
4n6ir.com


22 December 2021

System Manager Quick Setup

by John Lukach

EC2 Global View covers only a single AWS account; AWS Systems Manager Quick Setup can build an organization-wide EC2 inventory instead. Start in the Organizations management account by choosing a Quick Setup home region. It cannot be changed once selected, so pick it deliberately.


Create the Quick Setup configuration by choosing the Host Management configuration type and clicking Next.


For the initial goal of an organization-wide EC2 inventory browsed through Systems Manager Explorer as the central UI, none of the optional Host Management configuration options need to be enabled at this stage.


A complete inventory requires targeting the entire organization and all regions, so choose those scopes rather than a subset of OUs or regions.


If you decide to use the Amazon CloudWatch agent or the Systems Manager Agent (SSM Agent), this step is an easy way to grant the IAM instance-profile permissions they need. I recommend adding VPC endpoints for the EC2 and SSM services so agent traffic stays inside the VPC rather than crossing the public internet.


Click Create and let the process run; it takes a while, depending on the options selected and the number of accounts and regions targeted.


The last item to configure in the management account is the delegated administrator for Systems Manager Explorer, found under Settings.


In the delegated administrator account, Systems Manager Explorer needs a resource data sync configured to aggregate the organization EC2 inventory from every account and region. The first sync takes time to populate, so be patient.


Success!! Searching by tags requires the Explorer reporting tags to be configured separately in every account and region, and only five tag keys are allowed, unfortunately.


The aqueduct script makes it easy to push that command-line setting to all accounts and regions, using AWS SSO for authentication and authorization. Remember that not every region supports every service, so some regions in this example, such as Osaka (ap-northeast-3), will fail.

aws ssm update-service-setting --setting-id '/ssm/opsitem/resourceTags' --setting-value "[\"Name\",\"aws:cloudformation:stack-name\"]"

https://github.com/jblukach/aqueduct
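The loop aqueduct automates, written out as an added example; this is not the aqueduct script itself and not code from the post. It builds the JSON array the setting expects (refusing more than the five keys Explorer allows), enumerates the organization's active accounts from the management account, and applies the setting in every enabled region of each account. Assumptions, not taken from the post: the management-account SSO profile name (MGMT_PROFILE, default "management"), that each member account has an assumable role (ROLE_NAME, default OrganizationAccountAccessRole) rather than per-account SSO permission sets, and the SKIP_REGIONS list, seeded with ap-northeast-3 from the post's note.

```shell
#!/usr/bin/env bash
# Added example: push the Explorer reporting-tag setting to every account
# and region of an organization. Assumed names: MGMT_PROFILE, ROLE_NAME.
set -eu

SETTING_ID='/ssm/opsitem/resourceTags'
MAX_REPORTING_TAGS=5                       # five keys max, per the post
MGMT_PROFILE="${MGMT_PROFILE:-management}" # assumption: SSO profile name
ROLE_NAME="${ROLE_NAME:-OrganizationAccountAccessRole}" # assumption
SKIP_REGIONS="${SKIP_REGIONS:-ap-northeast-3}" # regions lacking the service

# Build the JSON array string the CLI takes, e.g. ["Name","Owner"].
# Tag keys are assumed not to contain double quotes.
build_tag_setting_value() {
  if [ "$#" -gt "$MAX_REPORTING_TAGS" ]; then
    echo "at most $MAX_REPORTING_TAGS reporting tag keys allowed, got $#" >&2
    return 1
  fi
  out='['
  sep=''
  for key in "$@"; do
    out="${out}${sep}\"${key}\""
    sep=','
  done
  printf '%s]' "$out"
}

# Return 0 when a region should receive the setting, 1 when it is skipped.
region_is_targeted() {
  for skip in $SKIP_REGIONS; do
    [ "$1" = "$skip" ] && return 1
  done
  return 0
}

# Apply the setting in one member account: assume the role, then loop over
# the regions that account has enabled (opt-in regions included only if on).
push_tag_setting_to_account() {
  account_id="$1"
  value="$2"
  creds=$(aws sts assume-role --profile "$MGMT_PROFILE" \
      --role-arn "arn:aws:iam::${account_id}:role/${ROLE_NAME}" \
      --role-session-name explorer-tags \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
      --output text)
  set -- $creds
  AWS_ACCESS_KEY_ID="$1"; AWS_SECRET_ACCESS_KEY="$2"; AWS_SESSION_TOKEN="$3"
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  for region in $(aws ec2 describe-regions \
                    --query 'Regions[].RegionName' --output text); do
    region_is_targeted "$region" || continue
    aws ssm update-service-setting --region "$region" \
        --setting-id "$SETTING_ID" --setting-value "$value"
    echo "updated $SETTING_ID in $account_id/$region"
  done
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Enumerate active accounts from the management account and push to each.
main() {
  value=$(build_tag_setting_value "$@")
  for account in $(aws organizations list-accounts --profile "$MGMT_PROFILE" \
                     --query 'Accounts[?Status==`ACTIVE`].Id' --output text); do
    push_tag_setting_to_account "$account" "$value"
  done
}

# Runs only when tag keys are given, e.g.:
#   ./explorer_tags.sh Name aws:cloudformation:stack-name
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Because the setting is per account and per region, the loop is the only place the five-key limit is enforced consistently; a key list that is too long fails before any account is touched rather than partway through the organization.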

tags: AWS - SSM - System - Manager