Install Software Using AWS SSM
  • 25 May 2022
  • 3 Minutes to read
  • Dark
    Light
  • PDF

Install Software Using AWS SSM

  • Dark
    Light
  • PDF

The Install Software Using AWS SSM action installs software on Amazon Web Services (AWS) instances that are the result of the saved query supplied as a trigger (or devices selected in the asset table).

To configure Install Software Using AWS SSM, from the Action Library, click Manage AWS Services, and then click Install Software Using AWS SSM.

Connection Settings

  1. Use stored credentials from the Amazon Web Services (AWS) adapter (required, default: False) - Select this option to use the first connected AWS adapter credentials.
NOTE
  • To use this option, you must successfully configure a AWS Amazon Web Services (AWS) adapter connection.
  • The user name and the password used for the adapter connection must have the Required Permissions to install software on assets.
  1. AWS Access Key ID (optional) - Provide AWS Access Key ID or choose to use EC2 instance attached IAM role.
  2. AWS Access Key Secret (optional) - Provide AWS Access Key Secret or choose to use EC2 instance attached IAM role.
  3. Use Attached IAM Role (optional) - Use the IAM Role configured for the Amazon Web Services (AWS) adapter.
  4. Role ARN to assume (optional) – A file with role-ARNs which the AWS Adapter will try to assume for cross-account access with the single IAM user. Two available formats:
    • List of comma-delimited role-ARNs
    arn:aws:iam::111111111111:role/axonius-role, arn:aws:iam::222222222222:role/axonius-role
    
    • JSON format - list of dictionaries that define each role.
      • external_id is only supported in the JSON format
      • The external_id can be different for every role in the list.
    [
        {"arn": "arn:aws:iam::111111111111:role/axonius-role"},
        {"arn": "arn:aws:iam::222222222222:role/axonius-role", "external_id": "MY-SECRET"}
    ]
    
  5. External ID (optional) - Use the External ID configured for the Amazon Web Services (AWS) adapter.
  6. MFA Serial Number (optional) - The AWS MFA Serial Number configured for the Amazon Web Services (AWS) adapter.
  7. MFA Secret Key (optional) - The The AWS MFA Secret Key configured for the Amazon Web Services (AWS) adapter.
  8. Verify SSL (required) - Verify the SSL certificate offered by the host supplied in Service Desk domain. For more details, see SSL Trust & CA Settings.
    • If enabled, the SSL certificate offered by the host will be verified against the CA database inside of Axonius. If it fails validation, the connection will fail with an error.
    • If disabled, the SSL certificate offered by the host will not be verified against the CA database inside of Axonius.
  9. HTTPS proxy (optional) - A proxy to use when connecting to the value supplied in Host Name or IP Address.
    • When supplied, Axonius uses the proxy when connecting to the value supplied in Host Name or IP Address.
    • When not supplied, Axonius connects directly to the value supplied in Host Name or IP Address.
  10. HTTPS proxy user name (optional) - The user name to use when connecting to the value supplied in Host Name or IP Address via the value supplied in HTTPS Proxy.
    • When supplied, Axonius authenticates with this value when connecting to the value supplied in HTTPS Proxy.
    • When not supplied, Axonius does not perform authentication when connecting to the value supplied in HTTPS Proxy.
  11. HTTPS proxy password (optional) - The password to use when connecting to the value supplied in Host Name or IP Address via the value supplied in HTTPS Proxy.
    • When supplied, Axonius authenticates with this value when connecting to the value supplied in HTTPS Proxy.
    • When not supplied, Axonius does not perform authentication when connecting to the value supplied in HTTPS Proxy.
  12. SSM Document Name (required, string, default: AWS-ConfigureAWSPackage) - The document name to run in SSM to install an application.
  13. Package Name (same account) or Package ARN (external account) (required) - The package to install. It can be the name of the package if the package is in the same AWS account as the devices or package ARN if the package is in a different AWS account.

APIs

Axonius uses the Amazon SDK for Python (Boto3).

Required Ports

Axonius must be able to communicate with the value supplied in Connection Settings via the following ports:

  • TCP port 443

Required Permissions

The values supplied in AWS Access Key ID and AWS Access Key Secret or the EC2 instance (Axonius installed on) attached IAM role account must have permissions to install software on instances:

  • Register Task with Maintenance Window - Requires ssm:CreateAssociation permission.

This permission must be added to a policy attached to relevant IAM user account.
For details on creating an IAM user and attaching policies, see Connecting the Amazon Web Services (AWS) Adapter.

Version Matrix

This adapter has only been tested with the versions marked as supported, but may work with other versions. Please contact Axonius Support if you have a version that is not listed and it is not functioning as expected.

Version Supported Notes
AWS SDK for Python (Boto3) Yes

To learn more about configuring Enforcement Sets, see Configuring Enforcement Sets.


First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.