Discovering EC2 hosts by using AWS Systems Manager
Discovering EC2 hosts by using AWS Systems Manager (SSM) enables you to perform detailed discovery of EC2 hosts running in AWS, without the requirement for a direct ssh connection. BMC Discovery has previously been able to scan hosts in AWS without using SSM, but it has required a direct ssh connection from BMC Discovery. Also, it is limited to hosts with a public IP address and requires ssh ports, host credentials, and EC2 key pairs.
SSM uses an existing AWS credential to access AWS and SSM. SSM returns the EC2 hosts that can be accessed by using the AWS credential, and BMC Discovery creates implicit scans to discover those hosts. The advantages of using SSM to discover EC2 hosts are as follows:
- Your entire AWS estate can be discovered by using your existing AWS credentials; no additional credentials to manage.
- Irrespective of how your AWS deployment's network is segmented, the single AWS SSM credential enables you to discover all of it.
- No requirement for ssh configuration and EC2 key pairs.
Supported OS
Currently, Linux and BSD platforms are scanned, while Windows is not supported.
This section introduces AWS SSM and AWS Session Manager. The AWS Session Manager is a capability that BMC Discovery uses.
AWS Systems Manager overview
AWS Systems Manager
is an AWS service that enables you to view operational data from multiple AWS services.
AWS Session Manager
, which is a capability of AWS Systems Manager, enables you to establish secure connections to, and manage your EC2 instances by using the AWS CLI.
Setting up permissions in AWS
Before you can discover EC2 hosts by using AWS Systems Manager, you must configure the correct permissions in the AWS console. The following policy document lists the permissions for a user SSM session:
- access to all instances (
ssm:StartSession) - terminate their own sessions (
ssm:TerminateSession), and other sessions if they switched roles away from the session - list the instances that they are permitted to connect to (
"ec2:DescribeInstances", "ssm:DescribeInstanceInformation"):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ssm:StartSession",
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Effect": "Allow",
"Action": "ssm:TerminateSession",
"Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
},
{
"Effect": "Allow",
"Action": "ssm:TerminateSession",
"Resource": "*",
"Condition": {
"StringLike": {
"ssm:resourceTag/aws:ssmmessages:session-id": [
"${aws:userid}"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ssm:DescribeInstanceInformation"
],
"Resource": "*"
}
]
}
To discover EC2 hosts by using AWS Systems Manager
To discover EC2 hosts by using AWS Systems Manager, you must enable Systems Manager Sessions when you add a new Amazon Web Services discovery run.
To discover EC2 hosts with KMS encryption enabled
Support for KMS encryption was added in Patch 2 (12.1.0.2) for version 20.08. You must be using patch 2 to discover EC2 hosts with KMS encryption enabled.
If you have
KMS encryption enabled
for an SSM session in a region, the IAM user or role needs additional permissions to establish a session. The following policy document lists the permissions for a user SSM session:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:GetPublicKey",
"kms:Decrypt",
"kms:GetKeyPolicy",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Verify",
"kms:GenerateDataKeyPairWithoutPlaintext",
"kms:GenerateDataKeyPair",
"kms:ReEncryptFrom",
"kms:GetParametersForImport",
"kms:Encrypt",
"kms:GetKeyRotationStatus",
"kms:GenerateDataKey",
"kms:ReEncryptTo",
"kms:DescribeKey",
"kms:Sign"
],
"Resource": "arn:aws:kms:*:accountID:key/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "kms:GenerateRandom",
"Resource": "*"
}
]
}
Scope
For IP addresses scanned through AWS SSM, the scope of an IP address is set as the AWS VPC identifier (vpc-xxxxxxxxxx).
Comments
Log in or register to comment.