aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

Make disable Message configurable #419

Open forward2you opened 2 years ago

forward2you commented 2 years ago

Background

In our team, we adopted SSM Session Manager as the only way to SSH to our production instances and installed the Amazon SSM agent. For security reasons, we disabled the other SSM features by locking down the SSM permissions to

"ssm:UpdateInstanceInformation",
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"

What's the problem

We saw lots of AccessDeniedException messages from ec2messages:GetMessages, ssm:ListAssociations, ssm:ListInstanceAssociations and so on. Every minute there is a bunch of these error messages, and users are complaining about it a little bit. So we want to avoid them.

ERROR [HandleAwsError @ awserr.go.49] [ssm-agent-worker] [MessagingDeliveryService] [Association] error when calling AWS APIs. error details - AccessDeniedException: User: xxx is not authorized to perform: ssm:ListInstanceAssociations on resource: arn:xxx because no identity-based policy allows the ssm:ListInstanceAssociations action
ERROR [HandleAwsError @ awserr.go.49] [ssm-agent-worker] [MessagingDeliveryService] [messageID=aws.ssm.e0808a75-a37d-495a-bdb7-9cdce719b16f.i-0349e0c2394f469cf] error when calling AWS APIs. error details - AcknowledgeMessage Error: AccessDeniedException: User: xxx is not authorized to perform: ec2messages:AcknowledgeMessage on resource: arn:xxx because no identity-based policy allows the ec2messages:AcknowledgeMessage action
        status code: 400, request id: abfe2526-618b-4cdb-84a7-c46c2c10fa59
ERROR [checkStopPolicy @ scheduler.go.108] [ssm-agent-worker] [MessagingDeliveryService] MessagingDeliveryService stopped temporarily due to internal failure. We will retry automatically after 15 minutes

What we want

As we don't want to open these permissions on our production instances, we hope to have a toggle under the MessagingDeliveryService configuration that lets us disable it, so that MessagingDeliveryService will not make these API calls. The configuration in amazon-ssm-agent.json would look like this:

"Mds": {
    "Enabled": false
}

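When an instance role is locked down to the five Session Manager actions above, the agent's background pollers keep failing and the log fills with denials that are expected, which makes a denial that actually matters (one of the allowlisted actions) easy to miss. The following script is an added example written for this thread, not code from amazon-ssm-agent: it parses the log lines quoted in the issue (plus two constructed lines), extracts the denied IAM action from each AccessDeniedException, and sorts it into "expected noise" (ec2messages and the association listing calls the issue names), "broken session" (a denied action that the session-only policy should have allowed), or "needs review". The allowlist and poller sets are assumptions taken from the issue text, not from the agent's source.

```python
"""Triage AccessDeniedException noise in amazon-ssm-agent logs.

Added example for this issue thread; not part of amazon-ssm-agent.
"""
import re
from collections import Counter

# The session-only permissions the issue reporter kept on the instance role.
SESSION_ONLY_ALLOWLIST = frozenset({
    "ssm:UpdateInstanceInformation",
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
})

# Background callers the issue names as the source of the noise (assumption:
# every ec2messages action, plus the two association listing calls).
KNOWN_POLLER_SERVICES = frozenset({"ec2messages"})
KNOWN_POLLER_ACTIONS = frozenset({"ssm:ListAssociations", "ssm:ListInstanceAssociations"})

# Matches the denial text the agent logs; captures the IAM action only once per line.
DENIED_RE = re.compile(
    r"AccessDeniedException: User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9]+)"
)
# Matches the scheduler's back-off message so retries can be counted too.
BACKOFF_RE = re.compile(r"(?P<service>\w+) stopped temporarily due to internal failure")

# Sample input: the three ERROR lines quoted in the issue, followed by two
# constructed lines (a GetMessages denial the issue mentions, and a denial of an
# allowlisted action to show the "broken session" bucket).
SAMPLE_LOG = """\
ERROR [HandleAwsError @ awserr.go.49] [ssm-agent-worker] [MessagingDeliveryService] [Association] error when calling AWS APIs. error details - AccessDeniedException: User: xxx is not authorized to perform: ssm:ListInstanceAssociations on resource: arn:xxx because no identity-based policy allows the ssm:ListInstanceAssociations action
ERROR [HandleAwsError @ awserr.go.49] [ssm-agent-worker] [MessagingDeliveryService] [messageID=aws.ssm.e0808a75-a37d-495a-bdb7-9cdce719b16f.i-0349e0c2394f469cf] error when calling AWS APIs. error details - AcknowledgeMessage Error: AccessDeniedException: User: xxx is not authorized to perform: ec2messages:AcknowledgeMessage on resource: arn:xxx because no identity-based policy allows the ec2messages:AcknowledgeMessage action
        status code: 400, request id: abfe2526-618b-4cdb-84a7-c46c2c10fa59
ERROR [checkStopPolicy @ scheduler.go.108] [ssm-agent-worker] [MessagingDeliveryService] MessagingDeliveryService stopped temporarily due to internal failure. We will retry automatically after 15 minutes
ERROR [HandleAwsError @ awserr.go.49] [ssm-agent-worker] [MessagingDeliveryService] error when calling AWS APIs. error details - AccessDeniedException: User: xxx is not authorized to perform: ec2messages:GetMessages on resource: arn:xxx because no identity-based policy allows the ec2messages:GetMessages action
ERROR [HandleAwsError @ awserr.go.49] [ssm-agent-worker] [SessionWorker] error when calling AWS APIs. error details - AccessDeniedException: User: xxx is not authorized to perform: ssmmessages:CreateControlChannel on resource: arn:xxx because no identity-based policy allows the ssmmessages:CreateControlChannel action
"""


def parse_denials(log_text):
    """Return a Counter of denied IAM action -> number of occurrences."""
    return Counter(m.group("action") for m in DENIED_RE.finditer(log_text))


def classify(action):
    """Bucket one denied action: allowlisted actions should never be denied."""
    if action in SESSION_ONLY_ALLOWLIST:
        return "broken_session"
    service = action.split(":", 1)[0]
    if service in KNOWN_POLLER_SERVICES or action in KNOWN_POLLER_ACTIONS:
        return "expected_noise"
    return "needs_review"


def triage(log_text):
    """Group denial counts by bucket and count scheduler back-offs per service."""
    buckets = {"expected_noise": {}, "broken_session": {}, "needs_review": {}}
    for action, count in parse_denials(log_text).items():
        buckets[classify(action)][action] = count
    buckets["backoffs"] = Counter(m.group("service") for m in BACKOFF_RE.finditer(log_text))
    return buckets


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for bucket in ("broken_session", "needs_review", "expected_noise"):
        print(f"{bucket}:")
        for action, count in sorted(report[bucket].items()):
            print(f"  {count:4d}  {action}")
    for service, count in report["backoffs"].items():
        print(f"back-offs: {service} x{count}")
```

Run it against a real agent log (`/var/log/amazon/ssm/amazon-ssm-agent.log` on Linux) by replacing `SAMPLE_LOG` with the file contents; a non-empty `broken_session` bucket means the role is missing something Session Manager itself needs, while a large `expected_noise` bucket is the cosmetic problem this issue asks the agent to fix.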
xanather commented 2 years ago

Can this please get implemented? Surely a 'session' only mode should be possible...

xanather commented 2 years ago

I ended up putting this in the json config:

{
    "Agent": { "ContainerMode": true },
    "Identity": { "ConsumptionOrder": [ "EC2" ] }
}

Should this be fine?

yuting-fan commented 1 year ago

@xanather: The ContainerMode setting does not apply to EC2 targets. This configuration is for Session Manager functionalities on containers only. By enabling this, the EC2 instances are not doing health pings to SSM and you will not be able to see the instances in the Fleet Manager console.

We have captured a request to turn off the calls to ec2messages APIs from agent side. We will update once this is supported.

forward2you commented 1 year ago

@yuting-fan do you have a plan or roadmap for when you could support turning off these API calls? Our team is in urgent need of this feature.