SystemsManager - cirelledo-csa/herd GitHub Wiki

Systems Manager

Install Systems Manager (ssm) agent on all (vm/ec2) OS we manage.

Consult best practices for howto

Here's the what

Here's the why:

PROBLEM DETECTION

  • view operational data for groups of resources
  • quickly identify issues that impact applications
  • Resources can be grouped by applications, application layers, production versus development, or anything else you choose.
  • single, easy to read dashboard

EASY TO USE AUTOMATION

  • automate operational actions
  • automate maintenance and deployment tasks on Amazon EC2 and on-premise instances
  • automatically apply patches, updates, and configuration changes across any resource group.
  • predefined automation documents for common operational tasks, such as stopping and restarting an EC2 instance, that you can customize to your own specific use cases.
  • built-in safety controls, allowing you to incrementally roll out new changes and automatically halt the roll-out when errors occur.

IMPROVE VISIBILITY AND CONTROL

  • understand and control the current state of resource groups.
  • detailed system configurations, operating system patch levels, software installations, application configurations
  • integration with AWS Config so you view changes across your resources as they occur over time.

MANAGE HYBRID ENVIRONMENTS

  • manage servers running on AWS and in your on-premises data center through a single interface.
  • securely communicates with a lightweight agent installed on your servers to execute management tasks.
  • manage resources for Windows and Linux operating systems running on Amazon EC2 or on-premise.

MAINTAIN SECURITY AND COMPLIANCE

  • maintain security and compliance by scanning your instances against your patch, configuration, and custom policies.
  • define patch baselines, maintain up-to-date anti-virus definitions, and enforce firewall policies.
  • remotely manage servers at scale without manually logging in to each server.
  • centralized store to manage your configuration data, whether it's plain text, such as database strings, or secrets, such as passwords.
  • separate secrets and configuration data from code.

what is it?

Provides a managed service for

Automation

  • Create self-service runbooks for infrastructure as Automation documents.
  • Automate AMI creation using public SSM documents or custom workflows.
  • Build and maintain AMIs using the AWS-UpdateLinuxAmi and AWS-UpdateWindowsAmi Automation documents, or using custom Automation documents

Inventory

  • Inventory with AWS Config to audit your application configurations over time.

Maintenance Windows

  • Define a schedule to perform potentially disruptive actions on your instances such as OS patching, driver updates, or software installations.

Parameter Store

  • centrally manage global configuration settings.
  • encrypt and manage secrets by using AWS KMS.
  • reference Parameter Store secrets from ECS task definitions instead of embedding them.

Patch Manager

  • roll out patches at scale and increase fleet compliance

Run Command

  • Manage Instances at Scale without SSH Access Using EC2 Run Command.
  • Audit all API calls made by or on behalf of Run Command using AWS CloudTrail.
  • Use the targets and rate control features in Run Command to perform a staged command execution.
  • Use fine-grained access permissions for Run Command (and all Systems Manager capabilities) by using AWS Identity and Access Management (IAM) policies.

State Manager

  • Update SSM Agent at least once a month using the pre-configured AWS-UpdateSSMAgent document.
  • Bootstrap EC2 Instances on launch using EC2Config for Windows
  • (Windows) Upload the PowerShell or DSC module to Amazon S3, and use AWS-InstallPowerShellModule.
  • Use Amazon EC2 tags to create application groups for your instances. And then target instances using the Targets parameter instead of specifying individual instance IDs.
  • Automatically remediate findings generated by Amazon Inspector by using Systems Manager.
  • Use a centralized configuration repository for all of your SSM documents, and share documents across your organization.

Cost

howto:

install:

SSM Agent comes pre-installed on Amazon Linux and on modern Windows Server (2016/2019).

Here's a way to install the SSM Agent on legacy Linux systems:

Ansible role

list online instances:

aws ssm describe-instance-information --output json | jq -r '.InstanceInformationList[] | select(.PingStatus=="Online") | [.InstanceId,.ComputerName] | @tsv'

list Windows instances:

aws ssm describe-instance-information --output json | jq -r '.InstanceInformationList[] | select(.PlatformType=="Windows")'

Session Manager

start a session:

aws ssm start-session --target $iid

list session history:

aws ssm describe-sessions --state History

Run Command

list documents:

 aws ssm list-documents

list documents you can run:

aws ssm list-documents | jq -r '.DocumentIdentifiers[].Name' | grep Run
AWS-RunAnsiblePlaybook
AWS-RunDockerAction
AWS-RunDocument
AWS-RunInspecChecks
AWS-RunPatchBaseline
AWS-RunPowerShellScript
AWS-RunRemoteScript
AWS-RunSaltState
AWS-RunShellScript
AWSSupport-RunEC2RescueForWindowsTool
AWSEC2-RunSysprep
SSM-SessionManagerRunShell

run a shell script:

cid=$(aws ssm send-command --instance-ids "$iid" --document-name "AWS-RunShellScript" --comment "how you doing?" --parameters commands=uptime --output json | jq -r .Command.CommandId)

run a powershell script:

cid=$(aws ssm send-command --instance-ids "$iid" --document-name "AWS-RunPowerShellScript" --parameters 'commands=["whoami"]' --output json | jq -r .Command.CommandId)

get output of a ssm command:

aws ssm list-command-invocations --command-id "$cid" --details --output json | jq -r '.CommandInvocations[].CommandPlugins[].Output'
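The send-command / list-command-invocations pair above is a two-step procedure with a gap in between: the invocation list is empty for a moment after the send, and a command can end in Failed or TimedOut rather than Success. The following is an added example (not the wiki's or the project's own tooling) that does the same thing with boto3 and polls to a terminal status. It assumes boto3 and AWS credentials/region are configured when main() is run; the helpers only need a client with send_command() and list_command_invocations(), so ScriptedSSM, a constructed offline stand-in, can drive them without AWS access. The instance IDs, command ID and uptime output in SAMPLE_PAGES are constructed.

```python
"""Run Command end to end: send, poll to a terminal status, collect output.

Added example for this wiki page; it is not the project's own tooling.
Assumes boto3 and AWS credentials/region are configured when main() is used.
The helpers only need a client with send_command() and
list_command_invocations(), so ScriptedSSM below (a constructed offline
stand-in that replays canned API pages) can drive them without AWS access.
"""
import time

# Invocation statuses that will not change again (see the SSM API reference).
TERMINAL_STATUSES = {"Success", "Failed", "Cancelled", "TimedOut"}


def online_instances(describe_response):
    """Port of the page's jq filter: (InstanceId, ComputerName) for agents that ping Online."""
    return [
        (i["InstanceId"], i.get("ComputerName", ""))
        for i in describe_response.get("InstanceInformationList", [])
        if i.get("PingStatus") == "Online"
    ]


def run_command(ssm, instance_ids, commands, document="AWS-RunShellScript",
                comment="", timeout_s=120, poll_s=2.0, sleep=time.sleep):
    """Send `commands` via `document` and block until every target is terminal.

    Returns {instance_id: {"status", "response_code", "output"}}. Raises
    TimeoutError if some target never reaches a terminal status. A non-Success
    status (agent offline -> TimedOut, non-zero exit -> Failed) is returned,
    not raised, so callers must check it per instance.
    """
    sent = ssm.send_command(
        InstanceIds=list(instance_ids),
        DocumentName=document,
        Comment=comment,
        Parameters={"commands": list(commands)},
        TimeoutSeconds=timeout_s,  # delivery timeout: undelivered after this -> TimedOut
    )
    command_id = sent["Command"]["CommandId"]
    results = {}
    # Poll a bounded number of times; list_command_invocations returns an empty
    # list for a moment after send_command, so an empty page is not an error.
    # (One page suffices for a small fleet; use a paginator for large ones.)
    for _ in range(int(timeout_s / poll_s) + 1):
        page = ssm.list_command_invocations(CommandId=command_id, Details=True)
        for inv in page.get("CommandInvocations", []):
            plugins = inv.get("CommandPlugins", [])
            results[inv["InstanceId"]] = {
                "status": inv["Status"],
                "response_code": plugins[0].get("ResponseCode", -1) if plugins else -1,
                "output": "".join(p.get("Output", "") for p in plugins),
            }
        if all(results.get(i, {}).get("status") in TERMINAL_STATUSES for i in instance_ids):
            return results
        sleep(poll_s)
    raise TimeoutError(f"command {command_id} did not finish on every target within {timeout_s}s")


class ScriptedSSM:
    """Constructed offline stand-in: replays canned list_command_invocations pages."""

    def __init__(self, pages):
        self.pages = list(pages)
        self.calls = 0

    def send_command(self, **kwargs):
        return {"Command": {"CommandId": "cmd-constructed-0001"}}

    def list_command_invocations(self, **kwargs):
        self.calls += 1
        # Advance through the script, then keep returning the last page.
        return self.pages[min(self.calls - 1, len(self.pages) - 1)]


# Constructed sample: empty page, then InProgress, then Success with uptime output.
SAMPLE_PAGES = [
    {"CommandInvocations": []},
    {"CommandInvocations": [{"InstanceId": "i-0123456789abcdef0", "Status": "InProgress",
                             "CommandPlugins": []}]},
    {"CommandInvocations": [{"InstanceId": "i-0123456789abcdef0", "Status": "Success",
                             "CommandPlugins": [{"ResponseCode": 0,
                                                 "Output": " 10:02:11 up 3 days,  2:14,  0 users\n"}]}]},
]


def main():
    import boto3  # imported here so the helpers stay importable without boto3
    ssm = boto3.client("ssm")
    targets = [iid for iid, _ in online_instances(ssm.describe_instance_information())]
    for iid, res in run_command(ssm, targets, ["uptime"], comment="how you doing?").items():
        print(iid, res["status"], res["response_code"], res["output"].strip())


if __name__ == "__main__":
    main()
```

Polling is bounded by timeout_s / poll_s rather than wall-clock time so the behaviour is deterministic; the per-instance status is returned rather than raised because one offline box should not hide the results from the rest of the fleet.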

SSM runs as root! With great power comes great responsibility.
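Because commands run as root, the fine-grained IAM policy mentioned under Run Command above is what keeps send-command from being a fleet-wide root shell for anyone with SSM access. The policy below is an added example (not from this wiki) of that pattern: SendCommand is allowed only for two named documents and only against instances carrying an Environment=dev tag (via the ssm:resourceTag condition key), plus read-only access to collect results. The tag key and value are assumptions; adjust to the tag scheme you use for application groups.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyApprovedDocuments",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": [
        "arn:aws:ssm:*:*:document/AWS-RunShellScript",
        "arn:aws:ssm:*:*:document/AWS-RunPowerShellScript"
      ]
    },
    {
      "Sid": "OnlyTaggedInstances",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/Environment": "dev" }
      }
    },
    {
      "Sid": "ReadResults",
      "Effect": "Allow",
      "Action": [
        "ssm:ListCommands",
        "ssm:ListCommandInvocations",
        "ssm:GetCommandInvocation",
        "ssm:DescribeInstanceInformation"
      ],
      "Resource": "*"
    }
  ]
}
```

SendCommand is evaluated against both the document ARN and the instance ARN, so both Allow statements are needed; a send targeting an untagged instance, or using a document outside the first list, is denied. Pair this with the CloudTrail auditing mentioned above so every send-command is attributable.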

Associations

gather software inventory 1x/day:

aws ssm create-association --name AWS-GatherSoftwareInventory --targets "Key=InstanceIds,Values=*" --schedule-expression "rate(1 day)" --parameters applications=Enabled,awsComponents=Enabled,customInventory=Enabled,instanceDetailedInformation=Enabled,networkConfig=Enabled,services=Enabled,windowsRoles=Enabled,windowsUpdates=Enabled

update ssm 1x/week:

aws ssm create-association --targets "Key=InstanceIds,Values=*" --name AWS-UpdateSSMAgent --schedule-expression "cron(0 0 2 ? * SUN *)"