AWS, Cloud Computing, Tutorials, Windows

5 Mins Read

Introducing Run Command in EC2

In order to perform updates, patches, restart a particular process or running a particular powershell script in a Windows based EC2 instance we need to login to the machine and then make the required changes. Sometimes in a huge production environment this tends to be a cumbersome job for managing large fleet of machines. Therefore in order to make our lives easier AWS has introduced a new add-on feature for EC2 called as Command.

Features of Run Command

Using this feature we can perform system administrator tasks on Windows based EC2 machines. Currently the following actions are supported in Run Command.

Security of Run Command

Since Run Command runs from the AWS console and no username and password is required to access the instances, questions may arise as to how safe this feature is? Run Command incorporates with IAM policies and roles. Each and every command which is run using Run Command is stored in CloudTrail and also remains in the Console for 30 days.

Run Command shows the output in the console for only 2500 characters and the rest of the output is truncated. In order to keep track of all the commands and their detailed output we can integrate it with S3 and store the output in form of logs in an S3 bucket.

Using Run Command to run a PowerShell Script

We shall see how we can use the Run Command feature to run a PowerShell script on an EC2 instances.


In order to setup the EC2 instance to user Run command these are the pre-requisites needed.

  1. Sign into the AWS Management Console and open IAM.
  2. In the left pane, choose Policies.
  3. Beside create your own policy click on Select button.
  4. Enter a Policy name (runcommand-policy) and description.
  5. Write the following policy in the Policy Document field

  6. Choose Validate Policy and if everything went fine and no error occurs. Click on Create Policy.
  7. In the same way as mentioned above create a runcommand-trust policy for the user so that run command can view the instances.

  8. Attach the User policy runcommand-trust policy to the required IAM user.

Create the Instance Role

In this task we shall create a role using which the Run Command can access the EC2 instance.

  1. From the IAM dashboard, Select Roles > Create Role.
  2. On the Set Role Name page enter a relevant role name and choose Next Step
  3. On the Select Role Type page, choose the Next button beside Amazon EC2
  4. On the Attach Policy page, select the runcommand-policy you created earlier.Choose Next Step
  5. Review the role information and click Create Role

Launch an EC2 instance

Launch and EC2 instance and make sure you attach the IAM Role we created in the previous steps. Refer the Diagram and launch an EC2 instance.

Configuring Run Command

Open the Amazon Management Console and click on Commands in the navigation pane as shown in the figure below.


  1. Click on Run a command.3
  2. You will get the following page. Click on the drop down menu in Command Document and select AWS-RunPowerShellScript.4
  3. In Target Instances select the instances which were launched using the IAM role of Run-Command 5
  4. In the Commands text field type the following code to install IIS.6
  5. Give the appropriate S3 bucket name and the S3 key prefix for the folder inside the bucket to keep the log files in. (Note: S3 bucket and Run Command should be run in the same region) and click on Run button.7
  6. If everything is configured properly you will get the following screen. Click on view result.8
  7. You can see that there are two commands which have been executed in both of the instances.9
  8. Click on one of the commands and click on the output tab.10
  9. Click on view output to see the output after running this command.11
  10. The following output from the PowerShell command prompt is displayed in the console.12
  11. You can also see that the output is stored in S3 Bucket as well with both stdout and stderr.13
  12. Ping the Public IP of one of the EC2 instance and you can see the IIS Webserver installed.(Make sure port 80 is open to see the IIS Webserver).14


The Run Command is available only in the following region.


There are also a few limitations to the EC2 run command as follows

The Run Command


Run Command does not have any charge beyond the standard usage charges for Amazon EC2, Amazon S3, and other AWS services that are used with this feature.





  1. Sanket

    Dec 31, 2015


    Well explained..!!!!

  2. Shaan

    Dec 21, 2015


    Good one.

  3. Niko

    Dec 16, 2015


    Hi Ravi, great post and overview of Run command! We just launched Linux support today, so check out our blog post and documentation and feel free to update your post with the new examples and Linux support. Thanks

  4. Rainder singh

    Dec 12, 2015


    Usefull information

  5. Arman

    Dec 9, 2015


    Nice one dude. Cheers. Well explained.

  6. Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!