{"id":25050657,"url":"https://github.com/steadybit/extension-aws","last_synced_at":"2026-03-10T09:06:19.156Z","repository":{"id":53838805,"uuid":"516022473","full_name":"steadybit/extension-aws","owner":"steadybit","description":"A Steadybit discovery and action implementation to inject faults into various AWS services.","archived":false,"fork":false,"pushed_at":"2026-03-02T02:31:45.000Z","size":14846,"stargazers_count":9,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-03-02T05:14:27.817Z","etag":null,"topics":["attack","aws","chaos","chaos-engineering","cloud","lambda","rds","resilience"],"latest_commit_sha":null,"homepage":"https://hub.steadybit.com/extension/com.steadybit.extension_aws","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/steadybit.png","metadata":{"files":{"readme":"README-ecs-ssm-setup.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-07-20T14:49:21.000Z","updated_at":"2026-03-02T02:31:42.000Z","dependencies_parsed_at":"2025-11-27T08:31:49.183Z","dependency_job_id":null,"html_url":"https://github.com/steadybit/extension-aws","commit_stats":null,"previous_names":[],"tags_count":124,"template":false,"template_full_name":null,"purl":"pkg:github/steadybit/extension-aws","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steadybit%2Fextension-aws","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steadybit%2Fextension-aws/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steadybit%2Fextension-aws/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steadybit%2Fextension-aws/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/steadybit","download_url":"https://codeload.github.com/steadybit/extension-aws/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steadybit%2Fextension-aws/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30328280,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-10T05:25:20.737Z","status":"ssl_error","status_checked_at":"2026-03-10T05:25:17.430Z","response_time":106,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attack","aws","chaos","chaos-engineering","cloud","lambda","rds","resilience"],"created_at":"2025-02-06T09:17:19.167Z","updated_at":"2026-03-10T09:06:19.143Z","avatar_url":"https://github.com/steadybit.png","language":"Go","readme":"# Setup for ECS Task attacks using the SSM\n\nThe SSM agent performs the stress CPU/memory/IO, Fill Disk and network attacks on ECS.\nYou must add the SSM agent to your ECS Task Definitions and deploy it with your application in the same ECS Task.\nThis is not performed by the extension-aws to not trigger an unanticipated restart of your ECS Tasks.\n\nTo execute attacks the targeted task must support fault injections by setting the `enableFaultInjection` property to `true`.\nFurthermore, network attacks and the stop process attack require the task to set `pidMode` to `task` and `networkMode` to a value other than `bridge`.\n\nThis setup is the same as you would use for [AWS FIS on ECS Tasks](https://docs.aws.amazon.com/fis/latest/userguide/ecs-task-actions.html).\n\nPlease note that the SSM agent is not supported on Windows containers or Tasks with the ECS's `execute command` feature enabled.\n\nAlso make sure the extension is granted the [necessary permissions](./README.md#ecs-permissions).\n\n## 1. IAM Role for the SSM Managed Instance\n\nThe SSM agent will register in the SSM as a managed instance and needs an IAM role to do so.\nCreate a role with the [AmazonSSMManagedInstanceCore](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) managed policy attached and add the following policies:\n\n```json\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ssm:DeleteActivation\"\n\t\t\t],\n\t\t\t\"Resource\": \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ssm:DeregisterManagedInstance\"\n\t\t\t],\n\t\t\t\"Resource\": \"arn:aws:ssm:*:*:managed-instance/*\"\n\t\t}\n\t]\n}\n```\n\n## 2. SSM IAM Permissions for the ECS Task Role\n\nAdd the following policy to the ECS Task Role used to run the tasks (! this is not the same role used by the extension).\nSpecify the ARN of the role created in step 1 in the Resource section.\n\n```json{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"ssm:AddTagsToResource\",\n                \"ssm:CreateActivation\"\n            ],\n            \"Resource\": \"*\"\n        },\n        {\n            \"Sid\": \"Statement2\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"iam:PassRole\"\n            ],\n            \"Resource\": \"\u003creplace with the ARN from step 1\u003e\"\n        }\n    ]\n}\n```\n\n## 3. Add the SSM agent container to your ECS Task Definition\n\nAdd the ss-agent container to your ECS Task Definition.