AWS Registration and Cleanup

Last modified on July 28, 2023

In AWS environments, EC2 instances are often created and destroyed via automated processes.

By following this recipe, such instances are registered in StrongDM when they boot and de-registered after they are terminated.

EC2 User Data Script

EC2 User Data scripts can perform EC2 instance initialization tasks.

In the script below, the sdm binary is downloaded onto the instance and used to self-register via the sdm admin ssh add command, with the instance ID as the server name and the instance's public hostname as the SSH target.

The -p flag to the add command prints the generated SSH public key. The key is then appended to /home/$TARGET_USER/.ssh/authorized_keys so that StrongDM can log in as TARGET_USER.

SDM_ADMIN_TOKEN should be generated with only the Datasources & Servers > List, Update, Create and Roles > List permissions via the Admin Token section of the admin UI.

This script is designed for Ubuntu AMIs; change update commands and TARGET_USER as needed for your environment.

#!/bin/bash
# Self-register this EC2 instance in StrongDM at first boot (Ubuntu AMI assumed)
set -eu

export SDM_ADMIN_TOKEN=XXX
export TARGET_USER=ubuntu

# Instance metadata: the instance ID becomes the StrongDM server name,
# the public hostname is the SSH target
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
PUBLIC_HOSTNAME=$(curl -s http://169.254.169.254/latest/meta-data/public-hostname)

apt update
apt install -y unzip
curl -o sdm.zip -L https://app.strongdm.com/releases/cli/linux
unzip sdm.zip

# -p prints the generated SSH public key; append it so StrongDM can log in as TARGET_USER
./sdm admin ssh add -p "$INSTANCE_ID" "$TARGET_USER@$PUBLIC_HOSTNAME" \
  | tee -a "/home/$TARGET_USER/.ssh/authorized_keys"

# Grant the Engineers role access to the newly registered server
./sdm admin roles grant "$INSTANCE_ID" Engineers
rm sdm.zip
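The following is an added example and not part of the StrongDM page or the sdm tool. It performs the same registration step as the script above, with two changes a practitioner would want: the instance metadata is fetched with an IMDSv2 session token (the token-less GET above is IMDSv1, which instances can be configured to refuse), and sdm's standard output is filtered so that only a line that looks like an SSH public key is appended to authorized_keys; status or error text can never end up in that file. The sdm admin ssh add invocation is taken from the page; the IMDS token endpoint is the documented EC2 one; the key-line regex, the function names and the sample sdm output used in the test are assumptions made here.

```shell
#!/bin/bash
# Added example (not from the StrongDM page): registration with IMDSv2 metadata
# and a filter that lets only SSH public key lines reach authorized_keys.
set -eu

IMDS_BASE="http://169.254.169.254/latest"   # standard EC2 metadata endpoint
TARGET_USER="${TARGET_USER:-ubuntu}"

# Fetch one metadata path using an IMDSv2 session token instead of a bare GET.
imds_get() {
  local token
  token=$(curl -sf -X PUT "$IMDS_BASE/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
  curl -sf -H "X-aws-ec2-metadata-token: $token" "$IMDS_BASE/meta-data/$1"
}

# Keep only lines shaped like an OpenSSH public key (type, base64 blob, optional
# comment). Everything else sdm prints is dropped. Never fails the pipeline.
filter_pubkey_lines() {
  grep -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' || true
}

# Read sdm's output on stdin, append the filtered key lines to $1 and print how
# many were added so the caller can abort the boot when no key came back.
install_pubkey() {
  local keyfile="$1" tmp added
  tmp=$(mktemp)
  filter_pubkey_lines > "$tmp"
  mkdir -p "$(dirname "$keyfile")"
  cat "$tmp" >> "$keyfile"
  chmod 600 "$keyfile"
  added=$(grep -c . "$tmp" || true)   # grep -c prints 0 (and exits 1) on no match
  rm -f "$tmp"
  echo "$added"
}

# The registration step of the page's script, using the helpers above.
register_instance() {
  local instance_id hostname keyfile added
  instance_id=$(imds_get instance-id)
  hostname=$(imds_get public-hostname)
  keyfile="/home/$TARGET_USER/.ssh/authorized_keys"
  added=$(./sdm admin ssh add -p "$instance_id" "$TARGET_USER@$hostname" \
            | install_pubkey "$keyfile")
  if [ "$added" -lt 1 ]; then
    echo "sdm admin ssh add returned no public key; not granting access" >&2
    return 1
  fi
  ./sdm admin roles grant "$instance_id" Engineers
}

# Run the real registration only when invoked with --register on an instance.
if [ "${1:-}" = "--register" ]; then
  register_instance
fi
```

In user data, replace the add/tee lines of the page's script with a call to register_instance; the role grant is skipped whenever the key did not come back, so a half-registered server is not exposed to the Engineers role.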

Cleanup Script

The following script removes terminated EC2 instances from the list of StrongDM servers. It relies on the server name being the instance ID, as set by the registration script above.

SDM_ADMIN_TOKEN should be generated with only the Datasources & Servers > List and Delete permissions via the Admin Token section of the admin UI.

#!/bin/bash
# Remove terminated or shutting-down EC2 instances from StrongDM
set -eu

# ec2-gc-demo sandbox environment garbage collection demo key
export AWS_ACCESS_KEY_ID=XXX
export AWS_SECRET_ACCESS_KEY=XXX
export SDM_ADMIN_TOKEN=XXX

# garbage collect any servers by instance ID; jq -r emits the IDs unquoted,
# so no eval is needed to strip the JSON quotes
aws ec2 describe-instances --region us-west-2 --output json \
  --query 'Reservations[*].Instances[*].[InstanceId]' \
  --filters "Name=instance-state-name,Values=[terminated,shutting-down]" \
  | jq -r 'flatten | .[]' \
  | while read -r instid; do sdm admin servers delete "$instid"; done
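The following is an added example and not part of the StrongDM page. It wraps the cleanup pipeline above in functions so it can be exercised without AWS access: the describe-instances output is parsed with grep instead of jq, every value is checked against the EC2 instance ID format before it is handed to sdm admin servers delete, and DRY_RUN=1 prints the commands instead of running them. The aws query, filter and sdm delete verb are copied from the page; the nested-array sample output, the function names and the DRY_RUN switch are assumptions made here.

```shell
#!/bin/bash
# Added example (not from the StrongDM page): validated, dry-runnable cleanup.
set -eu

# Constructed sample of the page's describe-instances --query output: a list of
# reservations, each a list of single-element [InstanceId] rows. The last row
# is deliberately malformed to show the validation rejecting it.
SAMPLE_QUERY_OUTPUT='[
  [["i-0abc1234def567890"], ["i-0fedcba9876543210"]],
  [["i-1234abcd"]],
  [["not-an-instance-id"]]
]'

# Accept only well-formed EC2 instance IDs: "i-" plus 8 or 17 hex characters.
valid_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# Pull every quoted string out of the nested arrays, one per line (no jq needed
# because the --query projection leaves nothing but instance IDs in the JSON).
extract_instance_ids() {
  printf '%s' "$1" | grep -o '"[^"]*"' | tr -d '"'
}

# Emit the validated IDs; anything unexpected is logged to stderr and skipped.
terminated_instance_ids() {
  local id
  extract_instance_ids "$1" | while IFS= read -r id; do
    if valid_instance_id "$id"; then
      printf '%s\n' "$id"
    else
      printf 'skipping unexpected value: %s\n' "$id" >&2
    fi
  done
}

# Deregister each validated ID. With DRY_RUN=1 the commands are printed, not run.
cleanup_terminated() {
  local query_output="$1" id
  terminated_instance_ids "$query_output" | while IFS= read -r id; do
    if [ "${DRY_RUN:-0}" = "1" ]; then
      printf 'sdm admin servers delete %s\n' "$id"
    else
      sdm admin servers delete "$id"
    fi
  done
}

# Entry point for real use: feed the page's describe-instances call in.
if [ "${1:-}" = "--run" ]; then
  cleanup_terminated "$(aws ec2 describe-instances --region us-west-2 --output json \
      --query 'Reservations[*].Instances[*].[InstanceId]' \
      --filters 'Name=instance-state-name,Values=[terminated,shutting-down]')"
fi
```

Run it once with DRY_RUN=1 ./cleanup.sh --run to see exactly which servers would be removed before letting it delete anything; the validation also means a malformed or unexpected value in the API response is skipped rather than passed through to the delete command.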