Whether you are a traditional enterprise exploring migrating workloads to the cloud or are already “all-in” on AWS, performing common tasks of inventory collection, OS patch management, and image creation at scale is increasingly complicated in hybrid infrastructure environments. Amazon EC2 Systems Manager allows you to perform automated configuration and ongoing management of your hybrid environment systems at scale. This session provides an overview of key EC2 Systems Manager capabilities that help you define and track system configurations, prevent drift, and maintain software compliance of your EC2 and on-premises configurations. We will also discuss common use cases for EC2 Systems Manager and give you a demonstration of a hybrid-cloud management scenario.
2. What to expect from the session
Overview of Amazon EC2 Systems Manager capabilities
Use cases of each component
Walkthroughs:
Run Command, State Manager, Inventory, Patch Manager
Bringing it all together
3. Cloud is the new normal — enterprises of all sizes are moving to the cloud to take advantage of increased agility, lower costs, and a global reach
4. Many enterprises often bring their traditional on-premises toolset to manage their cloud and hybrid environments
5. Customer challenges
Traditional IT toolset not built for cloud-scale infrastructure
Maintaining enterprise-wide visibility is challenging
Deploying multiple products is a significant overhead
Licensing costs and complexity
Managing cloud and hybrid environments using a traditional toolset is complex and costly
6. Introducing Amazon EC2 Systems Manager
A set of capabilities that:
• Enable automated configuration
• Support ongoing management of systems at scale
• Work across all of your Windows and Linux workloads
• Run in Amazon EC2 or on-premises
• Carry no additional charge to use
7. Why should I care?
Support for hybrid architecture
Cross-platform
Scalable
Secure
Easy-to-write automation
Expected reduction in Total Cost of Ownership (TCO)
9. Amazon Systems Manager Agent Overview
Processes Systems Manager requests and configures instances
Supported Linux operating systems:
• Amazon Linux 2014.03 and later
• Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS
• RHEL 6.5+, CentOS 6.3+, SUSE 12+
Supported Windows operating systems:
• Windows Server 2003+, including R2 versions
Source code available on GitHub:
• https://github.com/aws/amazon-ssm-agent
10. Amazon EC2 Systems Manager capabilities
Run Command, State Manager, Inventory, Maintenance Window, Patch Manager, Automation, Parameter Store
11. Amazon EC2 Systems Manager – Components
Run Command, State Manager, Inventory, Maintenance Window, Patch Manager, Automation, Parameter Store
Documents
12. Wait, what’s a Document?
{
  "schemaVersion": "2.0",
  "description": "Installs a Windows Feature",
  "parameters": {
    "feature": {
      "type": "String",
      "description": "Specify a package to install"
    }
  },
  "mainSteps": [ {
    "action": "aws:runPowerShellScript",
    "name": "run",
    "inputs": { "commands": "Install-WindowsFeature {{feature}}" }
  } ]
}
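The document above is the whole contract between a Run Command caller and the instance: whatever the caller passes as `feature` is pasted into the PowerShell command text. The following added example (not from the slides or from AWS) is a small validator and renderer for this document format; it parses the slide's document, checks that every `{{placeholder}}` refers to a declared parameter, enforces the optional `allowedValues` and `default` fields of a parameter definition, and performs the substitution. The whitelist of script actions and the error messages are this example's own choices.

```python
"""Validator/renderer for a Systems Manager Document (schemaVersion 2.0, mainSteps).

Added example, not code from the slides. The embedded document is the one from
slide 12 (with its "type" key quoted correctly); the action whitelist, the
problem messages and the treatment of allowedValues/default are assumptions
of this example.
"""
import json
import re

DOCUMENT_JSON = """
{
  "schemaVersion": "2.0",
  "description": "Installs a Windows Feature",
  "parameters": {
    "feature": { "type": "String", "description": "Specify a package to install" }
  },
  "mainSteps": [ {
    "action": "aws:runPowerShellScript",
    "name": "run",
    "inputs": { "commands": "Install-WindowsFeature {{feature}}" }
  } ]
}
"""

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")          # matches {{feature}}
SCRIPT_ACTIONS = {"aws:runPowerShellScript", "aws:runShellScript"}  # actions this example accepts


def _command_lines(step):
    """'commands' may be a single string (as on the slide) or a list of lines."""
    commands = step.get("inputs", {}).get("commands", [])
    return [commands] if isinstance(commands, str) else list(commands)


def validate_document(doc):
    """Return a list of structural problems; an empty list means the checks here pass."""
    problems = []
    if doc.get("schemaVersion") != "2.0":
        problems.append("schemaVersion must be 2.0 for a mainSteps document")
    params = doc.get("parameters", {})
    steps = doc.get("mainSteps", [])
    if not steps:
        problems.append("mainSteps is empty")
    seen = set()
    for step in steps:
        name = step.get("name")
        if step.get("action") not in SCRIPT_ACTIONS:
            problems.append(f"step {name!r}: unsupported action {step.get('action')!r}")
        if name in seen:
            problems.append(f"duplicate step name {name!r}")
        seen.add(name)
        # every placeholder in the command text must map to a declared parameter
        for ref in PLACEHOLDER.findall("\n".join(_command_lines(step))):
            if ref not in params:
                problems.append(f"step {name!r} references undeclared parameter {ref!r}")
    return problems


def check_values(doc, values):
    """Return problems with the caller-supplied parameter values (empty list = OK)."""
    params = doc.get("parameters", {})
    problems = [f"unknown parameter {n!r}" for n in sorted(set(values) - set(params))]
    for name, spec in params.items():
        if name not in values and "default" not in spec:
            problems.append(f"missing required parameter {name!r}")
            continue
        val = values.get(name, spec.get("default"))
        allowed = spec.get("allowedValues")   # the field that constrains what reaches the shell
        if allowed is not None and val not in allowed:
            problems.append(f"parameter {name!r}: {val!r} is not in allowedValues")
    return problems


def render_commands(doc, values):
    """Substitute placeholders; returns {step_name: [command lines]} or raises ValueError."""
    problems = check_values(doc, values)
    if problems:
        raise ValueError("; ".join(problems))
    resolved = {n: values.get(n, s.get("default")) for n, s in doc["parameters"].items()}
    return {
        step["name"]: [PLACEHOLDER.sub(lambda m: str(resolved[m.group(1)]), line)
                       for line in _command_lines(step)]
        for step in doc["mainSteps"]
    }


DOC = json.loads(DOCUMENT_JSON)

if __name__ == "__main__":
    print(validate_document(DOC))
    print(render_commands(DOC, {"feature": "Web-Server"}))
```

The practitioner's takeaway is the `allowedValues` check: the slide's document declares `feature` as a free-form `String`, so anyone allowed to call `ssm:SendCommand` with this document controls the text that runs under PowerShell on the target. Constraining the parameter with `allowedValues` in the document, or limiting who may send the document through IAM, is what keeps "Installs a Windows Feature" from becoming "runs arbitrary commands".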
13. Run Command
Remotely and securely manage servers or virtual machines at scale running in your data center or in AWS
Use a Document to execute a script or just run a command
Execute commands across multiple instances simultaneously
Support for AWS and on-premises infrastructure
Rate control and error control
AWS native
14. Run Command: Use Cases
No SSH or RDP access
Close inbound access
Remote administration
More control through IAM
Run Bash and PowerShell scripts
Manage local users & permissions
Support for PowerShell and Linux commands
15. Run Command: Use Cases
Perform operating system changes
Perform AWS Directory Service domain join operations
Application management such as configuration changes and application updates at scale
Execute third-party configuration management scripts such as PowerShell, DSC, Ansible and Salt
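Slides 13 to 15 describe Run Command in terms of its controls: targets chosen by tag rather than by SSH reachability, rate control (`MaxConcurrency`) and error control (`MaxErrors`), and results collected centrally instead of from each host. The following added example (not from the slides or from AWS) shows those controls in a boto3 call and then collects the per-instance status. `send_command` and `list_command_invocations` are the real API calls with their real parameter names; the `FakeSsm` class, the tag name, the command text and the mix of statuses are constructed so the block runs offline. Replace `FakeSsm()` with `boto3.client("ssm")` to run it against a real account.

```python
"""Run Command with rate/error control and centralised result collection.

Added example, not code from the slides. FakeSsm stands in for
boto3.client("ssm") so the block runs offline; everything it returns is
constructed sample data.
"""


def run_fleet_command(ssm, tag_key, tag_value, commands,
                      max_concurrency="10%", max_errors="5", comment=""):
    """Send AWS-RunShellScript to every instance tagged tag_key=tag_value.

    MaxConcurrency caps how many instances execute at the same time and
    MaxErrors stops Systems Manager from scheduling further invocations once
    that many have failed; both accept an absolute count or a percentage.
    """
    response = ssm.send_command(
        Targets=[{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        DocumentName="AWS-RunShellScript",
        Parameters={"commands": commands},
        MaxConcurrency=max_concurrency,
        MaxErrors=max_errors,
        Comment=comment,
    )
    return response["Command"]["CommandId"]


def summarize_invocations(ssm, command_id):
    """Page through list_command_invocations and group instance IDs by status."""
    by_status = {}
    kwargs = {"CommandId": command_id}
    while True:
        page = ssm.list_command_invocations(**kwargs)
        for inv in page["CommandInvocations"]:
            by_status.setdefault(inv["Status"], []).append(inv["InstanceId"])
        if "NextToken" not in page:      # last page reached
            return by_status
        kwargs["NextToken"] = page["NextToken"]


class FakeSsm:
    """Constructed stand-in for boto3.client('ssm'): records the send_command
    request and serves a two-page invocation list with one failed instance."""

    def __init__(self):
        self.sent = []

    def send_command(self, **kwargs):
        self.sent.append(kwargs)
        return {"Command": {"CommandId": "cmd-example-0001"}}

    def list_command_invocations(self, CommandId, NextToken=None, **_):
        pages = {
            None: {"CommandInvocations": [{"InstanceId": "i-0aaa", "Status": "Success"},
                                          {"InstanceId": "i-0bbb", "Status": "Failed"}],
                   "NextToken": "page2"},
            "page2": {"CommandInvocations": [{"InstanceId": "i-0ccc", "Status": "Success"}]},
        }
        return pages[NextToken]


def demo():
    """Run the flow against FakeSsm; returns (request that was sent, status summary)."""
    ssm = FakeSsm()
    cid = run_fleet_command(ssm, "Role", "web", ["uptime"],
                            max_concurrency="2", max_errors="1", comment="health check")
    return ssm.sent[0], summarize_invocations(ssm, cid)


if __name__ == "__main__":
    request, summary = demo()
    print(request["Targets"], request["MaxConcurrency"], request["MaxErrors"])
    print(summary)
```

The "more control through IAM" point on slide 14 maps onto this call directly: the caller's policy can restrict `ssm:SendCommand` to particular document ARNs and, via the `ssm:resourceTag/<key>` condition key, to instances carrying a given tag, so a deployment role can run a specific document against its own fleet without holding a general remote-execution permission.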
18. State Manager & Inventory
State Manager: define and maintain consistent configuration of operating systems and applications running in your data center or in AWS
Inventory: provides visibility into the software catalogue and configuration for your Amazon EC2 instances and on-premises servers
20. Inventory: Use Cases
Discover and audit your software
Collect detailed information on the software in your instances
Measure usage of licensed software across your fleet
Security & incident analysis
Historical record of inventory changes over time
Proactive notification if your configurations become non-compliant
23. Maintenance Window & Patch Manager
Maintenance Window: define one or more recurring windows of time during which it is acceptable for any disruptive operation to occur
Patch Manager: automated tool that helps you simplify your operating system patching process
24. Maintenance Window: Use Cases
Automatically perform tasks in defined windows of time
Define a maintenance window using cron or rate expressions
Ensure maintenance doesn’t overlap key business periods
Prioritise tasks and define rollback and timeout criteria
Ensure key tasks are completed first during maintenance windows
Execute tasks with specific IAM roles for granular security control
25. Patch Manager: Use Cases
Manage patch baselines
Define patch baselines by products, categories & severities
Define approval and distribution schedule for specific baselines
Manage patch compliance
Scan existing fleet to determine patch levels of the software
Identify patches currently installed, missing, recently applied, etc.
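Slides 24 and 25 are the pieces of one setup: a patch baseline whose approval rule is keyed on classification and severity with a delay before approval, a recurring window on a cron schedule with a cutoff so nothing starts right before the window closes, and a patch task registered into that window with a priority, concurrency and error limits, and its own IAM role. The following added example (not from the slides or from AWS) wires those pieces together with boto3. The API calls and their parameter names are the real ones; the baseline and window names, the role ARN, the tag, the schedule values and the `FakeSsm` recorder are constructed so the block runs offline (swap `FakeSsm()` for `boto3.client("ssm")` to run it for real).

```python
"""Patch baseline + maintenance window + registered patch task.

Added example, not code from the slides. FakeSsm records the requests in
place of boto3.client("ssm"); IDs, names and ARNs are constructed values.
"""


def create_windows_baseline(ssm, name):
    """Baseline that approves Critical/Important security updates 7 days after release."""
    resp = ssm.create_patch_baseline(
        Name=name,
        OperatingSystem="WINDOWS",
        ApprovalRules={"PatchRules": [{
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "CLASSIFICATION", "Values": ["CriticalUpdates", "SecurityUpdates"]},
                {"Key": "MSRC_SEVERITY", "Values": ["Critical", "Important"]},
            ]},
            "ApproveAfterDays": 7,        # the "approval schedule" from slide 25
        }]},
        Description="Critical/Important security patches after a 7-day soak",
    )
    return resp["BaselineId"]


def create_weekly_window(ssm, name, start_hour_utc=2, duration_hours=4, cutoff_hours=1):
    """Weekly Sunday window. Cutoff stops new task starts that many hours before the
    window ends, so a long-running patch job cannot spill into business hours.
    Systems Manager cron fields: minute hour day-of-month month day-of-week year."""
    if cutoff_hours >= duration_hours:
        raise ValueError("Cutoff must be shorter than Duration")
    schedule = f"cron(0 {start_hour_utc} ? * SUN *)"
    resp = ssm.create_maintenance_window(
        Name=name, Schedule=schedule, Duration=duration_hours,
        Cutoff=cutoff_hours, AllowUnassociatedTargets=False)
    return resp["WindowId"], schedule


def register_patch_task(ssm, window_id, tag_key, tag_value, role_arn, priority=1):
    """Register the tagged instances as the window's target, then a Run Command task
    that installs the approved patches under a task-specific service role."""
    tgt = ssm.register_target_with_maintenance_window(
        WindowId=window_id, ResourceType="INSTANCE",
        Targets=[{"Key": f"tag:{tag_key}", "Values": [tag_value]}])
    task = ssm.register_task_with_maintenance_window(
        WindowId=window_id,
        Targets=[{"Key": "WindowTargetIds", "Values": [tgt["WindowTargetId"]]}],
        TaskArn="AWS-RunPatchBaseline",
        ServiceRoleArn=role_arn,          # the role the task runs as, not the caller's
        TaskType="RUN_COMMAND",
        TaskInvocationParameters={"RunCommand": {"Parameters": {"Operation": ["Install"]}}},
        Priority=priority,                # lower numbers run first within the window
        MaxConcurrency="25%",
        MaxErrors="10%",
        Name="install-approved-patches")
    return task["WindowTaskId"]


class FakeSsm:
    """Constructed recorder standing in for boto3.client('ssm')."""

    def __init__(self):
        self.calls = []

    def _record(self, name, kwargs, reply):
        self.calls.append((name, kwargs))
        return reply

    def create_patch_baseline(self, **kw):
        return self._record("create_patch_baseline", kw, {"BaselineId": "pb-example"})

    def create_maintenance_window(self, **kw):
        return self._record("create_maintenance_window", kw, {"WindowId": "mw-example"})

    def register_target_with_maintenance_window(self, **kw):
        return self._record("register_target", kw, {"WindowTargetId": "wt-example"})

    def register_task_with_maintenance_window(self, **kw):
        return self._record("register_task", kw, {"WindowTaskId": "task-example"})


def demo():
    """Build the whole setup against FakeSsm; returns (schedule, task id, recorded calls)."""
    ssm = FakeSsm()
    create_windows_baseline(ssm, "prod-windows-baseline")
    window_id, schedule = create_weekly_window(ssm, "sunday-patching")
    task_id = register_patch_task(ssm, window_id, "PatchGroup", "prod-web",
                                  "arn:aws:iam::123456789012:role/ExampleMaintenanceWindowRole")
    return schedule, task_id, dict(ssm.calls)


if __name__ == "__main__":
    print(demo())
```

`ServiceRoleArn` is the "specific IAM roles for granular security control" item from slide 24: the patch task runs with only the permissions that role carries, independent of whoever registered it. The baseline still has to be associated with the `PatchGroup` tag value (`register_patch_baseline_for_patch_group`) before `AWS-RunPatchBaseline` will pick it up; that step is omitted here for brevity.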
27. Automation
Simplifies common maintenance and deployment tasks, such as updating Amazon Machine Images (AMIs)
Patch, update agents, or bake applications into your AMIs
Build workflows to accomplish complex tasks
Use pre-defined workflows or build your own
Invoke Lambda functions
28. Automation: Use Cases
Maintain and update your AMIs
Integrates with CloudWatch for proactive notifications
Use in conjunction with Maintenance Windows
Include applications in your AMIs
Bake applications into an image
Incorporate Automation as part of your change management process
29. Automation: Use Cases
Automation with a CI/CD pipeline
Create an AMI after deployment completion
Example: using Automation with Jenkins
Simplify AMI patching
Integrating Lambda and Parameter Store
Update the Auto Scaling group
30. Parameter Store
Centralized store to manage your configuration data, including plain-text data or secrets, encrypted through AWS KMS
Critical information stored securely within your environment
• Integrates with AWS IAM, AWS KMS, AWS CloudTrail
Re-use across your AWS configuration and automation workflows
Reference parameters from:
• Other Amazon EC2 Systems Manager capabilities (Run Command, Automation, State Manager, etc.)
• Other AWS services (Amazon ECS, AWS Lambda, etc.)
31. Parameter Store: Use Cases
Store secrets
Can be used with AWS services like ECS, CloudFormation, OpsWorks and on-premises CI/CD pipelines
Secure domain join
Create a SecureString parameter holding the domain join password
Control access to specific users and refer to the parameter using simple syntax
32. Blog: Access Secrets and Configuration data in CodeDeploy
Diagram: AWS CodeDeploy creates a deployment; the EC2 instances call get-parameters to read the Parameter Store entry (Name: MySQLPassword, Value: abcd, Type: SecureString), which requires the ssm:GetParameters and kms:Decrypt permissions.
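The diagram reduces to two things an instance needs: a `get-parameters` call with decryption enabled, and an instance-profile policy holding exactly `ssm:GetParameters` on that parameter and `kms:Decrypt` on the key that protects it. The following added example (not from the slides or from the linked blog) does both: it reads the `MySQLPassword` SecureString the way a CodeDeploy lifecycle hook on the instance would, handles the case where the parameter is missing (which the API reports in `InvalidParameters` rather than as an exception), and builds the least-privilege policy document. `get_parameters(WithDecryption=True)` is the real boto3 call; the region, account ID, KMS key ARN, `FakeSsm` and the stored value are constructed for an offline run (use `boto3.client("ssm")` for real).

```python
"""Read a SecureString and build the matching least-privilege instance policy.

Added example, not code from the slides or the blog. FakeSsm stands in for
boto3.client("ssm"); the parameter entry mirrors the slide's example
(MySQLPassword / abcd / SecureString), and the ARNs are placeholders.
"""
import json


def read_secret(ssm, name):
    """Return the plaintext of one SecureString parameter.

    Raises KeyError when the parameter does not exist or is not readable by
    this principal, and ValueError when it exists but is not a SecureString.
    """
    resp = ssm.get_parameters(Names=[name], WithDecryption=True)
    if name in resp.get("InvalidParameters", []):
        raise KeyError(f"parameter {name!r} not found or not readable")
    (param,) = [p for p in resp["Parameters"] if p["Name"] == name]
    if param["Type"] != "SecureString":
        raise ValueError(f"{name!r} is {param['Type']}, expected SecureString")
    return param["Value"]


def instance_policy(region, account, parameter_name, kms_key_arn):
    """Least-privilege policy for the instance profile: one parameter ARN and one
    key ARN, no wildcards. Without kms:Decrypt on the key, WithDecryption=True fails."""
    param_arn = f"arn:aws:ssm:{region}:{account}:parameter/{parameter_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ssm:GetParameters", "Resource": param_arn},
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn},
        ],
    }


class FakeSsm:
    """Constructed stand-in for boto3.client('ssm') holding one parameter."""
    STORE = {"MySQLPassword": ("SecureString", "abcd")}   # the slide's example entry

    def get_parameters(self, Names, WithDecryption=False):
        found, missing = [], []
        for n in Names:
            if n in self.STORE:
                typ, val = self.STORE[n]
                if typ == "SecureString" and not WithDecryption:
                    val = "<ciphertext>"   # without WithDecryption the API returns the encrypted blob
                found.append({"Name": n, "Type": typ, "Value": val})
            else:
                missing.append(n)        # unknown names come back here, not as an error
        return {"Parameters": found, "InvalidParameters": missing}


def demo():
    """Exercise the happy path, the missing-parameter path and the policy builder."""
    ssm = FakeSsm()
    try:
        read_secret(ssm, "DoesNotExist")
        missing_error = None
    except KeyError as exc:
        missing_error = str(exc)
    policy = instance_policy("us-east-1", "123456789012", "MySQLPassword",
                             "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID")
    return {"secret": read_secret(ssm, "MySQLPassword"),
            "policy": policy, "missing_error": missing_error}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["policy"], indent=2))   # the secret itself is deliberately not printed
    print("missing-parameter handling:", result["missing_error"])
```

Two points worth keeping from this: every `GetParameters` and `Decrypt` call is recorded by CloudTrail, which is what "integrates with AWS CloudTrail" on slide 30 buys you for secrets, and the deploy script should never echo the returned value, since CodeDeploy hook output ends up in deployment logs.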
34. Integration with CloudWatch Events
Diagram: a CloudWatch Events rule is defined by its Event Sources, Event Types, Statuses and Resources; when the Event Target is Run Command, the target is configured with Documents, Target Key / Values, Parameters and an IAM role.
35. Integration with Lambda
Retrieve information from the CloudWatch Event
Query the output status of each invocation
Print the output status into CloudWatch Logs
36. Select EC2 Systems Manager as the Event Source
Specify the status(es) that trigger the rule
Select the Lambda function as the target of the rule
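Slides 35 and 36 sketch a Lambda function without showing it, so the following added example (not from the slides or from AWS) fills in the three steps: pull the command id and status out of the CloudWatch Event, ask Systems Manager for every invocation's result with `list_command_invocations(Details=True)`, and write one JSON line per instance to the log, which in Lambda lands in CloudWatch Logs. The event field names follow the shape of the "EC2 Command Status-change Notification" event from source `aws.ssm`; the sample event, instance IDs, plugin outputs and `FakeSsm` are constructed for an offline run. In a deployed function, pass `boto3.client("ssm")` in place of `FakeSsm()`.

```python
"""Lambda handler for EC2 Systems Manager command status events.

Added example, not code from the slides. SAMPLE_EVENT and FakeSsm are
constructed sample data; the status set the rule matches is an assumption.
"""
import json
import logging

log = logging.getLogger()
log.setLevel(logging.INFO)

WATCHED_STATUSES = {"Failed", "TimedOut", "Cancelled"}   # statuses the rule was set to match


def parse_event(event):
    """Return (command_id, status, document_name); reject anything but the expected event type."""
    if (event.get("source") != "aws.ssm"
            or event.get("detail-type") != "EC2 Command Status-change Notification"):
        raise ValueError(f"unexpected event: {event.get('source')} / {event.get('detail-type')}")
    detail = event["detail"]
    return detail["command-id"], detail["status"], detail.get("document-name", "?")


def collect_invocations(ssm, command_id):
    """One summary dict per instance, with the captured plugin output (bounded in size)."""
    results = []
    kwargs = {"CommandId": command_id, "Details": True}
    while True:
        page = ssm.list_command_invocations(**kwargs)
        for inv in page["CommandInvocations"]:
            output = "\n".join(p.get("Output", "") for p in inv.get("CommandPlugins", [])).strip()
            results.append({"instance": inv["InstanceId"], "status": inv["Status"],
                            "output": output[:500]})
        if "NextToken" not in page:
            return results
        kwargs["NextToken"] = page["NextToken"]


def handler(event, context=None, ssm=None):
    """Lambda entry point. Returns the summary so it can also be checked offline."""
    ssm = ssm or FakeSsm()          # assumption: boto3.client("ssm") in a real deployment
    command_id, status, document = parse_event(event)
    log.info("command %s (%s) finished with status %s", command_id, document, status)
    invocations = collect_invocations(ssm, command_id)
    for inv in invocations:
        log.info(json.dumps({"command": command_id, **inv}))   # one structured line per instance
    failed = [i["instance"] for i in invocations if i["status"] in WATCHED_STATUSES]
    return {"command_id": command_id, "status": status,
            "invocations": len(invocations), "failed_instances": failed}


# Constructed sample event in the shape of the EC2 Command Status-change Notification.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.ssm",
    "detail-type": "EC2 Command Status-change Notification",
    "detail": {"command-id": "cmd-example-0002", "document-name": "AWS-RunShellScript",
               "status": "Failed", "requested-date-time": "2017-05-01T02:00:00Z"},
}


class FakeSsm:
    """Constructed stand-in for boto3.client('ssm'): two invocations, one failed."""

    def list_command_invocations(self, CommandId, Details=False, **_):
        return {"CommandInvocations": [
            {"InstanceId": "i-0aaa", "Status": "Success",
             "CommandPlugins": [{"Name": "aws:runShellScript", "Output": "ok\n"}]},
            {"InstanceId": "i-0bbb", "Status": "Failed",
             "CommandPlugins": [{"Name": "aws:runShellScript", "Output": "apt-get: lock held\n"}]},
        ]}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(handler(SAMPLE_EVENT))
```

The function's execution role needs only `ssm:ListCommandInvocations` (plus the basic Lambda logging permissions); it reads results, it does not send commands. Matching on the failure statuses in the rule rather than on every status keeps the function from being invoked for each successful run.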
38. Example: Remediate Amazon Inspector Findings
Amazon Inspector sends SNS notifications of identified CVEs
SNS triggers Lambda to call Amazon EC2 Systems Manager to update the instance
Broad application to multiple cases such as software and application patching, kernel version updates, security permissions, etc.
https://aws.amazon.com/blogs/security/how-to-remediate-amazon-inspector-security-findings-automatically/
39. Recent Launches
• Systems Manager Agent support for SUSE Linux
• Hierarchy, Tagging, and Notification Support for
Parameter Store
• Cross-Platform and Multi-Step Document Support
• Patch Manager Supports Linux Patching
• Sync Inventory Data to Amazon S3 Buckets