AWS Registration and Cleanup

In AWS environments, EC2 instances are often created and destroyed via automated processes.

By following this recipe, these instances may be automatically registered and de-registered in strongDM.

EC2 User Data Script

EC2 User Data scripts can perform EC2 instance initialization tasks.

In the script below, the sdm binary is used to self-register via the sdm admin servers add command.

The -p argument to the add command causes an SSH public key to be printed. The script appends that key to /home/$TARGET_USER/.ssh/authorized_keys so strongDM can authenticate to the instance.

SDM_ADMIN_TOKEN should be generated with only the Datasources & Servers > List, Grant, Create and Roles > List permissions via the Admin Token section of the admin UI.

NOTE: This script is designed for Ubuntu AMIs; change update commands and TARGET_USER as needed for your environment.

#!/bin/bash
set -euo pipefail

# Admin token scoped to Datasources & Servers > List, Grant, Create and Roles > List
export SDM_ADMIN_TOKEN=XXX
export TARGET_USER=ubuntu

# Instance metadata (IMDSv1 endpoint), fetched once and reused below
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
PUBLIC_HOSTNAME=$(curl -s http://169.254.169.254/latest/meta-data/public-hostname)

apt update
apt install -y unzip
curl -o sdm.zip -L https://app.strongdm.com/releases/cli/linux
unzip sdm.zip

# Register this instance under its instance ID; -p prints the SSH public key,
# which is appended to the target user's authorized_keys
./sdm admin servers add -p "$INSTANCE_ID" "$TARGET_USER@$PUBLIC_HOSTNAME" \
  | tee -a "/home/$TARGET_USER/.ssh/authorized_keys"

# Grant the Engineers role access to the newly registered server
./sdm admin roles grant "$INSTANCE_ID" Engineers
rm sdm.zip

Cleanup Script

The following script can automatically remove terminated EC2 instances from the list of available strongDM servers.

SDM_ADMIN_TOKEN should be generated with only the Datasources & Servers > List, Delete permissions via the Admin Token section of the admin UI.

#!/bin/bash

# ec2-gc-demo sandbox environment garbage collection demo key
export AWS_ACCESS_KEY_ID=XXX
export AWS_SECRET_ACCESS_KEY=XXX
# Admin token scoped to Datasources & Servers > List, Delete
export SDM_ADMIN_TOKEN=XXX

# Garbage collect any servers by instance ID: list instances that are terminated
# or shutting down, then delete the strongDM server registered under that ID
# (the user data script names each server after its instance ID, so they match).
# jq -r emits bare strings, so the ID can be passed quoted with no eval.
aws ec2 describe-instances --region us-west-2 --output json \
  --query 'Reservations[*].Instances[*].[InstanceId]' \
  --filters "Name=instance-state-name,Values=terminated,shutting-down" \
  | jq -r 'flatten | .[]' \
  | while read -r instid; do
      sdm admin servers delete "$instid" || echo "failed to delete $instid" >&2
    done
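As an added, stand-alone example (not part of the strongDM recipe), the reconciliation the cleanup script performs, written in Python against constructed describe-instances output and a constructed list of strongDM server names. It goes a little beyond the script: it also removes servers whose instance has already aged out of describe-instances, and it only ever acts on names that look like an instance ID, so a hand-registered server is never touched and no ID needs eval.

```python
import json
import re

# Shape of an EC2 instance ID as returned by describe-instances / the metadata service
INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8,17}$")

# Constructed, abridged sample of `aws ec2 describe-instances --output json`
DESCRIBE_INSTANCES_JSON = """
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa1111bbbb2222c", "State": {"Name": "running"}},
    {"InstanceId": "i-0ddd3333eeee4444f", "State": {"Name": "terminated"}}]},
  {"Instances": [
    {"InstanceId": "i-0123456789abcdef0", "State": {"Name": "shutting-down"}}]}
]}
"""

# Constructed sample of strongDM server names: three registered by the user data
# script (named after their instance ID) and one bastion registered by hand.
SDM_SERVER_NAMES = ["i-0aaa1111bbbb2222c", "i-0ddd3333eeee4444f",
                    "i-0eee5555ffff6666a", "bastion-prod"]


def instance_states(describe_json):
    """Map InstanceId -> state name, walking Reservations[].Instances[]."""
    states = {}
    for reservation in json.loads(describe_json)["Reservations"]:
        for inst in reservation["Instances"]:
            states[inst["InstanceId"]] = inst["State"]["Name"]
    return states


def servers_to_delete(sdm_names, states, gone=("terminated", "shutting-down")):
    """strongDM servers to remove: the name must look like an instance ID, and EC2
    must report it as terminated/shutting-down or not list it at all (terminated
    instances drop out of describe-instances after roughly an hour)."""
    doomed = []
    for name in sdm_names:
        if not INSTANCE_ID_RE.match(name):
            continue  # hand-registered server, or a name that is not a clean ID
        state = states.get(name)
        if state is None or state in gone:
            doomed.append(name)
    return doomed


def delete_commands(names):
    """argv lists for `sdm admin servers delete`; pass each to subprocess.run, no shell."""
    return [["sdm", "admin", "servers", "delete", n] for n in names]
```

Running `delete_commands(servers_to_delete(SDM_SERVER_NAMES, instance_states(DESCRIBE_INSTANCES_JSON)))` on the sample data yields delete commands for i-0ddd3333eeee4444f (terminated) and i-0eee5555ffff6666a (no longer listed), leaving the running instance and the bastion alone.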