You can integrate Amazon Elastic Compute Cloud (Amazon EC2) instances with AWS Systems Manager to automate operational tasks and provide more visibility and control. To integrate with Systems Manager, EC2 instances must have an installed AWS Systems Manager Agent (SSM Agent) and an AmazonSSMManagedInstanceCore AWS Identity and Access Management (IAM) policy attached to their instance profiles.
However, if you want to ensure that all EC2 instance profiles have the AmazonSSMManagedInstanceCore policy attached, you can face challenges updating new EC2 instances that don’t have instance profiles, or EC2 instances that have an instance profile that lacks the AmazonSSMManagedInstanceCore policy. It can also be difficult to add this policy across multiple Amazon Web Services (AWS) accounts and AWS Regions.
This pattern helps solve these challenges by deploying three Cloud Custodian policies in your AWS accounts:
- The first Cloud Custodian policy checks for existing EC2 instances that have an instance profile but don't have the AmazonSSMManagedInstanceCore policy, and then attaches the AmazonSSMManagedInstanceCore policy.
- The second Cloud Custodian policy checks for existing EC2 instances without an instance profile and adds a default instance profile that has the AmazonSSMManagedInstanceCore policy attached.
- The third Cloud Custodian policy creates AWS Lambda functions in your accounts that monitor the creation of EC2 instances and instance profiles, so that the AmazonSSMManagedInstanceCore policy is attached automatically when an EC2 instance is created.
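The following Cloud Custodian (c7n) policy file is an added illustration of the three policies described above; it is not the pattern's own policy file. The instance profile name DefaultSSMInstanceProfile and the Lambda execution role CustodianLambdaRole are assumed names that you would create beforehand (the profile's role must already have AmazonSSMManagedInstanceCore attached), and `{account_id}` is expanded by Cloud Custodian when the policy is deployed. The first policy is an approximation: it targets IAM roles whose trust policy allows ec2.amazonaws.com rather than the instances themselves, and assumes `Principal.Service` is a single string in the trust policy.

```yaml
# Added example, not the pattern's own policy file. Assumed names:
#   DefaultSSMInstanceProfile - pre-created instance profile whose role has
#                               AmazonSSMManagedInstanceCore attached
#   CustodianLambdaRole       - execution role for the event-mode Lambda
# {account_id} is expanded by Cloud Custodian at deployment time.
policies:
  # Policy 1 (approximation): roles that EC2 can assume, and that lack the
  # managed policy, get it attached. Acts on the role, not the instance, and
  # assumes Principal.Service in the trust policy is a single string.
  - name: iam-role-attach-ssm-core
    resource: aws.iam-role
    filters:
      - type: value
        key: AssumeRolePolicyDocument.Statement[].Principal.Service
        op: contains
        value: ec2.amazonaws.com
      - not:
          - type: has-specific-managed-policy
            value: AmazonSSMManagedInstanceCore
    actions:
      - type: set-policy
        state: attached
        arn: arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

  # Policy 2: existing instances with no instance profile get the default one.
  - name: ec2-attach-default-ssm-profile
    resource: aws.ec2
    filters:
      - type: value
        key: IamInstanceProfile
        value: absent
    actions:
      - type: set-instance-profile
        name: DefaultSSMInstanceProfile

  # Policy 3: same remediation as policy 2, but deployed as a Lambda function
  # triggered by the CloudTrail RunInstances event, so instances launched
  # without a profile are fixed at creation time.
  - name: ec2-new-instance-ssm-profile
    resource: aws.ec2
    mode:
      type: cloudtrail
      role: arn:aws:iam::{account_id}:role/CustodianLambdaRole
      events:
        - RunInstances
    filters:
      - type: value
        key: IamInstanceProfile
        value: absent
    actions:
      - type: set-instance-profile
        name: DefaultSSMInstanceProfile
```

Running `custodian run -s output ssm-policies.yml` in a Region executes the two pull-mode policies once against existing resources and deploys the event-mode policy as a Lambda function with its CloudTrail-backed EventBridge rule. Add `--dryrun` first to see which roles and instances would be changed without attaching anything; the `output` directory then contains the matched resources for review.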
This pattern uses AWS DevOps tools to achieve a continuous, at-scale deployment of the Cloud Custodian policies to a multi-account environment, without provisioning a separate compute environment.