AWS system manager : Verify that the IAM instance profile attached to the instance includes the required permissions

amazon ec2amazon-iamamazon-web-servicesaws-systems-manager

I am trying to access an ec2 instance using AWS systems manager for that I've created a role attached to the following policies.

AmazonEC2RoleforSSM
AmazonSSMAutomationApproverAccess
AmazonSSMFullAccess
AmazonSSMAutomationRole

And the role is attached to the ec2 instances. The ec2 instance is listed in the session manager ec2 instance list however when I try to connect I am getting the following error

the version of SSM Agent on the instance supports Session Manager, but
the instance is not configured for use with AWS Systems Manager.
Verify that the IAM instance profile attached to the instance includes
the required permissions

Tried the troubleshooting methods but still getting the following error and one more thing even I removed the attached role the ec2 instance still showing up in the session manager instance list

Best Answer

The main things to do to resolve this are:

Check all the steps in Session Manager Getting Started have been done
Ensure the "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" policy is attached to the EC2 instance role
Ensure that AWS Organisations isn't blocking any of the services that are required. Key services you need to allow in organisations are

Key services for Session Manager

ec2:*
ec2messages:*
ssm:*
ssmmessages:*
s3:*

If you are in a private subnet you need to ensure that you can either access the internet via NAT, or you need to add the following VPC endpoints (docs link)

VPC Endpoints Required

com.amazonaws.ap-southeast-2.s3
com.amazonaws.ap-southeast-2.ssmmessages
com.amazonaws.ap-southeast-2.ec2messages
com.amazonaws.ap-southeast-2.ssm

Security groups need to allow your instance and the VPC endpoints inbound access on port 443 from your entire VPC. Outbound doesn't seem to be required. I can't say it's exactly right but seems to work.

Update

Mike Pope has published a nice article about Granting Permission to Launch EC2 Instances with IAM Roles (PassRole Permission) on the AWS Security Blog, which explains the subject matter from an AWS point of view.

Initial Answer

Skaperen's answer is partially correct (+1), but slightly imprecise/misleading as follows (the explanation seems a bit too complex for a comment, hence this separate answer):

To launch an EC2 instance with an IAM role requires administrative access to the IAM facility.

This is correct as such and points towards the underlying problem, but the required administrative permissions are rather limited, so the following conclusion ...

Because IAM roles grant permissions, there is clearly a security issue to be addressed. You would not want IAM roles being a means to allow permission escalation.

... is a bit misleading, insofar the potential security issue can be properly addressed. The subject matter is addressed in Granting Applications that Run on Amazon EC2 Instances Access to AWS Resources:

You can use IAM roles to manage credentials for applications that run on Amazon EC2 instances. When you use roles, you don't have to distribute AWS credentials to Amazon EC2 instances. Instead, you can create a role with the permissions that applications will need when they run on Amazon EC2 and make calls to other AWS resources. When developers launch an Amazon EC2 instance, they can specify the role you created to associate with the instance. Applications that run on the instance can then use the role credentials to sign requests.

Now, within the use case at hand the mentioned developers [that] launch an Amazon EC2 instance are in fact EC2 instances themselves, which appears to yield the catch 22 security issue Skaperen outlined. That's not really the case though as illustrated by the sample policy in section Permissions Required for Using Roles with Amazon EC2 :

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":"iam:ListInstanceProfiles",
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":"ec2:*",
      "Resource":"*"
    }]
}

So iam:PassRole is in fact the only IAM permission required, and while technically of administrative nature, this isn't that far reaching - of course, the sample policy above would still allow to escalate permissions by means of listing and in turn passing any available role, but this can be prevented by specifying only those roles that are desired/safe to pass for the use case at hand - this is outlined in section Restricting Which Roles Can Be Passed to Amazon EC2 Instances (Using PassRole):

You can use the PassRole permission to prevent users from passing a role to Amazon EC2 that has more permissions than the user has already been granted, and then running applications under the elevated privileges for that role. In the role policy, allow the PassRole action and specify a resource (such as arn:aws:iam::111122223333:role/ec2Roles/*) to indicate that only a specific role or set of roles can be passed to an Amazon EC2 instance.

The respective sample policy illustrates exactly matches the use case at hand, i.e. grants permission to launch an instance with a role by using the Amazon EC2 API:

{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect":"Allow",
      "Action":"ec2:RunInstances",
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"arn:aws:iam::123456789012:role/Get-pics"
    }]
}

How to tag and name the EC2 Instance that was launched by an EC2 Spot Request

Spot instances requests are a type of EC2 resource. The AWS documentation notes that this type of resource can be tagged, but the resulting tags are not carried over to the actual instances:

The tags that you create for your Spot Instance requests only apply to the requests. These tags are not added automatically to the Spot Instance that the Spot service launches to fulfill the request. You must add tags to a Spot Instance yourself when you create the Spot Instance request or after the Spot Instance is launched.

So you'll need to add the tags after the instances have launched. You have some options here:

User Data Script on the created instance: Write a user data script that uses command line tools and the EC2 meta data service to allow the instance to discover its instance Id and create tags for itself. You can use the AWS CLI create-tags to tag any of your EC2 resources. Alternatively, you could bake this into the AMI as a startup script for whatever OS you intend to use. In either situation, the instance will have to have sufficient permissions to create EC2 tags for itself.
External Utility that monitors your spot request: You can use one of the AWS SDKs to monitor your spot request and tag the instances once they have been created. AWS has a tutorial on this very topic under the "How to Tag Your Spot Requests and Instances" header. Without getting too verbose, this simply involves polling Describe Spot Instance Requests until a created Instance Id is available, and then calling Create Tags.

Best Answer

Related Solutions

How to Specify an IAM Role for an Amazon EC2 Instance via AWS CLI

Update

Initial Answer

How to tag and name the EC2 Instance that was launched by an EC2 Spot Request

Related Topic