AWS Systems Manager: no more bastion hosts, and no credentials needed to run scripts or commands against multiple servers at once?


Hey guys !!!

Hope you are doing pretty good?

Today's post is supposed to be a quick one.


I am going to start with a real-case scenario. I was working for an Enterprise Managed Services (EMS) provider, and because EMS supports multiple customers, you end up with a bunch of environments, credentials and diagrams that make your life a lot harder whenever you need to jump on a server to troubleshoot something. This tough task can be easier if you are able to leverage AWS Systems Manager in your environment. What Systems Manager allows you to do is, basically, access a shell on a machine without having to RDP or SSH to it, keep an inventory of your fleet and, one of the coolest features, run commands/scripts against multiple servers at once, again without even knowing a username or password.

My assignment was to identify which servers were still configured to use a DNS server that we were going to decommission. The challenge was that not all servers were part of a trusted domain. We had a combination of workgroup machines, non-trusted machines, etc.
Simply using PowerShell to do this would be very challenging, because credentials would be a problem across all those servers. Here is where AWS Systems Manager comes into play.

The prerequisites to install and set up AWS Systems Manager can be found here: SSM

I ain't going over the steps today. I will just show you in my lab, how it works.

For this, we will need these "ingredients":

1) Your environment in AWS cloud;
2) A few Windows servers in AWS cloud;
3) A document created with the instructions to be executed on the target servers;
4) Two tags (PROD and NON-PROD) that will be attached to the servers.


Alright, if you haven't checked my other post yet (My other post), I strongly recommend you check it out, as it can help you a lot in quickly setting up your cloud environment. Otherwise, if you already have your own environment, just move on to the next step.

In my cloud lab, I have 6 Windows servers, of which 4 are PROD and 2 are NON_PROD. Because one non_prod server isn't able to reach the AWS Systems Manager endpoints, it can't be managed. That's why you will only see one server in the non_prod resource group. I've tagged them to make it easier for me to target the systems I will run the script against. The goal here is to find out whether the DNS server that will be deco'ed is still being used, so we can address this later.






I have created two resource groups, one for PROD servers and another for NON_PROD and populated them with respective servers.


Here I see a few instances showing up on my managed instances console:

That's good. Now that I have the instances ready for AWS Systems Manager and I have my resource groups, I just need a document which contains the script that I will run against these servers.

Here it is :


Don't worry about the parameters block. Since this is a lab, the information there does not accurately reflect what the document does. The most important thing here is to understand which command will give us the DNS server configuration.

The full command is :

Get-DnsClientServerAddress | Select-Object -ExpandProperty ServerAddresses | findstr /b /r /c:"1" /c:"2" /c:"3" /c:"4" /c:"5" /c:"6" /c:"7" /c:"8" /c:"9"

I am leveraging "findstr" to narrow the results down to IPv4 addresses only (lines that begin with a digit). Without this, you will also see IPv6 output, which I don't need for now.

Alright, so the IP address I am looking for is 192.168.0.2. This is the DNS server that is going to be deco'ed. I will start with non_prod.

Go to the AWS console and open Systems Manager.


Then go to Documents and find the document you are going to use:
Open the document and click on "Run command".
Next, you will choose the targets. Here is the cool thing about resource groups: you can target a set of machines and have the script run against all of them.
You have a few options, like writing the output to S3, error control, how many machines you want to run it on concurrently, etc.
Click on "Run".
For non-prod I only have one server.
Once it is done, I can click on it and see the result.
Here I see the script ran without errors, and here is the result:
B I N G O ! I see 192.168.0.2 is there. So, this is one server where I have to make sure this address is replaced before the DNS server is deco'ed.

Now, let's check the PROD servers

I have 4 PROD servers and all of them succeeded.

Out of these 4, two happen to have 192.168.0.2 as a DNS server.



Just to be clear, the script does three things:
  • Outputs any service that is set to start automatically but is stopped;
  • Outputs the server name;
  • and finally, which DNS servers are set.
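As an added example (not the post's own document, which is only shown as a screenshot), here is one way to build that Command document with AWS Tools for PowerShell, run it against the NON_PROD resource group, and collect the output. It assumes the AWS.Tools.SimpleSystemsManagement module is installed and that your credentials allow ssm:CreateDocument, ssm:SendCommand and ssm:ListCommandInvocations; the document name "Check-DnsServer" and the step name are my own choices.

```powershell
# Added example: create the SSM Command document, run it against a resource group,
# and read the per-instance output. Assumes AWS.Tools.SimpleSystemsManagement.
Import-Module AWS.Tools.SimpleSystemsManagement

# Script that runs on each target. {{ DnsServer }} is an SSM parameter placeholder,
# substituted by Systems Manager when the command is sent.
$script = @'
$target = "{{ DnsServer }}"
"Server: $env:COMPUTERNAME"
"Automatic services that are stopped:"
Get-Service | Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -eq 'Stopped' } |
    ForEach-Object { "  $($_.Name)" }
# IPv4 only, so the IPv6 entries the post filters out with findstr never appear
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object -ExpandProperty ServerAddresses | Sort-Object -Unique
"DNS servers: $($dns -join ', ')"
if ($dns -contains $target) { "RESULT: uses $target - change it before decommission" }
else { "RESULT: does not use $target" }
'@

# schemaVersion 2.2 Command document with one aws:runPowerShellScript step
$document = @{
    schemaVersion = '2.2'
    description   = 'Report stopped automatic services, hostname and DNS client servers'
    parameters    = @{
        DnsServer = @{ type = 'String'; default = '192.168.0.2'
                       description = 'DNS server that is being decommissioned' }
    }
    mainSteps     = @(@{
        action = 'aws:runPowerShellScript'
        name   = 'checkDnsServers'
        inputs = @{ runCommand = @($script -split "`r?`n") }
    })
} | ConvertTo-Json -Depth 6

New-SSMDocument -Name 'Check-DnsServer' -DocumentType Command -DocumentFormat JSON -Content $document

# Target the NON_PROD resource group, as in the console walkthrough; cap concurrency
# and stop on the first error, which are the same knobs the Run Command page exposes.
$cmd = Send-SSMCommand -DocumentName 'Check-DnsServer' `
    -Target @{ Key = 'resource-groups:Name'; Values = 'NON_PROD' } `
    -Parameter @{ DnsServer = '192.168.0.2' } -MaxConcurrency '2' -MaxError '0'

# Poll until every invocation has left Pending/InProgress, then print each instance's output
do { Start-Sleep -Seconds 5; $inv = Get-SSMCommandInvocation -CommandId $cmd.CommandId -Detail $true }
while ($inv.Status -contains 'InProgress' -or $inv.Status -contains 'Pending')
$inv | ForEach-Object { "== $($_.InstanceId) [$($_.Status)]"; $_.CommandPlugins.Output }
```

Swapping the Values entry for 'PROD' runs the same document against the PROD group; the RESULT line per instance is what tells you which servers still point at 192.168.0.2.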


There you go, folks! These servers are part of a workgroup, and I was able to run a PowerShell script without having to RDP or having any credentials other than AWS Systems Manager access.

This is a very cool feature that can be used to fix a lot of small issues, such as restarting a service that got stuck on a server, checking if a given KB has been installed, checking TCP/IP configuration, etc. Just have a document created and run it against the servers of your choice, and that's it!!

I hope this has been useful for you and I'd like to thank you for reading it.

See you next time !!!




