Do you want to know how to run Microsoft Windows workloads in the cloud using best practices? In this session, we dive deep into how to use AWS Directory Service to create a fully managed Active Directory in AWS. We provide guidance and tips from the experts on how to get the most out of Amazon EC2 Systems Manager. During this interactive hands-on session, participants will install and configure Active Directory, create Amazon EC2 instances that automatically join and unjoin an Active Directory Domain, and then show some great features of Systems Manager to show how customers can better manage Windows workloads on AWS.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
Building Manageable
Windows Workloads
R y a n P o t h e c a r y & L e e P e t f o r d
U K P r o s e r v e T e a m
N o v e m b e r 2 9 , 2 0 1 7

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
• AWS Directory Service overview and exercises
• Amazon EC2 Systems Manager overview and exercises

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Qwiklabs & Workshop Guide
• https://event.aws.qwiklabs.com
• https://s3.amazon.com/arc324/workshop.pdf

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Directory Service
A R C 3 2 4 — B u i l d i n g a M a n a g e a b l e W i n d o w s W o r k l o a d

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Directory Service
AWS Directory Service
Directory
Service
Simple ADAD Connector
Cloud Directory Amazon EC2

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Workshop Design

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Directory Service

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Directory Service Labs
A R C 3 2 4 — B u i l d i n g a M a n a g e a b l e W i n d o w s W o r k l o a d

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon EC2 Systems Manager
A R C 3 2 4 — B u i l d i n g a M a n a g e a b l e W i n d o w s W o r k l o a d

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon EC2 Systems Manager
A set of capabilities that:
• enable automated configuration
• support ongoing management of systems at scale
• work across all of your Windows and Linux workloads
• run in Amazon EC2 or on-premises
• carry no additional charge to use

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon EC2 Systems Manager
Run Command State Manager Inventory Maintenance
Window
Patch Manager Automation Parameter Store

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Run Command
• Remotely execute shell scripts, PowerShell scripts
• Bootstrap an instance, configure the OS, install software
• Execute commands for a particular case, or trigger using Amazon
CloudWatch Events
Remotely perform common administrative tasks at scale

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Inventory
• Collect instance and OS details, network
configurations, installed software, and patches
• Use Custom Inventory and extend the inventory schema
• Track licensing usage and identify zero-day vulnerabilities
• Track inventory-state changes over time and generate non-
compliance notifications via AWS Config integration
Collect, query, and audit instance software inventory

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Parameter Store
• Encrypt sensitive information using your own KMS keys
• Reference your parameters in Run Command, State Manager,
or Automation service
• Use with AWS Identity and Access Management (IAM) to
manage access in a granular fashion
• Eliminate ongoing maintenance challenge of critical
enterprise assets
Centralized management of IT assets such as passwords
and connection strings

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
State Manager
• Define configuration policy using simple JSON-based documents
• Example: Configure firewall and update anti-malware definitions
• Control how configuration policy is applied
(schedule, target instances)
• Monitor instance compliance
Periodically re-apply configuration policies to manage
drift

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Maintenance Window
• Define one or more recurring windows of time during which it is
acceptable for disruptive actions to occur
• Periodically invoke Patch Manager or Run Command
• Improve availability and reliability of your workloads by
automatically performing tasks in a well-defined window of time
Schedule disruptive tasks in well-defined window to
minimize downtime

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Patch Manager
• Express custom patch policies as patch baselines
• Example: apply critical patches on day one, but wait seven days for
non-critical patches
• Perform patching during scheduled maintenance windows
• Generate patch-compliance reports
• Eliminate manual intervention and reduce time-to-deploy for critical
updates and zero-day vulnerabilities
Roll OS patches using custom-defined rules

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Automation Service
• Simplify Amazon Machine Image (AMI) maintenance
• Source AMI launch instance  configure instance  new AMI
• Use to create your “gold” image from an Amazon EC2 AMI
• Integrate into CI/CD pipeline
• Orchestrate instance launches, Run Command execution, AWS
Lambda functions, image creation, and instance terminations
Automate common tasks using simplified workflows

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Systems Manager Labs
A R C 3 2 4 — B u i l d i n g a M a n a g e a b l e W i n d o w s W o r k l o a d

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!