aws-well-architected-labs
Incorrect documentation
This documentation: https://www.wellarchitectedlabs.com/operational-excellence/100_labs/100_inventory_patch_management/4_inventory_mgmt/ is out of date.
The documentation states the following in step 3.5:
"In the Choose the service that will use this role section, scroll past the first reference to EC2 (EC2 Allows EC2 instances to call AWS services on your behalf) and choose EC2 from within the field of services. This will open the Select your use case section further down the page."
This, plus step 3.6 and step 4, are incorrect.
When you attach a role to an instance, what you are actually doing is creating an instance profile that will be attached to the instance and that points back to the role you created. If you follow step 3.5 listed above, you will create a role with no instance profile. This is very counterintuitive and clearly not explained in the documentation.
Step 3.6 is moot because step 3.5 is incorrect. The user should select the first "EC2" option from the common use cases.
This is essentially dictating that you want to create an IAM role AND IAM instance profile at the same time. This will allow the role to show up in the "Modify IAM role" list because there will now be an IAM instance profile that will allow you to attach it to the instance.
Step 4 directs the user to use the following policy: "AmazonEC2RoleforSSM". This policy is soon to be deprecated. The policy used should be "AmazonSSMManagedInstanceCore" as this policy supersedes the old "AmazonEC2RoleforSSM".
So, to summarize: when you reach step 3.5 you should do the following:
- Select EC2 from the common cases option via its radio button, then next.
- Search for the policy "AmazonSSMManagedInstanceCore". Select it and click next.
- Assign role name, add tags if desired, and click create role.
- Please note, if you now view this role from the roles console, and examine the summary, you should now see an instance profile ARN listed on the far right of the role summary window. This will confirm that you should now be able to select the role from the "Modify IAM role" console.
- Return to the instance listing, enter the "Modify IAM role" console: Instances > tick instance in list > Actions > Security > Modify IAM role, and select the desired role from the drop menu.
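The role and instance profile relationship described in the issue above, written out as AWS CLI calls. This is an added example, not part of the original issue or the lab's own code. The function names and the `AWS` dry-run variable are assumptions made for this example, and the role name and instance ID are supplied by the caller. Outside the console nothing creates the instance profile for you, so each step is explicit.

```bash
#!/bin/sh
# Added example: CLI equivalent of the console steps summarized above.
# Function names and the AWS dry-run variable are assumptions of this example.
set -eu

AWS="${AWS:-aws}"   # set AWS=echo to print the calls instead of making them
SSM_POLICY_ARN="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Trust policy that lets the EC2 service assume the role.
ec2_trust_policy() {
  cat <<'JSON'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}
JSON
}

# Create the role, attach the SSM policy, then create the instance profile
# and put the role in it. Selecting the "EC2" common use case in the console
# performs the last two calls implicitly; here the profile reuses the role name.
create_ssm_instance_role() {
  "$AWS" iam create-role --role-name "$1" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  "$AWS" iam attach-role-policy --role-name "$1" --policy-arn "$SSM_POLICY_ARN"
  "$AWS" iam create-instance-profile --instance-profile-name "$1"
  "$AWS" iam add-role-to-instance-profile \
    --instance-profile-name "$1" --role-name "$1"
}

# Print the instance profile ARNs that contain the role. Empty output means
# the role cannot be selected under "Modify IAM role".
role_instance_profiles() {
  "$AWS" iam list-instance-profiles-for-role --role-name "$1" \
    --query 'InstanceProfiles[].Arn' --output text
}

# Attach the profile to an instance: $1 = profile name, $2 = instance ID.
attach_profile_to_instance() {
  "$AWS" ec2 associate-iam-instance-profile --instance-id "$2" \
    --iam-instance-profile "Name=$1"
}
```

Source the file and call `create_ssm_instance_role <role-name>`, then `role_instance_profiles <role-name>` to confirm an ARN is returned before attaching.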
Hi @JamesFinglas thanks for creating this issue. I will have a look into this. We are also happy to accept PRs via forks from the community. These are the guidelines https://wellarchitectedlabs.com/contributing/