Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.1.2. Systems Manager Run Command for Remote Management

💡 First Principle: Systems Manager Run Command enables SysOps Administrators to securely and remotely execute commands or scripts on fleets of EC2 instances or on-premises servers, ensuring consistent management without direct SSH access.

Scenario: You need to install a new monitoring agent on 50 EC2 instances across different environments. Manually SSHing into each instance is time-consuming and opens unnecessary security risks.

Systems Manager Run Command is a capability of AWS Systems Manager that allows you to run shell commands, PowerShell commands, or Systems Manager Documents (SSM Documents) on a large fleet of instances. It provides a secure, auditable, and scalable way to manage your servers remotely.

Key Features of Systems Manager Run Command:
  • Secure Execution: Commands are executed securely without needing to open inbound SSH ports or use bastion hosts.
  • Remote Management: Execute commands on single instances, multiple instances (by tags, instance IDs), or entire Auto Scaling Groups.
  • Auditable: All command executions are logged in AWS CloudTrail.
  • SSM Documents: Define common actions (e.g., AWS-RunShellScript, AWS-InstallApplication) as reusable documents. You can also create custom SSM Documents.
  • Output: Command output can be sent to Amazon S3 or Amazon CloudWatch Logs.
  • Rate Control & Error Handling: Specify concurrency and error thresholds for batch operations.

āš ļø Common Pitfall: Not using appropriate IAM permissions for the SSM Agent or the user executing the command, leading to permission denied errors.

Key Trade-Offs: Secure, auditable remote execution (Run Command) versus direct SSH access (less secure, less auditable, more complex key management).

Practical Implementation: Executing a shell script on an EC2 instance using Run Command via CLI:

aws ssm send-command \
    --instance-ids "i-0abcdef1234567890" \
    --document-name "AWS-RunShellScript" \
    --parameters 'commands=["sudo yum install -y httpd"]' \
    --comment "Install Apache on instance"
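The CLI call above targets one instance by ID. The following added example (not from the original material) shows the same operation the way it would be run against the 50-instance scenario: targeting by tag, with rate control, CloudWatch output, and a check of the per-instance results. The parameter names are the boto3 `send_command` / `list_command_invocations` shapes; the tag key, log group name and the sample invocation records are constructed for illustration.

```python
"""Build a tag-targeted Run Command request and triage its per-instance results.
Stdlib only, so the helpers run offline; dispatching requires boto3 and credentials."""


def build_run_command(commands: list[str], tag_key: str, tag_values: list[str],
                      max_concurrency: str = "10%", max_errors: str = "1",
                      log_group: str = "/ssm/run-command") -> dict:
    """Return keyword arguments for ssm.send_command().

    Targets by tag (not a hand-maintained list of instance IDs), limits how many
    instances run at once, stops the batch after max_errors failures, and keeps
    the command output in CloudWatch Logs alongside the CloudTrail record.
    """
    if not commands:
        raise ValueError("at least one command is required")
    return {
        "DocumentName": "AWS-RunShellScript",
        "Targets": [{"Key": f"tag:{tag_key}", "Values": tag_values}],
        "Parameters": {"commands": commands},
        "MaxConcurrency": max_concurrency,
        "MaxErrors": max_errors,
        "CloudWatchOutputConfig": {"CloudWatchLogGroupName": log_group,
                                   "CloudWatchOutputEnabled": True},
        "Comment": "Install monitoring agent",
    }


def summarize_invocations(invocations: list[dict]) -> dict:
    """Group list_command_invocations() records by outcome so that instances
    that failed, timed out or were cancelled can be retried or investigated."""
    summary = {"success": [], "needs_followup": [], "pending": []}
    for inv in invocations:
        status = inv["Status"]
        if status == "Success":
            summary["success"].append(inv["InstanceId"])
        elif status in {"Failed", "TimedOut", "Cancelled", "Undeliverable", "Terminated"}:
            summary["needs_followup"].append(inv["InstanceId"])
        else:  # Pending, InProgress, Delayed, Cancelling
            summary["pending"].append(inv["InstanceId"])
    return summary


def send(kwargs: dict) -> str:
    """Dispatch the command and return its CommandId (needs boto3 + AWS credentials)."""
    import boto3  # imported here so the pure helpers above stay importable offline
    return boto3.client("ssm").send_command(**kwargs)["Command"]["CommandId"]


# Constructed sample shaped like list_command_invocations()["CommandInvocations"].
SAMPLE_INVOCATIONS = [
    {"InstanceId": "i-0aaa", "Status": "Success"},
    {"InstanceId": "i-0bbb", "Status": "Failed"},
    {"InstanceId": "i-0ccc", "Status": "TimedOut"},
    {"InstanceId": "i-0ddd", "Status": "InProgress"},
]
```

With real credentials, `send(build_run_command(["sudo yum install -y amazon-cloudwatch-agent"], "Environment", ["staging", "prod"]))` returns the CommandId to pass to `list_command_invocations`.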

Reflection Question: How does Systems Manager Run Command, by enabling secure and remote execution of scripts (via SSM Documents) on fleets of EC2 instances, fundamentally simplify consistent management without direct SSH access?