Set up Amazon Systems Manager for Microsoft SCVMM
When you set up Amazon Systems Manager, users in your organization can access your Amazon resources. The process involves creating accounts, deploying the add-in, and providing your credentials.
Sign up for Amazon
When you sign up for Amazon Web Services, your Amazon account is automatically signed up for all services in Amazon. You are charged only for the services that you use.
If you have an Amazon account already, skip to the next task. If you don't have an Amazon account, see Sign up for an Amazon Web Services account for instructions on how to create one.
Set up access for users
The first time that you use Systems Manager, you must provide Amazon credentials. To enable multiple users to access the same Amazon account using unique credentials and permissions, create a separate user for each person. You can create one or more groups with policies that grant permissions to perform limited tasks. Then you can create one or more users, and add each user to the appropriate group.
To create an Administrators group
- Open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane, choose Groups and then choose Create New Group.
- In the Group Name box, specify Administrators and then choose Next Step.
- On the Attach Policy page, select the AdministratorAccess Amazon managed policy.
- Choose Next Step and then choose Create Group.
To create a group with limited access to Amazon EC2
- Open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane, choose Groups and then choose Create New Group.
- In the Group Name box, specify a meaningful name for the group and then choose Next Step.
- On the Attach Policy page, do not select an Amazon managed policy. Choose Next Step, and then choose Create Group.
- Choose the name of the group you've just created. On the Permissions tab, choose Inline Policies, and then click here.
- Select the Custom Policy radio button and then choose Select.
- Enter a name for the policy and a policy document that grants limited access to Amazon EC2, and then choose Apply Policy. For example, you can specify one of the following custom policies.

  Grant users in this group permission to view information about EC2 instances only

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:Describe*",
          "iam:ListInstanceProfiles"
        ],
        "Resource": "*"
      }
    ]
  }
  ```

  Grant users in this group permission to perform all operations on EC2 instances that are supported by the add-in

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "iam:ListInstanceProfiles",
          "ec2:Describe*",
          "ec2:CreateKeyPair",
          "ec2:CreateTags",
          "ec2:DeleteTags",
          "ec2:RunInstances",
          "ec2:GetPasswordData",
          "ec2:RebootInstances",
          "ec2:StartInstances",
          "ec2:StopInstances",
          "ec2:TerminateInstances"
        ],
        "Resource": "*"
      }
    ]
  }
  ```

  Grant users in this group permission to import a VM to Amazon EC2

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "s3:ListAllMyBuckets",
          "s3:CreateBucket",
          "s3:DeleteBucket",
          "s3:DeleteObject",
          "s3:GetBucketLocation",
          "s3:GetObject",
          "s3:ListBucket",
          "s3:PutObject",
          "ec2:DescribeTags",
          "ec2:CancelConversionTask",
          "ec2:DescribeConversionTasks",
          "ec2:DescribeInstanceAttribute",
          "ec2:CreateImage",
          "ec2:AttachVolume",
          "ec2:ImportInstance",
          "ec2:ImportVolume",
          "dynamodb:DescribeTable",
          "dynamodb:CreateTable",
          "dynamodb:Scan",
          "dynamodb:PutItem",
          "dynamodb:UpdateItem"
        ],
        "Resource": "*"
      }
    ]
  }
  ```
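An added example (not part of the original page): a small Python check that reports which mutating actions a policy allows on every resource, run over the first two custom policies above and a constructed tag-scoped variant. The read/write split by action-name prefix, the helper names and the Team=scvmm tag are assumptions made for illustration.

```python
import json

READ_VERBS = ("Describe", "Get", "List", "Scan")  # assumption: name-based heuristic

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def unscoped_writes(policy_json):
    """Mutating actions allowed on Resource "*" with no Condition block."""
    found = set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # Deny statements and conditioned Allows are out of scope here
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # resource list is already narrowed to specific ARNs
        for action in _as_list(stmt.get("Action", [])):
            if not action.split(":", 1)[-1].startswith(READ_VERBS):
                found.add(action)
    return sorted(found)

def allow(actions, condition=None):
    """Build one Allow statement on Resource "*", the shape the page's policies use."""
    stmt = {"Effect": "Allow", "Action": actions, "Resource": "*"}
    if condition:
        stmt["Condition"] = condition
    return stmt

def policy(*statements):
    """Wrap statements in a policy document and serialise it to JSON."""
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})

READS = ["iam:ListInstanceProfiles", "ec2:Describe*"]
LIFECYCLE = ["ec2:RebootInstances", "ec2:StartInstances", "ec2:StopInstances",
             "ec2:TerminateInstances"]
OTHER = ["ec2:CreateKeyPair", "ec2:CreateTags", "ec2:DeleteTags",
         "ec2:RunInstances", "ec2:GetPasswordData"]

VIEW_ONLY = policy(allow(["ec2:Describe*", "iam:ListInstanceProfiles"]))
ALL_OPS = policy(allow(READS + OTHER + LIFECYCLE))  # the page's second policy
# Constructed variant: lifecycle calls only on instances tagged Team=scvmm (made-up tag).
TAG_SCOPED = policy(allow(READS + OTHER),
                    allow(LIFECYCLE, {"StringEquals": {"ec2:ResourceTag/Team": "scvmm"}}))

if __name__ == "__main__":
    for name in ("VIEW_ONLY", "ALL_OPS", "TAG_SCOPED"):
        print(name, unscoped_writes(globals()[name]))
```

In the tag-scoped variant ec2:CreateTags and ec2:DeleteTags still apply to every instance, so the tag condition only works as a boundary once tagging is restricted as well.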
To create a user, get the user's Amazon credentials, and grant the user permissions
Users need programmatic access if they want to interact with Amazon outside of the Amazon Web Services Management Console. The Amazon APIs and the Amazon Command Line Interface require access keys. Whenever possible, create temporary credentials that consist of an access key ID, a secret access key, and a security token that indicates when the credentials expire.
To grant users programmatic access, choose one of the following options.
Which user needs programmatic access? | To | By |
---|---|---|
IAM | Use short-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs). | Following the instructions in Using temporary credentials with Amazon resources in the IAM User Guide. |
IAM | (Not recommended) Use long-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs). | Following the instructions in Managing access keys for IAM users in the IAM User Guide. |
Deploy the add-in
Add-ins for System Center VMM are distributed as .zip files.
To deploy the add-in, use the following procedure.
To deploy the add-in
- From your instance, go to Amazon Systems Manager for Microsoft System Center Virtual Machine Manager and click SCVMM. Save the aws-systems-manager-1.5.zip file to your instance.
- Open the VMM console.
- In the navigation pane, click Settings and then click Console Add-Ins.
- On the ribbon, click Import Console Add-in.
- On the Select an Add-in page, click Browse and select the aws-systems-manager-1.5.zip file for the add-in that you downloaded.
- Ignore any warnings that there are assemblies in the add-in that are not signed by a trusted authority. Select Continue installing this add-in anyway and then click Next.
- On the Summary page, click Finish.
- When the add-in is imported, the status of the job is Completed. You can close the Jobs window.
Provide your Amazon credentials
When you use the Systems Manager for the first time, you must provide your Amazon credentials. Your access keys identify you to Amazon. There are two types of access keys: access key IDs (for example, AKIAIOSFODNN7EXAMPLE) and secret access keys (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). You should have stored your access keys in a safe place when you received them.
To provide your Amazon credentials
- Open the VMM console.
- In the navigation pane, click VMs and Services.
- On the ribbon, click Amazon EC2.
- On the Credentials tab, specify your Amazon credentials, select a default region, and then click Save.
To change these credentials at any time, click Configuration.