AWS prescriptive-guidance documentation change
Summary
Updated documentation URLs to include double slashes after domain names and made minor terminology clarifications (e.g., 'AWS VPN' to 'Site-to-Site VPN', 'Auto Scaling group' to 'Amazon EC2 Auto Scaling group').
Security assessment
The changes primarily fix URL formatting and clarify terminology. There is no evidence of addressing security vulnerabilities or introducing new security features. References to IAM roles, temporary credentials, and AWS PrivateLink reiterate existing security best practices but do not add new security documentation.
Diff
diff --git a/prescriptive-guidance/latest/implementing-logging-monitoring-cloudwatch/install-cloudwatch-systems-manager.md b/prescriptive-guidance/latest/implementing-logging-monitoring-cloudwatch/install-cloudwatch-systems-manager.md index a67dd4441..9d1de0ef6 100644 --- a//prescriptive-guidance/latest/implementing-logging-monitoring-cloudwatch/install-cloudwatch-systems-manager.md +++ b//prescriptive-guidance/latest/implementing-logging-monitoring-cloudwatch/install-cloudwatch-systems-manager.md @@ -19 +19 @@ Amazon Linux 2 is nearing end of support. For more information, see the [Amazon - * An IAM role or credentials that have the [required CloudWatch and Systems Manager permissions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent.html) must be attached to the EC2 instance or defined in the credentials file for an on-premises server. For example, you can create an IAM role that includes the AWS managed policies: `AmazonSSMManagedInstanceCore` for Systems Manager and `CloudWatchAgentServerPolicy` for CloudWatch. You can use the [ssm-cloudwatch-instance-role.yaml](https://github.com/aws-samples/logging-monitoring-apg-guide-examples/blob/main/ssm-cloudwatch-instance-role.yaml) CloudFormation template to deploy an IAM role and instance profile that includes both of these policies. This template can also be modified to include other standard IAM permissions for your EC2 instances. For on-premises servers or VMs, should configure the CloudWatch agent to use the [Systems Manager service role](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-service-role.html) that was configured for the on-premises server. For more information about this, see [How can I configure on-premises servers that use Systems Manager Agent and the unified CloudWatch agent to use only temporary credentials?](https://aws.amazon.com/premiumsupport/knowledge-center/cloudwatch-on-premises-temp-credentials/) in the AWS Knowledge Center. + * An IAM role or credentials that have the [required CloudWatch and Systems Manager permissions](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent.html) must be attached to the EC2 instance or defined in the credentials file for an on-premises server. For example, you can create an IAM role that includes the AWS managed policies: `AmazonSSMManagedInstanceCore` for Systems Manager and `CloudWatchAgentServerPolicy` for CloudWatch. You can use the [ssm-cloudwatch-instance-role.yaml](https://github.com/aws-samples/logging-monitoring-apg-guide-examples/blob/main/ssm-cloudwatch-instance-role.yaml) CloudFormation template to deploy an IAM role and instance profile that includes both of these policies. This template can also be modified to include other standard IAM permissions for your EC2 instances. For on-premises servers or VMs, should configure the CloudWatch agent to use the [Systems Manager service role](https://docs.aws.amazon.com//systems-manager/latest/userguide/sysman-service-role.html) that was configured for the on-premises server. For more information about this, see [How can I configure on-premises servers that use Systems Manager Agent and the unified CloudWatch agent to use only temporary credentials?](https://aws.amazon.com//premiumsupport/knowledge-center/cloudwatch-on-premises-temp-credentials/) in the AWS Knowledge Center. @@ -50 +50 @@ However, you should also consider the following three areas before you choose th -You can use [Systems Manager Quick Setup](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-quick-setup.html) to quickly configure Systems Manager features, including automatically installing and updating the CloudWatch agent on your EC2 instances. The Quick Setup deploys an CloudFormation stack that deploys and configures Systems Manager resources based on your choices. +You can use [Systems Manager Quick Setup](https://docs.aws.amazon.com//systems-manager/latest/userguide/systems-manager-quick-setup.html) to quickly configure Systems Manager features, including