Fix EC2 instance IAM profiles to allow traffic from SSM and CloudWatch agents
AWS Resource Type:
To identify all cost-saving opportunities for EC2 instances, CloudFix requires SSM and CloudWatch agents to run on each instance. This FF creates suitable IAM profiles to ensure the SSM and CloudWatch agents function correctly.
Criteria for identifying the opportunity:
The SSM and CloudWatch agents need IAM profiles to allow traffic from the EC2 instance to reach Systems Manager, EC2, CloudWatch Monitoring, SSM Messages, EC2 Messages, and S3.
This FF identifies an opportunity for an EC2 instance if the instance does not have an IAM role that allows this traffic.
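As an added illustration of the criteria above, and not CloudFix's own code, the following Python screens the policy documents attached to an instance's role for Allow statements covering each of the six services named; the service-prefix mapping, the role/profile ARN and the sample policy documents are assumptions, and Resource and Condition elements are deliberately ignored, so it is a coarse screen rather than a full IAM evaluation.

```python
import fnmatch

# Service prefixes implied by the page's list (Systems Manager, EC2, CloudWatch
# Monitoring, SSM Messages, EC2 Messages, S3). This mapping is an assumption.
REQUIRED_PREFIXES = {
    "Systems Manager": "ssm",
    "EC2": "ec2",
    "CloudWatch Monitoring": "cloudwatch",
    "SSM Messages": "ssmmessages",
    "EC2 Messages": "ec2messages",
    "S3": "s3",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _touches(action, prefix, whole_service_only):
    """Does one Action pattern cover the service? "*" and "ssm:*" always do; a
    single action such as "ssm:UpdateInstanceInformation" counts for Allow only."""
    if fnmatch.fnmatchcase(prefix + ":", action):  # probe matches "*" and "ssm:*"
        return True
    return not whole_service_only and action.startswith(prefix + ":")

def allowed_prefixes(policy_documents):
    """Service prefixes some Allow statement grants, minus services an explicit
    Deny blocks as a whole. Only Action is inspected (no Resource/Condition)."""
    allowed, denied = set(), set()
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            is_deny = stmt.get("Effect") == "Deny"
            for prefix in REQUIRED_PREFIXES.values():
                if any(_touches(a, prefix, is_deny) for a in actions):
                    (denied if is_deny else allowed).add(prefix)
    return allowed - denied

def missing_services(instance_profile_arn, policy_documents):
    """Services from the page's list that the instance role does not allow; an
    instance with no profile at all is missing every one of them."""
    if not instance_profile_arn:
        return sorted(REQUIRED_PREFIXES)
    have = allowed_prefixes(policy_documents)
    return sorted(n for n, p in REQUIRED_PREFIXES.items() if p not in have)

# Constructed sample policy documents (not from the page or from AWS).
AGENT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:*", "ssmmessages:*", "ec2messages:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["cloudwatch:PutMetricData", "ec2:DescribeTags"], "Resource": "*"},
]}
S3_READ = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}}

if __name__ == "__main__":
    PROFILE = "arn:aws:iam::123456789012:instance-profile/example"  # assumed ARN
    print(missing_services(PROFILE, [AGENT_POLICY]))           # ['S3']
    print(missing_services(PROFILE, [AGENT_POLICY, S3_READ]))  # []
```

In practice the policy documents would come from the role's inline and attached policies as returned by the IAM API; an empty result means the instance meets this FF's criteria, a non-empty one lists what the Fixer would have to grant.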
Potential savings (range in % on annual basis):
None - this FF does not directly save costs but will unlock cost-saving opportunities for other FFs.
What happens when the Fixer is executed?
The Fixer carries out the following steps.
If the EC2 instance does not have an attached IAM role:
If the EC2 instance already has an attached IAM role:
Is it possible to roll back once CloudFix implements the fixer?
There is no automated rollback, but the changes can be manually reversed using the IAM DeleteRolePolicy API to remove the new policies from the role.
Can CloudFix implement the fix automatically once I accept the recommendation?
Does this fix require downtime?