AWS Inspector2 not working with default Amazon Linux 2 - amazon-web-services

I'm trying to use the aws inspector service (the new one, not the classic one) and I created an Amazon Linux 2 instance, and I attached the AmazonSSMManagedInstanceCore role and so the instance appeared in the fleet manager but the aws inspector doesn't find any package vulnerabilities in the instance. I can only make it work when I choose the "Amazon Linux 2 AMI with Amazon Inspector Agent" image. Is there something missing to make it work in the default instance?
I already tried using the default Amazon Linux 2 instance, but it only worked with the instance with the agent already installed

The Amazon Inspector Agent needs to be installed in order to run Amazon Inspector. If you want to use the default AMI or any other AMI, you can use user data to install the Amazon Inspector Agent or run an SSM document to do the installation.
https://docs.aws.amazon.com/inspector/v1/userguide/inspector_installing-uninstalling-agents.html#install-linux

Related

Option to auto install AWS Systems Manager(SSM agent) on the existing AWS EC2 instances

Is there a way to auto-install AWS Systems Manager on the existing AWS EC2 instances?
I see the SSM agent is pre-installed on Amazon Linux, but how about the other OSes like Redhat, Ubuntu, CentOS?
how about the other OS like Redhat, ubuntu, centos?
Ubuntu also has pre-installed SSM Agent. From docs:
SSM Agent is preinstalled, by default, on the following Amazon Machine Images (AMIs):
Amazon Linux
Amazon Linux 2
Ubuntu Server 16.04
Ubuntu Server 18.04
Amazon ECS-Optimized
For the remaining AMIs, you could install the agent as described in the docs and create a custom AMI. This way you do it only once, and re-use the custom AMIs.
As an alternative, User Data could be used to automate the installation of the agent whenever an instance is launched.
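To make the "install the agent from user data" idea concrete (for this answer and for the Inspector answer at the top of the page), here is an added example that is not part of either answer. It generates a first-boot script that detects the distro from /etc/os-release and makes sure amazon-ssm-agent is installed and running; the per-distro install commands are the ones in the public AWS SSM Agent docs, the optional Inspector classic lines are the two commands from the .ebextensions answer further down this page, and the launch helper runs against a constructed stub of the EC2 client (pass boto3.client("ec2") instead for real). The instance profile name and AMI id used in the stub run are constructed.

```python
"""Build EC2 user data that installs/starts SSM Agent at first boot, so an
instance launched from any AMI registers with Systems Manager. Added example,
not from the answers on this page; StubEC2 and all ids are constructed."""
import base64

# AWS-published RPM for distros whose AMIs do not ship the agent (per AWS docs).
SSM_AGENT_RPM = ("https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/"
                 "latest/linux_amd64/amazon-ssm-agent.rpm")

# Inspector classic installer, the same URL the .ebextensions answer uses.
INSPECTOR_INSTALL_URL = "https://inspector-agent.amazonaws.com/linux/latest/install"


def build_user_data(install_inspector_agent=False):
    """Return a bash user-data script: detect the distro, ensure the SSM Agent
    is installed, enabled and running, optionally add the Inspector classic agent."""
    lines = [
        "#!/bin/bash",
        "set -euo pipefail",
        "ensure_running() {",
        "  # Amazon Linux 2 / RHEL 7+ / CentOS 7+ use systemd; Amazon Linux 1 uses upstart.",
        "  if command -v systemctl >/dev/null 2>&1; then systemctl enable --now amazon-ssm-agent;",
        "  else start amazon-ssm-agent 2>/dev/null || true; fi",
        "}",
        ". /etc/os-release   # sets $ID to amzn, ubuntu, rhel, centos, ...",
        'case "$ID" in',
        "  amzn)",
        "    # Preinstalled on Amazon Linux and Amazon Linux 2; just make sure it runs.",
        "    ensure_running ;;",
        "  ubuntu)",
        "    # Preinstalled as a snap on the 16.04/18.04 AMIs; install only if missing.",
        "    snap list amazon-ssm-agent >/dev/null 2>&1 || snap install amazon-ssm-agent --classic ;;",
        "  rhel|centos)",
        f"    yum install -y {SSM_AGENT_RPM}",
        "    ensure_running ;;",
        "  *)",
        '    echo "no SSM Agent install recipe for $ID" >&2; exit 1 ;;',
        "esac",
    ]
    if install_inspector_agent:
        lines += [
            "# Amazon Inspector classic agent: the two steps from the .ebextensions answer.",
            "# Check the installer's published signature before trusting this download in production.",
            f"cd /tmp && wget {INSPECTOR_INSTALL_URL}",
            "bash install",
        ]
    return "\n".join(lines) + "\n"


def encode_user_data(script):
    """boto3's run_instances accepts UserData as a plain string; the raw EC2
    API and some tools want it base64-encoded, which this returns."""
    return base64.b64encode(script.encode()).decode()


def launch_with_user_data(ec2, image_id, instance_profile_name, user_data,
                          instance_type="t3.micro"):
    """Launch one instance with the bootstrap script and the instance profile
    that grants the agent its registration permissions. `ec2` is any object
    with boto3's run_instances signature (real client or StubEC2)."""
    resp = ec2.run_instances(
        ImageId=image_id,
        InstanceType=instance_type,
        MinCount=1,
        MaxCount=1,
        IamInstanceProfile={"Name": instance_profile_name},
        UserData=user_data,
    )
    return resp["Instances"][0]["InstanceId"]


class StubEC2:
    """Constructed stand-in for boto3.client('ec2') so this file runs offline."""

    def __init__(self):
        self.launches = []

    def run_instances(self, **kwargs):
        self.launches.append(kwargs)
        return {"Instances": [{"InstanceId": "i-0constructed000001"}]}


if __name__ == "__main__":
    script = build_user_data(install_inspector_agent=True)
    print(script)
    stub = StubEC2()  # swap for boto3.client("ec2") to launch for real
    print(launch_with_user_data(stub, "ami-0123456789abcdef0", "ec2-ssm-profile", script))
```

The instance profile still matters: the script only puts the agent in place, and the agent can only register if the attached role allows its Systems Manager calls (AmazonSSMManagedInstanceCore or equivalent) and the instance has outbound HTTPS to the SSM endpoints.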

No changes to app after redeployment to EC2 instance

I've got development and production instances in EC2. I've been updating my app in Visual Studio 2019 and redeploying it to the dev instance, then creating an AMI of that instance and using that image to update the production instance(s).
Suddenly my app no longer updates when I deploy to the dev instance. The logs all show the update was applied, but when I look at the files on the server they have not changed for days. I suspect I may be using AMIs incorrectly, but I'm not sure what I'm doing wrong.
How do I get my updates to show again?
You are facing the issue because creating an AMI from a running environment isn't the right approach, since EB runs several scripts under the hood to attach instances to that particular environment.
Note: Custom AMIs are ideal only when you're installing a lot of dependencies or software that you want to be baked into your AMI so subsequent deployments go through quick. Here's the documentation that walks you through the steps, and here's the summary of the steps:
1. The best approach would be to launch a stand-alone EC2 instance using an EB AMI as base (ideally an AMI with HVM virtualization).
2. Connect to the instance with SSH or RDP.
3. Perform any customizations you want.
4. (Windows platforms) Run the EC2Config service Sysprep. For information about EC2Config, see Configuring a Windows Instance Using the EC2Config Service. Ensure that Sysprep is configured to generate a random password that can be retrieved from the AWS Management Console.
5. In the Amazon EC2 console, stop the EC2 instance. Then on the Instance Actions menu, choose Create Image (EBS AMI).

Installing Amazon Inspector Service

I'm about to install and use Amazon Inspector. We have many EC2 instances behind ELB. Plus some EC2 instances are opened via Auto-Scale.
My question: Is the Amazon Inspector doing its work locally or globally, meaning is the monitoring being made on the instance that it is installed on or it can be configured to include all the instances of the infrastructure?
If Inspector should be applied on every EC2 instance, can the Auto-Scale be configured to open the new instances with Inspector already installed on them, and if yes, how can I do that?
I asked a similar question on the Amazon forum but got no response.
In the end I used the following feature to customise the EC2 instances that my application gets deployed to:
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-ec2.html
Basically off the root of your .war file you need a folder named '.ebextensions' and in there a .config file containing some commands to install the Inspector client.
So my file 'inspector-agent.config' looks like this:
```yaml
# Errors get logged to /var/log/cfn-init.log. See also /var/log/eb-tools.log
commands:
  # Download the agent installation script
  "01-agent-repository":
    command: sudo wget https://inspector-agent.amazonaws.com/linux/latest/install
  # Run the installation script
  "02-run-installation-script":
    command: sudo bash install
```
I've found the answer and the solution. You have to install Amazon Inspector on each EC2 instance in order to inspect them all using Amazon Inspector.
About the Auto-Scale, I've applied Amazon Inspector on the main EC2 servers and took an image from them (after inspecting all the EC2s and fixing all the issues). Then I've configured the Auto-Scale to launch from the new AMIs (the inspected AMIs).

aws ssm send command not working in Ubuntu servers

I just started exploring the AWS Systems Manager feature.
I am using Python 3.6 and boto3 to test SSM.
I have created an Ubuntu server EC2 instance (t2.micro) and assigned the IAM role with the policy "AmazonEC2RoleforSSM", which as per my knowledge should allow running the SSM send command on that EC2 instance. But instead I get the error below:
botocore.errorfactory.InvalidInstanceId: An error occurred (InvalidInstanceId) when calling the SendCommand operation:
I even tried to check the output of:
ssm.describe_instance_information()['InstanceInformationList']
It doesn't have the instance ID I created, which pretty much tells the story of why I am getting that error. But, to my knowledge, if I assign the IAM role with the above-mentioned policy it should show up in the list.
Strangely, when I try to do the above setup with an Amazon Linux AMI server and run SSM, everything looks good.
Any idea why SSM is not working on the Ubuntu server? Am I missing something?
But, to my knowledge, if I assign the IAM role with the above-mentioned policy it should show up in the list.
No, there's much more to it than that. You need to install the AWS SSM agent on each server you want to manage. The reason it is working for you with Amazon Linux is that the latest version of Amazon Linux has the SSM agent pre-installed.
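The missing inventory record is the whole story behind InvalidInstanceId, so the check worth automating is "is SSM actually talking to this instance?" before calling send_command. The following is an added example, not code from the question or the answer; it takes any object with the describe_instance_information and send_command methods of boto3's SSM client (pass boto3.client("ssm") for real, or the constructed StubSSM included so the file runs offline). Instance ids, the agent version and the command id are constructed. It also shows the "run an SSM document to install the agent" route mentioned in the first answer on this page, using the two Inspector install commands from the .ebextensions answer above.

```python
"""Check an instance's Systems Manager registration before calling SendCommand.
Added example, not from the question or answer above; StubSSM and all ids are
constructed."""


def managed_instance(ssm, instance_id):
    """Return the SSM record for instance_id, or None when no agent has ever
    registered it. That missing record is what SendCommand reports as
    InvalidInstanceId, whatever IAM policy the instance role carries."""
    resp = ssm.describe_instance_information(
        Filters=[{"Key": "InstanceIds", "Values": [instance_id]}]
    )
    records = resp.get("InstanceInformationList", [])
    return records[0] if records else None


def diagnose(ssm, instance_id):
    """Reduce the registration state to one actionable line."""
    info = managed_instance(ssm, instance_id)
    if info is None:
        return ("not-registered: no SSM Agent has checked in from this instance; "
                "install/start amazon-ssm-agent and confirm the instance profile "
                "allows the agent's Systems Manager calls and outbound HTTPS")
    if info.get("PingStatus") != "Online":
        return f"offline: last PingStatus={info.get('PingStatus')}"
    return (f"online: agent {info.get('AgentVersion')} on "
            f"{info.get('PlatformName')} {info.get('PlatformVersion')}")


def run_shell(ssm, instance_id, commands):
    """Send AWS-RunShellScript only to an instance SSM reports Online, so a
    missing agent surfaces as a clear error instead of InvalidInstanceId."""
    state = diagnose(ssm, instance_id)
    if not state.startswith("online"):
        raise RuntimeError(f"refusing SendCommand to {instance_id}: {state}")
    resp = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunShellScript",
        Parameters={"commands": commands},
    )
    return resp["Command"]["CommandId"]


class StubSSM:
    """Constructed stand-in for boto3.client('ssm'); inventory maps instance id
    to the record describe_instance_information would return for it."""

    def __init__(self, inventory):
        self.inventory = inventory
        self.sent = []

    def describe_instance_information(self, Filters=()):
        wanted = set()
        for f in Filters:
            if f["Key"] == "InstanceIds":
                wanted.update(f["Values"])
        rows = [r for i, r in self.inventory.items() if not wanted or i in wanted]
        return {"InstanceInformationList": rows}

    def send_command(self, InstanceIds, DocumentName, Parameters):
        self.sent.append({"InstanceIds": InstanceIds, "DocumentName": DocumentName,
                          "Parameters": Parameters})
        return {"Command": {"CommandId": "cmd-constructed-0001"}}


# Constructed sample inventory: one Amazon Linux instance that has registered.
# An Ubuntu instance without the agent simply never appears here.
SAMPLE_INVENTORY = {
    "i-0aaaa11112222bbbb": {
        "InstanceId": "i-0aaaa11112222bbbb", "PingStatus": "Online",
        "AgentVersion": "3.1.1446.0", "PlatformName": "Amazon Linux",
        "PlatformVersion": "2",
    },
}

if __name__ == "__main__":
    ssm = StubSSM(SAMPLE_INVENTORY)  # swap for boto3.client("ssm") to run for real
    for iid in ("i-0aaaa11112222bbbb", "i-0cccc33334444dddd"):
        print(iid, "->", diagnose(ssm, iid))
    # The two Inspector agent install steps from the .ebextensions answer, via Run Command.
    print(run_shell(ssm, "i-0aaaa11112222bbbb", [
        "cd /tmp",
        "wget https://inspector-agent.amazonaws.com/linux/latest/install",
        "bash install",
    ]))
```

A `ConnectionLost` PingStatus means the agent once registered and then stopped checking in (stopped service, lost outbound connectivity, revoked role), which is a different fix from an instance that was never registered at all; the diagnose output keeps the two apart.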

Can I use AWS CloudFormation with a custom AMI?

I want to use an AMI that has not been created from a snapshot. The AMI was created using a virtual machine, and then I used CLI tools to create the instance and the AMI.
This instance has cloud-init installed. Could I use this AMI to create instances using CloudFormation?
Do I need to install more software to use that service?
Thanks!
Yes, definitely, that is a very common use case:
Amazon Web Services (AWS) publishes many Amazon Machine Images (AMIs) that contain common software configurations for public use. In addition, the AWS developer community has published many custom AMIs. You can also create your own custom AMIs so that you can quickly and easily start new instances that have everything you need for your application. For example, if your application is a website or a web service, your AMI could include a web server, the associated static content, and the code for the dynamic pages. After you launch an instance with this AMI, your application is running and ready to accept requests.
https://s3.amazonaws.com/cloudformation-examples/BoostrappingApplicationsWithAWSCloudFormation.pdf
Should you plan to use CloudFormation:Init inside your template to add additional configuration when your instance starts, be sure to install the cfn helper tools as well (cfn-init, cfn-hup, cfn-signal, ...).
More details about CloudFormation:Init: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-init.html
How to install the cfn helper scripts: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-helper-scripts-reference.html
Yes.
When you are specifying the instance in the CloudFormation template you can use `"ImageId": ""` <- put in the AMI ID
ImageId
  Provides the unique ID of the Amazon Machine Image (AMI) that was assigned during registration.
  Required: Yes
  Type: String
  Update requires: Replacement
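Putting the two answers together (ImageId from a parameter, plus the cfn helper scripts the first answer says to install on the custom AMI), here is an added example that is not from either answer. It generates a CloudFormation template as a Python dict: the AMI comes in through a parameter typed `AWS::EC2::Image::Id`, so CloudFormation rejects an id that does not exist in the region before creating anything; the user data runs cfn-init against the resource's `AWS::CloudFormation::Init` metadata and reports its exit status with cfn-signal, which the `CreationPolicy` waits on. The logical names (`AmiId`, `WebServer`), the default instance type and the single yum package are constructed for illustration.

```python
"""Generate a CloudFormation template that launches a custom AMI and drives
cfn-init / cfn-signal from user data. Added example, not from the answers on
this page; logical names, the package and the instance type are constructed."""
import json


def user_data_script(stack_ref="AWS::StackName", resource="WebServer"):
    """Bootstrap script in the Fn::Sub form CloudFormation expects: run
    cfn-init against the resource's Metadata, then signal its exit status so
    the CreationPolicy can succeed or fail the stack."""
    script = "\n".join([
        "#!/bin/bash -xe",
        # cfn-init reads AWS::CloudFormation::Init from this resource's Metadata
        f"/opt/aws/bin/cfn-init -v --stack ${{{stack_ref}}} "
        f"--resource {resource} --region ${{AWS::Region}}",
        # $? is cfn-init's exit status; a non-zero signal fails the stack
        f"/opt/aws/bin/cfn-signal -e $? --stack ${{{stack_ref}}} "
        f"--resource {resource} --region ${{AWS::Region}}",
        "",
    ])
    return {"Fn::Base64": {"Fn::Sub": script}}


def build_template(package="httpd"):
    """Template dict: typed AMI parameter, one instance, cfn-init metadata."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Launch a custom AMI and bootstrap it with cfn-init (constructed example)",
        "Parameters": {
            "AmiId": {
                # Typed parameter: CloudFormation validates the id exists in
                # this region at stack creation, instead of failing mid-launch.
                "Type": "AWS::EC2::Image::Id",
                "Description": "Custom AMI with cloud-init and the cfn helper scripts installed",
            },
            "InstanceType": {"Type": "String", "Default": "t3.micro"},
        },
        "Resources": {
            "WebServer": {
                "Type": "AWS::EC2::Instance",
                "Metadata": {
                    "AWS::CloudFormation::Init": {
                        "config": {
                            "packages": {"yum": {package: []}},
                            "services": {"sysvinit": {
                                package: {"enabled": "true", "ensureRunning": "true"}
                            }},
                        }
                    }
                },
                # Wait up to 10 minutes for one cfn-signal before failing the resource.
                "CreationPolicy": {"ResourceSignal": {"Timeout": "PT10M"}},
                "Properties": {
                    "ImageId": {"Ref": "AmiId"},
                    "InstanceType": {"Ref": "InstanceType"},
                    "UserData": user_data_script(),
                },
            }
        },
    }


def render(template):
    """Serialize for `aws cloudformation deploy --template-file ...`."""
    return json.dumps(template, indent=2)


def check_template(template):
    """Offline sanity checks: ImageId must come from the typed parameter, and
    the user data must both run cfn-init and signal its result."""
    inst = template["Resources"]["WebServer"]
    script = inst["Properties"]["UserData"]["Fn::Base64"]["Fn::Sub"]
    return (
        template["Parameters"]["AmiId"]["Type"] == "AWS::EC2::Image::Id"
        and inst["Properties"]["ImageId"] == {"Ref": "AmiId"}
        and "cfn-init" in script
        and "cfn-signal -e $?" in script
        and "ResourceSignal" in inst.get("CreationPolicy", {})
    )


if __name__ == "__main__":
    tpl = build_template()
    assert check_template(tpl)
    print(render(tpl))
```

If the custom AMI lacks the cfn helper scripts, the `/opt/aws/bin/cfn-init` line fails under `bash -xe`, no signal is ever sent, and the stack rolls back when the CreationPolicy timeout expires: a slow but unambiguous symptom that the AMI still needs the helpers installed.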