To apply updates or patches, restart a particular process, or run a PowerShell script on a Windows-based EC2 instance, we normally have to log in to the machine and make the change by hand. In a large production environment this becomes a cumbersome job across a big fleet of machines. To make this easier, AWS has introduced a new add-on feature for EC2 called Run Command.
Features of Run Command
Using this feature we can perform system administration tasks on Windows-based EC2 instances. Currently the following actions are supported in Run Command:
Configuring CloudWatch
Configuring Windows Update
Install an Application
Install PowerShell Module
Join an EC2 instance to Directory Service Domain
Run a PowerShell script
Update EC2Config
Security of Run Command
Since Run Command is driven from the AWS console and no username or password is needed to reach the instances, the obvious question is how safe this feature is. Access is governed by IAM: the caller needs an IAM policy that allows the Run Command actions, and the instance needs an IAM role that allows the agent on it to receive commands. Keep in mind that the script runs on the instance under the EC2Config service account (LocalSystem), so anyone allowed to send commands to an instance effectively has administrative control of it; scope the user policy accordingly. Every command sent through Run Command is recorded in CloudTrail and also remains visible in the console for 30 days.
Run Command shows only the first 2500 characters of output in the console; the rest is truncated. To keep a complete record of all commands and their full output, integrate it with S3 and store the output as log files in an S3 bucket.
Using Run Command to run a PowerShell Script
We shall see how to use the Run Command feature to run a PowerShell script on EC2 instances.
To set up EC2 instances for Run Command, the following prerequisites are needed.
Sign into the AWS Management Console and open IAM.
In the left pane, choose Policies.
Beside Create Your Own Policy, click the Select button.
Enter a policy name (runcommand-policy) and a description.
Write the following policy in the Policy Document field
Choose Validate Policy; if it validates without errors, click Create Policy.
In the same way, create a second policy named runcommand-trust for the IAM user, so that the user can send commands and view the instances. Despite the name, this is an ordinary permissions policy attached to a user, not what IAM calls a trust (assume-role) policy.
Attach the runcommand-trust policy to the required IAM user.
Create the Instance Role
In this task we create a role through which Run Command can access the EC2 instance.
From the IAM dashboard, Select Roles > Create Role.
On the Set Role Name page, enter a relevant role name and choose Next Step.
On the Select Role Type page, choose the Select button beside Amazon EC2.
On the Attach Policy page, select the runcommand-policy you created earlier. Choose Next Step.
Review the role information and click Create Role
Launch an EC2 instance
Launch an EC2 instance and make sure you attach the IAM role created in the previous steps. Refer to the diagram and launch the EC2 instance.
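The IAM pieces produced by the console steps above (instance policy, instance role, user policy) can also be created from the AWS Tools for PowerShell, which makes the permissions explicit and reviewable. The following is an added example and not code from the original post; the policy names runcommand-policy and runcommand-trust, the role name RunCommandRole, the IAM user ops-admin, the bucket runcommand-logs, the RunCommand=allowed tag, the region and the placeholder AMI/key/security-group IDs are all assumptions. It goes a little beyond the page by restricting ssm:SendCommand to one document and to tagged instances.

```powershell
# Added example (not from the original post): IAM setup for Run Command with the
# AWS Tools for PowerShell. Names, region, bucket and placeholder IDs are assumptions.
Import-Module AWSPowerShell
$region = 'us-east-1'            # assumption: a region in which Run Command is offered
$bucket = 'runcommand-logs'      # assumption: log bucket, same region as the instances

# 1. Instance-side permissions: the agent polls SSM for work, fetches the document,
#    exchanges messages and writes stdout/stderr to the log bucket. "Resource": "*" is
#    used only for the SSM/ec2messages calls, which have no resource-level ARNs.
$instancePolicy = @"
{ "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": [ "ssm:DescribeAssociation", "ssm:GetDocument", "ssm:ListAssociations",
                  "ssm:UpdateAssociationStatus", "ssm:UpdateInstanceInformation",
                  "ec2messages:AcknowledgeMessage", "ec2messages:DeleteMessage",
                  "ec2messages:FailMessage", "ec2messages:GetEndpoint",
                  "ec2messages:GetMessages", "ec2messages:SendReply" ],
      "Resource": "*" },
    { "Effect": "Allow",
      "Action": [ "s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts" ],
      "Resource": "arn:aws:s3:::$bucket/*" }
  ] }
"@

# 2. Trust policy: only the EC2 service may assume the role. This is what IAM means by
#    "trust policy"; the page's runcommand-trust below is a user permissions policy.
$trustPolicy = @'
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow",
                   "Principal": { "Service": "ec2.amazonaws.com" },
                   "Action": "sts:AssumeRole" } ] }
'@

# 3. Operator-side permissions. SendCommand is limited to one document and to instances
#    carrying the RunCommand=allowed tag, so the user cannot push arbitrary documents
#    at every instance in the account.
$userPolicy = @'
{ "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": [ "ssm:ListDocuments", "ssm:DescribeDocument", "ssm:GetDocument",
                  "ssm:ListCommands", "ssm:ListCommandInvocations",
                  "ec2:DescribeInstances", "ec2:DescribeInstanceStatus" ],
      "Resource": "*" },
    { "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ssm:*:*:document/AWS-RunPowerShellScript" },
    { "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": { "StringEquals": { "ssm:resourceTag/RunCommand": "allowed" } } }
  ] }
'@

# Create the managed policies, the role and the instance profile. The console creates the
# instance profile for you; the API does not, so it is created and linked explicitly here.
$instPol = New-IAMPolicy -PolicyName 'runcommand-policy' -PolicyDocument $instancePolicy `
           -Description 'Run Command instance permissions'
New-IAMRole -RoleName 'RunCommandRole' -AssumeRolePolicyDocument $trustPolicy | Out-Null
Register-IAMRolePolicy -RoleName 'RunCommandRole' -PolicyArn $instPol.Arn
New-IAMInstanceProfile -InstanceProfileName 'RunCommandRole' | Out-Null
Add-IAMRoleToInstanceProfile -InstanceProfileName 'RunCommandRole' -RoleName 'RunCommandRole'

$userPol = New-IAMPolicy -PolicyName 'runcommand-trust' -PolicyDocument $userPolicy `
           -Description 'Run Command operator permissions'
Register-IAMUserPolicy -UserName 'ops-admin' -PolicyArn $userPol.Arn

# IAM is eventually consistent: give the new instance profile a moment before using it.
Start-Sleep -Seconds 15

# Launch the targets with the role attached at launch, as the page requires, and tag them
# so the operator policy above matches them. AMI, key pair and security group are placeholders.
$ids = (New-EC2Instance -Region $region -ImageId 'ami-xxxxxxxx' -InstanceType 't2.micro' `
        -KeyName 'my-keypair' -SecurityGroupId 'sg-xxxxxxxx' -MinCount 2 -MaxCount 2 `
        -InstanceProfile_Name 'RunCommandRole').Instances.InstanceId
New-EC2Tag -Region $region -Resource $ids -Tag @{ Key = 'RunCommand'; Value = 'allowed' }
```

The split between the role's trust policy and the operator's permissions policy is the security-relevant part: the trust policy decides who may assume the role (only EC2), the instance policy decides what the agent may do with it, and the operator policy decides which instances a user may reach. Tagging the targets and conditioning ssm:SendCommand on that tag keeps a compromised operator credential from commanding every Windows instance in the account.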
Configuring Run Command
Open the AWS Management Console, go to EC2, and click on Commands in the navigation pane as shown in the figure below.
Click on Run a command.
You will get the following page. In the Command Document drop-down menu, select AWS-RunPowerShellScript.
In Target Instances, select the instances that were launched with the Run Command IAM role.
In the Commands text field type the following code to install IIS.
Give the S3 bucket name and the S3 key prefix (the folder inside the bucket) in which to keep the log files (note: the S3 bucket must be in the same region as the instances the command runs on), then click the Run button.
If everything is configured properly you will get the following screen. Click View result.
You can see one invocation of the command for each of the two instances it ran on.
Click on one of the commands and click on the output tab.
Click on view output to see the output after running this command.
The following output from the PowerShell command prompt is displayed in the console.
You can also see that the output is stored in S3 Bucket as well with both stdout and stderr.
Open the public IP of one of the EC2 instances in a web browser and you will see the IIS welcome page (make sure TCP port 80 is open in the instance's security group; a ping only shows that the host is reachable, not that IIS is running).
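The same IIS install can be sent with the AWS Tools for PowerShell instead of the console, which is how you would script it across a fleet. What follows is an added example, not the command from the original post: it assumes the region us-east-1, the bucket runcommand-logs in that region, targets tagged RunCommand=allowed, and a security group that allows inbound TCP 80. The remote script is idempotent and verifies its own result, since the console only shows truncated output and the full stdout/stderr goes to S3.

```powershell
# Added example (not code from the original post): send an IIS install through Run Command,
# log output to S3, wait for completion and verify. Region, bucket and tag are assumptions.
Import-Module AWSPowerShell
$region = 'us-east-1'
$bucket = 'runcommand-logs'

# Target by tag rather than by hard-coded instance IDs (assumption: tag RunCommand=allowed).
$targets = (Get-EC2Instance -Region $region -Filter @(
              @{ Name = 'tag:RunCommand';        Values = 'allowed' },
              @{ Name = 'instance-state-name';   Values = 'running' })).Instances.InstanceId

# The script that runs on each instance. It executes under the EC2Config service account
# (LocalSystem), so it is written to be idempotent and to prove its result rather than assume it.
$remoteScript = @'
$ErrorActionPreference = 'Stop'
Import-Module ServerManager
$feature = Get-WindowsFeature -Name Web-Server
if ($feature.Installed) {
    Write-Output "IIS already present on $env:COMPUTERNAME"
} else {
    $r = Install-WindowsFeature -Name Web-Server -IncludeManagementTools
    Write-Output ("Install on {0}: Success={1} RestartNeeded={2}" -f $env:COMPUTERNAME, $r.Success, $r.RestartNeeded)
}
Start-Service W3SVC
$resp = Invoke-WebRequest -Uri 'http://localhost/' -UseBasicParsing
Write-Output ("Local IIS check: HTTP {0}" -f $resp.StatusCode)
'@

# AWS-RunPowerShellScript takes the script as a list of lines in its "commands" parameter;
# executionTimeout (seconds) bounds how long the agent lets the script run.
$cmd = Send-SSMCommand -Region $region -InstanceId $targets `
         -DocumentName 'AWS-RunPowerShellScript' `
         -Parameter @{ commands = [string[]]($remoteScript -split "`r?`n"); executionTimeout = '600' } `
         -OutputS3BucketName $bucket -OutputS3KeyPrefix 'iis-install' `
         -Comment 'Install IIS via Run Command'
"Sent command $($cmd.CommandId) to $(@($targets).Count) instance(s)"

# Poll until no invocation is still pending or running.
do {
    Start-Sleep -Seconds 10
    $inv = Get-SSMCommandInvocation -Region $region -CommandId $cmd.CommandId -Details $true
} while ($inv | Where-Object { "$($_.Status)" -in 'Pending', 'InProgress' })

foreach ($i in $inv) {
    "{0}: {1}" -f $i.InstanceId, $i.Status
    # Inline output is truncated just like the console's; the full stdout/stderr is in S3.
    $i.CommandPlugins | ForEach-Object { $_.Output }
}

# Full logs land under <prefix>/<command-id>/<instance-id>/... in the bucket.
Get-S3Object -Region $region -BucketName $bucket -KeyPrefix "iis-install/$($cmd.CommandId)/" |
    Select-Object Key, Size

# Confirm from outside: this only succeeds if the security group allows inbound TCP 80.
foreach ($id in $targets) {
    $ip = (Get-EC2Instance -Region $region -InstanceId $id).Instances[0].PublicIpAddress
    $status = (Invoke-WebRequest -Uri "http://$ip/" -UseBasicParsing).StatusCode
    "{0} ({1}): HTTP {2}" -f $id, $ip, $status
}
```

Two details matter operationally. The CommandId returned by Send-SSMCommand is the key that ties the CloudTrail record, the console entry and the S3 log folder together, so keep it in your own change log. And because the inline output is capped in both the console and the API, a non-zero ResponseCode on a plugin, or a Status of Failed or TimedOut, should send you to the S3 stderr file rather than to the truncated text.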
Run Command is currently available only in the following region.
There are also a few limitations to EC2 Run Command:
Works only on Windows-based EC2 instances; Linux-based instances are not supported.
Works only on instances launched with the Run Command role attached.
Run Command has no charge beyond the standard usage charges for Amazon EC2, Amazon S3, and the other AWS services used with it.