AWS Cloud Operations Blog
Manage your Amazon EC2 macOS instances with AWS Systems Manager
Are you using macOS for developing, building, testing, and signing applications for Apple devices? To the thriving community of millions of developers worldwide building applications on Apple platforms, AWS now brings the first macOS-based compute environments in the public cloud. You can run macOS workloads on Amazon Elastic Compute Cloud (Amazon EC2) with the elasticity, scalability, reliability, security, and cost effectiveness of the cloud. If you run workloads on Apple platforms in your on-premises data center today, you can now use macOS on AWS to gain those same benefits.
We are taking it even further by adding AWS Systems Manager integration with macOS EC2 instances to reduce your operational overhead. This blog post describes how to manage and gain operational insights into your macOS instances using AWS Systems Manager.
Solution overview
To give you visibility and control, and allow you to automate operational tasks, we provide you an inbuilt integration of macOS instances with AWS Systems Manager. AWS Systems Manager Agent, which makes it possible for Systems Manager to manage instances, is included by default in the EC2 macOS Amazon Machine Image (AMI). The agent processes requests from the Systems Manager service, and then runs them as specified on managed instances. A managed instance is any EC2 instance that has been configured for Systems Manager. The Systems Manager agent allows you to configure, manage, and patch your macOS deployments.
In this post, I discuss the following Systems Manager capabilities to manage your macOS instances.
- Secure one-click access to macOS instances using AWS Systems Manager Session Manager.
- Remotely run scripts on your macOS instance using AWS Systems Manager Run Command.
- Manage OS patches on your macOS instances using AWS Systems Manager Patch Manager.
- Install software packages on your macOS instances using AWS Systems Manager Distributor.
- Collect metadata from your macOS instances using AWS Systems Manager Inventory.
Prerequisites
To manage your Amazon EC2 macOS instances with the AWS Systems Manager capabilities discussed in the solution overview, you need:
- An Amazon EC2 macOS managed instance with a running SSM Agent. For details, see Working with SSM Agent in the documentation.
- AWS Systems Manager set up in your AWS account, with the roles and permissions required for Systems Manager operations. For details, see Setting up Systems Manager in the documentation.
Note: To quickly configure required security roles and commonly used Systems Manager capabilities on your macOS Amazon EC2 instances, you can use Systems Manager Quick Setup.
Let’s dive deep into each of the scenarios and find ways to improve the operation of your macOS workloads.
Secure one-click access to macOS instances using AWS Systems Manager Session Manager
Session Manager is a fully managed AWS Systems Manager feature that provides secure and auditable instance management. It removes the need to keep open inbound ports, maintain bastion hosts, or manage SSH keys. It provides controlled access to instances and fully auditable access logs with simple one-click cross-platform access to your managed instances. Follow the steps to set up Session Manager in the documentation.
Let’s discuss the steps required to access Amazon EC2 macOS instances using Session Manager.
- For the purposes of this blog post, I launched an Amazon EC2 instance from a macOS AMI with the instance type mac1.metal.
- The instance is configured with an instance profile that contains the AWS managed policy AmazonSSMManagedInstanceCore.
- The following screenshot shows the details of the macOS instance.
Figure 1 Instance summary of Amazon EC2 macOS instance
- To connect to this instance securely using Session Manager, select the instance ID in the EC2 console and click on the Connect button.
Figure 2 Amazon EC2 macOS instance connection options
- There are three different ways to connect to the instance. Select the Session Manager tab to connect to the instance using Session Manager without the need for any inbound ports or SSH keys.
Figure 3 Amazon EC2 macOS instance connection using Session Manager
- Click Connect. This initiates the session and opens a browser-based shell on your instance.
- Verify the macOS version of the instance by running the sw_vers command.
Figure 4 Session terminal of Amazon EC2 macOS instance
- Select the Terminate button to end the session when you're finished.
Remotely run scripts on your macOS instance using AWS Systems Manager Run Command
AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances. Administrators use Run Command to perform configuration tasks such as installing or bootstrapping applications on managed instances, without logging in to each instance. Before you send a command using Run Command, verify that your instances meet the Systems Manager requirements. You can target a Run Command operation at a resource group, at instances carrying specified tags, or at instances you choose manually. Note that SSM Agent runs these commands as root on the instance, so permission to call Run Command against a set of instances should be granted as carefully as root access to those instances.
For example, if you want to run a script on multiple macOS instances, you can tag those instances with OS, environment, or any other suitable key-value pair and select all the tagged instances as the target of the Run Command operation. For the purposes of this blog post, I tagged the macOS instance with the key OS and the value mac. I show you how to run an example script that creates a bootstrap.sh file under the /tmp/runcommand_example directory on your macOS instance using the AWS-RunShellScript Run Command document.
- Since we are targeting Run Command at instances that carry a specific tag, make sure your macOS instance is tagged with the key OS and the value mac.
Figure 5 Amazon EC2 macOS instance Tags
- Go to the AWS Systems Manager console and select Run Command under the Instances & Nodes category in the left navigation pane.
- In the Run Command console, select the Run Command button. From the list of command documents, select AWS-RunShellScript. This document runs a shell script on your managed instances.
- In the command parameters section, provide the following script.
# Run Command already executes the script as root on macOS, so no sudo/su is needed.
mkdir -p /tmp/runcommand_example
cd /tmp/runcommand_example
touch bootstrap.sh
Figure 6 Script section of AWS-RunShellScript command document
- In the targets section, select Specify instance tags, and add Tag key: OS and Tag value: mac.
Figure 7 Run Command targets section
- You can also write Run Command output to an Amazon S3 bucket. For this example, I disable the output options, and keep the remaining options as default. Select Run.
- Run Command sends the request to run the shell script, and the command status can be found on the Command ID page. Note that Run Command automatically selects our macOS managed instance based on the OS tag specified in the targets section.
Figure 8 Run Command status
- After the command runs successfully, the status of the command ID will show as “success”.
- You can also verify whether the command ran successfully by connecting to the instance using Session Manager.
Figure 9 Successful run of Run Command
Manage OS patches on your macOS instances using AWS Systems Manager Patch Manager
AWS Systems Manager Patch Manager automates the process of patching managed instances with operating system patches. Customers can use Patch Manager to roll out OS updates pre-approved by their system administrators. The AWS-RunPatchBaseline and AWS-RunPatchBaselineAssociation documents have been updated to support patching macOS instances.
Let’s discuss the steps required to install patches on the Amazon EC2 macOS instance.
- In the Patch Manager console, select Configure patching and specify the instance OS tag to identify the instances to be patched. Under Patching schedule, select Skip scheduling and patch instances now. In the Patching operation section, select Scan and install. Then select the Configure patching button.
Figure 10 Patch Manager patching configuration settings
- This takes you to the corresponding Run Command ID where you can view the status and output of the patching operation. Step 3 is the PatchMacOS step, which corresponds to the macOS instance.
Figure 11 Amazon EC2 macOS instance patch installation output
The PatchMacOS step output shows successful installation of macOS patches.
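Both the Run Command walkthrough and the Patch Manager walkthrough above end up sending a Systems Manager document to instances selected by the OS=mac tag and then reading the per-instance status. The following is an added example, not code from the original post or from AWS, that does the same through the SSM API with boto3: it sends AWS-RunShellScript (the bootstrap script above) or AWS-RunPatchBaseline with Operation=Install to the tagged instances, waits for every invocation to reach a terminal status, and returns the result per instance so a failed host is not lost in a green summary. It also distinguishes "the tag matched no instances" from "everything succeeded". Pass boto3.client("ssm") as the ssm argument for real use; the FakeSSM class is a constructed offline stand-in, and its instance IDs, tags and outcomes are made up. Because the agent runs these documents as root, scope ssm:SendCommand in IAM (for example with the ssm:resourceTag condition key) rather than granting it account-wide.

```python
"""Target macOS instances by tag and run a Systems Manager document via the API.

Added example, not code from the original post or from AWS. It mirrors the
Run Command and Patch Manager console steps above: target tag OS=mac, send
AWS-RunShellScript or AWS-RunPatchBaseline, then check each instance's
invocation status. Pass boto3.client("ssm") as `ssm` for real use; FakeSSM
is a constructed offline stand-in with made-up instance IDs and outcomes.
"""
import time

NON_TERMINAL = {"Pending", "InProgress", "Delayed", "Cancelling"}  # agent still working

# Same effect as the console script; Run Command already executes as root on
# macOS, so no sudo/su is needed in the script itself.
BOOTSTRAP_SCRIPT = ["mkdir -p /tmp/runcommand_example",
                    "touch /tmp/runcommand_example/bootstrap.sh"]

def send_to_tagged_instances(ssm, document, parameters, tag_key, tag_value,
                             s3_bucket=None):
    """Send `document` to every managed instance carrying tag_key=tag_value."""
    kwargs = {"DocumentName": document,
              "Targets": [{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
              "Parameters": parameters, "TimeoutSeconds": 600}
    if s3_bucket:  # optional: keep complete stdout/stderr rather than the console view
        kwargs["OutputS3BucketName"] = s3_bucket
    return ssm.send_command(**kwargs)["Command"]["CommandId"]

def wait_for_invocations(ssm, command_id, poll_seconds=5, max_polls=120):
    """Poll until every targeted instance is terminal; return {instance_id: status}.

    An empty dict means the tag matched nothing (command ends with TargetCount 0),
    which must not be mistaken for "everything succeeded".
    """
    for _ in range(max_polls):
        invs = ssm.list_command_invocations(CommandId=command_id,
                                            Details=True)["CommandInvocations"]
        if invs and all(i["Status"] not in NON_TERMINAL for i in invs):
            return {i["InstanceId"]: i["Status"] for i in invs}
        if not invs:  # nothing reported yet, or no instance carried the tag
            cmd = ssm.list_commands(CommandId=command_id)["Commands"][0]
            if cmd["Status"] not in NON_TERMINAL and cmd.get("TargetCount", 0) == 0:
                return {}
        time.sleep(poll_seconds)
    raise TimeoutError(f"{command_id} still running after {max_polls} polls")

def failed_instances(results):
    """Instance IDs whose invocation did not end in Success, sorted."""
    return sorted(i for i, s in results.items() if s != "Success")

def run_shell_script(ssm, commands, tag_key="OS", tag_value="mac", **wait):
    """The AWS-RunShellScript console walkthrough, as an API call."""
    cid = send_to_tagged_instances(ssm, "AWS-RunShellScript",
                                   {"commands": commands}, tag_key, tag_value)
    return wait_for_invocations(ssm, cid, **wait)

def install_patches(ssm, tag_key="OS", tag_value="mac", **wait):
    """Patch Manager's 'patch now' is AWS-RunPatchBaseline with Operation=Install;
    Operation=Scan would only report missing patches without installing."""
    cid = send_to_tagged_instances(ssm, "AWS-RunPatchBaseline",
                                   {"Operation": ["Install"]}, tag_key, tag_value)
    return wait_for_invocations(ssm, cid, **wait)

class FakeSSM:
    """Constructed stand-in for the three boto3 SSM calls used above.
    fleet: instance id -> (tags, final status). The first poll answers
    InProgress, mimicking agents that have not reported yet."""

    def __init__(self, fleet):
        self.fleet, self.commands = fleet, {}

    def send_command(self, **kwargs):
        target = kwargs["Targets"][0]
        key = target["Key"].split(":", 1)[1]
        matched = [i for i, (tags, _) in self.fleet.items()
                   if tags.get(key) in target["Values"]]
        cid = f"cmd-{len(self.commands) + 1}"
        self.commands[cid] = {"doc": kwargs["DocumentName"], "matched": matched, "polls": 0}
        return {"Command": {"CommandId": cid, "Status": "Pending"}}

    def list_commands(self, CommandId):
        c = self.commands[CommandId]
        return {"Commands": [{"CommandId": CommandId, "TargetCount": len(c["matched"]),
                              "Status": "Success" if c["matched"] else "Failed"}]}

    def list_command_invocations(self, CommandId, Details=False):
        c = self.commands[CommandId]
        c["polls"] += 1
        return {"CommandInvocations": [
            {"InstanceId": i, "Status": "InProgress" if c["polls"] == 1 else self.fleet[i][1]}
            for i in c["matched"]]}

# Constructed fleet: two macOS hosts (one will fail) and one Linux host.
DEMO_FLEET = {"i-0a1b2c3d4e5f60001": ({"OS": "mac"}, "Success"),
              "i-0a1b2c3d4e5f60002": ({"OS": "mac"}, "Failed"),
              "i-0a1b2c3d4e5f60003": ({"OS": "linux"}, "Success")}

if __name__ == "__main__":
    ssm = FakeSSM(DEMO_FLEET)
    results = run_shell_script(ssm, BOOTSTRAP_SCRIPT, poll_seconds=0)
    print("bootstrap:", results, "failed:", failed_instances(results))
    print("patch:", install_patches(ssm, poll_seconds=0))
```

Document parameters are always lists of strings in the SendCommand API, which is why the patch operation is passed as {"Operation": ["Install"]}. For fleets larger than one page of invocations, follow NextToken on list_command_invocations before deciding that every instance is terminal.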
Install software packages on your macOS instances using AWS Systems Manager Distributor
AWS Systems Manager Distributor lets you package your own software and find AWS-provided agent software packages, such as AmazonCloudWatchAgent or third-party packages to install on AWS Systems Manager managed instances.
Here’s how to install AmazonCloudWatchAgent software using Distributor on your managed macOS instance.
- In the Distributor page of the Systems Manager console, you can find different types of packages. Select AmazonCloudWatchAgent in the Owned by Amazon section and choose the Install one time option.
Figure 12 AWS Systems Manager Distributor console with AmazonCloudWatchAgent package
- This takes you to the Run Command console with the AWS-ConfigureAWSPackage command document. Select your target instances. As in the previous sections, choose the managed macOS instance by specifying the OS tag. Keep the other options at their defaults and select Run.
Figure 13 Run Command console with AWS-ConfigureAWSPackage command document
Figure 14 Run Command in progress to install Distributor package
- The Run Command status shows the progress of the package installation. When the status shows “Success,” the CloudWatch agent is installed on the Amazon EC2 macOS instance.
Figure 15 Successful installation of Distributor package on Amazon EC2 macOS instance
Collect metadata from your macOS instances using AWS Systems Manager Inventory
AWS Systems Manager Inventory provides visibility into your managed instances. You can use Inventory to collect metadata from your managed instances, including information about installed applications, AWS components, network configuration, and tags. For details on the pre-configured metadata types, see the Systems Manager Inventory metadata documentation.
- In the inventory page of the Systems Manager console, you find several predefined cards to help you query the data.
Figure 16 AWS Systems Manager Inventory console
- In the Corresponding managed instances section, select the macOS instance to view its inventory, configuration compliance, and other metadata types.
Figure 17 Corresponding managed instances section of Inventory
- You can find the details of different applications running on the macOS instance by selecting the AWS:Application inventory type.
Figure 18 Amazon EC2 macOS instance inventory metadata
Cleaning up
Be sure to delete any unused resources so that you don’t incur additional costs. For more details on the cost associated with Systems Manager, check the AWS Systems Manager pricing documentation.
Conclusion
In this blog post, we discussed different ways to manage your macOS instances using the Systems Manager service. This reduces operational overhead and improves efficiency of your macOS workloads on AWS Cloud. For further reading, see the AWS Systems Manager documentation to find additional ways to gain operational insights and manage your macOS instances.
About the Author
Harshitha Putta is a Cloud Infrastructure Architect with AWS Professional Services in Seattle, WA. She is passionate about building innovative solutions using AWS services to help customers achieve their business objectives. She enjoys spending time with family and friends, playing board games and hiking.