Implementing Infrastructure as Code & Automating a Security Agent Installation

Anurag Chawla
6 min read · May 31, 2023


In this real-world scenario, you act as a DevSecOps engineer who has been asked to deploy a set of EC2 instances in an automated way (Infrastructure as Code). As part of the DevSecOps team, you also need to install a security agent on all of these EC2 instances.

Cloud Project — AWS Provider with Services and Technologies

For this, use Terraform, one of the tools for provisioning cloud resources with code.

Once the infrastructure is provisioned, you will use AWS Systems Manager. Its Run Command component will be used to install the security agent in an automated way, and Systems Manager will use Amazon Simple Notification Service (SNS) to send email about the status of the process.

Solution Architecture — Infrastructure as Code & Automation of the Security Agent Installation using AWS Systems Manager and Amazon Simple Notification Service

To deploy a set of EC2 instances with Terraform and use AWS Systems Manager together with Amazon Simple Notification Service (SNS) for the automated installation of the security agent, follow these steps:

Install and set up Terraform: Download and install Terraform from the official website (https://www.terraform.io/), following the installation instructions for your operating system.

Configure AWS credentials: Set up your AWS credentials on your local machine, either as environment variables or through the AWS CLI with your access key and secret access key. Ensure that the credentials have sufficient permissions to create EC2 instances, SNS topics, and Systems Manager documents.

Create a Terraform configuration file: Create a new file with a .tf extension (e.g., main.tf) and define the necessary resources and configurations.

Terraform files — Configure the resources to deploy: securitygroup, webserver1, webserver2

In the AWS console, upload the Terraform files, then initialize, plan and apply the configuration: in your terminal, navigate to the directory containing the Terraform configuration file and run the following commands:

AWS Console — Inside the Terraform directory

Terraform initializes the required providers and dependencies and then prompts you to confirm the changes it will make. Review the proposed changes, type yes to confirm, and Terraform will provision the EC2 instances.
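The article's Terraform files are shown only as screenshots, so here is an added example (my own, not the author's files) of a shell script that writes a main.tf with the three resources the article names, securitygroup, webserver1 and webserver2, and then runs the init, plan and apply sequence. The region, AMI filter, instance type, security-group rules and Name tags are assumptions. The configuration also goes a little beyond the article: it leaves port 22 closed, because Session Manager replaces SSH, opens only the HTTPS egress the SSM Agent needs, and requires IMDSv2. Writing the file runs anywhere; applying it needs Terraform and AWS credentials.

```shell
#!/usr/bin/env sh
# Added example (not the article's own files). Writes a minimal Terraform
# configuration and runs init/plan/apply. Region, AMI filter, instance type
# and tag names are assumptions for illustration.
set -eu

# Write main.tf into the directory given as $1.
write_terraform_config() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/main.tf" <<'EOF'
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "us-east-1" # assumption
}

# Latest Amazon Linux 2023 image; SSM Agent is preinstalled, which Run Command needs.
data "aws_ami" "al2023" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["al2023-ami-2023*-x86_64"]
  }
}

# HTTP in only; no port 22, because Session Manager replaces SSH.
# HTTPS out so the SSM Agent can reach the Systems Manager endpoints.
resource "aws_security_group" "securitygroup" {
  name = "webserver-sg"
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "webserver1" {
  ami                    = data.aws_ami.al2023.id
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.securitygroup.id]
  metadata_options {
    http_tokens = "required" # IMDSv2 only
  }
  tags = { Name = "webserver1" }
}

resource "aws_instance" "webserver2" {
  ami                    = data.aws_ami.al2023.id
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.securitygroup.id]
  metadata_options {
    http_tokens = "required" # IMDSv2 only
  }
  tags = { Name = "webserver2" }
}
EOF
}

# Initialize, write a plan file, review it, then apply exactly that plan.
terraform_plan_apply() {
  dir="$1"
  ( cd "$dir" \
    && terraform init -input=false \
    && terraform plan -input=false -out=tfplan \
    && terraform show tfplan \
    && terraform apply -input=false tfplan )
}

# Number of resource blocks in a written configuration (a quick sanity check).
count_resources() {
  grep -c '^resource "' "$1/main.tf"
}

# Usage: sh provision.sh --apply ./terraform
if [ "${1:-}" = "--apply" ]; then
  write_terraform_config "${2:-./terraform}"
  terraform_plan_apply "${2:-./terraform}"
fi
```

Applying the saved plan file rather than running a bare `terraform apply` means what you reviewed is exactly what gets created, which is the same confirmation step the article describes, made explicit.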

EC2 Instances — Provisioning
Using Terraform — Creating EC2 instances
Using Terraform — Two EC2 instances created in 31 sec

The next step is to create a role, SystemsManagerToSNS, that allows SSM to call AWS services on your behalf.

Create the IAM role “SystemsManagerToSNS” with the “AmazonSNSFullAccess” policy:

Go to the AWS Management Console and navigate to the IAM service.

Click on “Roles” in the left sidebar and then click “Create role”.

Select “AWS service” as the trusted entity and choose “EC2” as the service that will use this role.

Attach the “AmazonSNSFullAccess” policy to the role.

Give the role a name, such as “SystemsManagerToSNS”, and click “Create role”.

Role — SystemsManagerToSNS created

Create the notification topic “DevOpsNotification” and copy the ARN:

Go to the AWS Management Console and navigate to the Amazon SNS service.

Click on “Topics” in the left sidebar and then click “Create topic”.

Provide a name for the topic, such as “DevOpsNotification”, and click “Create topic”.

Copy the ARN of the created topic, as you’ll need it later.

Amazon SNS — DevOpsNotification created

Create a subscription for email notifications:

Select the created topic, “DevOpsNotification”.

Click on “Create subscription”.

Choose “Email” as the protocol and enter your email address.

Click “Create subscription”. You will receive a confirmation email to verify your subscription.

Create Subscription — Step 1
Create Subscription — Step 2
Amazon SNS — Subscription created

Run the AWS Systems Manager Quick Setup:

Go to the AWS Management Console and navigate to the Systems Manager service.

Click on “Quick Setup” in the left sidebar.

Choose “Instances you select manually” as the target and click “Next”.

Review the configurations and click “Create association”.

Wait for the association to be created and ensure that the status shows “Success”.

Quick Setup — Select the current region
Quick Setup — Click Create
Quick Setup — Wait for success
Quick Setup — Configuration deployment status and association status: success
Quick Setup — Host Management success; the pending one will run after 30 minutes

Explore Session Manager by connecting through the browser-based shell (no SSH keys or open port 22 are needed):

In the Systems Manager console, click on “Session Manager” in the left sidebar.

Select the instances that were created by Terraform (if they don't appear, reboot the instances from the EC2 console).

Click “Start session” to open a browser-based shell on the instance.

Session Manager — Start Session

Execute “Run Command” to deploy the security agent installation:

In the Systems Manager console, click on “Run Command” in the left sidebar.

Click on “Run a command” and select “AWS-RunShellScript” as the command document.

Enter the following command parameters in the provided field:

Run Command — Select AWS-RunShellScript
Run Command — Select the instances
Run Command — Configure SNS notification

Choose the instances manually and select the instances created by Terraform.

Uncheck the option to write command output to an S3 bucket.

Enable SNS Notification and specify your email address to receive notifications.

Click on “Run”.

Check email notifications: You will receive email notifications from SNS about the status of the security agent installation on the instances. Monitor your inbox for these notifications.

Run Command — In progress
Email notification — Sent; first “In progress”, later “Success”
Run Command — Success
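The console steps above, from the IAM role through Run Command with an SNS notification, expressed with the AWS CLI as an added example that is not part of the original post. The region, topic and role names, the email address, the tag values used to target the instances, and the agent download URL and checksum are placeholders or assumptions; the Run Command parameters the article entered are visible only in its screenshot, so the script body here is a placeholder too. Two points differ deliberately from the console walkthrough: the role's trust policy names ssm.amazonaws.com rather than EC2, because Systems Manager is the service that assumes the role when it publishes command status to SNS on your behalf, and the inline policy grants sns:Publish on that one topic instead of attaching AmazonSNSFullAccess. The helper functions run offline; only deploy_agent talks to AWS.

```shell
#!/usr/bin/env sh
# Added example (not the article's own steps or code). Creates the SNS topic,
# the email subscription and the SystemsManagerToSNS role, then sends the
# AWS-RunShellScript command with SNS notifications enabled.
# Region, names, email address, URL and checksum are assumptions/placeholders.
set -eu

REGION="${AWS_REGION:-us-east-1}"                 # assumption
ROLE_NAME="SystemsManagerToSNS"
TOPIC_NAME="DevOpsNotification"
NOTIFY_EMAIL="${NOTIFY_EMAIL:-devops@example.com}" # placeholder

# Trust policy: Systems Manager (not EC2) assumes this role to publish
# Run Command status notifications to the topic on your behalf.
trust_policy_json() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ssm.amazonaws.com"},"Action":"sts:AssumeRole"}]}
EOF
}

# Least-privilege alternative to AmazonSNSFullAccess: publish to one topic only.
publish_policy_json() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sns:Publish","Resource":"%s"}]}\n' "$1"
}

# Parameters for AWS-RunShellScript. The download URL and checksum are
# placeholders; substitute the vendor's package and verify it before installing.
write_run_command_params() {
  cat > "$1" <<'EOF'
{
  "commands": [
    "set -e",
    "curl -fsSL -o /tmp/agent.rpm https://example.invalid/security-agent.rpm",
    "echo '<EXPECTED_SHA256>  /tmp/agent.rpm' | sha256sum -c -",
    "rpm -i /tmp/agent.rpm"
  ],
  "executionTimeout": ["600"]
}
EOF
}

# Build the send-command arguments as one string so they can be inspected
# (and tested) without calling AWS. Targets are the Name tags Terraform set.
send_command_args() {
  topic_arn="$1"
  role_arn="$2"
  params_file="$3"
  printf '%s %s %s %s %s\n' \
    "--region $REGION --document-name AWS-RunShellScript" \
    "--targets Key=tag:Name,Values=webserver1,webserver2" \
    "--service-role-arn $role_arn" \
    "--notification-config NotificationArn=$topic_arn,NotificationEvents=All,NotificationType=Command" \
    "--parameters file://$params_file"
}

# End-to-end: topic, subscription, role, policy, then the command itself.
deploy_agent() {
  work=$(mktemp -d)
  account_id=$(aws sts get-caller-identity --query Account --output text)
  topic_arn=$(aws sns create-topic --region "$REGION" --name "$TOPIC_NAME" \
                --query TopicArn --output text)
  aws sns subscribe --region "$REGION" --topic-arn "$topic_arn" \
      --protocol email --notification-endpoint "$NOTIFY_EMAIL"   # confirm via the email SNS sends
  trust_policy_json > "$work/trust.json"
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "file://$work/trust.json"
  publish_policy_json "$topic_arn" > "$work/publish.json"
  aws iam put-role-policy --role-name "$ROLE_NAME" \
      --policy-name PublishToDevOpsNotification \
      --policy-document "file://$work/publish.json"
  role_arn="arn:aws:iam::${account_id}:role/${ROLE_NAME}"
  write_run_command_params "$work/params.json"
  # Values contain no spaces, so word-splitting the argument string is safe here.
  # shellcheck disable=SC2046
  aws ssm send-command $(send_command_args "$topic_arn" "$role_arn" "$work/params.json")
}

# Usage: NOTIFY_EMAIL=you@example.com sh deploy_agent.sh --apply
if [ "${1:-}" = "--apply" ]; then
  deploy_agent
fi
```

NotificationEvents=All reproduces the In-progress and Success emails shown in the screenshots (Failed and TimedOut are included too); the same send-command call is what the console's Run Command form builds for you, and NotificationType=Command sends one notification per command rather than one per instance.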

By following these steps, you will be able to deploy EC2 instances using Terraform, install a security agent using AWS Systems Manager’s Run Command, and receive email notifications about the installation process through Amazon SNS.
