AWS Systems Manager - keshavbaweja-git/guides GitHub Wiki

Introduction

  • Group resources
  • View operational data
  • Automate operational tasks
  • Scan and report on security and policy violations

Prerequisites

Instance Profile

To manage an EC2 instance via Systems Manager, the EC2 instance must be associated with an Instance Profile that allows Systems Manager Agent (SSM Agent) to call the Systems Manager APIs on the instance's behalf. An Instance Profile is a container for an IAM role and the mechanism that associates that role with an EC2 instance. The AWS managed policy AmazonSSMManagedInstanceCore attached to the role is the minimum needed for registration; AmazonSSMPatchAssociation (patch associations) and CloudWatchAgentServerPolicy (CloudWatch agent) are added when those features are used. An EC2 instance with such a role, a running SSM Agent and network reachability to the ssm, ssmmessages and ec2messages endpoints registers with Systems Manager and is known as a Managed Instance.

Additionally, when Session Manager is configured to encrypt session data with a KMS key, an inline policy granting kms:Decrypt on that key must be attached to the role (the user who starts the session needs kms:GenerateDataKey on the same key). Scope the policy to the one session key rather than to "*", so a compromised instance cannot use every key in the account. Please see here
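The prerequisites above as an AWS CLI script. This is an added example, not code from the original page or from AWS; the role name, the instance profile name and the KMS key ARN are assumed placeholders, and the script only calls the AWS CLI when SSM_APPLY=1 is set (setting AWS=echo gives a dry run that prints the calls).

```shell
#!/usr/bin/env bash
# Added example: build the instance role, the KMS grant for encrypted sessions
# and the instance profile, then confirm the instance registered.
# ROLE_NAME, PROFILE_NAME and SESSION_KEY_ARN are assumed values.
set -eu

AWS="${AWS:-aws}"                       # AWS=echo prints the calls instead of running them
ROLE_NAME="${ROLE_NAME:-SSMManagedInstanceRole}"
PROFILE_NAME="${PROFILE_NAME:-$ROLE_NAME}"
SESSION_KEY_ARN="${SESSION_KEY_ARN:-arn:aws:kms:us-west-2:111122223333:key/00000000-0000-0000-0000-000000000000}"  # assumed key

# Trust policy: only the EC2 service may assume the role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Inline policy: lets SSM Agent decrypt the session data key. Scoped to one key,
# not "Resource": "*".
session_kms_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Decrypt"],
    "Resource": "$SESSION_KEY_ARN"
  }]
}
EOF
}

create_instance_profile() {
  $AWS iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)"
  # AmazonSSMManagedInstanceCore is the minimum for registration; the other two
  # are only needed for patch associations and the CloudWatch agent.
  for p in AmazonSSMManagedInstanceCore AmazonSSMPatchAssociation CloudWatchAgentServerPolicy; do
    $AWS iam attach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn "arn:aws:iam::aws:policy/$p"
  done
  $AWS iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name SessionManagerKmsDecrypt \
    --policy-document "$(session_kms_policy)"
  # A freshly created profile can take a few seconds to become usable by EC2.
  $AWS iam create-instance-profile --instance-profile-name "$PROFILE_NAME"
  $AWS iam add-role-to-instance-profile --instance-profile-name "$PROFILE_NAME" \
    --role-name "$ROLE_NAME"
}

# Attach the profile to a running instance, then check it shows up as managed.
attach_and_verify() {
  instance_id="$1"
  $AWS ec2 associate-iam-instance-profile --instance-id "$instance_id" \
    --iam-instance-profile Name="$PROFILE_NAME"
  # PingStatus must be "Online". "ConnectionLost" usually means no route to the
  # ssm/ssmmessages/ec2messages endpoints rather than an IAM problem.
  $AWS ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$instance_id" \
    --query 'InstanceInformationList[].[InstanceId,PingStatus,AgentVersion]' \
    --output table
}

if [ "${SSM_APPLY:-}" = "1" ]; then
  create_instance_profile
  attach_and_verify "${INSTANCE_ID:?set INSTANCE_ID to the instance to attach}"
fi
```

Run it once with AWS=echo to review the calls, then with SSM_APPLY=1 INSTANCE_ID=i-... to apply. An instance that is already running needs an SSM Agent restart or a few minutes before it appears in describe-instance-information.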

Document Types

| Document Type | Owner | Count (Oregon, us-west-2) |
| --- | --- | --- |
| Automation | AWS | 302 |
| Command | AWS | 77 |
| Session | AWS | 12 |
| Policy | AWS | 1 |

Node management

Fleet Manager

View and perform actions on Managed Instances.

  • View application inventory
  • Start remote session
  • View performance counters. This only works after Session Manager has been configured to encrypt session data with a KMS key. Provides the following counters: CPU utilization, disk I/O, network I/O and memory utilization.
  • View file system details
  • View & create users and groups
  • View SSM Document associations
  • View Patches applied
  • View Configuration compliance

Session Manager

Session Manager enables users to launch remote shell sessions on Managed Instances without inbound ports, bastion hosts or SSH keys; session traffic is encrypted with TLS by default. Optionally, Session Manager can additionally encrypt session data with a KMS key, configured under Preferences; the Fleet Manager performance counters above depend on this, and it requires kms:Decrypt on the key in the instance role and kms:GenerateDataKey for the user starting the session. Preferences is also where session logging to CloudWatch Logs or S3, the idle timeout and the run-as user are set.
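Session Manager preferences are stored in the SSM document SSM-SessionManagerRunShell, and an operator needs an IAM policy that permits ssm:StartSession on the right instances and with that document. The script below writes both. It is an added example, not code from the original page or from AWS; the KMS key ARN, the CloudWatch log group, the Environment=dev tag and the AWS=echo dry-run convention are assumptions.

```shell
#!/usr/bin/env bash
# Added example: write the Session Manager preferences document and a least-
# privilege operator policy. SESSION_KEY_ARN and LOG_GROUP are assumed values.
set -eu

AWS="${AWS:-aws}"                       # AWS=echo prints the calls instead of running them
SESSION_KEY_ARN="${SESSION_KEY_ARN:-arn:aws:kms:us-west-2:111122223333:key/00000000-0000-0000-0000-000000000000}"
LOG_GROUP="${LOG_GROUP:-/ssm/session-logs}"

# Preferences document. kmsKeyId turns on KMS encryption of session data (on top
# of TLS); the rest enables CloudWatch logging and bounds session lifetime.
session_preferences() {
  cat <<EOF
{
  "schemaVersion": "1.0",
  "description": "Session Manager preferences: KMS encryption, CloudWatch logging",
  "sessionType": "Standard_Stream",
  "inputs": {
    "kmsKeyId": "$SESSION_KEY_ARN",
    "cloudWatchLogGroupName": "$LOG_GROUP",
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "idleSessionTimeout": "20",
    "maxSessionDuration": "60",
    "runAsEnabled": false,
    "shellProfile": {"linux": "", "windows": ""}
  }
}
EOF
}

# The document is created the first time preferences are saved; afterwards it
# is updated in place.
apply_session_preferences() {
  if $AWS ssm describe-document --name SSM-SessionManagerRunShell >/dev/null 2>&1; then
    $AWS ssm update-document --name SSM-SessionManagerRunShell \
      --document-version '$LATEST' --content "$(session_preferences)"
  else
    $AWS ssm create-document --name SSM-SessionManagerRunShell \
      --document-type Session --content "$(session_preferences)"
  fi
}

# Operator policy: StartSession only on instances tagged Environment=dev and only
# through the preferences document (SessionDocumentAccessCheck enforces the
# document statement), plus the KMS permission the session key needs.
operator_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {"ssm:resourceTag/Environment": "dev"},
        "BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}
      }
    },
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:username}-*"
    },
    {
      "Effect": "Allow",
      "Action": "kms:GenerateDataKey",
      "Resource": "$SESSION_KEY_ARN"
    }
  ]
}
EOF
}

if [ "${SSM_APPLY:-}" = "1" ]; then
  apply_session_preferences
  $AWS iam put-user-policy --user-name "${OPERATOR_USER:?set OPERATOR_USER}" \
    --policy-name SessionManagerOperator --policy-document "$(operator_policy)"
fi
```

The session ARN pattern in the TerminateSession statement only lets an operator end their own sessions; the instance role from the prerequisites section still needs kms:Decrypt on the same key, otherwise sessions fail to start once kmsKeyId is set.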

Patch Manager

Patch Manager automates the process of patching managed instances with both security related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for applications released by Microsoft.) You can use Patch Manager to install Service Packs on Windows instances and perform minor version upgrades on Linux instances. You can patch fleets of Amazon Elastic Compute Cloud (Amazon EC2) instances or your on-premises servers and virtual machines (VMs) by operating system type.

Run on-demand (Patch now) and scheduled patching operations: Scan, or Scan and install. Install operations reboot the instance when a patch requires it unless RebootOption is set to NoReboot. The Patch now workflow has lifecycle hooks that allow SSM documents to be run before or after patch installation.

Patch Manager uses patch baselines, which include rules for auto-approving patches within days of their release, in addition to a list of approved and rejected patches. You can install patches on a regular basis by scheduling patching to run as a Systems Manager maintenance window task. You can also install patches individually or to large groups of instances by using Amazon EC2 tags. You can add tags to your patch baselines themselves when you create or update them.

Patch Manager provides options to scan your instances and report compliance on a schedule, install available patches on a schedule, and patch or scan instances on demand whenever you need to. You can also generate patch compliance reports that are sent to an Amazon Simple Storage Service (Amazon S3) bucket of your choice. You can generate one-time reports, or generate reports on a regular schedule. For a single instance, reports include details of all patches for the instance. For a report on all instances, only a summary of how many patches are missing is provided.

State Manager

  • Secure and scalable configuration management system
  • Manage both AWS and On-premises servers

Association

A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed. The association specifies a schedule for when the configuration is applied once or reapplied at specified times. For example, an association for antivirus software might run once a day. If the software isn't installed, then State Manager installs it. If the software is installed, but the service isn't running, then the association might instruct State Manager to start the service.

Association: rate controls

  • Concurrency: how many instances can run the association at the same time, given as a count or a percentage of the targets.
  • Error threshold: how many association executions can fail (count or percentage) before Systems Manager stops sending the association to the remaining instances in that run.

Example: update SSM Agent on the instances in a resource group every Sunday at 02:00 UTC, at most 10 instances at a time, stopping after 5 failures:

```shell
aws ssm create-association \
  --association-name Update_SSM_Agent_Linux \
  --targets Key=resource-groups:Name,Values=HR-Department \
  --name AWS-UpdateSSMAgent  \
  --compliance-severity "MEDIUM" \
  --schedule "cron(0 2 ? * SUN *)" \
  --max-errors "5" \
  --max-concurrency "10" \
  --apply-only-at-cron-interval   # do not run on creation, wait for the first cron slot
```

SSM Documents

State Manager uses SSM documents to create an association. Systems Manager includes dozens of pre-configured SSM documents that you can use to create an association. Pre-configured documents are ready to perform common tasks like installing applications, configuring Amazon CloudWatch, running AWS Systems Manager automation, running PowerShell and Shell scripts, and joining a Directory Service domain for Active Directory. Specify the name of the document and information for the required parameters and then run the command to create the association.

MOF files: Windows servers

You can run Managed Object Format (MOF) files to enforce a desired state on Windows Server managed instances, by using the AWS-ApplyDSCMofs SSM document. The AWS-ApplyDSCMofs document has two execution modes. With the first mode, you can configure the association to scan and report if the managed instances are in the desired state defined in the specified MOF files. In the second mode, you can run the MOF files and change the configuration of your instances based on the resources and their values defined in the MOF files. The AWS-ApplyDSCMofs document allows you to download and run MOF configuration files from Amazon Simple Storage Service (Amazon S3), a local share, or from a secure website with an HTTPS domain.

MOF file execution is built on Windows PowerShell Desired State Configuration (PowerShell DSC). PowerShell DSC is a declarative platform used for configuration, deployment, and management of Windows systems. PowerShell DSC allows administrators to describe, in simple text documents called DSC configurations, how they want a server to be configured. A PowerShell DSC configuration is a specialized PowerShell script that states what to do, but not how to do it. Running the configuration produces a MOF file. The MOF file can be applied to one or more servers to achieve the desired configuration for those servers. PowerShell DSC resources do the actual work of enforcing configuration.

Ansible playbooks

You can create State Manager associations that run Ansible playbooks by using the AWS-ApplyAnsiblePlaybooks SSM document.

Chef recipes

You can create State Manager associations that run Chef recipes by using the AWS-ApplyChefRecipes SSM document. You can target Linux-based Systems Manager managed nodes with the AWS-ApplyChefRecipes SSM document. This document offers the following benefits for running Chef recipes:

  • Supports multiple releases of Chef (Chef 11 through Chef 14).
  • Automatically installs the Chef client software on target instances.
  • Optionally runs Systems Manager compliance checks on target instances, and stores the results of compliance checks in an Amazon Simple Storage Service (Amazon S3) bucket.
  • Runs multiple cookbooks and recipes in a single run of the document.
  • Optionally runs recipes in why-run mode, to show which recipes change on target instances without making changes.
  • Optionally applies custom JSON attributes to chef-client runs.
  • You can use GitHub or Amazon S3 buckets as sources for Chef cookbooks and recipes that you specify in an AWS-ApplyChefRecipes document.
  • Though AWS can't officially support cookbooks on the Chef Supermarket website, many of them work with the AWS-ApplyChefRecipes document. The following are examples of criteria to determine when you're testing a community cookbook:
    • The cookbook should support the Linux-based operating systems of the Systems Manager managed nodes that you're targeting.
    • The cookbook should be valid for the Chef client version (Chef 11 through Chef 14) that you use.
    • The cookbook is compatible with Chef Infra Client, and, doesn't require a Chef server.
  • Before you create a State Manager association that runs Chef recipes, be aware that the document run installs the Chef client software on your Systems Manager managed nodes, unless you set the value of Chef client version to None. This operation uses an installation script from Chef to install Chef components on your behalf. Before you run an AWS-ApplyChefRecipes document, be sure your enterprise can comply with any applicable legal requirements, including license terms applicable to the use of Chef software.
  • Systems Manager can deliver compliance reports to an S3 bucket, the Systems Manager console, or make compliance results available in response to Systems Manager API commands. To run Systems Manager compliance reports, the instance profile attached to Systems Manager managed instances must have permissions to write to the S3 bucket. The instance profile must have permissions to use the Systems Manager PutComplianceItem API.

Update PV drivers on Windows EC2 instances

Amazon Windows Amazon Machine Images (AMIs) contain a set of drivers to permit access to virtualized hardware. These drivers are used by Amazon Elastic Compute Cloud (Amazon EC2) to map instance store and Amazon Elastic Block Store (Amazon EBS) volumes to their devices. We recommend that you install the latest drivers to improve stability and performance of your EC2 instances for Windows Server.

Run command

Run Command executes SSM documents on Managed Instances without logging in or opening a remote session: you choose a parameterized document, the targets (instance IDs, tags or resource groups) and rate controls, then view per-instance status and output. Commands run as root on Linux and SYSTEM on Windows, so ssm:SendCommand is effectively full code execution on every instance the caller is allowed to target and should be scoped accordingly.
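A Run Command invocation end to end, with the IAM scoping that should accompany it. This is an added example, not code from the original page or from AWS; the Role=web tag, the commands sent and the AWS=echo dry-run convention are assumptions.

```shell
#!/usr/bin/env bash
# Added example: run a script on tagged instances with Run Command, read the
# per-instance result, and scope who may do that. Tag values are assumed.
set -eu
AWS="${AWS:-aws}"                       # AWS=echo prints the calls instead of running them

# Send AWS-RunShellScript to every managed instance tagged Role=web, at most
# 10% of them at a time, stopping after 1 failure. Prints the CommandId.
send_uptime_check() {
  $AWS ssm send-command \
    --document-name AWS-RunShellScript \
    --targets "Key=tag:Role,Values=web" \
    --parameters 'commands=["uptime","systemctl is-active nginx"]' \
    --max-concurrency "10%" --max-errors "1" \
    --timeout-seconds 120 \
    --comment "uptime and nginx status" \
    --query Command.CommandId --output text
}

# Per-instance status and output. Run Command keeps only a bounded prefix of
# the output; send full output to S3 or CloudWatch Logs when more is needed.
get_result() {
  command_id="$1"
  instance_id="$2"
  $AWS ssm get-command-invocation --command-id "$command_id" \
    --instance-id "$instance_id" \
    --query '[Status,StandardOutputContent,StandardErrorContent]' --output text
}

# IAM: SendCommand is checked against both the document and the instance
# resources, so the first statement limits which documents may be sent and the
# second limits the instances by tag. Read-only calls stay unscoped.
run_command_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": [
        "arn:aws:ssm:*:*:document/AWS-RunShellScript",
        "arn:aws:ssm:*:*:document/AWS-RunPowerShellScript"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"StringEquals": {"ssm:resourceTag/Role": "web"}}
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:ListCommands", "ssm:ListCommandInvocations", "ssm:GetCommandInvocation"],
      "Resource": "*"
    }
  ]
}
EOF
}

if [ "${SSM_APPLY:-}" = "1" ]; then
  cmd_id="$(send_uptime_check)"
  sleep 15   # allow the invocations to finish before reading results
  get_result "$cmd_id" "${INSTANCE_ID:?set INSTANCE_ID to one of the targets}"
fi
```

Because a tag-scoped policy is only as strong as the ability to edit tags, pair it with a deny on ec2:CreateTags/ec2:DeleteTags for the same principals, otherwise an operator can re-tag any instance into scope.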

Change Management

Maintenance Windows

Maintenance Windows helps you define a schedule for when to perform potentially disruptive actions on your instances such as patching an operating system, updating drivers, or installing software or patches. With Maintenance Windows, you can schedule actions on numerous other AWS resource types, such as Amazon Simple Storage Service (Amazon S3) buckets, Amazon Simple Queue Service (Amazon SQS) queues, AWS Key Management Service (AWS KMS) keys, and many more.

Each maintenance window has

  • a schedule,
  • a maximum duration,
  • a set of registered targets, and
  • a set of registered tasks.

You can add tags to your maintenance windows when you create or update them. You can also specify dates before or after which a maintenance window shouldn't run, and you can specify the IANA time zone (for example America/Los_Angeles) on which to base the maintenance window schedule.

Maintenance windows support running four types of tasks:

  • Commands in Run Command
  • Workflows in Automation
  • Functions in AWS Lambda
  • Tasks in AWS Step Functions
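The patching workflow from the Patch Manager and Maintenance Windows sections as one script: a patch baseline with an auto-approval rule, the baseline bound to a patch group, a weekly window targeting that group, and a Run Command task that installs patches inside it. This is an added example, not code from the original page or from AWS; the patch group name, the schedule, the Amazon Linux 2 operating system, the service role ARN and the AWS=echo dry-run convention are assumptions.

```shell
#!/usr/bin/env bash
# Added example: patch baseline + maintenance window + AWS-RunPatchBaseline task.
# PATCH_GROUP and MW_ROLE_ARN are assumed values.
set -eu
AWS="${AWS:-aws}"                       # AWS=echo prints the calls instead of running them
PATCH_GROUP="${PATCH_GROUP:-prod-web}"
MW_ROLE_ARN="${MW_ROLE_ARN:-arn:aws:iam::111122223333:role/MaintenanceWindowRole}"  # assumed role

# Baseline: auto-approve Critical/Important security patches 3 days after release
# and report them at CRITICAL compliance severity when missing.
create_baseline() {
  $AWS ssm create-patch-baseline \
    --name "amazon-linux-2-security" \
    --operating-system AMAZON_LINUX_2 \
    --approval-rules 'PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=CLASSIFICATION,Values=[Security]},{Key=SEVERITY,Values=[Critical,Important]}]},ApproveAfterDays=3,ComplianceLevel=CRITICAL}]' \
    --query BaselineId --output text
}

# Bind the baseline to the "Patch Group" tag value so AWS-RunPatchBaseline picks it.
register_baseline() {
  $AWS ssm register-patch-baseline-for-patch-group \
    --baseline-id "$1" --patch-group "$PATCH_GROUP"
}

# Window: Sundays 02:00 UTC, 3 hours long; no new tasks start in the last hour.
create_window() {
  $AWS ssm create-maintenance-window \
    --name "weekly-patching-$PATCH_GROUP" \
    --schedule "cron(0 2 ? * SUN *)" --schedule-timezone "UTC" \
    --duration 3 --cutoff 1 --no-allow-unassociated-targets \
    --query WindowId --output text
}

# Target: the instances carrying the patch group tag. Prints the WindowTargetId.
register_target() {
  $AWS ssm register-target-with-maintenance-window --window-id "$1" \
    --resource-type INSTANCE \
    --targets "Key=tag:Patch Group,Values=$PATCH_GROUP" \
    --query WindowTargetId --output text
}

# Task: Scan and install, reboot only if a patch requires it, 25% of the group
# at a time, stop after 2 failures.
register_patch_task() {
  $AWS ssm register-task-with-maintenance-window --window-id "$1" \
    --targets "Key=WindowTargetIds,Values=$2" \
    --task-arn AWS-RunPatchBaseline --task-type RUN_COMMAND \
    --service-role-arn "$MW_ROLE_ARN" \
    --max-concurrency "25%" --max-errors "2" --priority 1 \
    --task-invocation-parameters 'RunCommand={Parameters={Operation=[Install],RebootOption=[RebootIfNeeded]},TimeoutSeconds=1800}'
}

# After the window has run: which instances are still missing or failing patches.
patch_compliance() {
  $AWS ssm describe-instance-patch-states-for-patch-group --patch-group "$PATCH_GROUP" \
    --query 'InstancePatchStates[].[InstanceId,MissingCount,FailedCount,Operation]' --output table
}

if [ "${SSM_APPLY:-}" = "1" ]; then
  baseline_id="$(create_baseline)"
  register_baseline "$baseline_id"
  window_id="$(create_window)"
  target_id="$(register_target "$window_id")"
  register_patch_task "$window_id" "$target_id"
fi
```

The service role passed to register-task-with-maintenance-window must trust ssm.amazonaws.com and be allowed to send the task; because the window can reach every instance tagged into the group, restrict who may register tasks in it (ssm:RegisterTaskWithMaintenanceWindow) as tightly as ssm:SendCommand.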