How to configure AWS OpsWorks
Ensure any instance you create is on the approved list for AWS OpsWorks.
Ensure your IAM user has the proper policy configuration to register an instance. This can be a preexisting instance. I performed the registration via the command line, so I needed the permission: AWSOpsWorksRegisterCLI_EC2.
Next, I ran the registration command:
When you register an instance through the AWS OpsWorks console, a command will be created for you that will require some editing.
I actually removed the use-instance-profile option to allow AWS OpsWorks to create a new user for registration.
Once your instance is registered, ensure your IAM user has been uploaded to the stack in the user section.
From this page you can also edit your user, change the permissions to allow SSH access, as well as sudo permissions if necessary. Finally, you can upload your own public key to this user!
You can change your public key as you wish; this makes it easy to quickly gain access and create new keys if necessary.
Administrators should ensure proper offboarding, including deleting users who no longer require access to AWS OpsWorks. Access keys should also have lifetimes, and offboarded users should have their access keys and accounts deleted.
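One way to check the key-lifetime and offboarding rule above, as an added example that is not part of the original post: it scans a CSV in the IAM credential report layout and flags active access keys that belong to offboarded users or have passed their lifetime. The sample rows, the staff list and the 90-day lifetime are assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # assumed lifetime; the post does not set a number

# Constructed sample using a subset of the IAM credential report columns.
SAMPLE_REPORT = """user,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,true,2024-05-20T10:00:00+00:00,false,N/A
bob,true,2023-11-02T08:30:00+00:00,true,2024-06-01T09:00:00+00:00
carol,true,2024-01-15T12:00:00+00:00,false,N/A
"""


def audit_keys(report_csv, active_staff, now, max_age=MAX_KEY_AGE):
    """Return (user, key_slot, reason) for every active key that should be removed."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue  # inactive or absent keys carry "false" and "N/A"
            if row["user"] not in active_staff:
                # User is no longer on the staff list: key and account should go.
                findings.append((row["user"], slot, "offboarded"))
                continue
            rotated = datetime.fromisoformat(row[f"{slot}_last_rotated"])
            if now - rotated > max_age:
                findings.append((row["user"], slot, "expired"))
    return findings


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives the same result on every run.
    now = datetime(2024, 6, 30, tzinfo=timezone.utc)
    for user, slot, reason in audit_keys(SAMPLE_REPORT, {"alice", "bob"}, now):
        print(f"{user}\t{slot}\t{reason}")
```

Against a real account, the input would be the decoded credential report, and the staff list would come from whatever system records who currently needs access.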
If you want to register your instance with the use-instance-profile argument in the command above, you must create an instance profile as an IAM role and assign it to both the instance you are registering and the stack. (You can add it to a stack that already exists by editing its settings, or include this information in your new stack under "Default IAM Instance Profile".)
Ensure that the IAM role has permission to register an instance in OpsWorks, and is the same for the instance and the stack. AWS OpsWorks will use this profile for registration instead of creating a new one.