AWS Cloud Operations Blog

Manage your Amazon EC2 macOS instances with AWS Systems Manager

Are you using macOS for developing, building, testing, and signing applications for Apple devices? To the thriving community of millions of developers worldwide building applications on Apple platforms, we at AWS bring you the first macOS-based compute environments in the public cloud. Yes, you read that right! You can now run macOS applications on Amazon Elastic Compute Cloud (Amazon EC2) while enjoying elasticity, scalability, reliability, security, and cost effectiveness. If you are running workloads on Apple platforms in your on-premises data center, you can now use macOS on AWS to gain the benefits of the cloud.

We are taking this further by integrating AWS Systems Manager with macOS EC2 instances to reduce your operational overhead. This blog post describes how to manage and gain operational insights into your macOS instances using AWS Systems Manager.

Solution overview

To give you visibility and control, and to let you automate operational tasks, macOS instances come with a built-in integration with AWS Systems Manager. AWS Systems Manager Agent (SSM Agent), which makes it possible for Systems Manager to manage instances, is included by default in the EC2 macOS Amazon Machine Image (AMI). The agent polls the Systems Manager service over an outbound HTTPS connection, so no inbound ports are required, and runs the requests it receives on the instance. A managed instance is any EC2 instance that has been configured for Systems Manager. SSM Agent allows you to configure, manage, and patch your macOS deployments.

In this post, I discuss the following Systems Manager capabilities to manage your macOS instances.

  1. Secure one-click access to macOS instances using AWS Systems Manager Session Manager.
  2. Remotely run scripts on your macOS instance using AWS Systems Manager Run Command.
  3. Manage OS patches on your macOS instances using AWS Systems Manager Patch Manager.
  4. Install software packages on your macOS instances using AWS Systems Manager Distributor.
  5. Collect metadata from your macOS instances using AWS Systems Manager Inventory.

Prerequisites

To manage your Amazon EC2 macOS instances with the AWS Systems Manager capabilities discussed in the solution overview section, you will need:

  1. An Amazon EC2 macOS managed instance with a running SSM Agent. For more details, check working with SSM Agent in the documentation.
  2. AWS Systems Manager set up in your AWS account, with the roles and permissions required for Systems Manager operations configured. For more details, check setting up Systems Manager in the documentation.

Note: To quickly configure required security roles and commonly used Systems Manager capabilities on your macOS Amazon EC2 instances, you can use Systems Manager Quick Setup.

Let’s dive deep into each of the scenarios and find ways to improve the operation of your macOS workloads.

Secure one-click access to macOS instances using AWS Systems Manager Session Manager

Session Manager is a fully managed AWS Systems Manager feature that provides secure and auditable instance management. It removes the need to open inbound ports, maintain bastion hosts, or manage SSH keys, because SSM Agent on the instance establishes the connection outbound to the Systems Manager service. Who may open a session on which instance is controlled with IAM policies, every StartSession call is recorded in AWS CloudTrail, and the session activity itself (the commands typed and their output) can be logged to Amazon S3 or Amazon CloudWatch Logs. The result is controlled, fully auditable, one-click cross-platform access to your managed instances. Follow the steps to set up Session Manager in the documentation.

Let’s discuss the steps required to access Amazon EC2 macOS instances using Session Manager.

    1. For the purposes of this blog post, I launched an Amazon EC2 instance from a macOS AMI with the mac1.metal instance type.
    2. The instance uses an instance profile that contains the AWS managed policy AmazonSSMManagedInstanceCore. This is the minimum the agent needs to register with Systems Manager; it grants nothing to the people who connect, whose access is governed separately by their own IAM policies.
    3. The following screenshot provides details of the macOS instance.

      Figure 1: Instance summary of the Amazon EC2 macOS instance, showing the managed IAM role AmazonSSMRoleForInstancesQuickSetup, instance type mac1.metal, and the amzn-ec2-macOS AMI.

    4. To connect to this instance securely using Session Manager, select the instance ID in the EC2 console and choose Connect.

      Figure 2: Connection options for the Amazon EC2 macOS instance (EC2 Instance Connect, Session Manager, SSH client).

    5. There are three ways to connect to the instance. Select the Session Manager tab to connect without opening any inbound ports or managing SSH keys.

      Figure 3: Connecting to the Amazon EC2 macOS instance using Session Manager.

    6. Choose Connect, which opens a new browser-based shell session on your instance.
    7. Verify the macOS version of this instance by running the sw_vers command.

      Figure 4: Session terminal of the Amazon EC2 macOS instance showing the sw_vers output.

    8. The session stays open until you end it. Select Terminate to shut down the session when you’re finished.
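The "controlled access" Session Manager provides is only as tight as the IAM policy attached to the people who connect. The following identity-based policy is an added example, not part of the original post: it lets an operator start sessions only on instances carrying the tag OS=mac (the tag this post uses for targeting later on), only with the default shell session document, and lets them resume or terminate only sessions they started themselves. The read-only actions are what the console's Connect workflow needs to list instances and sessions. The tag key and value, and the assumption that operators are IAM users (Session Manager prefixes the session ID with the caller's user name), are assumptions made for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionsOnlyOnTaggedMacInstances",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/OS": "mac" }
      }
    },
    {
      "Sid": "OnlyTheDefaultShellSessionDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"
    },
    {
      "Sid": "ManageOnlyOwnSessions",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession",
        "ssm:ResumeSession"
      ],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    },
    {
      "Sid": "ReadOnlyForTheConsoleConnectWorkflow",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus",
        "ssm:DescribeInstanceInformation",
        "ssm:DescribeInstanceProperties",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach this to the operators' IAM users or roles, not to the instance profile; the instance profile keeps AmazonSSMManagedInstanceCore as described above. If your operators sign in through federated roles, the session ID prefix is the role session name rather than an IAM user name, so verify the prefix with ssm:DescribeSessions and adjust the session Resource accordingly. Removing the first statement's Condition turns this into session access to every managed instance in the account, which is exactly what the tag condition is there to prevent.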

Remotely run scripts on your macOS instance using AWS Systems Manager Run Command

AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances. Administrators use Run Command to perform configuration tasks such as installing or bootstrapping applications on managed instances, without logging in to each instance. Commands travel over the agent's outbound connection to the Systems Manager service, and on macOS instances SSM Agent runs them as root, so the ssm:SendCommand permission is effectively root access to every instance it covers; scope it by instance ARN or tag in IAM just as you would session access. Before you send a command using Run Command, verify that your instances meet Systems Manager requirements. As the targets of a Run Command operation, you can specify a resource group, specify instance tags, or choose instances manually.

For example, if you want to run a script on multiple macOS instances, you can tag those instances with OS, environment, or any other suitable key-value pair and select all of the required instances as the target for Run Command. For the purposes of this blog post, I tagged the macOS instance with the key OS and the value mac. I show you how to run an example script that creates a bootstrap.sh file under the /tmp/runcommand_example directory on your macOS instance using the AWS-RunShellScript command document.

  1. Because this Run Command targets instances by tag, make sure your macOS instance is tagged with key OS and value mac.

    Figure 5: Amazon EC2 macOS instance tags, with tag key OS and value mac.

  2. Go to the AWS Systems Manager console and select Run Command under the Instances & Nodes category in the left navigation pane.
  3. On the Run Command page, select the Run Command button. From the list of command documents, select AWS-RunShellScript. This document runs a shell script on your managed instances.
  4. In the command parameters section, provide the following script.
    # SSM Agent runs this script as root on macOS, so sudo/su is not needed; a
    # `sudo su` here has no terminal, and the lines after it would not run inside it.
    set -e                                 # exit on the first failing command so Run Command reports it
    mkdir -p /tmp/runcommand_example       # -p makes the script safe to re-run
    touch /tmp/runcommand_example/bootstrap.sh

    Figure 6: Script section of the AWS-RunShellScript command document.

  5. In the targets section, select Specify instance tags, and add Tag key: OS and Tag value: mac.

    Figure 7: Run Command targets section, with the Specify instance tags method selected and tag key OS, tag value mac added.

  6. You can also write Run Command output to an Amazon S3 bucket or to Amazon CloudWatch Logs, which keeps the complete output and gives you an audit record; the console shows only a truncated excerpt. For this example, I disable the output options and keep the remaining options at their defaults. Select Run.
  7. Run Command sends the request to run the shell script, and the command status can be found on the command ID page. Note that it automatically resolves our macOS managed instance from the OS tag specified in the targets section.

    Figure 8: Run Command status page, with the command ID, the overall status, and the Amazon EC2 macOS instance as the target.

  8. After the command runs successfully, the status of the command ID will show as “success”.
  9. You can also verify whether the command ran successfully by connecting to the instance using Session Manager.

    Figure 9: Session terminal of the Amazon EC2 macOS instance showing the result of the Run Command script.
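Run Command decides between Success and Failed purely from the exit code of the script it ran, so a script that ignores errors reports Success even when the bootstrap did not happen. The following is an added example, not code from the original post: the same bootstrap as a self-checking, idempotent payload you can paste into the Commands parameter of AWS-RunShellScript. The directory and file name follow the post; the contents written into bootstrap.sh, and the default base path used when no argument is given, are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): the bootstrap from the post as a
# self-checking Run Command payload for AWS-RunShellScript.
# Run Command derives the command status from the script's exit code, so the
# script must exit non-zero on any failure; otherwise a broken bootstrap shows
# as "Success". SSM Agent on macOS already runs the script as root: no sudo/su.
set -eu

# Create $1 (default /tmp/runcommand_example, as in the post) and an
# executable, owner-only bootstrap.sh inside it. Safe to run repeatedly.
create_bootstrap() {
    base="${1:-/tmp/runcommand_example}"
    umask 077                          # everything created here is owner-only
    mkdir -p "$base"
    tmp="$base/.bootstrap.sh.$$"
    # Write to a temp file and rename so a half-written file is never left
    # behind if the command is cancelled or times out part-way through.
    cat > "$tmp" <<'EOF'
#!/bin/sh
# Example bootstrap content (assumed for this example): record the OS version.
set -eu
sw_vers 2>/dev/null || uname -a
EOF
    chmod 0700 "$tmp"
    mv -f "$tmp" "$base/bootstrap.sh"
    # Verify the result; a failure here makes Run Command report Failed.
    if [ ! -x "$base/bootstrap.sh" ]; then
        echo "bootstrap.sh missing or not executable in $base" >&2
        return 1
    fi
    echo "created $base/bootstrap.sh"
}

# CLI equivalent of the console steps in the post (not executed here):
#   aws ssm send-command --document-name AWS-RunShellScript \
#       --targets Key=tag:OS,Values=mac \
#       --parameters '{"commands":["<the lines of this script>"]}'

create_bootstrap "${1:-}"
```

Pasted into the console, the script runs with no arguments and uses the post's /tmp/runcommand_example path; given a path, it bootstraps there instead, which is how the self-test below exercises it. The verification step at the end is the part that matters operationally: it is what turns a silently incomplete run into a Failed status you can alert on.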

Manage OS patches on your macOS instances using AWS Systems Manager Patch Manager

AWS Systems Manager Patch Manager automates the process of patching managed instances with operating system patches. You can use Patch Manager to roll out OS updates pre-approved by system administrators. The AWS-RunPatchBaseline and AWS-RunPatchBaselineAssociation documents have been updated to support patching macOS instances.

Let’s discuss the steps required to install patches on the Amazon EC2 macOS instance.

  1. In the Patch Manager console, select Configure patching and specify the instance tag OS:mac to identify the instances to be patched. Under Patching schedule, select Skip scheduling and patch instances now. In the Patching operation section, select Scan and install. Then select the Configure patching button.

    Figure 10: Patch Manager configuration settings: instance tag OS:mac, Skip scheduling and patch instances now, and the Scan and install operation selected.

  2. This takes you to the corresponding command ID page, where you can view the status and output of the patching operation. Step 3, PatchMacOS, is the step that ran on the macOS instance.

    Figure 11: Run Command output of the patching operation, showing patch installation on the Amazon EC2 macOS instance.

The PatchMacOS step output shows successful installation of macOS patches. Some updates take full effect only after a restart, so review the RebootOption parameter of AWS-RunPatchBaseline and confirm the instance's patch compliance status before treating it as patched.

Install software packages on your macOS instances using AWS Systems Manager Distributor

AWS Systems Manager Distributor lets you package your own software, and find AWS-provided agent packages such as AmazonCloudWatchAgent or third-party packages, to install on AWS Systems Manager managed instances.

Here’s how to install AmazonCloudWatchAgent software using Distributor on your managed macOS instance.

  1. In the Distributor page of the Systems Manager console, you can find different types of packages. Select AmazonCloudWatchAgent in the Owned by Amazon section and choose the Install one time option.

    Figure 12: AWS Systems Manager Distributor console with the AmazonCloudWatchAgent package selected.

  2. This takes you to the Run Command console with AWS-ConfigureAWSPackage command document. Select your target instances. As discussed in the previous sections, choose the managed macOS instance by specifying the OS tag. Keep the other options set to their defaults and select Run.

    Figure 13: Run Command console with the AWS-ConfigureAWSPackage command document.

    Figure 14: Run Command in progress, installing the Distributor package on the Amazon EC2 macOS instance with the AWS-ConfigureAWSPackage command document.

  3. The Run Command status shows the progress of the package installation. When the status shows “Success”, the CloudWatch agent is installed on the Amazon EC2 macOS instance.

    Figure 15: Successful installation of the Distributor package on the Amazon EC2 macOS instance.

Collect metadata from your macOS instances using AWS Systems Manager Inventory

AWS Systems Manager Inventory provides visibility into your managed instances. You can use Inventory to collect metadata from your managed instances. The metadata types include information about applications, AWS components, network configuration, tags, and so on. For more details on the pre-configured metadata types, check the Systems Manager Inventory metadata documentation.

  1. On the Inventory page of the Systems Manager console, you find several predefined cards to help you query the data.

    Figure 16: AWS Systems Manager Inventory console, with predefined cards summarizing the managed instances.

  2. In the Corresponding managed instances section, select the macOS instance to find information about the different metadata types, such as inventory and configuration compliance.

    Figure 17: Corresponding managed instances section of Inventory, with the Amazon EC2 macOS instance selected.

  3. You can find the details of different applications running on the macOS instance by selecting the AWS:Application inventory type.

    Figure 18: Amazon EC2 macOS instance inventory metadata for the AWS:Application inventory type.

Cleaning up

Be sure to delete any unused resources so that you don’t incur additional costs. For more details on the cost associated with Systems Manager, check the AWS Systems Manager pricing documentation.

Conclusion

In this blog post, we discussed different ways to manage your macOS instances using the Systems Manager service, reducing operational overhead and improving the efficiency of your macOS workloads on the AWS Cloud. For further reading, see the AWS Systems Manager documentation to find additional ways to gain operational insights into and manage your macOS instances.

 

About the Author

Harshitha Putta is a Cloud Infrastructure Architect with AWS Professional Services in Seattle, WA. She is passionate about building innovative solutions using AWS services to help customers achieve their business objectives. She enjoys spending time with family and friends, playing board games and hiking.