to download windows.zip from an AWS Public Bucket. Here is a snippet of the CloudWatch log:-

```
"eventSource": "s3.amazonaws.com",
"eventName": "GetObject",
"awsRegion": "ap-southeast-2",
"sourceIPAddress": "Redacted IP Address",
"userAgent": "[aws-sdk-go/1.44.78 (go1.18.3; windows; amd64) amazon-ssm-agent/]",
"errorCode": "AccessDenied",
"errorMessage": "Access Denied",
"requestParameters": {
    "bucketName": "aws-ssm-document-attachments-ap-southeast-2",
    "Host": "aws-ssm-document-attachments-ap-southeast-2.s3.ap-southeast-2.amazonaws.com",
    "key": "e89/810622359321/AmazonInspector2-InspectorSsmPlugin!d6f98620-d464-4b63-ab7c-e10b41c673c6/20/windows.zip"
},
```

We've set up an Instance role and attached permissions policy as specified here:- https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-minimum-s3-permissions.html In fact, I added GetBucket* and ListBuckets at the Bucket level as well just in case that was the issue. When I look in Systems Manager, Fleet Manager it showed failures invoking AmazonInspector2-ConfigureInspectorSsmPlugin and AmazonInspector2-InvokeInspectorSsmPlugin for the instance in question. ![AmazonInspector2-ConfigureInspectorSsmPlugin and AmazonInspector2-InvokeInspectorSsmPlugin Failure](/media/postImages/original/IMWMvCNigNQS-bPc3prIzs5g) We are getting quite a few of these 'Access Denied' errors, but I have allocated the listed permissions. I also checked that my VPC Endpoint Policy does not restrict access. The only issue might be there is a Service Control Policy that is denying access. Has anybody got any other insights as to what might be causing this?
1 answer · 0 votes · 21 views · asked 12 days ago
I have a Maintenance Window which runs a Lambda as one of the Tasks. Within the Task I have specified the Payload as "{{RESOURCE_ID}}". This is so that the Lambda can execute against the instance list within a defined Resource Group. This Resource Group is defined within the Maintenance Window Targets page. This all works fine.

I'm now trying to build this using a CloudFormation template with the Lambda task details within "AWS::SSM::MaintenanceWindowTask". The problem I'm having is that I've tried various formats of entering the Payload information under "TaskInvocationParameters:" "MaintenanceWindowLambdaParameters:" but I'm not able to successfully load the template. It keeps failing with "The Payload parameter for Lambda must be valid JSON".

The AWS docs specify that the Payload data needs to be converted to Base64. I've tried the following formats, which have all failed with the same message:

```
Payload: !Base64 '{"instanceId": ["{{RESOURCE_ID}}"]}'
Payload: !Base64 {"instanceId": ["{{RESOURCE_ID}}"]}
Payload: !Base64 '{{RESOURCE_ID}}'
Payload: {"Fn::Base64" : "{{RESOURCE_ID}}"}
Payload: "{{RESOURCE_ID}}"
Payload: !Base64 '{"instanceId": "{{RESOURCE_ID}}"}'
```

Any ideas where I'm going wrong?
0 answers · 0 votes · 14 views · Kal · asked 12 days ago
Hello! I am trying to remove some EC2 instances from the Fleet Manager. I found some documentation stating the way to remove them is to deregister from the portal. However, when I follow these instructions, the "Deregister This Managed Node" option is grayed out and I am unable to click on it. I am not sure of the next steps to troubleshoot this. If anyone has an idea, I'd appreciate it! Thanks!
0 answers · 0 votes · 12 views · asked 16 days ago
When using the RDP session of Fleet Manager, I get strange errors when trying to type into certain windows. For example, I can type into the search bar and Notepad, but when I open a PowerShell window, it doesn't respond to key inputs. The Command window works, but the PowerShell window is what I use for a lot of admin tasks. It's making Fleet Manager almost unusable now. Is there a way to fix this?
1 answer · 0 votes · 25 views · asked 16 days ago
I created a SecureString parameter in AWS Systems Manager Parameter Store. It uses the default KMS key for encryption/decryption. I also created an association in State Manager to run "AWS-RunPowerShellScript" using the command "Net.exe user administrator {{ssh:<name of my parameter>}}" to have State Manager update the password across all of my associated Windows EC2 instances. However, the update only works when I reference a String parameter but does NOT work when I reference a SecureString parameter. Any ideas why I can't reference a SecureString parameter? How do I reference a SecureString parameter in this State Manager association?
1 answer · 0 votes · 31 views · asked 18 days ago
Hi, I am new to using SSM as an alternative to SSH connections. So, I am trying to create permissions for users to be used when using SSM. For example: I don't need all users to act as (ec2-user); I need a user to check a specific file only, or to have a user without the ability to reboot the services on instances.
1 answer · 0 votes · 34 views · asked 18 days ago
What security group inbound rule do I need to add that will allow AWS Systems Manager State Manager to run the AWS-RunPowerShellScript document on an association of EC2 Windows instances?
2 answers · 0 votes · 45 views · asked 19 days ago
Hi Team, I'm trying to use AWS Batch service with ECS Fargate. It's basically a Python script to fetch the db password stored as a secret from AWS SSM Parameter and run an ETL function. I have ensured networking (internet access with NAT Gateway) and the required IAM permission (Full Access) to fetch the secrets or ECR image. It is scheduled to run on an hourly basis. Sometimes it works fine, but at other times it fails with the message below.

> "Resourceinitializationerror: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secrets from ssm: service call has been retried 5 time(s): RequestCanceled: request context canceled caused by: context deadline exceeded"

This seems to be a strange issue. I'm happy to fix it if any changes need to be done from my side, but I'm a little worried about why it is unstable. Can someone clarify this issue, please?
0 answers · 0 votes · 42 views · asked 22 days ago
Hi everyone, I have been following the documentation for setting up the AWS SDK; however, after having the packages installed, I am getting error messages when trying to compile and run a cpp file which just prints "hello" and has the headers for aws/core and aws/s3 included. I am just trying to verify everything is linked correctly. Actually connecting to S3 can be a separate task. Can someone provide an **exact step-by-step solution for setting up the AWS SDK on an Ubuntu EC2 instance?** Starting from cloning the repo, to compiling the cpp file and running the executable. Thank you very much. I am relatively new to CPP so I'm using this as a side project to gain some experience, sorry if my question seems nooby.
0 answers · 0 votes · 15 views · asked 23 days ago
I was trying to start a session [terminal] via SSM on an instance in another account, using the command "aws ssm start-session --target i-yyyaf4692d801d1xx --region ap-south-1", but it was failing with the response "Target is not connected".

- We get this response when the instance is usually not found in the inventory of Systems Manager, which I can't add, as the instance is in another account.

Also:

- My user has appropriate permissions; I have verified it through IAM Simulator.
- It seems instance IDs are unique and associated to one account only.
- The instance is accessible by local users in that account.

End goal: I wish to use users created in Account A to be able to start sessions on instances in Account B. Both are part of the same organization.
2 answers · 0 votes · 63 views · asked 24 days ago