CreateMacSystemIntegrityProtectionModificationTaskCommand

Suggest an Edit

Creates a System Integrity Protection (SIP) modification task to configure the SIP settings for an x86 Mac instance or Apple silicon Mac instance. For more information, see Configure SIP for Amazon EC2 instances  in the Amazon EC2 User Guide.

When you configure the SIP settings for your instance, you can either enable or disable all SIP settings, or you can specify a custom SIP configuration that selectively enables or disables specific SIP settings.

If you implement a custom configuration, connect to the instance and verify the settings  to ensure that your requirements are properly implemented and functioning as intended.

SIP configurations might change with macOS updates. We recommend that you review custom SIP settings after any macOS version upgrade to ensure continued compatibility and proper functionality of your security configurations.

To enable or disable all SIP settings, use the MacSystemIntegrityProtectionStatus parameter only. For example, to enable all SIP settings, specify the following:

  • MacSystemIntegrityProtectionStatus=enabled

To specify a custom configuration that selectively enables or disables specific SIP settings, use the MacSystemIntegrityProtectionStatus parameter to enable or disable all SIP settings, and then use the MacSystemIntegrityProtectionConfiguration parameter to specify exceptions. In this case, the exceptions you specify for MacSystemIntegrityProtectionConfiguration override the value you specify for MacSystemIntegrityProtectionStatus. For example, to enable all SIP settings, except NvramProtections, specify the following:

  • MacSystemIntegrityProtectionStatus=enabled

  • MacSystemIntegrityProtectionConfigurationRequest "NvramProtections=disabled"

Example Syntax

Use a bare-bones client and the command you need to make an API call.

import { EC2Client, CreateMacSystemIntegrityProtectionModificationTaskCommand } from "@aws-sdk/client-ec2"; // ES Modules import
// const { EC2Client, CreateMacSystemIntegrityProtectionModificationTaskCommand } = require("@aws-sdk/client-ec2"); // CommonJS import
const client = new EC2Client(config);
const input = { // CreateMacSystemIntegrityProtectionModificationTaskRequest
  ClientToken: "STRING_VALUE",
  DryRun: true || false,
  InstanceId: "STRING_VALUE", // required
  MacCredentials: "STRING_VALUE",
  MacSystemIntegrityProtectionConfiguration: { // MacSystemIntegrityProtectionConfigurationRequest
    AppleInternal: "enabled" || "disabled",
    BaseSystem: "enabled" || "disabled",
    DebuggingRestrictions: "enabled" || "disabled",
    DTraceRestrictions: "enabled" || "disabled",
    FilesystemProtections: "enabled" || "disabled",
    KextSigning: "enabled" || "disabled",
    NvramProtections: "enabled" || "disabled",
  },
  MacSystemIntegrityProtectionStatus: "enabled" || "disabled", // required
  TagSpecifications: [ // TagSpecificationList
    { // TagSpecification
      ResourceType: "capacity-reservation" || "client-vpn-endpoint" || "customer-gateway" || "carrier-gateway" || "coip-pool" || "declarative-policies-report" || "dedicated-host" || "dhcp-options" || "egress-only-internet-gateway" || "elastic-ip" || "elastic-gpu" || "export-image-task" || "export-instance-task" || "fleet" || "fpga-image" || "host-reservation" || "image" || "import-image-task" || "import-snapshot-task" || "instance" || "instance-event-window" || "internet-gateway" || "ipam" || "ipam-pool" || "ipam-scope" || "ipv4pool-ec2" || "ipv6pool-ec2" || "key-pair" || "launch-template" || "local-gateway" || "local-gateway-route-table" || "local-gateway-virtual-interface" || "local-gateway-virtual-interface-group" || "local-gateway-route-table-vpc-association" || "local-gateway-route-table-virtual-interface-group-association" || "natgateway" || "network-acl" || "network-interface" || "network-insights-analysis" || "network-insights-path" || "network-insights-access-scope" || "network-insights-access-scope-analysis" || "outpost-lag" || "placement-group" || "prefix-list" || "replace-root-volume-task" || "reserved-instances" || "route-table" || "security-group" || "security-group-rule" || "service-link-virtual-interface" || "snapshot" || "spot-fleet-request" || "spot-instances-request" || "subnet" || "subnet-cidr-reservation" || "traffic-mirror-filter" || "traffic-mirror-session" || "traffic-mirror-target" || "transit-gateway" || "transit-gateway-attachment" || "transit-gateway-connect-peer" || "transit-gateway-multicast-domain" || "transit-gateway-policy-table" || "transit-gateway-route-table" || "transit-gateway-route-table-announcement" || "volume" || "vpc" || "vpc-endpoint" || "vpc-endpoint-connection" || "vpc-endpoint-service" || "vpc-endpoint-service-permission" || "vpc-peering-connection" || "vpn-connection" || "vpn-gateway" || "vpc-flow-log" || "capacity-reservation-fleet" || "traffic-mirror-filter-rule" || "vpc-endpoint-connection-device-type" || "verified-access-instance" || "verified-access-group" || "verified-access-endpoint" || "verified-access-policy" || "verified-access-trust-provider" || "vpn-connection-device-type" || "vpc-block-public-access-exclusion" || "route-server" || "route-server-endpoint" || "route-server-peer" || "ipam-resource-discovery" || "ipam-resource-discovery-association" || "instance-connect-endpoint" || "verified-access-endpoint-target" || "ipam-external-resource-verification-token" || "capacity-block" || "mac-modification-task",
      Tags: [ // TagList
        { // Tag
          Key: "STRING_VALUE",
          Value: "STRING_VALUE",
        },
      ],
    },
  ],
};
const command = new CreateMacSystemIntegrityProtectionModificationTaskCommand(input);
const response = await client.send(command);
// { // CreateMacSystemIntegrityProtectionModificationTaskResult
//   MacModificationTask: { // MacModificationTask
//     InstanceId: "STRING_VALUE",
//     MacModificationTaskId: "STRING_VALUE",
//     MacSystemIntegrityProtectionConfig: { // MacSystemIntegrityProtectionConfiguration
//       AppleInternal: "enabled" || "disabled",
//       BaseSystem: "enabled" || "disabled",
//       DebuggingRestrictions: "enabled" || "disabled",
//       DTraceRestrictions: "enabled" || "disabled",
//       FilesystemProtections: "enabled" || "disabled",
//       KextSigning: "enabled" || "disabled",
//       NvramProtections: "enabled" || "disabled",
//       Status: "enabled" || "disabled",
//     },
//     StartTime: new Date("TIMESTAMP"),
//     Tags: [ // TagList
//       { // Tag
//         Key: "STRING_VALUE",
//         Value: "STRING_VALUE",
//       },
//     ],
//     TaskState: "successful" || "failed" || "in-progress" || "pending",
//     TaskType: "sip-modification" || "volume-ownership-delegation",
//   },
// };

