AWS Registration and Cleanup
Last modified on July 28, 2023
In AWS environments, EC2 instances are often created and destroyed via automated processes.
By following this recipe, these instances may be automatically registered and de-registered in StrongDM.
EC2 User Data Script
EC2 User Data scripts can perform EC2 instance initialization tasks. In the script below, the sdm binary is used to self-register the instance via the sdm admin ssh add command. The -p argument to the add command prints the server's SSH public key; the key is then appended to the target user's authorized_keys file (/home/$TARGET_USER/.ssh/authorized_keys).

The sdm admin ssh add and sdm admin servers add commands (without a type set) default to the ssh type; they are aliased to sdm admin servers add ssh. If you include a type as the last parameter, it supersedes that default.

SDM_ADMIN_TOKEN should be generated with only the Datasources & Servers > List, Update, Create and Roles > List permissions via the Admin Token section of the admin UI.

This script is designed for Ubuntu AMIs; change the package update commands and TARGET_USER as needed for your environment.
#!/bin/bash
# Admin token scoped to Datasources & Servers > List, Update, Create and Roles > List
export SDM_ADMIN_TOKEN=XXX
export TARGET_USER=ubuntu
apt update
apt install -y unzip
curl -o sdm.zip -L https://app.strongdm.com/releases/cli/linux
unzip sdm.zip
# Instance metadata (IMDSv1 calls; an instance that requires IMDSv2 must first
# fetch a session token and send it in the X-aws-ec2-metadata-token header)
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
PUBLIC_HOSTNAME=$(curl -s http://169.254.169.254/latest/meta-data/public-hostname)
# Register this instance as an SSH server named after its instance ID; -p prints
# the generated public key, which is appended to the target user's authorized_keys
./sdm admin ssh add -p "$INSTANCE_ID" "$TARGET_USER@$PUBLIC_HOSTNAME" \
  | tee -a "/home/$TARGET_USER/.ssh/authorized_keys"
# Grant the Engineers role access to the newly registered server
./sdm admin roles grant "$INSTANCE_ID" Engineers
rm sdm.zip
Cleanup Script
The following script can automatically remove terminated EC2 instances from the list of available StrongDM servers.

SDM_ADMIN_TOKEN should be generated with only the Datasources & Servers > List, Delete permissions via the Admin Token section of the admin UI.
#!/bin/bash
# ec2-gc-demo sandbox environment garbage collection demo key
export AWS_ACCESS_KEY_ID=XXX
export AWS_SECRET_ACCESS_KEY=XXX
# Admin token scoped to Datasources & Servers > List, Delete
export SDM_ADMIN_TOKEN=XXX
# Garbage collect servers by instance ID: registration named each server after
# its instance ID, so terminated or shutting-down instances map directly to
# StrongDM server names. jq -r emits bare IDs, one per line, and flatten[]
# yields nothing on an empty result instead of failing.
aws ec2 describe-instances --region us-west-2 --output json \
  --query 'Reservations[*].Instances[*].[InstanceId]' \
  --filters "Name=instance-state-name,Values=[terminated,shutting-down]" \
  | jq -r 'flatten[]' \
  | while read -r instid; do sdm admin servers delete "$instid"; done
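A reconciliation variant of the cleanup above, added here as an example and not part of the StrongDM documentation: instead of deleting only instances still visible as terminated or shutting-down (AWS drops terminated instances from describe-instances after roughly an hour, so a job that misses that window leaves orphaned servers), it compares every StrongDM server named like an instance ID against the instances that still exist and deletes the rest. It assumes servers were registered under their instance ID as in the user-data script, that sdm admin servers list prints a fixed-width table with a Name column (an assumption about its output format), and that aws and sdm are on PATH with credentials and SDM_ADMIN_TOKEN in the environment.

```python
import re
import subprocess
import sys

# EC2 instance IDs: "i-" followed by 8 (legacy) or 17 hex characters.
INSTANCE_ID = re.compile(r"^i-[0-9a-f]{8,17}$")

def stale_servers(server_names, live_ids):
    """Names that look like EC2 instance IDs but are not in the live set.
    Names that are not instance IDs are never returned, so servers registered
    by hand under other names cannot be deleted by this job."""
    live = set(live_ids)
    return sorted(n for n in server_names if INSTANCE_ID.match(n) and n not in live)

def parse_server_names(table):
    """Assumption: `sdm admin servers list` prints a fixed-width table with a
    header row containing a 'Name' column; names are read at that column's offset."""
    lines = [ln for ln in table.splitlines() if ln.strip()]
    if not lines:
        return []
    offset = lines[0].index("Name")
    return [ln[offset:].split()[0] for ln in lines[1:] if ln[offset:].strip()]

def live_instance_ids(region):
    """IDs of instances in any non-terminal state. AWS stops returning terminated
    instances from describe-instances after roughly an hour, so reconciling
    against the live set catches servers the terminated/shutting-down filter misses."""
    out = subprocess.check_output([
        "aws", "ec2", "describe-instances", "--region", region, "--output", "text",
        "--query", "Reservations[].Instances[].InstanceId",
        "--filters", "Name=instance-state-name,Values=pending,running,stopping,stopped",
    ], text=True)
    return out.split()

def reconcile(region="us-west-2", apply=False):
    """List stale servers; delete them only when apply=True (dry run by default)."""
    table = subprocess.check_output(["sdm", "admin", "servers", "list"], text=True)
    stale = stale_servers(parse_server_names(table), live_instance_ids(region))
    for name in stale:
        print(("deleting " if apply else "would delete ") + name)
        if apply:
            subprocess.check_call(["sdm", "admin", "servers", "delete", name])
    return stale

if __name__ == "__main__":
    reconcile(apply="--apply" in sys.argv)
```

Run it without arguments first to review the dry-run list, then with --apply once the output matches expectations.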