\nSpecify the ARN of the role created in step 1 for the `MANAGED_INSTANCE_ROLE_NAME` environment variable section.\n\n[Readable version of the script executed by this container](https://docs.aws.amazon.com/fis/latest/userguide/ecs-task-actions.html#ecs-task-reference)\n\n```json\n{\n    \"name\": \"amazon-ssm-agent\",\n    \"image\": \"public.ecr.aws/amazon-ssm-agent/amazon-ssm-agent:latest\",\n    \"cpu\": 0,\n    \"links\": [],\n    \"portMappings\": [],\n    \"essential\": false,\n    \"entryPoint\": [],\n    \"command\": [\n\t\t\t\"/bin/bash\",\n\t\t\t\"-c\",\n\t\t\t\"set -e; dnf upgrade -y; dnf install jq procps awscli -y; term_handler() { echo \\\"Deleting SSM activation $ACTIVATION_ID\\\"; if ! aws ssm delete-activation --activation-id $ACTIVATION_ID --region $ECS_TASK_REGION; then echo \\\"SSM activation $ACTIVATION_ID failed to be deleted\\\" 1\u003e\u00262; fi; MANAGED_INSTANCE_ID=$(jq -e -r .ManagedInstanceID /var/lib/amazon/ssm/registration); echo \\\"Deregistering SSM Managed Instance $MANAGED_INSTANCE_ID\\\"; if ! aws ssm deregister-managed-instance --instance-id $MANAGED_INSTANCE_ID --region $ECS_TASK_REGION; then echo \\\"SSM Managed Instance $MANAGED_INSTANCE_ID failed to be deregistered\\\" 1\u003e\u00262; fi; kill -SIGTERM $SSM_AGENT_PID; }; trap term_handler SIGTERM SIGINT; if [[ -z $MANAGED_INSTANCE_ROLE_NAME ]]; then echo \\\"Environment variable MANAGED_INSTANCE_ROLE_NAME not set, exiting\\\" 1\u003e\u00262; exit 1; fi; if ! ps ax | grep amazon-ssm-agent | grep -v grep \u003e /dev/null; then if [[ -n $ECS_CONTAINER_METADATA_URI_V4 ]] ; then echo \\\"Found ECS Container Metadata, running activation with metadata\\\"; TASK_METADATA=$(curl \\\"${ECS_CONTAINER_METADATA_URI_V4}/task\\\"); ECS_TASK_AVAILABILITY_ZONE=$(echo $TASK_METADATA | jq -e -r '.AvailabilityZone'); ECS_TASK_ARN=$(echo $TASK_METADATA | jq -e -r '.TaskARN'); ECS_TASK_REGION=$(echo $ECS_TASK_AVAILABILITY_ZONE | sed 's/.$//'); ECS_TASK_AVAILABILITY_ZONE_REGEX='^(af|ap|ca|cn|eu|me|sa|us|us-gov)-(central|north|(north(east|west))|south|south(east|west)|east|west)-[0-9]{1}[a-z]{1}$'; if ! [[ $ECS_TASK_AVAILABILITY_ZONE =~ $ECS_TASK_AVAILABILITY_ZONE_REGEX ]]; then echo \\\"Error extracting Availability Zone from ECS Container Metadata, exiting\\\" 1\u003e\u00262; exit 1; fi; ECS_TASK_ARN_REGEX='^arn:(aws|aws-cn|aws-us-gov):ecs:[a-z0-9-]+:[0-9]{12}:task/[a-zA-Z0-9_-]+/[a-zA-Z0-9]+$'; if ! [[ $ECS_TASK_ARN =~ $ECS_TASK_ARN_REGEX ]]; then echo \\\"Error extracting Task ARN from ECS Container Metadata, exiting\\\" 1\u003e\u00262; exit 1; fi; CREATE_ACTIVATION_OUTPUT=$(aws ssm create-activation --iam-role $MANAGED_INSTANCE_ROLE_NAME --tags Key=ECS_TASK_AVAILABILITY_ZONE,Value=$ECS_TASK_AVAILABILITY_ZONE Key=ECS_TASK_ARN,Value=$ECS_TASK_ARN Key=FAULT_INJECTION_SIDECAR,Value=true --region $ECS_TASK_REGION); ACTIVATION_CODE=$(echo $CREATE_ACTIVATION_OUTPUT | jq -e -r .ActivationCode); ACTIVATION_ID=$(echo $CREATE_ACTIVATION_OUTPUT | jq -e -r .ActivationId); if ! amazon-ssm-agent -register -code $ACTIVATION_CODE -id $ACTIVATION_ID -region $ECS_TASK_REGION; then echo \\\"Failed to register with AWS Systems Manager (SSM), exiting\\\" 1\u003e\u00262; exit 1; fi; amazon-ssm-agent \u0026 SSM_AGENT_PID=$!; wait $SSM_AGENT_PID; else echo \\\"ECS Container Metadata not found, exiting\\\" 1\u003e\u00262; exit 1; fi; else echo \\\"SSM agent is already running, exiting\\\" 1\u003e\u00262; exit 1; fi\"\n    ],\n    \"environment\": [\n        {\n            \"name\": \"MANAGED_INSTANCE_ROLE_NAME\",\n            \"value\": \"\u003creplace with the ARN from step 1\u003e\"\n        }\n    ],\n    \"environmentFiles\": [],\n    \"mountPoints\": [],\n    \"volumesFrom\": [],\n    \"secrets\": [],\n    \"dnsServers\": [],\n    \"dnsSearchDomains\": [],\n    \"extraHosts\": [],\n    \"dockerSecurityOptions\": [],\n    \"dockerLabels\": {},\n    \"ulimits\": [],\n    \"logConfiguration\": {},\n    \"systemControls\": []\n}\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsteadybit%2Fextension-aws","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsteadybit%2Fextension-aws","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsteadybit%2Fextension-aws/lists"}