Introducing Run Command in EC2

In order to perform updates, patches, restart a particular process or running a particular powershell script in a Windows based EC2 instance we need to login to the machine and then make the required changes. Sometimes in a huge production environment this tends to be a cumbersome job for managing large fleet of machines. Therefore in order to make our lives easier AWS has introduced a new add-on feature for EC2 called as Command.

Features of Run Command

Using this feature we can perform system administrator tasks on Windows based EC2 machines. Currently the following actions are supported in Run Command.

• Configuring Cloud Watch
• Configuring Windows Update
• Install an Application
• Install PowerShell Module
• Join an EC2 instance to Directory Service Domain
• Run a PowerShell script
• Update EC2 config

Security of Run Command

Since Run Command runs from the AWS console and no username and password is required to access the instances, questions may arise as to how safe this feature is? Run Command incorporates with IAM policies and roles. Each and every command which is run using Run Command is stored in CloudTrail and also remains in the Console for 30 days.

Run Command shows the output in the console for only 2500 characters and the rest of the output is truncated. In order to keep track of all the commands and their detailed output we can integrate it with S3 and store the output in form of logs in an S3 bucket.

Using Run Command to run a PowerShell Script

We shall see how we can use the Run Command feature to run a PowerShell script on an EC2 instances.

Pre-Requisites

In order to setup the EC2 instance to user Run command these are the pre-requisites needed.

1. Sign into the AWS Management Console and open IAM.
2. In the left pane, choose Policies.
3. Beside create your own policy click on Select button.
4. Enter a Policy name (runcommand-policy) and description.
5. Write the following policy in the Policy Document field
   
   runcommand-policy

   JavaScript

   { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:DescribeAssociation", "ssm:GetDocument", "ssm:ListAssociations", "ssm:UpdateAssociationStatus", "ssm:UpdateInstanceInformation" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2messages:AcknowledgeMessage", "ec2messages:DeleteMessage", "ec2messages:FailMessage", "ec2messages:GetEndpoint", "ec2messages:GetMessages", "ec2messages:SendReply" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeInstanceStatus" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:ListBucketMultipartUploads" ], "Resource": "*" } ] }

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57

   {     "Version": "2012-10-17",     "Statement": [         {             "Effect": "Allow",             "Action": [                 "ssm:DescribeAssociation",                 "ssm:GetDocument",                 "ssm:ListAssociations",                 "ssm:UpdateAssociationStatus",                 "ssm:UpdateInstanceInformation"             ],             "Resource": "*"         },         {             "Effect": "Allow",             "Action": [                 "ec2messages:AcknowledgeMessage",                 "ec2messages:DeleteMessage",                 "ec2messages:FailMessage",                 "ec2messages:GetEndpoint",                 "ec2messages:GetMessages",                 "ec2messages:SendReply"             ],             "Resource": "*"         },         {             "Effect": "Allow",             "Action": [                 "ec2:DescribeInstanceStatus"             ],             "Resource": "*"         },         {             "Effect": "Allow",             "Action": [                 "logs:CreateLogGroup",                 "logs:CreateLogStream",                 "logs:DescribeLogGroups",                 "logs:DescribeLogStreams",                 "logs:PutLogEvents"             ],             "Resource": "*"         },         {             "Effect": "Allow",             "Action": [                 "s3:PutObject",                 "s3:GetObject",                 "s3:AbortMultipartUpload",                 "s3:ListMultipartUploadParts",                 "s3:ListBucketMultipartUploads"             ],             "Resource": "*"         }     ] }

   
    
6. Choose Validate Policy and if everything went fine and no error occurs. Click on Create Policy.
7. In the same way as mentioned above create a runcommand-trust policy for the user so that run command can view the instances.
   
   trust_policy

   JavaScript

   { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:*", "ec2:DescribeInstanceStatus" ], "Resource": "*" } ] }

   1 2 3 4 5 6 7 8 9 10 11 12 13

   {   "Version": "2012-10-17",   "Statement": [     {       "Effect": "Allow",       "Action": [         "ssm:*",         "ec2:DescribeInstanceStatus"       ],       "Resource": "*"     }   ] }

   
    
8. Attach the User policy runcommand-trust policy to the required IAM user.

Create the Instance Role

In this task we shall create a role using which the Run Command can access the EC2 instance.

1. From the IAM dashboard, Select Roles > Create Role.
2. On the Set Role Name page enter a relevant role name and choose Next Step
3. On the Select Role Type page, choose the Next button beside Amazon EC2
4. On the Attach Policy page, select the runcommand-policy you created earlier.Choose Next Step
5. Review the role information and click Create Role

Launch an EC2 instance

Launch and EC2 instance and make sure you attach the IAM Role we created in the previous steps. Refer the Diagram and launch an EC2 instance.

Configuring Run Command

Open the Amazon Management Console and click on Commands in the navigation pane as shown in the figure below.

1. Click on Run a command.
2. You will get the following page. Click on the drop down menu in Command Document and select AWS-RunPowerShellScript.
3. In Target Instances select the instances which were launched using the IAM role of Run-Command 
4. In the Commands text field type the following code to install IIS.
5. Give the appropriate S3 bucket name and the S3 key prefix for the folder inside the bucket to keep the log files in. (Note: S3 bucket and Run Command should be run in the same region) and click on Run button.
6. If everything is configured properly you will get the following screen. Click on view result.
7. You can see that there are two commands which have been executed in both of the instances.
8. Click on one of the commands and click on the output tab.
9. Click on view output to see the output after running this command.
10. The following output from the PowerShell command prompt is displayed in the console.
11. You can also see that the output is stored in S3 Bucket as well with both stdout and stderr.
12. Ping the Public IP of one of the EC2 instance and you can see the IIS Webserver installed.(Make sure port 80 is open to see the IIS Webserver).

Regions

The Run Command is available only in the following region.

• North Virginia
• Oregon
• Ireland

Limitations

There are also a few limitations to the EC2 run command as follows

The Run Command

• Works only on Windows based EC2 instances.
• Works only on instances launched with the Run Command Role
• Does not work on Linux based instances.

Pricing

Run Command does not have any charge beyond the standard usage charges for Amazon EC2, Amazon S3, and other AWS services that are used with this feature.

WRITTEN BY CloudThat

CloudThat is a leading provider of cloud training and consulting services, empowering individuals and organizations to leverage the full potential of cloud computing. With a commitment to delivering cutting-edge expertise, CloudThat equips professionals with the skills needed to thrive in the digital era.