This repository has been archived by the owner on Oct 4, 2024. It is now read-only.

Commit

New checks and other enhancements
- New checks SSM Agent Version
- New checks Session Manager plugin version
- New output format (Table)
- Update the screenshots and flowchart
- Update README.md to reflect new checks
- Add new tests for the new checks
- Update the tests README.md and output
- Update the ZIP file to include latest changes
- Some other enhancements and minor changes
aaalzand committed Sep 17, 2021
1 parent f8aba4d commit cfcfa25
Showing 34 changed files with 1,053 additions and 764 deletions.
50 changes: 30 additions & 20 deletions Systems Manager/SSMAgent-Toolkit-Windows/README.md
Expand Up @@ -10,12 +10,15 @@ The SSMAgent-Toolkit is a set of PowerShell scripts developed to run multiple ch

![Output](https://github.com/awslabs/aws-support-tools/raw/master/Systems%20Manager/SSMAgent-Toolkit-Windows/SSMAgent-Toolkit_HybridOutput.png?raw=1)


```powershell
PS C:\SSMAgent-Toolkit\Tests> Import-Module "$destination\SSMAgent-Toolkit\SSMAgent-Toolkit.psm1";Invoke-SSMChecks -GridView $false
PS C:\SSMAgent-Toolkit> Import-Module "$destination\SSMAgent-Toolkit\SSMAgent-Toolkit.psm1";Invoke-SSMChecks -Table
Checking for elevated permissions...
Code is running as administrator - executing the script...
[2021-04-06T15:29:22.8851270-04:00] [INFO] Log available at C:\SSMAgent-Toolkit\log\SSMCheck_2021-04-06-03-29-22.log
[2021-04-06T15:29:22.8911250-04:00] [INFO] Report available at C:\SSMAgent-Toolkit\report\SSMCheck_2021-04-06-03-29-22.txt
[2021-09-17T20:41:53.8766462+00:00] [INFO] Logs directory exists - C:\SSMAgent-Toolkit\logs\
[2021-09-17T20:41:53.8766462+00:00] [INFO] Outputs directory exists - C:\SSMAgent-Toolkit\Outputs\
[2021-09-17T20:41:53.8857124+00:00] [INFO] Logs available at C:\SSMAgent-Toolkit\logs\SSMCheck_2021-09-17-08-41-53.log
[2021-09-17T20:41:53.8857124+00:00] [INFO] Outputs available at C:\SSMAgent-Toolkit\Outputs\SSMCheck_2021-09-17-08-41-53.txt
Running all the tests can take a few minutes...
___ _ _______ _____ __ __ ___
/ | | / / ___/ / ___/__ _______/ /____ ____ ___ _____ / |/ /___ _____ ____ _____ ____ _____
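Review bot: The log and output file names in the new sample lines use a 12-hour clock with no AM/PM marker: the entry stamped `2021-09-17T20:41:53` writes `SSMCheck_2021-09-17-08-41-53.log`, so a run at 08:41 and a run at 20:41 on the same day would map to the same file name and the files sort out of order. Build the name from a 24-hour format (`HH` rather than `hh`) so it matches the timestamp inside the log.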
Expand All @@ -36,11 +39,11 @@ IAM profile credential valid Skip
LocalSystem account user API assume role arn:aws:sts::012345678901:assumed-role/AmazonEC2RunCommandRoleForManagedInstances/mi-abcdef01234567890 The role and the instance in the ARN should match the role in the metadata and the current
instanceID
ssm.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 52.46.141.158
ec2messages.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 52.46.138.63
ssmmessages.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 52.46.156.29
S3.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 52.217.66.150
kms.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 54.239.18.42
logs.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 54.239.31.225
ec2messages.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 52.94.228.178
ssmmessages.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 52.46.132.109
S3.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 52.217.165.48
kms.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 52.46.134.194
logs.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 3.236.94.199
SSM Agent Proxy Setting N/A There is no proxy setting for SSM Agent
System-wide environment variable proxy N/A There is no http_proxy, https_proxy or no_proxy configured.
LocalSystem account user environment variable proxy N/A There is no http_proxy, https_proxy or no_proxy configured.
Expand All @@ -49,18 +52,22 @@ WinHTTP system-wide proxy N/A
LocalSystem account user Internet Explorer proxy N/A There is no ProxyServer configured. Note: If the instance behind a proxy and PowerShell via
run command has a command which needs access to the internet would fail if there are no
Internet Explorer proxy settings.
SSMAgent version Pass SSM Agent version: 3.1.282.0, the latest agent version in us-east-1 is 3.1.282.0.
Session Manager Plugin version Pass Session Manager Plugin version is 1.2.245.0, the latest Session Manager Plugin version is 1.2.245.0.
```

### The instance register as a EC2 instance

![Output](https://github.com/awslabs/aws-support-tools/raw/master/Systems%20Manager/SSMAgent-Toolkit-Windows/SSMAgent-Toolkit_EC2Output.png?raw=1)

```powershell
PS C:\SSMAgent-Toolkit> Import-Module "$destination\SSMAgent-Toolkit\SSMAgent-Toolkit.psm1";Invoke-SSMChecks -GridView $false
PS C:\SSMAgent-Toolkit> Import-Module "$destination\SSMAgent-Toolkit\SSMAgent-Toolkit.psm1";Invoke-SSMChecks -Table
Checking for elevated permissions...
Code is running as administrator - executing the script...
[2021-04-06T15:50:17.8155081-04:00] [INFO] Log available at C:\SSMAgent-Toolkit\log\SSMCheck_2021-04-06-03-50-17.log
[2021-04-06T15:50:17.8165076-04:00] [INFO] Report available at C:\SSMAgent-Toolkit\report\SSMCheck_2021-04-06-03-50-17.txt
[2021-09-17T20:25:41.8395772+00:00] [INFO] Logs directory exists - C:\SSMAgent-Toolkit\logs\
[2021-09-17T20:25:41.8395772+00:00] [INFO] Outputs directory exists - C:\SSMAgent-Toolkit\Outputs\
[2021-09-17T20:25:41.8395772+00:00] [INFO] Logs available at C:\SSMAgent-Toolkit\logs\SSMCheck_2021-09-17-08-25-41.log
[2021-09-17T20:25:41.8395772+00:00] [INFO] Outputs available at C:\SSMAgent-Toolkit\Outputs\SSMCheck_2021-09-17-08-25-41.txt
Running all the tests can take a few minutes...
___ _ _______ _____ __ __ ___
/ | | / / ___/ / ___/__ _______/ /____ ____ ___ _____ / |/ /___ _____ ____ _____ ____ _____
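Review bot: The two new result rows are worded inconsistently. The first is labelled `SSMAgent version` but its own note says `SSM Agent version: 3.1.282.0, the latest agent version in us-east-1 is ...`, while the plugin row uses `Session Manager Plugin version is 1.2.245.0, the latest ...`. Use one spelling for the agent name and one sentence pattern for both notes so the table reads uniformly and is easier to parse from the saved output file.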
Expand All @@ -77,31 +84,34 @@ Amazon SSM service account LocalSystem
Managed(hybrid) Instance Registration Skip The instance is not configured as Managed(hybrid) Instance. Metadata will be used to get the InstanceId and Region
EC2 instance metadata accessible Pass EC2 InstanceID = i-abcdef01234567890, Region = us-east-1
IAM instance profile SSMInstanceProfile IAM instance profile SSMInstanceProfile is attached to the instance
IAM profile credential valid Pass IAM instance profile's credential is up to date. IAM credential Expiration timestamp is 04/06/2021 21:48:57. The Last
update is 04/06/2021 15:46:23 UTC
IAM profile credential valid Pass IAM instance profile`'s credential is up to date. IAM credential Expiration timestamp is 09/18/2021 01:49:12.
The Last update is 09/17/2021 19:29:32 UTC
LocalSystem account user API assume role arn:aws:sts::012345678901:assumed-role/SSMInstanceProfile/i-abcdef01234567890 The role and the instance in the ARN should match the role in the metadata and the current instanceID
ssm.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 52.46.141.158
ssm.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 52.46.145.233
ec2messages.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 52.46.138.63
ssmmessages.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 52.46.132.109
S3.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 52.217.70.126
kms.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 54.239.17.195
logs.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 52.46.143.188
S3.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 52.217.98.142
kms.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 52.46.136.89
logs.us-east-1.amazonaws.com accessible Pass Endpoint IP address is 3.236.94.131
SSM Agent Proxy Setting N/A There is no proxy setting for SSM Agent
System-wide environment variable proxy N/A There is no http_proxy, https_proxy or no_proxy configured.
LocalSystem account user environment variable proxy N/A There is no http_proxy, https_proxy or no_proxy configured.
WinHTTP system-wide proxy N/A There is no ProxyServer(s) configured for WinHTTP system-wide proxy. Note: This proxy settings mainly used to by Windows
Update service
LocalSystem account user Internet Explorer proxy N/A There is no ProxyServer configured. Note: If the instance behind a proxy and PowerShell via run command has a command
which needs access to the internet would fail if there are no Internet Explorer proxy settings.
SSMAgent version Pass SSM Agent version: 3.1.282.0, the latest agent version in us-east-1 is 3.1.282.0.
Session Manager Plugin version Pass Session Manager Plugin version is 1.2.245.0, the latest Session Manager Plugin version is 1.2.245.0.
```

## Usage

Simply download the ZIP file included in this package and extract. Run one of the followings as an administrator in PowerShell.
Simply download the ZIP file included in this package and extract. Run the one of the followings as administrator in PowerShell.

```powershell
Import-Module .\SSMAgent-Toolkit.psm1;Invoke-SSMChecks
Import-Module .\SSMAgent-Toolkit.psm1;Invoke-SSMChecks -GridView "False"
Import-Module .\SSMAgent-Toolkit.psm1;Invoke-SSMChecks -Table
Import-Module .\SSMAgent-Toolkit.psm1;Invoke-SSMChecks -GridView
```

Or run the following sample code as an administrator in PowerShel to download the ZIP file included in this package, extract and execute the toolkit.
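Review bot: The updated `IAM profile credential valid` row contains a stray backtick (``IAM instance profile`'s credential``), which looks like a PowerShell escape character leaking into the note text, most likely from an escaped apostrophe inside a string that does not need escaping; fix the string in the check rather than documenting the artifact in the README. In the same hunk the reworded Usage sentence reads "Run the one of the followings as administrator", which is a regression from the previous wording. The README should also state that `-GridView` is now a switch, since the earlier `-GridView $false` and `-GridView "False"` forms no longer mean what they did.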
Expand All @@ -121,7 +131,7 @@ else {
Write-host "SSMAgent-Toolkit.zip"
Expand-Archive -Path "$destination\SSMAgent-Toolkit.zip" -DestinationPath "$destination\SSMAgent-Toolkit"
Write-host "Extracting SSMAgent-Toolkit.zip complete successfully"
Import-Module "$destination\SSMAgent-Toolkit\SSMAgent-Toolkit.psm1"; Invoke-SSMChecks -GridView "False"
Import-Module "$destination\SSMAgent-Toolkit\SSMAgent-Toolkit.psm1"; Invoke-SSMChecks -Table
}
```
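Review bot: The message "Extracting SSMAgent-Toolkit.zip complete successfully" is printed unconditionally after `Expand-Archive`, and `Import-Module` plus `Invoke-SSMChecks -Table` then run whatever the extraction result was. Add `-ErrorAction Stop` to `Expand-Archive` (or test `$?`) so a failed or partial extraction stops the script. Because the module is imported directly from a downloaded archive in an elevated session, it is also worth comparing `Get-FileHash` output against a published hash before the `Import-Module` line.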

Binary file modified Systems Manager/SSMAgent-Toolkit-Windows/SSMAgent-Toolkit.zip
Binary file not shown.
Expand Up @@ -7,21 +7,21 @@
Get-AgentProxySettings -Message "Error message" -Key "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AmazonSSMAgent"
.INPUTS
Key = The registry path.
Skip = Default is false. This script will be skipped if the agent is not installed.
Skip = Switch to skip this function if the agent is not installed.
.OUTPUTS
New-PSObjectResponse -Check "$check" -Status "$value" -Note "$note"
#>
Function Get-AgentProxySettings {
[CmdletBinding()]
param (
[String]$Key = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AmazonSSMAgent",
[String]$Skip = $false
[Switch]$Skip
)
$check = "SSM Agent Proxy Setting"
Write-Log -Message "New check....."
Write-Log -Message "$check"

if ($Skip -ne $true) {
if (-not ($Skip)) {
If (-not (Test-RegistryValue -Path $Key -Value 'Environment')) {
$value = "N/A"
$note = "There is no proxy setting for SSM Agent"
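Review bot: The help example at the top of this hunk calls `Get-AgentProxySettings -Message "Error message" -Key ...`, but the `param` block declares only `$Key` and `$Skip`, and with `[CmdletBinding()]` an unknown `-Message` parameter fails to bind. Since the help block is being touched here anyway, correct the example to use only `-Key` (and `-Skip` where relevant).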
Expand Up @@ -6,15 +6,15 @@
.Example
Get-IEProxySettings
.INPUTS
Skip = Default is false. This script will be skipped if the agent is not installed.
Skip = Switch to skip this function if the agent is not installed.
.OUTPUTS
New-PSObjectResponse -Check "$check" -Status "$value" -Note "$note"
#>
Function Get-IEProxySettings {
[CmdletBinding()]
param (
[String]$Key = "Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings",
[String]$Skip = $false
[Switch]$Skip
)

$check = "LocalSystem account user Internet Explorer proxy"
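Review bot: The `.INPUTS` section documents only `Skip`, while the `param` block also exposes `$Key` with a default under `HKEY_USERS\.DEFAULT`. Add a `Key = The registry path.` line, as the other proxy check's help does, and update `.Example` to show the `-Skip` switch form so the help matches the new signature.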
Expand All @@ -25,7 +25,7 @@ Function Get-IEProxySettings {
Write-Log -Message "For more information check - https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows."
Write-Log -Message "IE proxy settings mainly used to enable PowerShell to have access to the internet (not Windows Update service)"

if ($Skip -ne $true) {
if (-not ($Skip)) {
If (((Get-Item -Path $Key).GetValue("ProxyEnable") -eq 0) -Or (-not (Test-RegistryValue -Path $Key -Value 'ProxyEnable'))) {
$value = "N/A"
$note = "There is no ProxyServer configured. Note: If the instance behind a proxy and PowerShell via run command has a command which needs access to the internet would fail if there are no Internet Explorer proxy settings."
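Review bot: The condition on the `If` line calls `(Get-Item -Path $Key).GetValue("ProxyEnable")` before `Test-RegistryValue` is consulted, so when the key cannot be opened the method call on a null result raises an error instead of reporting `N/A`. Put the `-not (Test-RegistryValue -Path $Key -Value 'ProxyEnable')` operand first so `-Or` short-circuits, and read the value only once it is known to exist.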
Expand Up @@ -6,14 +6,14 @@
.Example
Get-LocalSystemAccountEnvironmentVariablesProxy
.INPUTS
Skip = Default is false. This script will be skipped if the agent is not installed.
Skip = Switch to skip this function if the agent is not installed.
.OUTPUTS
New-PSObjectResponse -Check "$check" -Status "$value" -Note "$note"
#>
Function Get-LocalSystemAccountEnvironmentVariablesProxy {
param (
[String]$Key = "Registry::HKEY_USERS\.DEFAULT\Environment", #https://docs.microsoft.com/en-us/windows/win32/procthread/environment-variables
[String]$Skip = $false
[Switch]$Skip
)

$check = "LocalSystem account user environment variable proxy"
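Review bot: This function's `param` block has no `[CmdletBinding()]`, unlike the other functions converted in this commit, so it keeps simple-function binding rules. That matters with the new `[Switch]$Skip`: an old-style call such as `-Skip $false` now turns the switch on and binds the value positionally to `$Key`, silently skipping the check. Add `[CmdletBinding()]` for consistency and make sure every caller uses `-Skip` or `-Skip:$false` rather than passing a value.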
Expand All @@ -24,7 +24,7 @@ Function Get-LocalSystemAccountEnvironmentVariablesProxy {
Write-Log -Message "For more information check - https://docs.microsoft.com/en-us/windows/win32/procthread/environment-variables."
Write-Log -Message "LocalSystem account user environment variable proxy mainly used by SSM Agent to connect to the endpoints"

if ($Skip -ne $true) {
if (-not ($Skip)) {
$http_proxy_check = New-ProxyOutput -Path $Key -Value 'http_proxy' -SettingName $check
$https_proxy_check = New-ProxyOutput -Path $Key -Value 'https_proxy' -SettingName $check
$no_proxy_check = New-ProxyOutput -Path $Key -Value 'no_proxy' -SettingName $check
Expand Up @@ -5,25 +5,25 @@
This is a public function will create a schedule task under system account to make GetCallerIdentity api call - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html. This to returns the IAM user or role arn whose credentials are used to call the operation under LocalSystem account.
.Example
Get-LocalSystemAccountSTSCallerIdentity -ParentDirectoryLocation "C:\SSMAgent-Toolkit"
Get-LocalSystemAccountSTSCallerIdentity -ParentDirectoryLocation "C:\SSMAgent-Toolkit" -Skip $true
Get-LocalSystemAccountSTSCallerIdentity -ParentDirectoryLocation "C:\SSMAgent-Toolkit" -Skip
.INPUTS
$ParentDirectoryLocation - The location of the current module
$Skip - If this test would be skipped
$ParentDirectoryLocation = The location of the current module.
$Skip = Switch to skip this function if neither metadata or registration is accessible.
.OUTPUTS
New-PSObjectResponse -Check "$check" -Status "$value" -Note "$note"
#>
Function Get-LocalSystemAccountSTSCallerIdentity {
[CmdletBinding()]
param (
[String]$ParentDirectoryLocation,
[String]$Skip = $false
[Switch]$Skip
)

$check = "LocalSystem account user API assume role"
Write-Log -Message "New check....."
Write-Log -Message "$check"

if ($Skip -ne $true) {
if (-not ($Skip)) {
try {
$OutputPath = "$ParentDirectoryLocation\temp\STSCallerIdentity.xml"
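Review bot: `$ParentDirectoryLocation` is declared as a plain `[String]` with no `Mandatory` attribute or validation, yet `$OutputPath` is built from it, so calling the function without it resolves to `\temp\STSCallerIdentity.xml` at the root of the current drive. Mark the parameter mandatory or validate it with `Test-Path` before use. Given that the description says the call runs as a scheduled task under the system account, the help should also state that the `temp` directory must be writable only by administrators. Small wording fixes in the same help block: "This to returns" and "neither metadata or registration" (should be "nor").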

Expand Up @@ -9,7 +9,7 @@
StatusCode
Region
EC2InstanceID
ManagedInstance = Default is $false, if call the function with $true value will skip the check.
ManagedInstance = Switch to skip this function if the instance registered as hybrid instance.
.OUTPUTS
New-PSObjectResponse -Check "$check" -Status "$value" -Note "$note"
#>
Expand All @@ -20,13 +20,13 @@ Function Get-MetadataAccess {
[String]$StatusCode,
[String]$Region,
[String]$EC2InstanceID,
[String]$ManagedInstance = $false
[Switch]$ManagedInstance
)
$check = "EC2 instance metadata accessible"
Write-Log -Message "New check....."
Write-Log -Message "$check"

if ($ManagedInstance -ne $true) {
if (-not ($ManagedInstance)) {
#Check if there is access to the metadata
if ($StatusCode -eq 200) {
$value = "Pass"
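Review bot: `$StatusCode` stays typed as `[String]` while the check compares it with the integer `200`; the comparison works only because PowerShell converts the right-hand side to a string, and any padded or non-numeric value fails quietly as "not 200". Since the parameter types in this block are being revised, declare it as `[int]$StatusCode`. The switch is also named `ManagedInstance` here while the other checks use `Skip` for the same purpose, which makes the call sites harder to read.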