1 answer
0
When you launch the EC2 instance are you choosing to join the domain? If you are using the new EC2 launch wizard you will find this option at the bottom of the screen under "Advanced details" - you get to pick which domain it will join.
Opening security groups is not the right path to making this work. You MUST make sure that the EC2 has an IAM instance role that has at least the following permission:
`arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess`
For example, here is an IAM instance role definition in CloudFormation that grants Domain join permission and also SSM managed instance permission:
```yaml
# To attach this role to an EC2 instance, reference it from an
# AWS::IAM::InstanceProfile and pass that profile to the instance.
EC2SsmIamRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [ec2.amazonaws.com]
          Action: ['sts:AssumeRole']
    Path: /
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
      - arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess
```
Answered 2 years ago
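An audit script that checks whether an instance's role actually carries the two managed policies the answer above names, so the fix can be verified without loosening any security group. This is an added example, not code from the original post; it assumes boto3 and credentials that can call `ec2:DescribeInstances`, `iam:GetInstanceProfile` and `iam:ListAttachedRolePolicies`.

```python
"""Check an EC2 instance's IAM role for the policies SSM domain join needs.
Added example (not from the original post). Assumes boto3 is installed and
the caller has read access to EC2 and IAM."""

REQUIRED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
    "arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess",
}


def missing_domain_join_policies(attached_policy_arns):
    """Return the required managed-policy ARNs absent from the attached set."""
    return REQUIRED_POLICY_ARNS - set(attached_policy_arns)


def role_names_from_instance_profile_arn(profile_arn, iam):
    """Resolve an instance profile ARN to the names of the roles it contains.
    `iam` is any object exposing get_instance_profile (a boto3 IAM client)."""
    profile_name = profile_arn.rsplit("/", 1)[-1]  # strip arn prefix and path
    profile = iam.get_instance_profile(InstanceProfileName=profile_name)
    return [r["RoleName"] for r in profile["InstanceProfile"]["Roles"]]


def audit_instance(instance_id, region_name):
    """Return (attached_arns, missing_arns) for the instance's role(s).
    Raises ValueError when the instance has no instance profile at all,
    which is the most common reason the domain join silently fails."""
    import boto3  # imported here so the pure checks above run without boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    iam = boto3.client("iam")
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    instance = reservations[0]["Instances"][0]
    profile = instance.get("IamInstanceProfile")
    if profile is None:
        raise ValueError(f"{instance_id} has no IAM instance profile attached")
    attached = set()
    for role_name in role_names_from_instance_profile_arn(profile["Arn"], iam):
        paginator = iam.get_paginator("list_attached_role_policies")
        for page in paginator.paginate(RoleName=role_name):
            attached.update(p["PolicyArn"] for p in page["AttachedPolicies"])
    return attached, missing_domain_join_policies(attached)


if __name__ == "__main__":
    import sys
    # usage: python audit.py <instance-id> <region>
    attached, missing = audit_instance(sys.argv[1], sys.argv[2])
    print("attached:", sorted(attached))
    print("missing:", sorted(missing) or "none")
```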