Whether you are a traditional enterprise exploring migrating workloads to the cloud or are already “all-in” on AWS, performing common tasks of inventory collection, OS patch management, and image creation at scale is increasingly complicated in hybrid infrastructure environments. Amazon EC2 Systems Manager allows you to perform automated configuration and ongoing management of your hybrid environment systems at scale. This session provides an overview of key EC2 Systems Manager capabilities that help you define and track system configurations, prevent drift, and maintain software compliance of your EC2 and on-premises configurations. We will also discuss common use cases for EC2 Systems Manager and give you a demonstration of a hybrid-cloud management scenario.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Maitreya Ranganath, AWS Solutions Architect, Amazon
July 27, 2017
Deep Dive with
Amazon EC2 Systems Manager
Hybrid-Cloud Management at Scale

2. What to expect from the session
 Overview of Amazon EC2 Systems Manager capabilities
 Use cases of each component
 Walkthroughs:
 Run Command, State Manager, Inventory, Patch Manager
 Bringing it all together

3. Cloud is the new normal — enterprises of all
sizes are moving to the cloud to take
advantage of increased agility, lower costs, and
a global reach

4. Many enterprises often bring their traditional
on-premises toolset to manage their cloud and
hybrid environments

5. Customer challenges
Traditional IT toolset
not built for cloud-
scale infrastructure
Maintaining
enterprise-wide
visibility is challenging
Deploying multiple
products is a
significant overhead
Licensing costs and
complexity
Managing cloud and hybrid environments using
a traditional toolset is complex and costly

6. Introducing Amazon EC2 Systems Manager
A set of capabilities that:
• Enable automated configuration
• Support ongoing management of systems at scale
• Work across all of your Windows and Linux workloads
• Run in Amazon EC2 or on-premises
• Carry no additional charge to use

7. Why should I care?
Support for hybrid
Architecture
Cross-platform Scalable
Secure Easy-to-write
automation
Expected Reduction
in Total Cost of
Ownership (TCO)

8. Amazon Systems Manager Components
Overview and Use cases

9. Amazon Systems Manager Agent Overview
Processes Systems Manager requests and configures
instances
Supported Linux operating systems:
• Amazon Linux 2014.03 and later
• Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS
• RHEL 6.5+, CentOS 6.3+, SUSE 12+
Supported Windows operating systems:
• Windows Server 2003+, including R2 versions
Source code available on GitHub:
• https://github.com/aws/amazon-ssm-agent
NEW!

10. Amazon EC2 Systems Manager capabilities
State Manager Maintenance WindowInventory
Automation Parameter Store
Run Command
Patch Manager

11. Amazon EC2 Systems Manager – Components
Run Command
State Manager
Inventory Maintenance
Window
Patch Manager Automation Parameter Store
Documents

12. Wait, what’s a Document?
{
"schemaVersion": "2.0",
"description": "Installs a Windows Feature",
"parameters": {
"feature": {
"type”: "String",
"description": "Specify a package to install"
}
},
"mainSteps": [ {
"action": "aws:runPowerShellScript",
"name": "run",
"inputs": { "commands": "Install-WindowsFeature {{feature}}" }
} ]
}

13. Remotely and securely manage servers or virtual machines at
scale running in your data center or in AWS
 Use Document to execute a script or just run a command
 Execute commands across multiple instances simultaneously
 Support for AWS and on-premises infrastructure
 Rate Control and Error Control
 AWS native
Run Command

14. No SSH or RDP access
 Close Inbound access
 Remote Administration
 More control through IAM
Run Command: Use Cases
Run Bash and PowerShell
scripts
 Manage local users & permissions
 Support for PowerShell and Linux
commands

15.  Perform Operating System changes
 Perform AWS directory services domain join operations
 Application management such as configuration changes,
application updates at scale
 Execute third party configuration management scripts such
as PowerShell, DSC, Ansible and Salt
Run Command: Use Cases

16. Blog: Replacing a Bastion Host
Blog Link

17. Walkthrough: Run Command

18. Define and maintain consistent configuration of operating
systems and applications running in your data center or in AWS
State Manager & Inventory
Provides visibility into the software catalogue and configuration
for your Amazon EC2 instances and on-premises servers

19. Maintain a Consistent
Configuration
State Manager: Use Cases
Reduce Configuration Drift in
Autoscaling service

20. Discover and Audit your
Software
 Collect detailed information on the
software in your instances
 Measure usage of licensed
software across your fleet
Inventory: Use Cases
Security & Incident Analysis
 Historical record of inventory
changes over time
 proactive notification if your
configurations become non-compliant

