AWS devopsagent medium security documentation change
Summary
Enhanced test environment setup with VPC/subnet parameters, SSM IAM role, and security group improvements.
Security assessment
Adds mandatory SSM IAM role (AmazonSSMManagedInstanceCore) which enables secure instance access without SSH keys. Corrects security group attachment method (!GetAtt) which prevents misconfiguration risks.
Diff
diff --git a/devopsagent/latest/userguide/getting-started-with-aws-devops-agent-creating-a-test-environment.md b/devopsagent/latest/userguide/getting-started-with-aws-devops-agent-creating-a-test-environment.md index dcd26331f..491e34e22 100644 --- a//devopsagent/latest/userguide/getting-started-with-aws-devops-agent-creating-a-test-environment.md +++ b//devopsagent/latest/userguide/getting-started-with-aws-devops-agent-creating-a-test-environment.md @@ -18,0 +19,2 @@ This guide provides hands-on tests to validate AWS DevOps Agent’s incident res + * For the EC2 test: an existing VPC with at least one subnet in the region where you'll deploy. + @@ -111,0 +114,6 @@ We'll use CloudFormation to create our test resources, which allows AWS DevOps A + VpcId: + Type: AWS::EC2::VPC::Id + Description: ID of an existing VPC where the test instance will be launched. + SubnetId: + Type: AWS::EC2::Subnet::Id + Description: ID of an existing subnet within the selected VPC. Choose a subnet that routes to an internet gateway if you plan to connect via SSH. @@ -121 +128,0 @@ We'll use CloudFormation to create our test resources, which allows AWS DevOps A - GroupName: AWS-DevOpsAgent-test-sg @@ -122,0 +130 @@ We'll use CloudFormation to create our test resources, which allows AWS DevOps A + VpcId: !Ref VpcId @@ -144,0 +153,24 @@ We'll use CloudFormation to create our test resources, which allows AWS DevOps A + # IAM Role for Session Manager access + SSMInstanceRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: ec2.amazonaws.com + Action: sts:AssumeRole + ManagedPolicyArns: + - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore + Tags: + - Key: Name + Value: AWS-DevOpsAgent-Test-SSMRole + - Key: Purpose + Value: AWS-DevOpsAgent-Testing + # Instance profile wrapping the SSM role + SSMInstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Roles: + - !Ref SSMInstanceRole @@ -151,0 +184 @@ We'll use CloudFormation to create our test resources, which allows AWS DevOps A + SubnetId: !Ref SubnetId @@ -153 +186,3 @@ We'll use CloudFormation to create our test resources, which allows AWS DevOps A - - !Ref TestSecurityGroup + - !GetAtt TestSecurityGroup.GroupId + IamInstanceProfile: !Ref SSMInstanceProfile + InstanceInitiatedShutdownBehavior: terminate @@ -239 +274 @@ We'll use CloudFormation to create our test resources, which allows AWS DevOps A - Value: !Ref TestSecurityGroup + Value: !GetAtt TestSecurityGroup.GroupId @@ -263 +298,5 @@ We'll use CloudFormation to create our test resources, which allows AWS DevOps A - 1. **MyIP** : Leave as default `0.0.0.0/0` (you can secure this later if needed) + 1. **VpcId** : Select an existing VPC from the dropdown. + + 2. **SubnetId** : Select a subnet within the VPC you chose. For SSH access, the subnet must route to an internet gateway, and the instance must have a public IPv4 address associated. Otherwise, the `SSHCommand` output will be empty and SSH connections won't succeed. + + 3. **MyIP** : Leave as default `0.0.0.0/0` (you can secure this later if needed) @@ -292 +331,3 @@ Skip this step if you just want to run the automated test - 1. **Navigate to EC2 Security Groups** : + 1. **Locate the security group** : + + 1. In AWS Console, go to **CloudFormation** and select the `AWS-DevOpsAgent-EC2-Test` stack @@ -294 +335 @@ Skip this step if you just want to run the automated test - 1. In AWS Console, go to **EC2** → **Security Groups** + 2. Open the **Outputs** tab and copy the value of `SecurityGroupId` (starts with `sg-`) @@ -296 +337 @@ Skip this step if you just want to run the automated test - 2. Find`AWS-DevOpsAgent-test-sg` + 3. Go to **EC2** → **Security Groups** and paste the ID into the search bar to open the security group