Security of Run Command<\/h2>\n
Since Run Command runs from the AWS console and no username and password is required to access the instances, questions may arise as to how safe this feature is? Run Command\u00a0incorporates with IAM policies and roles. Each and every command which is run using Run Command is stored in CloudTrail and also remains in the Console for 30 days.<\/p>\n
Run Command shows the output in the console for only 2500 characters and the rest of the output is truncated.\u00a0In order to keep track of all the commands and their detailed output\u00a0we can integrate it with S3 and store the output in form of logs in an S3 bucket.<\/p>\n
Using Run Command to run a PowerShell Script<\/h2>\n
We shall see how we can use the Run Command feature to run a PowerShell script on an EC2 instances.<\/p>\n
Pre-Requisites<\/h4>\n
In order to setup the EC2 instance to user Run command these are the pre-requisites needed.<\/p>\n
- \n
- Sign into the AWS Management Console and open IAM<\/strong>.<\/li>\n
- In the left pane, choose Policies<\/strong>.<\/li>\n
- Beside create your own policy click on Select<\/strong> button.<\/li>\n
- Enter a Policy name (runcommand-policy) and description.<\/li>\n
- Write the following policy in the Policy Document field\n
{\r\n \"Version\": \"2012-10-17\",\r\n \"Statement\": [\r\n {\r\n \"Effect\": \"Allow\",\r\n \"Action\": [\r\n \"ssm:DescribeAssociation\",\r\n \"ssm:GetDocument\",\r\n \"ssm:ListAssociations\",\r\n \"ssm:UpdateAssociationStatus\",\r\n \"ssm:UpdateInstanceInformation\"\r\n ],\r\n \"Resource\": \"*\"\r\n },\r\n {\r\n \"Effect\": \"Allow\",\r\n \"Action\": [\r\n \"ec2messages:AcknowledgeMessage\",\r\n \"ec2messages:DeleteMessage\",\r\n \"ec2messages:FailMessage\",\r\n \"ec2messages:GetEndpoint\",\r\n \"ec2messages:GetMessages\",\r\n \"ec2messages:SendReply\"\r\n ],\r\n \"Resource\": \"*\"\r\n },\r\n {\r\n \"Effect\": \"Allow\",\r\n \"Action\": [\r\n \"ec2:DescribeInstanceStatus\"\r\n ],\r\n \"Resource\": \"*\"\r\n },\r\n {\r\n \"Effect\": \"Allow\",\r\n \"Action\": [\r\n \"logs:CreateLogGroup\",\r\n \"logs:CreateLogStream\",\r\n \"logs:DescribeLogGroups\",\r\n \"logs:DescribeLogStreams\",\r\n \"logs:PutLogEvents\"\r\n ],\r\n \"Resource\": \"*\"\r\n },\r\n {\r\n \"Effect\": \"Allow\",\r\n \"Action\": [\r\n \"s3:PutObject\",\r\n \"s3:GetObject\",\r\n \"s3:AbortMultipartUpload\",\r\n \"s3:ListMultipartUploadParts\",\r\n \"s3:ListBucketMultipartUploads\"\r\n ],\r\n \"Resource\": \"*\"\r\n }\r\n ]\r\n}<\/pre>\n<\/li>\n
- Choose Validate Policy\u00a0<\/strong>and if everything went fine and no error occurs. Click on Create Policy<\/strong>.<\/li>\n
- In the same way as mentioned above create a runcommand-trust <\/strong>policy for the user so that run command can view the instances.\n
{\r\n \"Version\": \"2012-10-17\",\r\n \"Statement\": [\r\n {\r\n \"Effect\": \"Allow\",\r\n \"Action\": [\r\n \"ssm:*\",\r\n \"ec2:DescribeInstanceStatus\"\r\n ],\r\n \"Resource\": \"*\"\r\n }\r\n ]\r\n}<\/pre>\n<\/li>\n
- Attach the User policy runcommand-trust <\/strong>policy to the\u00a0required IAM user.<\/li>\n<\/ol>\n
Create the Instance Role<\/h4>\n
In this task we shall create a role using which the Run Command can access the EC2 instance.<\/p>\n
- \n
- From the IAM <\/strong>dashboard, Select Roles\u00a0<\/strong>> Create Role.<\/strong><\/li>\n
- On the Set Role Name<\/strong> page enter a relevant role name and choose Next Step<\/strong><\/li>\n
- On the Select Role Type <\/strong>page, choose the Next <\/strong>button beside\u00a0Amazon EC2<\/strong><\/li>\n
- On the\u00a0<\/span>Attach Policy<\/span><\/strong>\u00a0page, select the\u00a0runc<\/span>ommand-<\/span>policy you created earlier.Choose\u00a0<\/span>Next Step<\/span><\/li>\n
- Review the role information and click\u00a0Create Role<\/strong><\/li>\n<\/ol>\n
Launch an EC2 instance<\/h4>\n
Launch and EC2 instance and make sure you attach the IAM Role we created in the previous steps. Refer the Diagram and launch an EC2 instance.
