Automating common administrative tasks to improve workload reliability and decrease potential risk is a common theme our consultants at Flux7 help our clients with. Doing so simplifies administration, encourages security through consistency and helps improve control over users and permissions. Amazon launched EC2 Run Command in October 2015 to help attain these benefits.
Specifically, EC2 Run Command provides a simple way of automating common administrative tasks like installing software or patches, running shell commands, performing operating system changes, managing local groups and users, altering configuration files and more in Windows instances. Two months later, in December 2015, they released the same feature for Linux instances.
Run Command allows users to execute commands at scale and provides visibility into the results, making it easy to manage instances. Run Command is accessible through the Commands page in the Amazon EC2 console or through the AWS CLI.
In May 2016, AWS updated the Run Command service to make it even better. Let’s walk through the new features:
- Document Management & Sharing
A command document is a JSON file that includes the information (description and explanation) about the command you want to run. If you have any command documents which you execute using EC2 Run Command, you can now manage and share them. This lowers the chance of errors and variability in your system.
By clicking on a document, you can examine its function and parameters before running it. You can also share it publicly or privately with other AWS accounts.
- Additional Predefined Commands
The Command document menu contains several predefined commands, along with any custom commands that users have created for their accounts:
AWS-RunShellScript to run shell scriptsAWS-UpdateSSMAgent to update the Amazon SSM agentWindowsAWS-JoinDirectoryServiceDomain to join an AWS Directory
AWS-RunPowerShellScript to run PowerShell commands or scripts
AWS-UpdateEC2Config to update the EC2Config service
AWS-ConfigureWindowsUpdate to configure Windows Update settings
AWS-InstallApplication to install, repair, or uninstall software using an MSI package
AWS-InstallPowerShellModule to install PowerShell modules
AWS-ConfigureCloudWatch to configure Amazon CloudWatch Logs to monitor applications and systemsHowever, many AWS customers use Run Command to maintain and administer EC2 instances that are running Microsoft Windows. Therefore, AWS has added four new commands designed to simplify and streamline some common operations:
AWS-ListWindowsInventory to collect information about an EC2 instance running in Windows.AWS-FindWindowsUpdates to scan an instance and determine which updates are missing.AWS-InstallMissingWindowsUpdates to install missing updates on your EC2 instance.AWS-InstallSpecificWindowsUpdates to install one or more specific updates.
- Linux Open Source SSM Agent
Run Command makes use of an agent (amazon-ssm-agent) that runs on each instance. The agent uses SSM documents. When you execute a command, the agent on the instance processes the document and configures the instance as specified.
amazon-ssm-agent is available for all Windows builds but for specific Linux distributions:
Amazon Linux AMI (64 bit) – 2015.09, 2015.03, 2014.09, and 2014.03.
Ubuntu Server (64 bit) – 14.04 LTS, 12.04 LTS
Red Hat Enterprise Linux (64 bit) – 7.x