Open forward2you opened 2 years ago
Can this please get implemented? Surely a 'session' only mode should be possible...
I ended up putting this in the json config:
{ "Agent": { "ContainerMode": true }, "Identity": { "ConsumptionOrder": [ "EC2" ] } }
Should this be fine?
xanather@: The ContainerMode setting does not apply to EC2 targets. This configuration is for Session Manager functionalities on containers only. By enabling this, the EC2 instances are not doing health pings to SSM and you will not be able to see the instances in Fleet Manager console.
We have captured a request to turn off the calls to ec2messages APIs from agent side. We will update once this is supported.
@yuting-fan do you have a plan or roadmap for when you could support turning off these API calls? Our team is in urgent need of this feature.
Background
In our team, we adopt SSM session manager as the only way to SSH to our production instances and installed amazon ssm agent. As a security concern, we disabled other SSM features by locking down the SSM permissions to
What's the problem
We saw lots of AccessDeniedException messages from ec2messages:GetMessages, ssm:ListAssociations, ssm:ListInstanceAssociations and so on. Every minute there are a bunch of these kinds of error messages, and users are complaining about it a little bit, so we want to avoid them.
What we want
As we don't want to open these permissions to our production instances, we hope to have an "enabled" toggle under the MessagingDeliveryService configuration that lets us disable it; then MessagingDeliveryService will not make these API calls. The configuration in amazon-ssm-agent.json looks like this:
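Until such a toggle exists, the practical defender's step is to measure the noise rather than guess at it: parse the agent log, count AccessDeniedException events per IAM action and per minute, and separate the periodic polling calls (the ones the thread wants switched off) from one-off failures. The script below is an added example, not code from this thread or from the amazon-ssm-agent project; the log lines are constructed, and the line format and component names ([MessagingDeliveryService], [HealthCheck]) are assumptions that approximate, not reproduce, the agent's real output.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log excerpt (not real agent output); the line layout and
# component names are assumptions. Account id and instance id are placeholders.
SAMPLE_LOG = """\
2023-05-01 10:00:03 ERROR [MessagingDeliveryService] AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/ProdRole/i-0abc is not authorized to perform: ec2messages:GetMessages on resource: *
2023-05-01 10:00:03 ERROR [HealthCheck] AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/ProdRole/i-0abc is not authorized to perform: ssm:ListAssociations on resource: *
2023-05-01 10:00:04 ERROR [HealthCheck] AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/ProdRole/i-0abc is not authorized to perform: ssm:ListInstanceAssociations on resource: *
2023-05-01 10:00:10 INFO [ssm-session-worker] Session started
2023-05-01 10:01:03 ERROR [MessagingDeliveryService] AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/ProdRole/i-0abc is not authorized to perform: ec2messages:GetMessages on resource: *
"""

# Captures timestamp, logging component and the denied IAM action (service:Operation).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ERROR \[(?P<comp>[^\]]+)\] "
    r"AccessDeniedException: .*?not authorized to perform: (?P<action>[\w-]+:[A-Za-z]+)"
)


def parse_access_denied(log_text):
    """Return a list of (timestamp, component, action) for every AccessDenied line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("comp"), m.group("action")))
    return events


def summarize(events):
    """Count denials per IAM action, per minute and per agent component."""
    return {
        "by_action": dict(Counter(action for _, _, action in events)),
        "by_minute": dict(Counter(ts.strftime("%Y-%m-%d %H:%M") for ts, _, _ in events)),
        "by_component": dict(Counter(comp for _, comp, _ in events)),
    }


def recurring_actions(events):
    """Actions denied in more than one distinct minute: the periodic polling calls."""
    minutes_per_action = {}
    for ts, _, action in events:
        minutes_per_action.setdefault(action, set()).add(ts.strftime("%Y-%m-%d %H:%M"))
    return {a for a, mins in minutes_per_action.items() if len(mins) > 1}


if __name__ == "__main__":
    evs = parse_access_denied(SAMPLE_LOG)
    print(summarize(evs))
    print("recurring:", recurring_actions(evs))
```

Run it against a real agent log (after adjusting LINE_RE to the actual line format) to see which actions are worth allowing in the instance role and which are pure polling noise.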