AWS Systems Manager Basics
Run Command
- Systems Manager service that lets you remotely perform sysadmin tasks on your on-premises and EC2 instances without opening RDP or SSH sessions. You also get an audit log of who did what on your instances.
- Managed instance: an instance that Systems Manager can reach. It needs the SSM Agent installed and an IAM role (instance profile) that lets the agent talk to the Systems Manager API.
- SSM Document: a series of instructions performed in sequence. Documents can be bespoke or AWS-predefined, and can be shared across accounts.
- Command invocation: one instance of a command running on one target instance. You can view its status and output.
- Use cases
- Monitoring your systems: memory and disk utilisation etc.
- Joining your Windows instances to a domain
- On-demand patching
- Deploying code to your instances
- Starting/stopping processes, or even bootstrapping your instance
- User and account management, e.g. creating local users
- Fully managed by AWS; there is nothing extra to run.
- Every command is recorded in CloudTrail, so you have an audit trail of who ran what; you can also configure notifications on command status (for example via SNS) and send command output to CloudWatch Logs or S3.
- Commands at Scale
- How to install Apache on a fleet of servers: use the max-concurrency and max-errors settings. max-concurrency caps how many instances run the command at once and max-errors stops the rollout after that many failures, so a bad command is not applied to every server at once.
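The staged rollout described above, plus the per-invocation status check mentioned under command invocation, as an added example that is not part of the original notes. It assumes the AWS CLI is installed and configured; the tag key/value (Role=web), the httpd install command and the AWS override variable are this example's own choices. Setting AWS=echo prints the exact invocation instead of running it, so you can review it before touching the fleet.

```shell
#!/bin/sh
# Added example, not from the original notes: a wrapper for a staged Run Command
# rollout. Assumes the AWS CLI is configured. Tag key/value, the install command
# and the AWS override variable are choices made here. AWS=echo previews the call.

# ssm_send_staged TAG_KEY TAG_VALUE MAX_CONCURRENCY MAX_ERRORS SHELL_COMMAND
# Targets by tag rather than "all instances", and refuses to send unless both
# rollout limits are set: max-concurrency caps how many instances run at once,
# max-errors stops the rollout after that many failures. Prints the command ID.
ssm_send_staged() {
  tag_key=$1 tag_value=$2 concurrency=$3 max_errors=$4 cmd=$5
  if [ -z "$concurrency" ] || [ -z "$max_errors" ]; then
    echo "refusing to send: set both max-concurrency and max-errors" >&2
    return 1
  fi
  # The command is embedded in a JSON string; anything needing quotes belongs in
  # a proper SSM document rather than an ad-hoc one-liner.
  case $cmd in *\"*) echo "command must not contain double quotes; use a document" >&2; return 1;; esac
  "${AWS:-aws}" ssm send-command \
    --document-name AWS-RunShellScript \
    --targets "Key=tag:${tag_key},Values=${tag_value}" \
    --parameters "{\"commands\":[\"${cmd}\"]}" \
    --max-concurrency "$concurrency" \
    --max-errors "$max_errors" \
    --comment "staged rollout" \
    --query Command.CommandId --output text
}

# ssm_invocation_status COMMAND_ID
# Lists per-instance status (Success, Failed, TimedOut, ...) and the captured
# output so you can confirm the first batch is healthy before the rollout widens.
ssm_invocation_status() {
  "${AWS:-aws}" ssm list-command-invocations \
    --command-id "$1" --details \
    --query 'CommandInvocations[].[InstanceId,Status,CommandPlugins[0].Output]' \
    --output text
}

# Usage: install Apache on 10% of the web tier at a time, abort after one failure
#   cid=$(ssm_send_staged Role web 10% 1 'yum -y install httpd && systemctl enable --now httpd')
#   ssm_invocation_status "$cid"
```

The wrapper deliberately has no "all instances" mode: a fleet-wide command with no concurrency or error limit is the one thing you do not want a tired operator to be able to type.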
State Manager
- Tool to control how and when configurations are applied, similar to Group Policy in Windows: for example a firewall rule kept up to date in the Windows registry or in a Linux configuration file. It can enforce enterprise-wide policy by re-applying the association on a schedule.
- Use cases
- Configure firewalls
- Turn RDP or SSH off (or back on)
- Update anti-malware definition files
- Run inventory on a schedule to catch compliance drift
Parameter Store
- Secure storage for credentials, product keys and similar values. Scripts reference the parameter instead of embedding the secret, so you update the value in one place rather than editing every script.
- Values can be encrypted with your own KMS key (SecureString parameters). You can read them from applications, the CLI etc., scoped to your account.
- To distribute a key to all of your instances, have each one read it from Parameter Store at run time.
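The script pattern the notes describe (reference the parameter, never embed the secret), as an added example that is not part of the original notes. It assumes the AWS CLI is configured, that the parameter name /prod/app/db-password and the KMS key alias/app-secrets exist (both hypothetical names chosen here), and that the caller's role has ssm:GetParameter on that path and kms:Decrypt on that key. AWS=echo previews the calls.

```shell
#!/bin/sh
# Added example, not from the original notes: reading and rotating a SecureString
# parameter from a script. Parameter path /prod/app/ and key alias/app-secrets are
# hypothetical names chosen here. AWS=echo previews the calls instead of running them.

# ssm_get_secret NAME
# Fetches the decrypted value. Without --with-decryption a SecureString comes back
# as the KMS ciphertext blob, a common reason scripts "see" a wrong password.
# Refuses names outside /prod/app/ so a typo cannot pull another team's secret.
ssm_get_secret() {
  case $1 in /prod/app/*) ;; *) echo "refusing: $1 is outside /prod/app/" >&2; return 1;; esac
  "${AWS:-aws}" ssm get-parameter --name "$1" --with-decryption \
    --query Parameter.Value --output text
}

# ssm_put_secret NAME FILE
# Writes (or rotates) the value under your own KMS key. The value is read from a
# file through the CLI's file:// loader so it never appears on the command line,
# where any local user could read it from the process list.
ssm_put_secret() {
  case $1 in /prod/app/*) ;; *) echo "refusing: $1 is outside /prod/app/" >&2; return 1;; esac
  "${AWS:-aws}" ssm put-parameter --name "$1" --type SecureString \
    --key-id alias/app-secrets --value "file://$2" --overwrite
}

# Usage in a deployment script: the secret lives in a variable, is handed to the
# client via its environment, and is never echoed or written to a log.
#   db_pass=$(ssm_get_secret /prod/app/db-password) || exit 1
#   PGPASSWORD=$db_pass psql -h db.internal -U app -c 'select 1'
```

Pair this with an IAM policy that grants ssm:GetParameter only on the /prod/app/ path and kms:Decrypt only on the key behind it; the path check in the script is a convenience, the policy is the control.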
Inventory Services
- This service helps you to collect useful information about your instances such as;
- Instance details and OS details
- Network configuration and patches installed
- License usage vs. actual utilisation: a quick and easy way to audit.
- Identify unpatched servers by running a query.
- Watch changes over time by integrating with AWS Config. Works through the SSM Agent installed on each instance, whether in AWS or on-prem.
- In AWS Config, recording can be turned on or off before you integrate Inventory.
Systems Manager Maintenance Window
- Shared services component of SSM. Lets you plan important changes such as:
- patching OS
- updating drivers
- installing software
- Each maintenance window has a schedule, duration, set of registered targets and tasks. Tasks such as:
- Installing applications
- Installing or updating the systems manager agent
- Executing commands with run commands
- Installing patches on Windows systems
- You need to pass an IAM service role to SSM so the maintenance window can perform its actions on your behalf (the caller needs iam:PassRole for that role).
- Create one or more SSM command Documents
- Create maintenance window and define its schedule
- Register targets for maintenance window via instance ID or tags
- Register one or more tasks with the maintenance window
Patch Manager
- Automated tool to simplify the OS patching process. A patch baseline auto-approves patches and lets you explicitly reject (blacklist) or approve (whitelist) specific ones; the rollout is scheduled through a maintenance window.
- How to apply it to Windows instances
- First configure your instances for patch management
- Grant your user account access to the Systems Manager API
- Configure PassRole permissions for the maintenance window
- Scan, then patch your systems
- Installing a missing patch reboots the instance by default
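The maintenance-window steps (create the window, register targets, register a task) and the Patch Manager scan-then-install flow, written out as AWS CLI calls in one added example that is not part of the original notes. It assumes the AWS CLI is configured, that instances carry the tag PatchGroup=web, and that ROLE_ARN is a maintenance-window service role the caller may pass (names chosen here). AWS=echo previews the calls.

```shell
#!/bin/sh
# Added example, not from the original notes: maintenance window plus patch task
# via the AWS CLI. Tag PatchGroup=web, the window name and ROLE_ARN are choices
# made here. AWS=echo previews each call instead of running it.

# mw_create NAME CRON
# A window needs a schedule, a duration (hours) and a cutoff (hours before the end
# after which no new tasks start). Unassociated targets are refused so a task can
# only run on what was explicitly registered.
mw_create() {
  "${AWS:-aws}" ssm create-maintenance-window --name "$1" --schedule "$2" \
    --schedule-timezone Etc/UTC --duration 3 --cutoff 1 \
    --no-allow-unassociated-targets --query WindowId --output text
}

# mw_register_targets WINDOW_ID PATCH_GROUP
# Registers by tag rather than instance ID so new instances join automatically.
mw_register_targets() {
  "${AWS:-aws}" ssm register-target-with-maintenance-window --window-id "$1" \
    --resource-type INSTANCE --targets "Key=tag:PatchGroup,Values=$2" \
    --query WindowTargetId --output text
}

# mw_register_patch_task WINDOW_ID TARGET_ID ROLE_ARN OPERATION [REBOOT]
# OPERATION is Scan (report missing patches, change nothing) or Install.
# REBOOT is RebootIfNeeded (default: Install reboots when a patch needs it) or
# NoReboot to defer. The same max-concurrency/max-errors limits as Run Command apply.
mw_register_patch_task() {
  reboot=${5:-RebootIfNeeded}
  case $4 in Scan|Install) ;; *) echo "operation must be Scan or Install" >&2; return 1;; esac
  case $reboot in RebootIfNeeded|NoReboot) ;; *) echo "bad RebootOption: $reboot" >&2; return 1;; esac
  "${AWS:-aws}" ssm register-task-with-maintenance-window --window-id "$1" \
    --targets "Key=WindowTargetIds,Values=$2" --task-type RUN_COMMAND \
    --task-arn AWS-RunPatchBaseline --service-role-arn "$3" \
    --max-concurrency 10% --max-errors 1 --priority 1 \
    --task-invocation-parameters "{\"RunCommand\":{\"Parameters\":{\"Operation\":[\"$4\"],\"RebootOption\":[\"$reboot\"]}}}" \
    --query WindowTaskId --output text
}

# Usage: Sunday 02:00 UTC window for the web patch group. Register a Scan task
# first and read the compliance report; switch to Install once you trust the baseline.
#   wid=$(mw_create patch-web 'cron(0 2 ? * SUN *)')
#   tid=$(mw_register_targets "$wid" web)
#   mw_register_patch_task "$wid" "$tid" "$ROLE_ARN" Scan
```

Keep Scan and Install as separate tasks with different priorities if you want both in one window; a Scan-only window is also a cheap way to get drift visibility on systems you are not yet allowed to patch automatically.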
Automation
- Custom automation workflows, for example creating custom AMIs.
- Create a new Document with the Automation document type and paste in the content of your document.
- You can set default parameters such as the source AMI ID and the IAM role Automation should assume.
- Automation can be triggered from CloudWatch Events as well.
Maintaining images with Automation
- Customer feedback is that they build images as part of their CI/CD pipeline.
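The custom-AMI workflow above, written out as an Automation document. This is an added example, not from the notes and not AWS's own AWS-UpdateLinuxAmi document; the parameter names (SourceAmiId, InstanceProfile, AutomationAssumeRole), the instance type and the image name pattern are choices made here. The action names (aws:runInstances, aws:runCommand, aws:createImage, aws:terminateInstances) are the real Automation actions.

```yaml
# Added example, not from the original notes: build a patched AMI from a source AMI.
# Parameter names, instance type and image name are hypothetical choices made here.
description: Launch a source AMI, patch it, snapshot it as a new AMI, clean up.
schemaVersion: '0.3'
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  SourceAmiId:
    type: String
    description: AMI to start from (default parameter set on the document)
  InstanceProfile:
    type: String
    description: Instance profile whose role lets the SSM Agent reach Systems Manager
  AutomationAssumeRole:
    type: String
    description: Role Automation assumes for the EC2 and SSM calls it makes
mainSteps:
  - name: launchInstance
    action: aws:runInstances
    onFailure: Abort
    inputs:
      ImageId: '{{ SourceAmiId }}'
      InstanceType: t3.micro
      IamInstanceProfileName: '{{ InstanceProfile }}'
      MinInstanceCount: 1
      MaxInstanceCount: 1
  - name: patchInstance
    action: aws:runCommand
    # Retries cover the gap before the fresh instance's agent registers.
    maxAttempts: 3
    timeoutSeconds: 3600
    # Always terminate the build instance, even if patching fails.
    onFailure: step:terminateInstance
    inputs:
      DocumentName: AWS-RunPatchBaseline
      InstanceIds:
        - '{{ launchInstance.InstanceIds }}'
      Parameters:
        Operation: Install
  - name: createImage
    action: aws:createImage
    onFailure: step:terminateInstance
    inputs:
      InstanceId: '{{ launchInstance.InstanceIds }}'
      ImageName: 'patched-{{ global:DATE_TIME }}'
      # A stopped-then-snapshotted filesystem is consistent; NoReboot would not be.
      NoReboot: false
  - name: terminateInstance
    action: aws:terminateInstances
    inputs:
      InstanceIds:
        - '{{ launchInstance.InstanceIds }}'
outputs:
  - createImage.ImageId
```

Register it with `aws ssm create-document --name BuildPatchedAmi --document-type Automation --document-format YAML --content file://build-ami.yml` and run it with `aws ssm start-automation-execution --document-name BuildPatchedAmi --parameters SourceAmiId=...,InstanceProfile=...,AutomationAssumeRole=...` (document name and file name chosen here). The assumed role needs only the EC2 run/create-image/terminate and SSM send-command permissions the steps use; scoping it that tightly is what keeps a build pipeline from becoming a general-purpose privilege in the account.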