automatically installing and updating the CloudWatch agent on your EC2 instances. The Quick Setup deploys an CloudFormation stack that deploys and configures Systems Manager resources based on your choices. @@ -101 +101 @@ Instead of using Quick Setup, you can use CloudFormation to configure Systems Ma -The Quick Setup feature also uses CloudFormation and creates a CloudFormation stack set to deploy and configure Systems Manager resources based on your choices. Before you can use CloudFormation stack sets, you must create the IAM roles used by CloudFormation StackSets to support deployments across multiple accounts or Regions. Quick Setup creates the roles it requires to support multi-Region or multi-account deployments with CloudFormation StackSets. You must complete the prerequisites for CloudFormation StackSets if you want to configure and deploy Systems Manager resources in multiple Regions or multiple accounts from a single account and Region. For more information about this, see [Prerequisites for stack set operations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html) in the CloudFormation documentation. +The Quick Setup feature also uses CloudFormation and creates a CloudFormation stack set to deploy and configure Systems Manager resources based on your choices. Before you can use CloudFormation stack sets, you must create the IAM roles used by CloudFormation StackSets to support deployments across multiple accounts or Regions. Quick Setup creates the roles it requires to support multi-Region or multi-account deployments with CloudFormation StackSets. You must complete the prerequisites for CloudFormation StackSets if you want to configure and deploy Systems Manager resources in multiple Regions or multiple accounts from a single account and Region. For more information about this, see [Prerequisites for stack set operations](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html) in the CloudFormation documentation. @@ -149 +149 @@ Use the following steps to deploy the [AWS-QuickSetup-SSMHostMgmt.yaml](https:// -If you are using multiple accounts and Regions, then you can deploy the [AWS-QuickSetup-SSMHostMgmt.yaml](https://github.com/aws-samples/logging-monitoring-apg-guide-examples/tree/main/custom_ssm_setup) CloudFormation template as a stack set. You must complete the [CloudFormation StackSet prerequisites](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html) before using stack sets. The requirements vary depending on whether you are deploying stack sets with [**self-managed** or **service-managed** permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html). +If you are using multiple accounts and Regions, then you can deploy the [AWS-QuickSetup-SSMHostMgmt.yaml](https://github.com/aws-samples/logging-monitoring-apg-guide-examples/tree/main/custom_ssm_setup) CloudFormation template as a stack set. You must complete the [CloudFormation StackSet prerequisites](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html) before using stack sets. The requirements vary depending on whether you are deploying stack sets with [**self-managed** or **service-managed** permissions](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html). @@ -190 +190 @@ The CloudWatch agent for on-premises servers and VMs is installed and configured -**Point the CloudWatch agent to the same temporary credentials used for Systems Manager.** | When you set up Systems Manager in a hybrid environment that includes on-premises servers, you can activate Systems Manager with an IAM role. You should use the role created for your EC2 instances that includes the `CloudWatchAgentServerPolicy` and `AmazonSSMManagedInstanceCore` policies. This results in the Systems Manager agent retrieving and writing temporary credentials to a local credentials file. You can point your CloudWatch agent configuration to the same file. You can use the process from [Configure on-premises servers that use Systems Manager agent and the unified CloudWatch agent to use only temporary credentials](https://aws.amazon.com/premiumsupport/knowledge-center/cloudwatch-on-premises-temp-credentials/) in the AWS Knowledge Center. You can also automate this process by defining a separate Systems Manager Automation runbook and State Manager association, and targeting your on-premises instances with tags. When you create an [Systems Manager activation](https://docs.aws.amazon.com/systems-manager/latest/userguide/hybrid-activation-managed-nodes.html) for your on-premises instances, you should include a tag that identifies the instances as on-premises instances. +**Point the CloudWatch agent to the same temporary credentials used for Systems Manager.