×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
BMC Helix Discovery ... Using Configuring discovery of target systems

Discovering EC2 hosts by using AWS Systems Manager

Discovering EC2 hosts by using AWS Systems Manager (SSM) enables you to perform detailed discovery of EC2 hosts running in AWS, without the requirement for a direct ssh connection. BMC Helix Discovery has previously been able to scan hosts in AWS without using SSM, but it has required a direct ssh connection from BMC Helix Discovery. Also, it is limited to hosts with a public IP address and requires ssh ports, host credentials, and EC2 key pairs.

Related topics

Discovering cloud services

Discovering Amazon Web Services

Discovering EC2 hosts by using SSM uses an existing AWS credential to access AWS and SSM. SSM returns the EC2 hosts that can be accessed by using the AWS credential, and BMC Helix Discovery creates implicit scans to discover those hosts. The advantages of using SSM to discover EC2 hosts are as follows:

  • Your entire AWS estate can be discovered by using your existing AWS credentials; no additional credentials to manage.
  • Irrespective of how your AWS deployment's network is segmented, the single AWS SSM credential enables you to discover all of it.
  • No requirement for ssh configuration and EC2 key pairs.

When you discover EC2 hosts by using SSM, the target is known to be hosted in AWS, so cloud detection is disabled and only the appropriate AWS methods are used. In a normal IP scan of a host, cloud detection is used to determine whether the target is cloud hosted, and if so, to detect the cloud provider. 

This section introduces AWS SSM and AWS Session Manager. The AWS Session Manager is a capability that BMC Helix Discovery uses.

AWS Systems Manager overview

AWS Systems Manager Open link  is an AWS service that enables you to view operational data from multiple AWS services.  AWS Session Manager Open link , which is a capability of AWS Systems Manager, enables you to establish secure connections to, and manage your EC2 instances by using the AWS CLI.

Setting up permissions in AWS

Before you can discover EC2 hosts by using AWS Systems Manager, at a minimum you must apply the 'ReadOnlyAccess' AWS managed policy, and then configure the correct permissions in the AWS console. The following policy document lists the permissions to apply for a user SSM session:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": [
                "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
                "arn:aws:ssm:*:*:document/AWS-StartNonInteractiveCommand",
                "arn:aws:ec2:*:*:instance/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:ResumeSession",
                "ssm:TerminateSession"
            ],
            "Resource": "*"
        }
    ]
}

Discovering EC2 hosts by using AWS Systems Manager

To discover EC2 hosts by using AWS Systems Manager, you must enable Systems Manager Sessions when you add a new Amazon Web Services discovery run

Discovering Windows hosts by using AWS Systems Manager

The discovery of Windows AWS EC2 hosts by using AWS Systems Manager is provided by using a currently undocumented, non-interactive mode. Support for undocumented features is not guaranteed by AWS, so there is a possibility it might change, or be removed.

The non-interactive command mode, runs individual scripts, as a single string, in separate sessions. As the script is executed as a single string, powershell.exe discovery_script, you must:

  • use semicolon statement delimiters
  • put comments on separate lines (not use end of line comments). 

To discover EC2 hosts with KMS encryption enabled

If you have KMS encryption enabled Open link for an SSM session in a region, the IAM user or role needs additional permissions to establish a session. The following policy document lists the permissions for a user SSM session:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:GetPublicKey",
                "kms:Decrypt",
                "kms:GetKeyPolicy",
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:Verify",
                "kms:GenerateDataKeyPairWithoutPlaintext",
                "kms:GenerateDataKeyPair",
                "kms:ReEncryptFrom",
                "kms:GetParametersForImport",
                "kms:Encrypt",
                "kms:GetKeyRotationStatus",
                "kms:GenerateDataKey",
                "kms:ReEncryptTo",
                "kms:DescribeKey",
                "kms:Sign"
            ],
            "Resource": "arn:aws:kms:*:accountID:key/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "kms:GenerateRandom",
            "Resource": "*"
        }
    ]
}

Scope

For IP addresses scanned through AWS SSM, the scope of an IP address is set as the AWS VPC identifier (vpc-xxxxxxxxxx).


Was this page helpful? Yes No Submitting... Thank you
Last modified by Olha Horbachuk on Jun 20, 2023

Comments

Log in or register to comment.

User privileges and information access for Windows operating systems
Discovering hosts in GCP by using IAP
© Copyright 2004 - 2023 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2023 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.