22. Walkthrough: State Manager and
Inventory

23. Define one or more recurring windows of time during which it is
acceptable for any disruptive operation to occur
Maintenance Window & Patch Manager
Automated tool that helps you simplify your Operating System
patching process

24. Automatically perform tasks in
defined windows of time
 Define a maintenance window
using cron or rate expressions
 Ensure maintenance doesn’t
overlap key business periods
Maintenance Window: Use Cases
Prioritise tasks and define roll-
back and timeout criteria
 Ensure key tasks are completed
first during maintenance windows
 Execute tasks with specific IAM
roles for granular security control

25. Manage Patch Baselines
 Define patch baselines by
products, categories & severities
 Define approval and distribution
schedule for specific baselines
Patch Manager: Use Cases
Manage Patch Compliance
 Scan existing fleet to determine
patch levels of the software
 Identify patches currently installed,
missing, recently applied, etc.

26. Walkthrough: Patch Manager

27. Simplifies common maintenance and deployment tasks, such as
updating Amazon Machine Images (AMIs)
 Patch, update agents, or bake applications into your AMIs
 Build workflows to accomplish complex tasks
 Use pre-defined workflows or build your own
 Invoke Lambda Functions
Automation

28. Maintain and Update your AMIs
 Integrates with CloudWatch for
proactive notifications
 Use in conjunction with
Maintenance Windows
Automation: Use Cases
Include Applications in your AMIs
 Bake applications into an image
 Incorporate Automation as part of
your change management process

29.  Create AMI after Deployment
completion
 Example: Using Automation with
Jenkins
Automation with CI/CD Pipeline
Automation: Use Cases
Simplify AMI Patching
 Integrating Lambda and Parameter
Store
 Update Autoscaling Group

30. Centralized store to manage your configuration data, including
plain-text data or secrets, encrypted through AWS KMS
 Critical information stored securely within your environment
• Integrates with AWS IAM, AWS KMS, AWS CloudTrail
 Re-use across your AWS configuration and automation workflows
 Reference parameters from:
• Other Amazon EC2 Systems Manager capabilities (Run Command,
Automation, State Manager, etc.)
• Other AWS services (Amazon ECS, AWS Lambda, etc.)
Parameter Store

31. Store Secret
 Can be used with AWS services
like ECS, CloudFormation,
OpsWorks and On-Premises
 CI/CD Pipeline
Parameter Store: Use Cases
Secure domain join
 Create secure string parameter
with domain join password
 Control access to specific users
and refer using simple syntax

32. Blog: Access Secrets and Configuration data in
CodeDeploy
Blog Link
Parameter Store
Name: MySQLPassword
Value: abcd
Type: SecureString
EC2 Instances AWS CodeDeploy
get-parameters Create Deployment
ssm:GetParameters
kms:Decrypt

33. Example: Integration with other
AWS Services

34. Integration with CloudWatch Events
 Event Sources
 Event Types
 Statuses
 Resources
 Event Targets
 Run Command
Documents
 Target Key / Values
 Parameters
 IAM role

35. Integration with Lambda
Query the Output status
of each Invocation
Print the Output
status into
CloudWatch
Logs
Retrieve information from
the CloudWatch Event

36. Select the Lambda function
as the target of the rule
Specify the status(es)
that trigger the rule
Select EC2
Systems Manager
as the Event
Source

37. Viewing the output in CloudWatch Logs
View the CloudWatch Log Streams

38. Example: Remediate Amazon Inspector Findings
 Amazon Inspector sends SNS
notifications of identified CVEs
 SNS triggers Lambda to call
the Amazon EC2 Systems
Manager to update the instance
 Broad application to multiple cases
such as software and application
patching, kernel version updates,
security permissions, etc.
https://aws.amazon.com/blogs/security/how-to-remediate-amazon-inspector-security-findings-automatically/

39. Recent Launches
• Systems Manager Agent support for SUSE Linux
• Hierarchy, Tagging, and Notification Support for
Parameter Store
• Cross-Platform and Multi-Step Document Support
• Patch Manager Supports Linux Patching
• Sync Inventory Data to Amazon S3 Buckets

40. Customers using Systems Manager

41. Where is SSM

42. In summary...
Hybrid Cross-platform Scalable
Secure Easy-to-write
automation
Reduced TCO
https://aws.amazon.com/blogs/mt/

43. Thank you!