Run Command

  • Systems Manager service that lets you remotely perform sysadmin tasks on your on-premises and EC2 instances without opening RDP or SSH sessions. You can also keep an audit log of who ran what on your instances.
  • Managed instance: an instance that Systems Manager can act on; it requires the SSM agent to be installed together with an IAM role.
  • SSM Document: a series of instructions to be performed in sequence; it can be a bespoke or a predefined document. Documents can be shared across accounts.
  • Command invocation: the instantiation of a command on a single instance. You can view its status and output.
  • Use cases
    • Monitoring your systems: memory and disk utilisation, etc.
    • Joining your Windows instances to a domain
    • On-demand patching
    • Deploying code to your instances
    • Starting/stopping processes, or even bootstrapping your instance
    • User and account management, e.g. creating local users
  • Fully managed by AWS with no additional tasks.
  • You can configure CloudTrail audit logs and any type of notification, using CloudFormation logs etc.
  • Commands at Scale
    • How to install Apache on a fleet of servers: use the max-concurrency and max-errors features. Setting values for these ensures the command is not applied to every server at once, in case there is a problem with the command.
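An added example (not from these notes or from AWS) of such a staged rollout with boto3: the request builder shows the max-concurrency/max-errors parameters, tag-based targeting and S3 output capture for the audit trail. The tag Role=web, the bucket name and the package commands are placeholders, and boto3 is assumed to be installed with credentials allowed to call ssm:SendCommand, ssm:ListCommands and ssm:ListCommandInvocations.

```python
import time


def build_send_command_request(tag_key, tag_value, commands, max_concurrency,
                               max_errors, output_bucket=None):
    """Build SendCommand parameters for a staged fleet rollout.

    max_concurrency / max_errors take a count ("10") or a percentage ("10%").
    SSM stops dispatching once max_errors invocations fail, so a broken
    command reaches roughly max_concurrency + max_errors hosts, not the fleet.
    """
    request = {
        "DocumentName": "AWS-RunShellScript",  # predefined AWS document
        "Targets": [{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        "Parameters": {"commands": commands},
        "MaxConcurrency": str(max_concurrency),
        "MaxErrors": str(max_errors),
        "TimeoutSeconds": 600,
    }
    if output_bucket:
        # Keep each invocation's stdout/stderr for the audit trail
        request["OutputS3BucketName"] = output_bucket
        request["OutputS3KeyPrefix"] = "run-command/"
    return request


def run_fleet_command(request, poll_seconds=5):
    """Send the command, wait for it to finish, return {instance_id: status}."""
    import boto3  # imported here so the builder above stays testable offline
    ssm = boto3.client("ssm")
    command_id = ssm.send_command(**request)["Command"]["CommandId"]
    terminal = {"Success", "Failed", "TimedOut", "Cancelled"}
    while True:
        command = ssm.list_commands(CommandId=command_id)["Commands"][0]
        if command["Status"] in terminal:
            break
        time.sleep(poll_seconds)
    results = {}
    for page in ssm.get_paginator("list_command_invocations").paginate(CommandId=command_id):
        for inv in page["CommandInvocations"]:
            results[inv["InstanceId"]] = inv["Status"]
    return results


if __name__ == "__main__":
    # Placeholder tag, bucket and packages (constructed); adjust for your fleet
    req = build_send_command_request(
        "Role", "web", ["sudo apt-get update -y", "sudo apt-get install -y apache2"],
        max_concurrency="10%", max_errors=2, output_bucket="example-ssm-output-bucket")
    for instance_id, status in sorted(run_fleet_command(req).items()):
        print(instance_id, status)
```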

State Manager

  • Tool that lets you control how and when configurations are applied, similar to policies in Windows. For example, a firewall rule is kept up to date in the registry on Windows or in a configuration file on Linux. It can be used to enforce enterprise-wide policy.
  • Use cases
    • Configure firewalls
    • Turn RDP or SSH off or on
    • Update anti-malware definition files
    • Run inventory to avoid compliance drift

Parameter Store

  • Stores credentials, product keys, etc. in a secure place, so you don't have to keep keys inside scripts. Instead of changing the scripts, you refer to Parameter Store and update the value in one go.
  • You can also encrypt with your own keys. The data can be accessed from applications, the CLI, etc., tied to your account.
  • You can pass a key to all of your instances by having them fetch it from Parameter Store.

Inventory Services

  • This service helps you collect useful information about your instances, such as:
    • Instance details and OS details
    • Network configuration and patches installed
  • Licensing usage vs. tracked utilisation: a quick and easy way to audit.
  • Also identifies unpatched servers by running a query.
  • Watch changes over time by integrating with AWS Config. Works with an agent installed on each instance, in EC2 or on-prem.
  • AWS Config can be turned on and off before integrating Inventory Services.

Systems Manager Maintenance Window

  • Shared services component of SSM. Lets you plan important changes:
    • patching OS
    • updating drivers
    • installing software
  • Each maintenance window has a schedule, a duration, a set of registered targets and a set of tasks. Tasks such as:
    • Installing applications
    • Installing or updating the systems manager agent
    • Executing commands with Run Command
    • Installing patches on Windows systems
  • You need to pass an IAM role to SSM so that the maintenance window can perform certain actions.
  • Create one or more SSM Command documents
  • Create maintenance window and define its schedule
  • Register targets for maintenance window via instance ID or tags
  • Register one or more tasks with the maintenance window

Patch Manager

  • Automated tool that simplifies the OS patching process. You can auto-apply patches and blacklist or whitelist specific ones. Schedule automated rollout through a maintenance window.
  • How to apply it to Windows instances
    • First configure your instances for patch management
    • Grant your user account access to the Systems Manager API
    • Configure pass role permissions for a maintenance window
    • Scan and patch your systems
  • Installing a missing patch reboots the instance

Automation: custom automation workflows

  • For example: creating custom AMIs.
  • Create a new document with the Automation option and paste in the content of your document.
  • You can apply default parameters such as the AMI ID and the instance role to be assumed.
  • Automation can be integrated with CloudWatch Events as well.
  • Maintaining images with Automation: customer feedback is that they build images as part of their CI/CD pipeline.