@aqilzeeshan
Created August 22, 2021 18:12
SessionManager_without_IGW.yml

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  LatestAmiId:
    # Use public Systems Manager Parameter for AMI Image name
    # https://aws.amazon.com/blogs/compute/query-for-the-latest-amazon-linux-ami-ids-using-aws-systems-manager-parameter-store/
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Description: Select Amazon Linux(1) or 2
    Default: /aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2
    AllowedValues:
      - /aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2 # Amazon Linux [1]
      - /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 # Amazon Linux 2
  InstanceType:
    Type: String
    Default: t2.nano
    Description: Select an instance type
    AllowedValues:
      - t2.nano
      - t2.micro
      - t3.nano
      - t3.micro
  # Parameters for the 'harness' VPC to host this demo. All defaults are fine for our purposes.
  VpcCidr:
    Description: Please enter the IP range (CIDR notation) for this VPC
    Type: String
    Default: 10.192.0.0/16
  PrivateSubnetCidr:
    Description: Please enter the IP range (CIDR notation) for the private subnet in the first Availability Zone
    Type: String
    Default: 10.192.20.0/24
Resources:
  Ec2InPrivateSubnet:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: !Ref InstanceType
      # KeyName: NO SSH Key needed
      IamInstanceProfile: !Ref Ec2InstanceProfile
      NetworkInterfaces:
        - DeviceIndex: 0
          GroupSet:
            - !Ref SecurityGroupEc2Instance
          SubnetId: !Ref PrivateSubnet
      Tags:
        - Key: Name
          Value: Session Manager test Instance in Private Subnet
  # By default, AWS Systems Manager doesn't have permission to perform actions on your instances.
  # You must grant access by using an AWS Identity and Access Management (IAM) instance profile.
  # https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html
  Ec2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles: [ !Ref Ec2InstanceRole ]
  Ec2InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        # ********** This is really the only adjustment we need to make to enable use of SSM Session Manager
        # All the AWS::CloudFormation::Init and cloud init script work is setting up cloudwatch logs
        # to give visibility to the SSM Agent actions.
        # Note: AmazonEC2RoleforSSM grants more than Session Manager needs (it includes S3 access);
        # AWS recommends the narrower AmazonSSMManagedInstanceCore policy for new instance roles.
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ ec2.amazonaws.com ]
            Action:
              - sts:AssumeRole
      Path: /
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsHostnames: True
      EnableDnsSupport: True
  # Three VPC endpoints are required for Session Manager without an internet gateway:
  # 1. ssm
  # 2. ssmmessages
  # 3. ec2messages
  # This solution will not work in Regions that do not offer all three
  # of these VPC endpoints.
  SsmVpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssm
      VpcId: !Ref Vpc
      SubnetIds:
        - !Ref PrivateSubnet
      SecurityGroupIds:
        - !Ref SecurityGroupVpcEndpoint
      VpcEndpointType: Interface
      # Private DNS makes ssm.<region>.amazonaws.com resolve to the endpoint's
      # private IPs, so the agent needs no configuration change.
      PrivateDnsEnabled: True
  SsmMessagesVpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssmmessages
      VpcId: !Ref Vpc
      SubnetIds:
        - !Ref PrivateSubnet
      SecurityGroupIds:
        - !Ref SecurityGroupVpcEndpoint
      VpcEndpointType: Interface
      PrivateDnsEnabled: True
  Ec2MessagesVpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ec2messages
      VpcId: !Ref Vpc
      SubnetIds:
        - !Ref PrivateSubnet
      SecurityGroupIds:
        - !Ref SecurityGroupVpcEndpoint
      VpcEndpointType: Interface
      PrivateDnsEnabled: True
  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: !Ref PrivateSubnetCidr
      AvailabilityZone: !Select [ 0, !GetAZs ] # Get the first AZ in the list
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-Private-Subnet
  # Here is a private route table (no default route, so no internet path at all):
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc
      Tags:
        - Key: Name
          Value: Private
  PrivateSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet
      RouteTableId: !Ref PrivateRouteTable
  SecurityGroupEc2Instance:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SG for EC2 Instance
      VpcId: !Ref Vpc
      # Despite this security group containing no ingress rules, Session
      # Manager can still provide shell access
      SecurityGroupEgress:
        # The SSM Agent connects to Session Manager over TCP 443
        - Description: allow outbound HTTPS to the VPC
          CidrIp: !Ref VpcCidr
          FromPort: 443
          ToPort: 443
          IpProtocol: tcp
  SecurityGroupVpcEndpoint:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SG for VPC Endpoints
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        # The SSM Agent connects to Session Manager over TCP 443
        - Description: allow inbound HTTPS from the EC2 instance
          SourceSecurityGroupId: !Ref SecurityGroupEc2Instance
          FromPort: 443
          ToPort: 443
          IpProtocol: tcp
      SecurityGroupEgress:
        # The SSM Agent connects to Session Manager over TCP 443
        - Description: allow outbound HTTPS to the VPC
          CidrIp: !Ref VpcCidr
          FromPort: 443
          ToPort: 443
          IpProtocol: tcp
Outputs:
  SessionManagementListUrl:
    Description: The URL to the Session Management Console listing all instances it is aware of
    Value: !Sub https://${AWS::Region}.console.aws.amazon.com/systems-manager/session-manager/start-session?region=${AWS::Region}
  SessionManagementPublicSubnetInstanceUrl:
    Description: The URL to the Session Management Console for this instance
    Value: !Sub https://${AWS::Region}.console.aws.amazon.com/systems-manager/session-manager/${Ec2InPrivateSubnet}?region=${AWS::Region}
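The template's comments state three invariants a reviewer would want to confirm on the deployed VPC rather than take on trust: the ssm, ssmmessages and ec2messages Interface endpoints all exist with private DNS enabled, the instance security group carries no ingress rules, and the endpoint security group admits only TCP 443 from the instance's security group. The checker below is an added example and not part of the gist. It uses only the Python standard library and runs over constructed dicts shaped like the JSON that `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups` return (field names follow the EC2 API); the region and every resource ID in the sample data are made up, and in practice the dicts would come from the CLI or boto3.

```python
"""Offline checker for the Session-Manager-without-IGW invariants.

Added example, not part of the gist.  The rules come from the template's own
comments: the ssm, ssmmessages and ec2messages Interface endpoints must exist
with private DNS enabled, the instance security group needs no ingress rules,
and the endpoint security group should admit only TCP 443 from the instance's
security group.  Input dicts are shaped like `aws ec2 describe-vpc-endpoints`
and `aws ec2 describe-security-groups` output; the sample data is constructed
and every ID and the region are made up.
"""

REQUIRED_SERVICES = ("ssm", "ssmmessages", "ec2messages")


def missing_endpoints(endpoints, region, vpc_id):
    """Return required services with no usable Interface endpoint in vpc_id.

    'Usable' means available with private DNS enabled; without private DNS the
    agent's calls to ssm.<region>.amazonaws.com would still resolve to public
    addresses, which a subnet with no internet route cannot reach.
    """
    prefix = f"com.amazonaws.{region}."
    present = set()
    for ep in endpoints:
        if ep.get("VpcId") != vpc_id or ep.get("VpcEndpointType") != "Interface":
            continue
        if ep.get("State") != "available" or not ep.get("PrivateDnsEnabled"):
            continue
        name = ep.get("ServiceName", "")
        if name.startswith(prefix):
            present.add(name[len(prefix):])
    return [svc for svc in REQUIRED_SERVICES if svc not in present]


def has_no_ingress(sg):
    """True when the security group carries no inbound rules at all."""
    return not sg.get("IpPermissions")


def https_only_from(sg, source_sg_id):
    """True when every inbound rule is TCP 443 sourced solely from source_sg_id."""
    perms = sg.get("IpPermissions", [])
    if not perms:
        return False  # nothing could reach the endpoint ENIs at all
    for perm in perms:
        ports = (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort"))
        if ports != ("tcp", 443, 443):
            return False
        # CIDR or prefix-list sources are wider than a single SG reference.
        if perm.get("IpRanges") or perm.get("Ipv6Ranges") or perm.get("PrefixListIds"):
            return False
        pairs = perm.get("UserIdGroupPairs", [])
        if not pairs or any(p.get("GroupId") != source_sg_id for p in pairs):
            return False
    return True


def audit(endpoints, security_groups, region, vpc_id, instance_sg_id, endpoint_sg_id):
    """Run all checks; an empty list means the VPC matches the template's intent."""
    findings = [f"no usable Interface endpoint for {svc}"
                for svc in missing_endpoints(endpoints, region, vpc_id)]
    if not has_no_ingress(security_groups[instance_sg_id]):
        findings.append("instance security group has ingress rules; Session Manager needs none")
    if not https_only_from(security_groups[endpoint_sg_id], instance_sg_id):
        findings.append("endpoint security group must admit only TCP 443 from the instance SG")
    return findings


# --- constructed sample data (region and IDs are made up) --------------------
SAMPLE_REGION = "eu-west-1"
SAMPLE_VPC = "vpc-0example00000001"
SAMPLE_INSTANCE_SG = "sg-0example0instance"
SAMPLE_ENDPOINT_SG = "sg-0example0endpoint"


def make_endpoint(service, private_dns=True):
    """Build one describe-vpc-endpoints style record for the sample VPC."""
    return {"VpcId": SAMPLE_VPC, "VpcEndpointType": "Interface", "State": "available",
            "ServiceName": f"com.amazonaws.{SAMPLE_REGION}.{service}",
            "PrivateDnsEnabled": private_dns}


# ec2messages was created with private DNS left off: the audit should flag it.
SAMPLE_ENDPOINTS = [make_endpoint("ssm"), make_endpoint("ssmmessages"),
                    make_endpoint("ec2messages", private_dns=False)]

SAMPLE_SGS = {
    SAMPLE_INSTANCE_SG: {"GroupId": SAMPLE_INSTANCE_SG, "IpPermissions": []},
    SAMPLE_ENDPOINT_SG: {"GroupId": SAMPLE_ENDPOINT_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": SAMPLE_INSTANCE_SG}]}]},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ENDPOINTS, SAMPLE_SGS, SAMPLE_REGION, SAMPLE_VPC,
                         SAMPLE_INSTANCE_SG, SAMPLE_ENDPOINT_SG):
        print("FAIL:", finding)
```

Run against the sample data the audit reports only the ec2messages endpoint, because private DNS was left off; fixing that one flag empties the findings. The endpoint-SG check deliberately rejects CIDR-based 443 rules even when they cover the same addresses, since a rule tied to the instance security group stays correct when the subnet ranges change.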