\n![\"1\"](\"https:\/\/content.cloudthat.com\/resources\/wp-content\/uploads\/2022\/11\/1118.png\")
<\/a><\/p>\nConfiguring Run Command<\/h2>\n
Open the Amazon Management Console and click on Commands<\/strong>\u00a0in the navigation pane as shown in the figure below.<\/p>\n
![\"2\"](\"https:\/\/content.cloudthat.com\/resources\/wp-content\/uploads\/2022\/11\/210-1024x566.png\")
<\/a><\/p>\n- \n
- Click on Run a command.
![\"3\"](\"https:\/\/content.cloudthat.com\/resources\/wp-content\/uploads\/2022\/11\/1312.png\")
<\/a><\/strong><\/li>\n- You will get the following page. Click\u00a0<\/strong>on the drop down menu in Command Document\u00a0<\/strong>and select AWS-RunPowerShellScript.
![\"4\"](\"https:\/\/content.cloudthat.com\/resources\/wp-content\/uploads\/2022\/11\/44.png\")
<\/a><\/strong><\/li>\n- In Target Instances\u00a0<\/strong>select the instances which were launched using the IAM role of Run-Command\u00a0<\/strong>
![\"5\"](\"https:\/\/content.cloudthat.com\/resources\/wp-content\/uploads\/2022\/11\/53.png\")
<\/a><\/li>\n- In the Commands text\u00a0field type the following code to install IIS.
![\"6\"](\"https:\/\/content.cloudthat.com\/resources\/wp-content\/uploads\/2022\/11\/165.png\")
<\/a><\/li>\n- Give the appropriate S3 bucket name and the S3 key prefix for the folder inside the bucket to keep the log files in. (Note: S3 bucket and Run Command should be run in the same region) and click on Run <\/strong>button.
![\"7\"](\"https:\/\/content.cloudthat.com\/resources\/wp-content\/uploads\/2022\/11\/75.png\")
<\/a><\/li>\n- If everything is configured properly you will get the following screen. Click on view result.
![\"8\"](\"https:\/\/content.cloudthat.com\/resources\/wp-content\/uploads\/2022\/11\/85.png\")
<\/a><\/li>\n- You can see that there are two commands which have been executed in both of the instances.
![\"9\"](\"https:\/\/content.cloudthat.com\/resources\/wp-content\/uploads\/2022\/11\/96-1024x159.png\")
<\/a><\/li>\n- Click on one of the commands and click on the output tab.
![\"10\"](\"https:\/\/content.cloudthat.com\/resources\/wp-content\/uploads\/2022\/11\/104-1024x189.png\")
<\/a><\/li>\n- Click on view output to see the output after running this command.
![\"11\"](\"https:\/\/content.cloudthat.com\/resources\/wp-content\/uploads\/2022\/11\/119.png\")
<\/a><\/li>\n- The following output from the PowerShell command prompt is displayed in the console.
![\"12\"](\"https:\/\/content.cloudthat.com\/resources\/wp-content\/uploads\/2022\/11\/126-1024x513.png\")
<\/a><\/li>\n- You can also see that the output is stored in S3 Bucket as well with both stdout and stderr.
![\"13\"](\"https:\/\/content.cloudthat.com\/resources\/wp-content\/uploads\/2022\/11\/136-1024x540.png\")
<\/a><\/li>\n- Ping the Public IP of one of the EC2 instance and you can see the IIS Webserver installed.(Make sure port 80 is open to see the IIS Webserver).
![\"14\"](\"https:\/\/content.cloudthat.com\/resources\/wp-content\/uploads\/2022\/11\/144-1024x577.png\")
<\/a><\/li>\n<\/ol>\nRegions<\/h2>\n
The Run Command is available only in the following region.<\/p>\n
- \n
- North Virginia<\/li>\n
- Oregon<\/li>\n
- Ireland<\/li>\n<\/ul>\n
Limitations<\/h2>\n
There are also a few limitations to the EC2 run command as follows<\/p>\n
The Run Command<\/p>\n
- \n
- Works only on Windows based EC2 instances.<\/li>\n
- Works only on instances launched with the Run Command Role<\/li>\n
- Does not work on Linux based instances.<\/li>\n<\/ul>\n
Pricing<\/h2>\n
Run Command does not\u00a0have any charge\u00a0beyond the standard usage charges for Amazon EC2, Amazon S3, and other AWS services\u00a0that are used with this feature.<\/p>\n
<\/p>\n","protected":false},"author":219,"featured_media":0,"parent":0,"comment_status":"open","ping_status":"open","template":"","blog_category":[3606,3607,3665,3818],"user_email":"prarthitm@cloudthat.com","published_by":"324","primary-authors":"","secondary-authors":"","acf":[],"_links":{"self":[{"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog\/4018"}],"collection":[{"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/users\/219"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/comments?post=4018"}],"version-history":[{"count":1,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog\/4018\/revisions"}],"predecessor-version":[{"id":45695,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog\/4018\/revisions\/45695"}],"wp:attachment":[{"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/media?parent=4018"}],"wp:term":[{"taxonomy":"blog_category","embeddable":true,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog_category?post=4018"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- You will get the following page. Click\u00a0<\/strong>on the drop down menu in Command Document\u00a0<\/strong>and select AWS-RunPowerShellScript.
- On the Set Role Name<\/strong> page enter a relevant role name and choose Next Step<\/strong><\/li>\n
- In the left pane, choose Policies<\/strong>.<\/li>\n