
Manage AWS with PowerShell Series 01

Manage AWS with PowerShell Series: #01 - IAM Role Attachments to EC2 Instances Using PowerShell

In managing cloud infrastructure, especially in environments as dynamic and expansive as AWS, automation is not just a convenience but a necessity. It streamlines processes, reduces manual intervention, and enhances overall system reliability. One area where automation plays a crucial role is in managing IAM (Identity and Access Management) roles for EC2 instances.

In this blog post, we'll delve into how PowerShell scripting can be leveraged within the AWS CloudShell environment to automate the attachment of an IAM policy to a fleet of EC2 instances. Specifically, we'll explore a scenario where we attach the "AmazonSSMReadOnlyAccess" policy to a set of Windows EC2 instances.

Introduction to PowerShell in AWS CloudShell

AWS CloudShell provides a browser-based shell environment that allows users to manage AWS resources directly from the AWS Management Console. It comes pre-configured with commonly used tools, including the AWS CLI (Command Line Interface) and PowerShell. This makes it an excellent platform for automating tasks and managing AWS resources without the need for local installations or configurations.

PowerShell, a versatile scripting language developed by Microsoft, is particularly well suited to interacting with AWS services through the AWS CLI: cmdlets (command-lets) such as ConvertFrom-Json, Select-Object and Where-Object turn the CLI's JSON output into objects that can be filtered and fed back into further CLI calls, which makes it an ideal choice for automating administrative tasks.

Understanding the Script

Let's break down the PowerShell script provided in the scenario:

# Inventory every instance, then keep only the running Windows ones.
# pwsh 7 (the PowerShell shipped in CloudShell) collects the CLI's multi-line output before parsing it;
# Windows PowerShell 5.1 would need the lines joined into one string first.
$inventory = (((aws ec2 describe-instances | ConvertFrom-Json).Reservations).Instances) | `
    Select-Object -Property @{Name="Name"; Expression={ ($_.Tags | ?{$_.Key -eq "Name"}).Value }}, `
    InstanceId, PlatformDetails, @{Name="Status"; Expression={$_.State.Name}}, @{Name="ARN"; E={$_.IamInstanceProfile.Arn}}, `
    @{Name="IAM-ID"; E={$_.IamInstanceProfile.Id}} | ?{$_.Status -eq "running" -and $_.PlatformDetails -like "*Windows*"}

# Reduce the list to unique instance profile names (the part of the profile ARN after '/')
# and drop instances that have no instance profile at all.
$inventory = ($inventory | Select-Object @{N="ARN"; E={ ($_.ARN -split '/')[1] }}, IAM-ID -Unique) | `
    Where-Object {$_.ARN -ne $null}

$policyArn = "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"

foreach($i in $inventory.ARN){
    # An instance profile name is not guaranteed to equal the role name, so resolve the role(s)
    # contained in the profile before attaching the policy.
    $roles = (aws iam get-instance-profile --instance-profile-name $i | ConvertFrom-Json).InstanceProfile.Roles
    foreach($r in $roles.RoleName){
        aws iam attach-role-policy --policy-arn $policyArn --role-name $r
        if ($LASTEXITCODE -eq 0) { "ssm was added to role $r (instance profile $i)" }
        else { Write-Warning "attach-role-policy failed for role $r (instance profile $i)" }
    }
}

Script Explanation:

  • Describing EC2 Instances: The script starts by describing EC2 instances using the aws ec2 describe-instances command. The JSON output is converted into PowerShell objects using ConvertFrom-Json.
  • Selecting Relevant Properties: The script selects specific properties of the EC2 instances, including Name, InstanceId, PlatformDetails, Status, ARN, and IAM-ID, and keeps only running Windows instances.
  • Filtering Unique ARNs: It reduces the list to unique instance profile names (taken from the instance profile ARN) and discards instances that have no instance profile.
  • Defining the IAM Policy ARN: The ARN of the IAM policy to be attached, "AmazonSSMReadOnlyAccess", is defined.
  • Attaching Policy to Instances: Using a foreach loop, the script iterates over the instance profile names in the inventory and attaches the specified IAM policy with the aws iam attach-role-policy command. Note that the policy is attached to the IAM role, not to the instance: every instance that shares that role, Windows or not, gains the permission.
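The script above attaches unconditionally and reports success before the CLI call has run. The following is an added example, not code from the original post, that first audits which roles behind running Windows instances already carry the policy and then attaches it only where it is missing, with a -DryRun switch that reports without changing anything. The function names (Get-WindowsInstanceRoles, Test-RolePolicyAttached) and the script name used in the usage note are assumptions; the AWS CLI commands and their JSON fields are the documented ones.

```powershell
# Added example (not part of the original post). Audit, then attach only where missing.
# Usage: ./Audit-SsmPolicy.ps1 -DryRun   (report only)
#        ./Audit-SsmPolicy.ps1           (attach where missing)
param(
    [string]$PolicyArn = "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess",
    [switch]$DryRun
)

function Get-WindowsInstanceRoles {
    # One object per (instance, role) pair for running Windows instances.
    # The describe-instances filters do server-side what the original script did with Where-Object.
    $instances = (aws ec2 describe-instances `
        --filters "Name=instance-state-name,Values=running" "Name=platform,Values=windows" |
        ConvertFrom-Json).Reservations.Instances
    $profileCache = @{}   # instance profile name -> role names, so each profile is resolved once
    foreach ($inst in $instances) {
        if (-not $inst.IamInstanceProfile) {
            [pscustomobject]@{ InstanceId = $inst.InstanceId; Profile = $null; Role = $null; Note = "no instance profile" }
            continue
        }
        # Last ARN segment is the profile name even when the profile has a path.
        $profileName = ($inst.IamInstanceProfile.Arn -split '/')[-1]
        if (-not $profileCache.ContainsKey($profileName)) {
            $profileCache[$profileName] = (aws iam get-instance-profile --instance-profile-name $profileName |
                ConvertFrom-Json).InstanceProfile.Roles.RoleName
        }
        foreach ($role in $profileCache[$profileName]) {
            [pscustomobject]@{ InstanceId = $inst.InstanceId; Profile = $profileName; Role = $role; Note = "" }
        }
    }
}

function Test-RolePolicyAttached([string]$RoleName, [string]$PolicyArn) {
    # True when the managed policy is already attached to the role (the CLI paginates for us).
    $attached = (aws iam list-attached-role-policies --role-name $RoleName | ConvertFrom-Json).AttachedPolicies
    return [bool]($attached | Where-Object { $_.PolicyArn -eq $PolicyArn })
}

$rows = Get-WindowsInstanceRoles
$rows | Format-Table -AutoSize

# Roles are shared between instances, so act on the unique set of role names.
$roles = $rows | Where-Object { $_.Role } | Select-Object -ExpandProperty Role -Unique
foreach ($role in $roles) {
    if (Test-RolePolicyAttached $role $PolicyArn) {
        "already attached: $role"
    } elseif ($DryRun) {
        "would attach $PolicyArn to $role"
    } else {
        aws iam attach-role-policy --role-name $role --policy-arn $PolicyArn
        if ($LASTEXITCODE -eq 0) { "attached: $role" } else { Write-Warning "attach-role-policy failed for $role" }
    }
}
```

Running it with -DryRun first gives a table of instance, profile and role, including instances with no profile that the original script silently skips, and a list of the roles that would actually change. Because the change is made per role rather than per instance, the table also shows which other instances inherit the new permission through a shared role.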