Amazon Onboarding with Learning Manager Chanci Turner

I am thrilled to share that developers can now programmatically turn Apple System Integrity Protection (SIP) off, and back on, for their Amazon EC2 Mac instances. SIP, also referred to as rootless, is a security feature Apple introduced in OS X El Capitan (version 10.11, 2015). It protects the system from potentially harmful software by restricting what the root user account is allowed to do. SIP is enabled by default on macOS.

SIP protects the system by preventing modification of protected files and folders, limiting access to system-owned files and directories, and preventing unauthorized software from selecting a startup disk. Its purpose is to address the risk of unrestricted root access, which would let malware take full control of a device with a single password or a single vulnerability. This matters because many macOS users run under administrator accounts, sometimes with weak or empty passwords.

While SIP is effective against malware in daily use, developers occasionally need to disable it temporarily for development and testing. For instance, developing new device drivers or system extensions requires turning SIP off to install and test the code. SIP may also block access to system settings a program depends on. Temporarily disabling SIP gives the developer the permissions needed to adapt the program to macOS. Keep in mind that this is like briefly unlocking a vault door for authorized maintenance, not leaving it open indefinitely.

Previously, disabling SIP required physical access to the Mac: restart into recovery mode, disable SIP with the csrutil command line tool, then restart the machine again. An EC2 Mac instance offers no such access.

This is no longer the case. You can now enable or disable SIP on your Amazon EC2 Mac instances whenever you need to. Let's look at how it works.

Imagine I have an Amazon EC2 Mac instance running, specifically a mac2-m2.metal instance powered by an Apple silicon M2 processor. Changing the SIP status is as simple as calling a new EC2 API, CreateMacSystemIntegrityProtectionModificationTask. The API is asynchronous: it starts the process of changing SIP on the instance, and I can follow its progress with another new EC2 API, DescribeMacModificationTasks. Apart from the ec2-user credentials set up below, the only input I need is the instance ID of the machine to manage.

Prerequisites

On Apple silicon-based EC2 Mac instances (and newer instance types), before calling the new API I must set a password for ec2-user and enable a secure token for that user on macOS. This requires connecting to the instance and running two commands in the terminal.

# on the target EC2 Mac instance
# Set a password for the ec2-user user
~ % sudo /usr/bin/dscl . -passwd /Users/ec2-user
New Password: (MyNewPassw0rd)

# Enable secure token, with the same password, for the ec2-user
# old password is the one you just set with dscl
~ % sysadminctl -newPassword MyNewPassw0rd -oldPassword MyNewPassw0rd
2025-03-05 13:16:57.261 sysadminctl[3993:3033024] Attempting to change password for ec2-user…
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] SecKeychainCopyLogin returned -25294
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] Failed to update keychain password (-25294)
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] - Done

The keychain error is expected: I never logged in through the GUI on this machine, so the login keychain does not exist, and the error can be ignored. (Passing a single dash in place of either password makes sysadminctl prompt for it interactively instead of leaving it in the shell history.) To confirm that the secure token is ENABLED, I run the following command:

~ % sysadminctl -secureTokenStatus ec2-user
2025-03-05 13:18:12.456 sysadminctl[4017:3033614] Secure token is ENABLED for user ec2-user

Changing the SIP status

I don't need to log into the machine to toggle the SIP status; I only need its instance ID. I open a terminal on my laptop and use the AWS Command Line Interface (AWS CLI) to find the Amazon EC2 Mac instance ID:

aws ec2 describe-instances \
  --query "Reservations[].Instances[?InstanceType == 'mac2-m2.metal'].InstanceId" \
  --output text

This command returns the instance ID, for example: i-012a5de8da47bdff7. Now, still from the terminal on my laptop, I disable SIP by executing the create-mac-system-integrity-protection-modification-task command. The credentials go in a temporary file passed with file:// rather than on the command line, so they do not land in the shell history; note that the trailing && rm only deletes the file when the call succeeds, so remove it yourself if the command fails:

echo '{"rootVolumeUsername":"ec2-user","rootVolumePassword":"MyNewPassw0rd"}' > tmpCredentials
aws ec2 create-mac-system-integrity-protection-modification-task \
  --instance-id "i-012a5de8da47bdff7" \
  --mac-credentials file://./tmpCredentials \
  --mac-system-integrity-protection-status "disabled" && rm tmpCredentials

After starting the task, I can check its status with the aws ec2 describe-mac-modification-tasks command. The instance goes through a series of reboots, during which it is unreachable; the whole process can take 60 to 90 minutes. Once the console shows the instance as available again, I connect to it over SSH or EC2 Instance Connect, just as usual.

➜  ~ ssh ec2-user@54.99.9.99
Warning: Permanently added '54.99.9.99' (ED25519) to the list of known hosts.
Last login: Mon Feb 26 08:52:42 2024 from 1.1.1.1

    ┌───┬──┐   __|  __|_  )
    │ ╷╭╯╷ │   _|  (     /
    │  └╮  │  ___|___|___|
    │ ╰─┼╯ │  Amazon EC2
    └───┴──┘  macOS Sonoma 14.3.1

➜  ~ uname -a
Darwin Mac-mini.local 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:30:27 PST 2023; root:xnu-10002.81.5~7/RELEASE_ARM64_T8103 arm64

➜ ~ csrutil --status 
System Integrity Protection status: disabled.
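As an added example that is not part of the original post or of AWS's own tooling, the following script runs the whole procedure above from the laptop: it builds the credentials document (escaping quotes and backslashes), keeps it in a mode-0600 temporary file that is removed on every exit path, starts the task, polls DescribeMacModificationTasks until the task reaches a terminal state, and then checks csrutil status over SSH. It also includes the check for the secure-token output from the Prerequisites section. It assumes AWS CLI v2 with the two new commands; the response field names MacModificationTask.MacModificationTaskId and MacModificationTasks[].TaskState and the task states successful, failed, in-progress and pending are taken from the EC2 API reference, so confirm them against your CLI version with aws ec2 describe-mac-modification-tasks help. The instance ID and host on the usage line are placeholders.

```sh
#!/bin/sh
# Added example, not code from the original post or from AWS. Drives the SIP change
# from a laptop end to end. Assumes AWS CLI v2 with the two new commands and the
# output field names from the EC2 API reference (MacModificationTask.MacModificationTaskId,
# MacModificationTasks[].TaskState); verify with "aws ec2 describe-mac-modification-tasks help".
set -eu

# Escape the two characters that break a JSON string literal; the --mac-credentials
# parameter takes this document via file://. (Control characters are not handled.)
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

creds_json() {   # $1 = username, $2 = password
    printf '{"rootVolumeUsername":"%s","rootVolumePassword":"%s"}' \
        "$(json_escape "$1")" "$(json_escape "$2")"
}

# Map the task state reported by DescribeMacModificationTasks to an action.
classify_task_state() {
    case "$1" in
        successful)          echo done ;;
        failed)              echo failed ;;
        pending|in-progress) echo running ;;
        *)                   echo unknown ;;
    esac
}

# True when "sysadminctl -secureTokenStatus <user>" output (it logs to stderr, so
# capture it with 2>&1) reports the token as enabled: the precondition for the API.
secure_token_enabled() {
    printf '%s\n' "$1" | grep -q 'Secure token is ENABLED for user'
}

# True when "csrutil status" output reports the expected state (enabled|disabled).
sip_status_matches() {   # $1 = csrutil output, $2 = expected state
    case "$1" in
        *"Protection status: $2"*) return 0 ;;
        *)                          return 1 ;;
    esac
}

wait_for_task() {   # $1 = task id; the reboots take 60-90 minutes, so poll slowly
    tries=0
    while [ "$tries" -lt 30 ]; do
        state=$(aws ec2 describe-mac-modification-tasks \
            --mac-modification-task-ids "$1" \
            --query 'MacModificationTasks[0].TaskState' --output text)
        case "$(classify_task_state "$state")" in
            done)   return 0 ;;
            failed) echo "task $1 failed" >&2; return 1 ;;
            *)      echo "task $1: $state" >&2; sleep 300 ;;
        esac
        tries=$((tries + 1))
    done
    echo "gave up waiting for task $1" >&2
    return 1
}

toggle_sip() {   # $1 = instance id, $2 = enabled|disabled, $3 = ssh host
    # Read the password from the terminal: it never appears in ps or shell history.
    printf 'ec2-user password: ' >&2
    [ -t 0 ] && stty -echo
    read -r pass
    [ -t 0 ] && stty echo
    echo >&2
    # mktemp creates the file mode 0600; the trap removes it on every exit path,
    # unlike "&& rm", which leaves the password on disk when the API call fails.
    creds=$(mktemp "${TMPDIR:-/tmp}/maccreds.XXXXXX")
    trap 'rm -f "$creds"' EXIT INT TERM
    creds_json ec2-user "$pass" > "$creds"
    task_id=$(aws ec2 create-mac-system-integrity-protection-modification-task \
        --instance-id "$1" \
        --mac-credentials "file://$creds" \
        --mac-system-integrity-protection-status "$2" \
        --query 'MacModificationTask.MacModificationTaskId' --output text)
    rm -f "$creds"
    echo "started task $task_id" >&2
    wait_for_task "$task_id"
    # The instance is reachable again only once the task is done; confirm on the host.
    sip_status_matches "$(ssh "ec2-user@$3" csrutil status)" "$2"
}

# Usage (placeholders): sh sip_toggle.sh run i-0123456789abcdef0 disabled 54.99.9.99
case "${1:-}" in
    run) [ "$#" -eq 4 ] || { echo "usage: $0 run <instance-id> <enabled|disabled> <host>" >&2; exit 64; }
         toggle_sip "$2" "$3" "$4" ;;
esac
```

Before calling the API, the secure-token output from the instance (sysadminctl -secureTokenStatus ec2-user 2>&1, run over SSH) can be piped into secure_token_enabled so the task is not started against a user that does not meet the precondition. The same script re-enables SIP afterwards by passing enabled instead of disabled, which is the step that should follow every maintenance window.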

When to disable SIP

Disabling SIP should be approached with caution, as it exposes the system to potential security risks. However, as previously mentioned, you may need to disable SIP when developing device drivers or kernel extensions for macOS. Some older applications may also not function correctly when SIP is turned on.

Disabling SIP is also required to turn off Spotlight indexing. Spotlight is great for quickly locating apps, documents, and emails on a desktop Mac, but it is rarely wanted on a build server.
