Tutorial / Cram Notes
Step 1: Verify IAM Role
Before installing the SSM Agent on an EC2 instance, ensure that the instance has an IAM role attached with the AmazonSSMManagedInstanceCore policy. This policy grants the instance the necessary permissions to communicate with the Systems Manager service.
Step 2: Installing the SSM Agent
The SSM Agent is pre-installed on many Amazon Machine Images (AMIs), such as Amazon Linux, Amazon Linux 2, and Ubuntu Server 16.04. However, if it’s not installed, you can manually install it as follows:
For Amazon Linux and RHEL:
sudo yum install -y amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
sudo systemctl enable amazon-ssm-agent
For Ubuntu:
wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
sudo dpkg -i amazon-ssm-agent.deb
sudo systemctl start amazon-ssm-agent
sudo systemctl enable amazon-ssm-agent
Step 3: Configuring the SSM Agent
The SSM Agent does not typically require manual configuration, as it uses IAM role credentials by default. Nonetheless, if needed, you can find its configuration file at /etc/amazon/ssm/amazon-ssm-agent.json.
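The three SSM Agent steps wired together as an added example (not AWS's own tooling): it refuses to continue when no instance profile is attached, picks the install route from /etc/os-release, and installs only when the agent is absent. The IMDS address and the package commands are the ones documented above; the script name and the apply argument are assumptions.

```shell
#!/bin/sh
# Added example (not AWS's own tooling): Step 1 (role check via IMDSv2),
# Step 2 (distro-specific install, skipped if already present), Step 3 (enable,
# start, verify). Run as root: sudo ./ensure-ssm-agent.sh apply
set -eu
IMDS=http://169.254.169.254/latest
DEB_URL=https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
# Map an /etc/os-release ID to the install route this page documents:
# the yum package for Amazon Linux/RHEL, the .deb download for Ubuntu.
ssm_install_method() {
  case "$1" in
    amzn|rhel|centos) echo rpm ;;
    ubuntu|debian)    echo deb ;;
    *)                echo unsupported ;;
  esac
}
# Step 1: without an instance profile the agent has no credentials and never
# registers. The IMDSv2 token works whether or not IMDSv1 is disabled.
check_instance_profile() {
  token=$(curl -sf -X PUT "$IMDS/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
  curl -sf -H "X-aws-ec2-metadata-token: $token" \
       "$IMDS/meta-data/iam/info" >/dev/null || {
    echo "no instance profile attached; attach a role with AmazonSSMManagedInstanceCore" >&2
    return 1
  }
}
# Step 2: install only when the agent binary is absent, via the distro's route.
install_ssm_agent() {
  command -v amazon-ssm-agent >/dev/null 2>&1 && return 0
  . /etc/os-release
  case "$(ssm_install_method "$ID")" in
    rpm) yum install -y amazon-ssm-agent ;;
    deb) wget -q -O /tmp/amazon-ssm-agent.deb "$DEB_URL"
         dpkg -i /tmp/amazon-ssm-agent.deb ;;
    *)   echo "unsupported distribution: $ID" >&2; return 1 ;;
  esac
}
# Step 3: enable at boot, start now, then confirm the unit is active.
start_and_verify() {
  systemctl enable amazon-ssm-agent
  systemctl start amazon-ssm-agent
  systemctl is-active --quiet amazon-ssm-agent
}
if [ "${1:-}" = "apply" ]; then
  check_instance_profile && install_ssm_agent && start_and_verify
fi
```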
Installing and Configuring the CloudWatch Agent
With the CloudWatch agent, you can collect detailed metrics and logs from the EC2 instances, which can then be viewed within the AWS Management Console.
Step 1: Verify IAM Role
The EC2 instance should have an IAM role with the CloudWatchAgentServerPolicy policy attached to allow the CloudWatch agent to send metrics and logs to Amazon CloudWatch.
Step 2: Download and Install the CloudWatch Agent
AWS provides a unified CloudWatch agent that you can install either with SSM Run Command or manually from the command line.
Using SSM Run Command:
In the AWS Management Console, navigate to the AWS Systems Manager console, then choose Run Command, and run the AWS-ConfigureAWSPackage document. Specify AmazonCloudWatchAgent for the package name.
For manual installation:
wget https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip
unzip AmazonCloudWatchAgent.zip
sudo ./install.sh
Step 3: Configure the CloudWatch Agent
To configure the CloudWatch agent, you need to create a JSON file with the required metrics and settings. You can use the amazon-cloudwatch-agent-config-wizard to generate this file interactively.
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
This wizard will ask various questions regarding the metrics and logs you want to collect, and it will output the configuration file, typically located at /opt/aws/amazon-cloudwatch-agent/bin/config.json.
Step 4: Start the CloudWatch Agent
After configuring the agent, you can start it by running:
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json -s
Step 5: Verify the CloudWatch Agent Operation
To ensure the CloudWatch agent is operating as expected, run:
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -m ec2 -a status
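A concrete configuration for Step 3, applied with the Step 4 and Step 5 commands, as an added example rather than the wizard's output: it collects memory and root-disk usage (metrics the basic EC2 metrics lack) plus the Linux authentication log. The log group name ec2-auth-logs, the 90-day retention and the /var/log/secure path (Amazon Linux/RHEL; Ubuntu uses /var/log/auth.log) are assumptions.

```shell
#!/bin/sh
# Added example (not the wizard's output): write a CloudWatch agent config for
# memory/disk metrics plus the auth log, then apply it (Step 4) and check (Step 5).
set -eu
CFG=/opt/aws/amazon-cloudwatch-agent/bin/config.json   # same path the wizard uses
CTL=/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl
# Write the config to the given path. The group name, retention and the
# /var/log/secure path (Amazon Linux/RHEL) are assumptions for this example.
write_cw_config() {
  cat > "$1" <<'EOF'
{
  "agent": { "metrics_collection_interval": 60 },
  "metrics": {
    "namespace": "CWAgent",
    "append_dimensions": { "InstanceId": "${aws:InstanceId}" },
    "metrics_collected": {
      "mem":  { "measurement": ["mem_used_percent"] },
      "disk": { "measurement": ["used_percent"], "resources": ["/"] }
    }
  },
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "/var/log/secure",
            "log_group_name": "ec2-auth-logs",
            "log_stream_name": "{instance_id}",
            "retention_in_days": 90
          }
        ]
      }
    }
  }
}
EOF
}
# Steps 4 and 5: hand the file to the agent (-s starts it) and confirm it runs.
apply_cw_config() {
  sudo "$CTL" -a fetch-config -m ec2 -c "file:$1" -s
  sudo "$CTL" -m ec2 -a status | grep -q '"status": "running"'
}
if [ "${1:-}" = "apply" ]; then   # sudo ./cw-agent-config.sh apply
  write_cw_config "$CFG"
  apply_cw_config "$CFG"
fi
```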
Comparison of the SSM Agent and the CloudWatch Agent
Feature | SSM Agent | CloudWatch Agent |
---|---|---|
Pre-installation | Many AMIs | No |
Main Functionality | Instance management | Metrics & logs collection |
Config File Location | /etc/amazon/ssm/ | /opt/aws/amazon-cloudwatch-agent/ |
Required IAM Policy | AmazonSSMManagedInstanceCore | CloudWatchAgentServerPolicy |
Start Command | sudo systemctl start amazon-ssm-agent | amazon-cloudwatch-agent-ctl -a fetch-config |
Configuration Necessity | Rare | Yes, initial setup |
AWS Service Integration | AWS Systems Manager | Amazon CloudWatch |
In conclusion, both the SSM Agent and the CloudWatch agent are essential tools for AWS EC2 instance management and monitoring. Correctly installing and configuring these agents will enhance the security, scalability, and reliability of your AWS infrastructure. Regularly updating the agents and ensuring that the necessary IAM roles are properly configured are best practices for maintaining operational efficiency and for meeting the AWS Certified DevOps Engineer – Professional (DOP-C02) exam requirements.
Practice Test with Explanation
True or False: The AWS Systems Manager Agent (SSM Agent) is automatically installed on all Amazon EC2 instances.
- A) True
- B) False
Answer: B) False
Explanation: The SSM Agent is pre-installed on many Amazon EC2 AMIs and can also be installed manually, but it is not automatically installed on all EC2 instances.
The CloudWatch agent can be used to:
- A) Monitor EC2 instance memory usage
- B) Manage instance patches
- C) Automate instance startup and shutdown
- D) Collect system-level logs
Answer: A) Monitor EC2 instance memory usage, D) Collect system-level logs
Explanation: The CloudWatch agent allows you to collect detailed metrics such as memory usage and system-level logs from your EC2 instances, which are not available through the basic CloudWatch metrics.
Which feature allows you to run commands on your EC2 instances without logging in to the instance via SSH?
- A) AWS Systems Manager Run Command
- B) Amazon EC2 console
- C) AWS Config
- D) AWS Identity and Access Management (IAM)
Answer: A) AWS Systems Manager Run Command
Explanation: AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances at scale without logging in to each instance.
Which of the following are required to enable an EC2 instance for AWS Systems Manager?
- A) An IAM role with SSM permissions attached
- B) A running SSM Agent on the instance
- C) A security group allowing all outbound traffic
- D) An Elastic IP address associated with the instance
Answer: A) An IAM role with SSM permissions attached, B) A running SSM Agent on the instance
Explanation: For an EC2 instance to be managed by AWS Systems Manager, it needs an IAM role with the necessary permissions for SSM operations and the SSM Agent running on the instance.
True or False: CloudWatch Logs can collect logs from EC2 instances without the CloudWatch agent installed.
- A) True
- B) False
Answer: B) False
Explanation: CloudWatch Logs requires the CloudWatch agent to be installed on EC2 instances to collect and push logs to CloudWatch Logs.
To install the latest version of the SSM Agent on an Amazon Linux EC2 instance, which command would you use?
- A) sudo yum install -y https://amazon-ssm-${region}.amazonaws.com/latest/linux_amd64/amazon-ssm-agent.rpm
- B) sudo apt-get install amazon-ssm-agent
- C) sudo yum update -y
- D) sudo rpm -ivh https://amazon-ssm-${region}.amazonaws.com/latest/linux_amd64/amazon-ssm-agent.rpm
Answer: A) sudo yum install -y https://amazon-ssm-${region}.amazonaws.com/latest/linux_amd64/amazon-ssm-agent.rpm
Explanation: For Amazon Linux, you would use the yum package manager to install the latest RPM package for the SSM Agent from the AWS repository.
Which of the following IAM policies provides the necessary permissions for an EC2 instance to interact with the Systems Manager service?
- A) AmazonSSMManagedInstanceCore
- B) AmazonSSMReadOnlyAccess
- C) AmazonEC2FullAccess
- D) AmazonSSMFullAccess
Answer: A) AmazonSSMManagedInstanceCore
Explanation: The AmazonSSMManagedInstanceCore managed policy provides the minimum permissions necessary for EC2 instances to be managed by Systems Manager.
True or False: You can use the Systems Manager console to install the SSM Agent on an EC2 instance.
- A) True
- B) False
Answer: B) False
Explanation: You cannot install the SSM Agent directly from the Systems Manager console. It must be installed on the EC2 instance using a manual installation process or by launching instances with an AMI that includes the agent.
For the CloudWatch agent to successfully send metrics to Amazon CloudWatch, what is required?
- A) The instance must have a public IP address.
- B) The CloudWatch agent configuration file must be present.
- C) The instance needs to be in a public subnet.
- D) The instance must have an associated Elastic Load Balancer.
Answer: B) The CloudWatch agent configuration file must be present.
Explanation: The CloudWatch agent requires a configuration file to specify what metrics to collect and how to send them to CloudWatch.
True or False: You need to stop your EC2 instance before installing the SSM Agent.
- A) True
- B) False
Answer: B) False
Explanation: You do not need to stop your EC2 instance to install the SSM Agent. It can be installed on a running instance.
True or False: You can use AWS Systems Manager Session Manager to establish a secure connection to an EC2 instance’s operating system without opening an inbound port.
- A) True
- B) False
Answer: A) True
Explanation: AWS Systems Manager Session Manager lets you manage your EC2 instances through an interactive shell or through scripts, without the need to open any inbound ports, maintain bastion hosts, or manage SSH keys.
Which of the following is a prerequisite for an EC2 instance to send custom metrics to CloudWatch?
- A) The EC2 instance must be in a VPC.
- B) The instance must have an attached IAM role with CloudWatch permissions.
- C) The instance must have a specific tag assigned.
- D) The SSM Agent must be running on the instance.
Answer: B) The instance must have an attached IAM role with CloudWatch permissions.
Explanation: To publish custom metrics to CloudWatch, the EC2 instance needs an IAM role with the necessary permissions to interact with the CloudWatch service.
Interview Questions
What is the AWS Systems Manager Agent (SSM Agent), and why is it important for EC2 instances?
The AWS Systems Manager Agent (SSM Agent) is software that can be installed on EC2 instances to enable integration with AWS Systems Manager services. SSM Agent allows you to remotely manage and configure these instances, including patch management, running scripts, and automating common maintenance tasks. Its importance lies in its ability to provide centralized control over your infrastructure, improving security and compliance, simplifying operations, and reducing operational overhead.
Can you explain the steps to install the SSM Agent on an EC2 instance for both Linux and Windows operating systems?
For Linux:
a) Connect to the instance and run a command to download the SSM Agent package.
b) Use package management tools to install the downloaded package.
For Windows:
a) Connect to the instance and download the SSM Agent installer from AWS.
b) Run the installer, which is an executable file that installs the agent.
Note: AWS also provides Systems Manager Run Command and State Manager policies for automating the installation process.
Is it possible to automatically install the SSM Agent on EC2 instances upon launch, and if so, how?
Yes, it is possible to install SSM Agent automatically upon EC2 instance launch by using an EC2 user data script that runs when the instance starts. The script should contain the commands to download and install the SSM Agent for the specific operating system of the instance.
How can you verify that the SSM Agent is properly installed and running on an EC2 instance?
You can verify the SSM Agent’s installation and status by logging into the instance and using the appropriate command to check the service status. For example, on Linux systems, you could use sudo systemctl status amazon-ssm-agent, and on Windows systems, you can check the Services management console or use PowerShell/CMD to check the service status.
Which IAM roles and permissions are necessary for the SSM Agent to function properly on EC2 instances?
The EC2 instance should be associated with an IAM role that grants it the necessary permissions to communicate with AWS Systems Manager. This role should have a policy attached that includes permissions like ssm:UpdateInstanceInformation, ssm:ListInstanceAssociations, ssm:DescribeInstanceProperties, and ssm:GetDocument. AWS provides the AmazonSSMManagedInstanceCore managed policy that has the required permissions for SSM Agent.
What is the CloudWatch agent, and how does it differ from the SSM Agent?
The CloudWatch agent is a monitoring service that allows you to collect and track metrics, collect log files, and set alarms for AWS resources and applications. Unlike the SSM Agent, which is used for management and configuration, the CloudWatch agent focuses on monitoring and observability. It enables detailed system and application metrics from EC2 instances and other AWS resources.
Explain how you can install the CloudWatch agent on an EC2 instance and how you would configure it to monitor custom metrics.
To install the CloudWatch agent on an EC2 instance, you can either download the agent manually and install it or use Systems Manager to automate the installation process. Once installed, you must create a configuration file that details the metrics and logs to collect, then use the amazon-cloudwatch-agent-ctl
utility to apply the configuration and start the agent. Custom metrics require specifying additional details in the configuration file to define what data to collect.
Describe how you can use AWS Systems Manager to update an agent on multiple EC2 instances at once.
AWS Systems Manager Run Command allows you to execute commands across multiple EC2 instances simultaneously. To update an agent, you would use the AWS Management Console, AWS CLI, or AWS SDKs to issue a command through Run Command, specifying the command script for updating the agent. This can be used to update the SSM Agent or CloudWatch agent across a fleet of instances.
How can you ensure that agents on EC2 instances always stay updated with the latest version?
To ensure agents stay updated, you can use AWS Systems Manager State Manager to automate the process of updating agents. You would create an association for the instances targeting a document that handles agent updates and configure a schedule for when these updates should occur. The association ensures compliance by checking and applying the necessary updates according to the specified schedule.
Can you set up the SSM Agent to work with instances that are not hosted on AWS?
Yes, you can install the SSM Agent on on-premises servers or virtual machines in other cloud environments, allowing those resources to be managed by AWS Systems Manager. The non-AWS-hosted instances must have outbound internet access to communicate with the AWS service endpoints and need to be configured with an IAM role or user providing the necessary permissions.
What should you do if the SSM Agent on an EC2 instance is not communicating with AWS Systems Manager?
You should check the instance’s network configuration to ensure it can reach the SSM service endpoints, verify that the IAM role associated with the instance has the correct permissions, check that the SSM Agent service is running on the instance, and consult the SSM Agent logs for any error messages or issues. If necessary, update the agent to the latest version and restart the service.
How can you grant an external system the ability to leverage SSM Agent functionality on an EC2 instance for automation purposes?
To let an external system use SSM Agent functionality, an IAM user or service role with the appropriate Systems Manager permissions must be created. This IAM entity’s credentials should then be securely provided to the external system to make API calls to Systems Manager, thus allowing it to leverage the agent on the EC2 instance for automation tasks. Additionally, you should apply granular permissions and policies to control access and actions that external systems can perform.
Great blog post! Really helped me understand how to install the CloudWatch agent on EC2 instances.
Thanks for the detailed guide. I was having issues with SSM Agent installation, but this cleared things up.
Does anyone know if there are any compatibility issues between SSM Agent and different Linux distributions?
Can someone explain the differences between the SSM Agent and the CloudWatch agent?
Appreciate the step-by-step explanation, especially the IAM roles setup part.
One question, do I always need to manually install agents, or is there an automated way?
This is a lifesaver! I was stuck at configuring the CloudWatch agent.
I think more troubleshooting tips could have been added. Faced some issues while configuring on Windows instances.