Forum Discussion

Alladinsane
Jan 15, 2025

Can SSM Agent run on EC2 with BEST license?

I am setting up F5 on AWS, using a BEST licensed AMI from the Marketplace. I wanted to be able to manage the instance via Systems Manager. In order for EC2 instances to communicate via SSM, I must install the ssm-agent, which is not installed on the Marketplace AMI.

However, I have discovered that the BEST AMI has FIPS protection; installing the ssm-agent triggers critical warnings, and my system becomes unavailable after a reboot.

So far, the articles here have pointed to "downgrading" to a license that does not have FIPS as the only way to disable it entirely. However, WAF is a requirement for me, and only appears to be available in the BEST license. 

Is there a license that has Web Application Firewall but no (or a less restrictive) FIPS, or a way to allow SSM on a FIPS-protected machine? It is the ssm commands that are installed in /usr/bin that trigger the alert.

  • Thank you for posting your questions. I see your question has been up for some time without a response, and while I do not have an exact answer for you, I would suggest speaking with our F5 products and services team; they will be able to determine the best license for your needs. If you visit the sales page, that will allow you to submit your question directly to the proper team, and they will reach out to assist.

  • f51

    Running the AWS Systems Manager (SSM) Agent on an F5 BIG-IP instance with a BEST license and FIPS protection can indeed be challenging, as you've encountered. The BEST license includes advanced features such as WAF (Web Application Firewall) and FIPS compliance, which imposes stricter security measures that may conflict with the SSM Agent.

    If you need both WAF and less restrictive FIPS settings, you might need to explore different licensing options or configurations. However, F5 does not typically offer a license that combines WAF without the stricter FIPS requirements under the BEST tier. You may need to contact F5 sales directly to discuss custom licensing options or configurations that meet your needs.