

# Automated instance configuration in AMS Accelerate
<a name="acc-inst-auto-config"></a>

AMS Accelerate provides an automated instance configuration service. This service ensures that an instance is emitting the correct logs and metrics for AMS to properly manage the instance. Automated instance configuration has its own prerequisites and steps for onboarding, described later in this section.

**Topics**
+ [How automated instance configuration works in Accelerate](inst-auto-config-how-works.md)
+ [SSM Agent automatic installation](ssm-agent-auto-install.md)
+ [Automated instance configuration changes](inst-auto-config-changes-made.md)

# How automated instance configuration works in Accelerate
<a name="inst-auto-config-how-works"></a>

Automated instance configuration enables AMS Accelerate to perform certain configurations on a daily basis on instances that you indicate by adding particular agents and tags.

# Prerequisites for automated instance configuration in Accelerate
<a name="inst-auto-config-pre-reqs"></a>

These conditions must be met to enable AMS Accelerate to perform the previously described automated actions on managed instances.

**The SSM Agent is installed**

AMS Accelerate automated instance configuration requires that the AWS Systems Manager SSM Agent is installed.

For information on using the AMS SSM Agent auto installation feature see [SSM Agent automatic installation](ssm-agent-auto-install.md).

For information on manually installing the SSM Agent, see the following:
+ Linux: [Manually install SSM Agent on Amazon EC2 instances for Linux - AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html)
+ Windows: [Manually install SSM Agent on Amazon EC2 instances for Windows Server - AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-win.html)

**The SSM Agent is in the managed state**

AMS Accelerate automated instance configuration requires an operational SSM Agent. The SSM Agent must be installed, and the Amazon EC2 instance must be in the managed state. For more information, see the AWS documentation, [Working with SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html).

# Automated instance configuration setup
<a name="inst-auto-config-setup"></a>

Assuming the prerequisites have been met, adding a specific Amazon EC2 instance tag automatically initiates the AMS Accelerate automated instance configuration. Use one of the following methods to add this tag:

1. (Strongly recommended) Use the AMS Accelerate Resource Tagger

   To configure the tagging logic for your account, see [How tagging works](acc-tag-intro.md#acc-tag-how-works). After tagging is complete, tags and automated instance configuration are handled automatically.

1. Manually add tags

   Manually add the following tag to the Amazon EC2 instances:

   Key: **ams:rt:ams-managed**, Value: **true**

**Note**  
The instance configuration service attempts to apply the required AMS configurations as soon as the **ams:rt:ams-managed** tag is applied to the instance. After that, the service re-asserts the required configurations whenever the instance is started and whenever the AMS daily configuration check runs.

# SSM Agent automatic installation
<a name="ssm-agent-auto-install"></a>

**Important**  
SSM Agent automatic installation doesn’t support the Asia Pacific (Malaysia) Region.

To have AMS manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, you must install AWS Systems Manager SSM Agent on each instance. If your instances don't have SSM Agent installed, then you can use the AMS SSM Agent auto-installation feature.

**Note**  
If your account is onboarded to AMS Accelerate after 6/03/2024, then this feature is enabled by default. To turn off this feature, contact your CA or CSDM.
To turn on this feature in accounts onboarded before 6/03/2024, contact your CA or CSDM.
This feature is only available for EC2 instances that aren't in an Auto Scaling group and that run Linux operating systems supported by AMS.

## Prerequisites for SSM Agent use
<a name="ssm-agent-request-prerequisites"></a>
+ Make sure the instance profile associated with the target instances has one of the following policies (or equivalent permissions as allowlisted in them):
  + AmazonSSMManagedEC2InstanceDefaultPolicy
  + AmazonSSMManagedInstanceCore
+ Make sure that there isn't a Service Control Policy at the AWS Organizations level that explicitly denies the permissions listed in the preceding policies.

  For more information, see [Configure instance permissions required for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-permissions.html).
+ If outbound internet traffic from the instances is blocked, make sure that the following interface endpoints are enabled in the VPC where the target instances reside (replace "region" with the Region the instances run in):
  + ssm.<region>.amazonaws.com
  + ssmmessages.<region>.amazonaws.com
  + ec2messages.<region>.amazonaws.com

  For more information, see [Improve the security of EC2 instances by using VPC endpoints for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html).

For general tips on enabling or troubleshooting managed node availability, see [Solution 2: Verify that an IAM instance profile has been specified for the instance (EC2 instances only)](https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-managed-instances.html#instances-missing-solution-2).

**Note**  
AMS stops and starts each instance as part of the auto-installation process. When an instance is stopped, data stored in instance store volumes and data stored on the RAM is lost. For more information, see [What happens when you stop an instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Stop_Start.html#what-happens-stop).

## Request automatic installation of SSM Agent on your instances
<a name="ssm-agent-request-install"></a>

If your accounts are onboarded to AMS Accelerate Patch Add-On, then configure a patch maintenance window (MW) for the instances. A working SSM Agent is required to complete the patch process. If SSM Agent is missing on an instance, then AMS tries to automatically install it during the patch maintenance window.

**Note**  
AMS stops and starts each instance as part of the auto-installation process. When an instance is stopped, data stored in instance store volumes and data stored on the RAM is lost. For more information, see [What happens when you stop an instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Stop_Start.html#what-happens-stop).

## How SSM Agent automatic installation works
<a name="ssm-agent-auto-install-process"></a>

AMS uses EC2 user data to run the installation script on your instances. To add the user data script and run it on your instances, AMS must stop and start each instance.

If your instance already has an existing user data script, then AMS completes the following steps during the auto installation process:

1. Creates a backup of the existing user data script.

1. Replaces the existing user data script with the SSM Agent installation script.

1. Restarts the instance to install SSM Agent.

1. Stops the instance and restores the original script.

1. Restarts the instance with the original script.

# Automated instance configuration changes
<a name="inst-auto-config-changes-made"></a>

The AMS Accelerate instance configuration automation makes the following changes in your account:

1. IAM permissions

   Adds the IAM managed policies required to grant the instance permission to use the agents installed by AMS Accelerate.

1. Agents

   1. The Amazon CloudWatch Agent is responsible for emitting OS logs and metrics. The instance configuration automation ensures that the CloudWatch agent is installed and running the AMS Accelerate minimum version.

   1. The AWS Systems Manager SSM Agent is responsible for running remote commands on the instance. The instance configuration automation ensures that the SSM Agent is running the AMS Accelerate minimum version.

1. CloudWatch Configuration

   1. To ensure that the required metrics and logs are emitted, AMS Accelerate customizes the CloudWatch configuration. For more information, see the following section, [CloudWatch configuration change details](inst-auto-config-details-cw.md).

Automated instance configuration makes changes or additions to your IAM instance profiles and CloudWatch configuration.

# IAM permissions change details
<a name="inst-auto-config-details-iam"></a>

Each managed instance must have an AWS Identity and Access Management role that includes the following managed policies:
+ arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
+ arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
+ arn:aws:iam::aws:policy/AMSInstanceProfileBasePolicy

The first two are AWS-managed policies. The AMS-managed policy is:

**AMSInstanceProfileBasePolicy**

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "secretsmanager:CreateSecret",
                "secretsmanager:UpdateSecret"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:*:secret:/ams/byoa/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Encrypt"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
```

------

If your instance already has an attached IAM role but is missing any of these policies, then AMS adds the missing policies to your IAM role. If your instance doesn't have an IAM role, then AMS attaches the **AMSOSConfigurationCustomerInstanceProfile** IAM role. The **AMSOSConfigurationCustomerInstanceProfile** IAM role has all policies that are required by AMS Accelerate.

**Note**  
If the default instance profile limit of 10 is reached, then AMS increases the limit to 20, so that the required instance profiles can be attached.
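The setup tag, the SSM prerequisites and the required managed policies above can be checked together before onboarding. The following is an added example, not AMS code: it evaluates constructed records shaped like the responses of `ec2:DescribeInstances`, `iam:ListAttachedRolePolicies` and `ssm:DescribeInstanceInformation`, so it runs offline; the instance IDs and the `Finding` type are illustrative.

```python
"""Offline readiness check for AMS Accelerate automated instance configuration.

Added example, not AMS code. Replace the constructed sample data with boto3
calls (describe_instances, list_attached_role_policies,
describe_instance_information) to run it against a real account.
"""
from dataclasses import dataclass
from typing import List, Optional

MANAGED_TAG = ("ams:rt:ams-managed", "true")  # tag that triggers the automation
REQUIRED_POLICY_ARNS = frozenset({             # policies every managed instance role needs
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
    "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
    "arn:aws:iam::aws:policy/AMSInstanceProfileBasePolicy",
})


@dataclass
class Finding:
    instance_id: str
    tagged: bool
    ssm_online: bool
    missing_policies: frozenset

    @property
    def ready(self) -> bool:
        return self.tagged and self.ssm_online and not self.missing_policies


def check_instance(instance: dict, attached_policy_arns: List[str],
                   ssm_info: Optional[dict]) -> Finding:
    """instance: one Instances[] entry; attached_policy_arns: policy ARNs on its
    role; ssm_info: matching InstanceInformationList[] entry, None if unmanaged."""
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    return Finding(
        instance_id=instance["InstanceId"],
        tagged=tags.get(MANAGED_TAG[0]) == MANAGED_TAG[1],
        # "managed state": SSM knows the node and the agent is currently reporting.
        ssm_online=ssm_info is not None and ssm_info.get("PingStatus") == "Online",
        missing_policies=REQUIRED_POLICY_ARNS - set(attached_policy_arns),
    )


# Constructed sample data (not from a real account).
GOOD = {"InstanceId": "i-0123456789abcdef0", "Tags": [{"Key": "ams:rt:ams-managed", "Value": "true"}]}
BAD = {"InstanceId": "i-0fedcba9876543210", "Tags": [{"Key": "Name", "Value": "legacy-app"}]}
GOOD_POLICIES = sorted(REQUIRED_POLICY_ARNS)
BAD_POLICIES = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]
SSM = {"i-0123456789abcdef0": {"InstanceId": "i-0123456789abcdef0", "PingStatus": "Online"}}

if __name__ == "__main__":
    for inst, pols in ((GOOD, GOOD_POLICIES), (BAD, BAD_POLICIES)):
        f = check_instance(inst, pols, SSM.get(inst["InstanceId"]))
        print(f.instance_id, "ready" if f.ready else "not ready", sorted(f.missing_policies))
```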

# CloudWatch configuration change details
<a name="inst-auto-config-details-cw"></a>

Additional detail on the CloudWatch configuration.
+ CloudWatch configuration file location on the instance:
  + Windows: `%ProgramData%\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent.json`
  + Linux: `/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d/ams-accelerate-config.json`
+ CloudWatch configuration file location in Amazon S3:
  + Windows: `https://ams-configuration-artifacts-REGION_NAME.s3.REGION_NAME.amazonaws.com/configurations/cloudwatch/latest/windows-cloudwatch-config.json`
  + Linux: `https://ams-configuration-artifacts-REGION_NAME.s3.REGION_NAME.amazonaws.com/configurations/cloudwatch/latest/linux-cloudwatch-config.json`
+ Metrics collected:
  + Windows:
    + AWS Systems Manager SSM Agent (`CPU_Usage`)
    + CloudWatch Agent (`CPU_Usage`)
    + Disk space utilization for all disks (% free space)
    + Memory (% committed bytes in use)
  + Linux:
    + AWS Systems Manager SSM Agent (`CPU_Usage`)
    + CloudWatch Agent (`CPU_Usage`)
    + CPU (`cpu_usage_idle`, `cpu_usage_iowait`, `cpu_usage_user`, `cpu_usage_system`)
    + Disk (`used_percent`, `inodes_used`, `inodes_total`)
    + Diskio (`io_time`, `write_bytes`, `read_bytes`, `writes`, `reads`)
    + Mem (`mem_used_percent`)
    + Swap (`swap_used_percent`)
+ Logs collected:
  + Windows:
    + AmazonSSMAgentLog
    + AmazonCloudWatchAgentLog
    + AmazonSSMErrorLog
    + AmazonCloudFormationLog
    + ApplicationEventLog
    + EC2ConfigServiceEventLog
    + MicrosoftWindowsAppLockerEXEAndDLLEventLog
    + MicrosoftWindowsAppLockerMSIAndScriptEventLog
    + MicrosoftWindowsGroupPolicyOperationalEventLog
    + SecurityEventLog
    + SystemEventLog
  + Linux:
    + /var/log/amazon/ssm/amazon-ssm-agent.log
    + /var/log/amazon/ssm/errors.log
    + /var/log/audit/audit.log
    + /var/log/cloud-init-output.log
    + /var/log/cloud-init.log
    + /var/log/cron
    + /var/log/dpkg.log
    + /var/log/maillog
    + /var/log/messages
    + /var/log/secure
    + /var/log/spooler
    + /var/log/syslog
    + /var/log/yum.log
    + /var/log/zypper.log