** | When you set up Systems Manager in a hybrid environment that includes on-premises servers, you can activate Systems Manager with an IAM role. You should use the role created for your EC2 instances that includes the `CloudWatchAgentServerPolicy` and `AmazonSSMManagedInstanceCore` policies. This results in the Systems Manager agent retrieving and writing temporary credentials to a local credentials file. You can point your CloudWatch agent configuration to the same file. You can use the process from [Configure on-premises servers that use Systems Manager agent and the unified CloudWatch agent to use only temporary credentials](https://aws.amazon.com//premiumsupport/knowledge-center/cloudwatch-on-premises-temp-credentials/) in the AWS Knowledge Center. You can also automate this process by defining a separate Systems Manager Automation runbook and State Manager association, and targeting your on-premises instances with tags. When you create an [Systems Manager activation](https://docs.aws.amazon.com/systems-manager/latest/userguide/hybrid-activation-managed-nodes.html) for your on-premises instances, you should include a tag that identifies the instances as on-premises instances. @@ -192 +192 @@ The CloudWatch agent for on-premises servers and VMs is installed and configured -**Consider using accounts and Regions that have VPN or Direct Connect access and AWS PrivateLink.** | You can use AWS Direct Connect or AWS Virtual Private Network (AWS VPN) to establish private connections between on-premises networks and your virtual private cloud (VPC). AWS PrivateLink establishes a private connection to CloudWatch Logs with an interface VPC endpoint. This approach is useful if you have restrictions that prevent data being sent over the public internet to a public service endpoint. +**Consider using accounts and Regions that have VPN or Direct Connect access and AWS PrivateLink.** | You can use AWS Direct Connect or AWS Virtual Private Network (Site-to-Site VPN) to establish private connections between on-premises networks and your virtual private cloud (VPC). AWS PrivateLink establishes a private connection to CloudWatch Logs with an interface VPC endpoint. This approach is useful if you have restrictions that prevent data being sent over the public internet to a public service endpoint. @@ -197 +197 @@ The CloudWatch agent for on-premises servers and VMs is installed and configured -EC2 instances are temporary, or _ephemeral_ , if they are provisioned by Amazon EC2 Auto Scaling, Amazon EMR, [Amazon EC2 Spot Instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-spot-instances.html), or AWS Batch. Ephemeral EC2 instances can cause a very large number of CloudWatch streams under a common log group without additional information on their runtime origin. +EC2 instances are temporary, or _ephemeral_ , if they are provisioned by Amazon EC2 Auto Scaling, Amazon EMR, [Amazon EC2 Spot Instances](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/using-spot-instances.html), or AWS Batch. Ephemeral EC2 instances can cause a very large number of CloudWatch streams under a common log group without additional information on their runtime origin. @@ -199 +199 @@ EC2 instances are temporary, or _ephemeral_ , if they are provisioned by Amazon -If you use ephemeral EC2 instances, consider adding additional dynamic contextual information in the log group and log stream names. For example, you can include the Spot Instance request ID, Amazon EMR cluster name, or Auto Scaling group name. This information can vary for newly launched EC2 instances and you might have to retrieve and configure it at runtime. You can do this by writing a CloudWatch agent configuration file at boot and restarting the agent to include the updated configuration file. This enables delivery of logs and metrics to CloudWatch using dynamic runtime information. +If you use ephemeral EC2 instances, consider adding additional dynamic contextual information in the log group and log stream names. For example, you can include the Spot Instance request ID, Amazon EMR cluster name, or Amazon EC2 Auto Scaling group name. This information can vary for newly launched EC2 instances and you might have to retrieve and configure it at runtime. You can do this by writing a CloudWatch agent configuration file at boot and restarting the agent to include the updated configuration file. This enables delivery of logs and metrics to CloudWatch using dynamic runtime information.