Centralized Windows Instances of Multiple Accounts and Cross-Platform EC2 Instances Using AWS Systems Manager

STEP 1 – Connect to your windows instance open Powerhell ISE window and use below code- which is divided into 3 sections

  1. Uninstalling of SSM Agent
  2. Registration Code
  3. Tagging Instances

# STEP 1 - Uninstalling of SSM Agent

    [switch] $removeProgramData

function Log-Info {
        [string] $message
    Write-Host("[INFO] {0}" -f $message)

function Log-Warning {
        [string] $message
    Write-Warning("{0}" -f $message)

$ServiceName = ".\\AmazonSSMAgent"
$InstalledPath = Join-Path $env:programFiles -ChildPath "Amazon" | Join-Path -ChildPath "SSM"
$CustomizedSeelog = Join-Path $InstalledPath -ChildPath "seelog.xml"
$CustomizedAppConfig = Join-Path $InstalledPath -ChildPath "amazon-ssm-agent.json"
$ProgramDataAmazonFolder = Join-Path $env:programData -ChildPath "Amazon"
$ProgramDataSSMFolder= Join-Path $ProgramDataAmazonFolder -ChildPath "SSM"

Log-Info("Uninstalling Amazon SSM Agent begins")

# Check if Amazon SSM Agent service is already installed or running
Log-Info("Checking if $ServiceName exists in Windows service")
$ExistingService = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if($ExistingService) {
    Log-Info("Checking if {0} is running as windows service" -f $ServiceName)

    # If Amazon SSM Agent service is already running or waiting, check the state
    if($ExistingService.State -in "Running", "Waiting") {
        # Stop the service if running
        Log-Info("Stopping {0} in windows service" -f $ServiceName)
        try {
            $ErrorActionPreference = "Stop";
            net stop $ServiceName
        } catch {
            $ex = $Error[0].Exception
            Log-Warning("{0}.. exit!" -f $ex)
            Exit 1

    # Delete Amazon SSM Agent service
    Log-Info("Deleting $ServiceName from service")
    $silent = $ExistingService | Invoke-CimMethod -MethodName Delete

    Start-Sleep 1

# If removeProgramData is set as argument, remove program data
Log-Info("Checking if removeProgramData argument is set")
if($removeProgramData) {
    Log-Info("Removing program data since removeProgramData is set")

    # Remove ProgramDataSSMFolder
    if(Test-Path $ProgramDataSSMFolder) {
        Log-Info("Removing SSM ProgramData directory: {0}" -f $ProgramDataSSMFolder)
        Remove-Item $ProgramDataSSMFolder -Recurse

    # Check if ProgramDataAmazonFolder is empty and if so, remove the folder as well
    if((Test-Path $ProgramDataAmazonFolder) -and ((Get-ChildItem -Path $ProgramDataAmazonFolder -Recurse | Measure-Object).Count -eq 0)) {
        Log-Info("Removing Amazon ProgramData directory: {0}" -f $ProgramDataSSMFolder)
        Remove-Item $ProgramDataAmazonFolder

# Remove files and directories excluding customized files in installed path
Log-Info("Checking if any file exists in installed path excluding customized files")
if(Test-Path $InstalledPath) {
    Log-Info("Removing files and directories excluding {0} and {1} if exists" -f $CustomizedSeelog, $CustomizedAppConfig)
    Get-ChildItem $InstalledPath | ForEach-Object {
        if($_.FullName -ne $CustomizedSeelog -and $_.FullName -ne $CustomizedAppConfig) {
            Log-Info("Removing {0}" -f $_)
            Remove-Item $_.FullName -Recurse

Log-Info("Checking if installed path is empty")
if((Test-Path $InstalledPath) -and ((Get-ChildItem -Path $InstalledPath -Recurse | Measure-Object).Count -eq 0)) {
    Log-Info("Removing $InstalledPath since it is empty")
    Remove-Item $InstalledPath

Log-Info("Uninstalling Amazon SSM Agent successfully ended!`n")

# STEP 2 - Registration of Windows Instances to move in centralized account i.e. SS Account

$code = "xxxxxxxxxxxxxxxxxxxxxxxxxxx"
$id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$region = "us-east-1"
$dir = $env:TEMP + "\ssm"
New-Item -ItemType directory -Path $dir -Force
cd $dir
(New-Object System.Net.WebClient).DownloadFile("https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/windows_amd64/AmazonSSMAgentSetup.exe", $dir + "\AmazonSSMAgentSetup.exe")
Start-Process .\AmazonSSMAgentSetup.exe -ArgumentList @("/q", "/log", "install.log", "CODE=$code", "ID=$id", "REGION=$region") -Wait
Get-Content ($env:ProgramData + "\Amazon\SSM\InstanceData\registration")
Get-Service -Name "AmazonSSMAgent"

# STEP 3 - Tagging of Windows Instances

$instanceId = Invoke-WebRequest -Uri -UseBasicParsing | Out-File -FilePath .\p2.txt
echo $instanceId
$ivalue = cat .\p2.txt | where {$_ -match "i-" }
echo $ivalue
$instid = $ivalue.Substring(20)
echo $instid
$miobject = Get-Content ($env:ProgramData + "\Amazon\SSM\InstanceData\registration") | ConvertFrom-Json
#echo $mivalue | 
#$miextract = $mivalue.substring(22)
echo $miextract
Install-Module -Scope CurrentUser -Name AWSPowerShell.NetCore -Force
Import-Module "C:\Program Files (x86)\AWS Tools\PowerShell\AWSPowerShell\AWSPowerShell.psd1"
Import-Module AWSPowerShell
$tag = New-Object Amazon.EC2.Model.Tag
$tag.key = "ManagedInstanceId"
$tag.value = $miextract
New-EC2Tag -Resource $instid -Tag $tag
$aliases=aws iam list-account-aliases --output text
$tag = New-Object Amazon.EC2.Model.Tag
$tag.key = "SourceAccount"
$tag.value = $aliases.substring(15)
New-EC2Tag -Resource $instid -Tag $tag

Tags: No tags

Add a Comment

Your email address will not be published. Required fields are marked *