CreateMacSystemIntegrityProtectionModificationTaskCommand Input

See CreateMacSystemIntegrityProtectionModificationTaskCommandInput for more details

Parameter
Type
Description
InstanceId
Required
string | undefined

The ID of the Amazon EC2 Mac instance.

MacSystemIntegrityProtectionStatus
Required
MacSystemIntegrityProtectionSettingStatus | undefined

Specifies the overall SIP status for the instance. To enable all SIP settings, specify enabled. To disable all SIP settings, specify disabled.

ClientToken
string | undefined

Unique, case-sensitive identifier that you provide to ensure the idempotency of the request. For more information, see Ensuring Idempotency .

DryRun
boolean | undefined

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

MacCredentials
string | undefined

[Apple silicon Mac instances only] Specifies the following credentials:

  • Internal disk administrative user

    • Username - Only the default administrative user (aws-managed-user) is supported and it is used by default. You can't specify a different administrative user.

    • Password - If you did not change the default password for aws-managed-user, specify the default password, which is blank. Otherwise, specify your password.

  • Amazon EBS root volume administrative user

    • Username - If you did not change the default administrative user, specify ec2-user. Otherwise, specify the username for your administrative user.

    • Password - Specify the password for the administrative user.

The credentials must be specified in the following JSON format:

{ "internalDiskPassword":"internal-disk-admin_password", "rootVolumeUsername":"root-volume-admin_username", "rootVolumepassword":"root-volume-admin_password" }

MacSystemIntegrityProtectionConfiguration
MacSystemIntegrityProtectionConfigurationRequest | undefined

Specifies the overrides to selectively enable or disable individual SIP settings. The individual settings you specify here override the overall SIP status you specify for MacSystemIntegrityProtectionStatus.

TagSpecifications
TagSpecification[] | undefined

Specifies tags to apply to the SIP modification task.

CreateMacSystemIntegrityProtectionModificationTaskCommand Output

See CreateMacSystemIntegrityProtectionModificationTaskCommandOutput for details

Parameter
Type
Description
$metadata
Required
ResponseMetadata
Metadata pertaining to this request.
MacModificationTask
MacModificationTask | undefined

Information about the SIP modification task.

Throws

Name
Fault
Details
EC2ServiceException
Base exception class for all service exceptions from EC2 service.