Fix EC2 instance IAM profiles to allow traffic from SSM and CloudWatch agents

Opportunity Name:

Fix EC2 instance IAM profiles to allow traffic from SSM and CloudWatch agents

AWS Resource Type:

AWS IAM

Opportunity Description:

To identify all cost-saving opportunities for EC2 instances, CloudFix requires SSM and CloudWatch agents to run on each instance. This FF creates suitable IAM profiles to ensure the SSM and CloudWatch agents function correctly.

Criteria for identifying the opportunity:

The SSM and CloudWatch agents need IAM profiles to allow traffic from the EC2 instance to reach Systems Manager, EC2, CloudWatch Monitoring, SSM Messages, EC2 Messages, and S3.

This FF identifies an opportunity for an EC2 instance if the instance does not have an IAM role that allows this traffic.

Potential savings (range in % on annual basis):

None - this FF does not directly save costs but will unlock cost-saving opportunities for other FFs.

What happens when the Fixer is executed?

The Fixer carries out the following steps.

If the EC2 instance does not have an attached IAM role:

  • Create an IAM role.
  • Attach the required policies to the role:
      • The AmazonSSMManagedInstanceCore policy grants the necessary permissions for the SSM agent.
      • The CloudWatchAgentServerPolicy policy grants the necessary permissions for the CloudWatch agent.
  • Attach the IAM role to the EC2 instance.

If the EC2 instance already has an attached IAM role:

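An added example, not CloudFix's own code, of the check and the Fixer steps above in Python against boto3 `ec2` and `iam` clients that the caller creates. It also covers the already-attached-role branch by attaching only the policies that are missing (an assumption, since the article does not spell that branch out), and the role name `cloudfix-agents-<instance id>` is an assumed naming convention.

```python
"""Detect an EC2 instance whose IAM role lacks the SSM / CloudWatch agent policies and plan the fix.
Added example; `ec2` and `iam` are boto3 clients created by the caller (e.g. boto3.client("iam"))."""
import json

# The two managed policies named in the article.
REQUIRED_POLICY_ARNS = (
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
    "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
)
# Trust policy letting the EC2 service assume the role (standard for instance roles).
EC2_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]})

def missing_policies(attached_policy_arns):
    """Required managed-policy ARNs that are not attached to the role."""
    attached = set(attached_policy_arns)
    return [arn for arn in REQUIRED_POLICY_ARNS if arn not in attached]

def current_role(ec2, iam, instance_id):
    """(role name, attached policy ARNs) for the instance; (None, []) if no profile is attached."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    profile = inst.get("IamInstanceProfile")
    if not profile:
        return None, []
    # The instance carries the *instance profile* ARN; the role is looked up through the profile.
    profile_name = profile["Arn"].rsplit("/", 1)[-1]
    roles = iam.get_instance_profile(InstanceProfileName=profile_name)["InstanceProfile"]["Roles"]
    role = roles[0]["RoleName"]
    attached = iam.list_attached_role_policies(RoleName=role)["AttachedPolicies"]
    return role, [p["PolicyArn"] for p in attached]

def plan_fix(instance_id, role_name, attached_policy_arns):
    """The Fixer's steps: create a role when none is attached, otherwise attach only what is missing."""
    if role_name is None:
        return {"role": f"cloudfix-agents-{instance_id}",  # assumed naming convention
                "create_role": True, "attach": list(REQUIRED_POLICY_ARNS)}
    return {"role": role_name, "create_role": False,
            "attach": missing_policies(attached_policy_arns)}

def apply_plan(ec2, iam, instance_id, plan):
    """Execute the plan with IAM/EC2 calls; a no-op when nothing is missing."""
    role = plan["role"]
    if plan["create_role"]:
        iam.create_role(RoleName=role, AssumeRolePolicyDocument=EC2_TRUST_POLICY)
        iam.create_instance_profile(InstanceProfileName=role)
        iam.add_role_to_instance_profile(InstanceProfileName=role, RoleName=role)
    for arn in plan["attach"]:
        iam.attach_role_policy(RoleName=role, PolicyArn=arn)
    if plan["create_role"]:
        ec2.associate_iam_instance_profile(IamInstanceProfile={"Name": role}, InstanceId=instance_id)
```

A freshly created instance profile can take a few seconds to become visible to EC2, so `associate_iam_instance_profile` may need a short retry after `create_instance_profile`.
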
Is it possible to roll back once CloudFix implements the fixer?

There is no automated rollback, but the changes can be manually reversed using the IAM DeleteRolePolicy API to remove the new policies from the role.

Can CloudFix implement the fix automatically once I accept the recommendation?

Yes.

Does this fix require downtime?

No.

Additional Resources:
