Whether you are a traditional enterprise exploring migrating workloads to the cloud or are already “all-in” on AWS, performing common tasks of inventory collection, OS patch management, and image creation at scale is increasingly complicated in hybrid infrastructure environments. Amazon EC2 Systems Manager allows you to perform automated configuration and ongoing management of your hybrid environment systems at scale. This session provides an overview of key EC2 Systems Manager capabilities that help you define and track system configurations, prevent drift, and maintain software compliance of your EC2 and on-premises configurations. We will also discuss common use cases for EC2 Systems Manager and give you a demonstration of a hybrid-cloud management scenario.
2. What to expect from the session
• Learn how to perform 4 common tasks:
• Streamline instance management at scale
• Automate AMI building and deployment
• Monitor fleet configuration and inventory
• Ensure instances are patch compliant
4. Our customers told us:
• Traditional IT toolset not built for cloud-scale infrastructure
• Maintaining enterprise-wide visibility is challenging
• Deploying multiple products is a significant overhead
• Licensing costs & complexity
Managing cloud and hybrid environments using a traditional toolset can be complex and costly.
6. Introducing Amazon EC2 Systems Manager
A set of capabilities that enable automated configuration and ongoing management of systems at scale, across all of your Windows and Linux workloads, running in Amazon EC2 or on-premises.
7. Systems Manager - Capabilities
• Run Command
• Maintenance Window
• Inventory
• State Manager
• Parameter Store
• Patch Manager
• Automation
The capabilities are grouped into three areas: Configuration and Administration, Update and Track, and Shared Capabilities.
12. How it works
1. Select a document from the bank of available documents, author new ones, share them
2. Select managed instances from your Amazon EC2 instances or on-premises instances by tag or ID
3. Set the parameters for command customization
4. Save the output to Amazon S3 for traceability
13. Wait, what’s a document?
{
  "schemaVersion": "2.0",
  "description": "Installs a Windows Feature",
  "parameters": {
    "feature": {
      "type": "String",
      "description": "Specify a package to install"
    }
  },
  "mainSteps": [ {
    "action": "aws:runPowerShellScript",
    "name": "run",
    "inputs": { "commands": "Install-WindowsFeature {{feature}}" }
  } ]
}
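As an added example (not from the deck and not AWS code), the following Python parses the document above, checks that every {{placeholder}} used in mainSteps is declared under "parameters", and renders the commands with the values an operator would pass to Run Command. It is a simplified stand-in for the validation the service performs; the undeclared-parameter and missing-value checks are assumptions about good practice, not a description of the service's behaviour.

```python
import json
import re

# The document from the slide (with the stray curly quote corrected).
INSTALL_FEATURE_DOC = json.dumps({
    "schemaVersion": "2.0",
    "description": "Installs a Windows Feature",
    "parameters": {
        "feature": {"type": "String", "description": "Specify a package to install"}
    },
    "mainSteps": [{
        "action": "aws:runPowerShellScript",
        "name": "run",
        "inputs": {"commands": "Install-WindowsFeature {{feature}}"},
    }],
})

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def undeclared_parameters(doc_json: str) -> set:
    """Placeholder names used in mainSteps but missing from 'parameters'."""
    doc = json.loads(doc_json)
    declared = set(doc.get("parameters", {}))
    used = set()
    for step in doc["mainSteps"]:
        for value in step["inputs"].values():
            # an input may be a single string or a list of strings
            for text in (value if isinstance(value, list) else [value]):
                used.update(PLACEHOLDER.findall(str(text)))
    return used - declared


def render_commands(doc_json: str, params: dict) -> list:
    """Substitute parameter values into each step's commands; refuse unknown
    or missing parameters instead of producing an incomplete command."""
    doc = json.loads(doc_json)
    declared = doc.get("parameters", {})
    unknown = set(params) - set(declared)
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    missing = [n for n, spec in declared.items()
               if n not in params and "default" not in spec]
    if missing:
        raise ValueError(f"missing parameters: {missing}")
    values = {n: params.get(n, spec.get("default")) for n, spec in declared.items()}
    rendered = []
    for step in doc["mainSteps"]:
        cmds = step["inputs"]["commands"]
        for cmd in (cmds if isinstance(cmds, list) else [cmds]):
            rendered.append(PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), cmd))
    return rendered
```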
15. Set up instances for management
- Instance role: the AmazonEC2RoleforSSM managed policy enables an instance to communicate with the Systems Manager API.
- Bootstrap/install the agent (pre-installed on Windows AMIs)
17. Run Command
• Important benefits:
• Delegate access, perform audits, receive notifications.
• Allow users to run only specific commands with granular permissions.
• Helps improve security posture by eliminating the need to SSH or RDP into instances.
• Leverage documents built by AWS and the broader community, or create your own.
• Use the API endpoint to interface with other processes.
Perform common administrative tasks remotely at scale
18. Many use cases:
Bootstrap, configure and manage software
- Example: CM tools, 3rd-party agents.
Diagnostics and monitoring
- Example: Start or stop a service, run file system monitoring.
Operating system configuration
- Example: Add/remove a user, change local files.
Centrally gather configuration information
- Example: Check software updates, gather logs.
20. Parameter Store
• Parameters can be referenced from Run Command, State Manager, and the Automation service
• Granular access control limits unwanted data access
• Encrypt sensitive information using your own KMS keys
• Eliminates the ongoing maintenance challenge of critical enterprise assets
Centralized management of IT assets such as passwords and connection strings
21. Use Case: Secure Domain Join
Administrator sets the join parameters (AWS CLI screenshot in the original slide).
Parameters used in the script (PowerShell screenshot in the original slide).
Requires an IAM policy to grant access to the key in KMS.
23. Automating AMI Maintenance
Companies maintain ‘Golden Images’
• Triggers: patching, hardening, application bake-in
• Never-ending
• Time consuming, especially when builds fail
• Overhead of maintaining build service
24. Automation Service
• Optimized for building and maintaining Amazon Machine Images (AMIs)
• Start with an AMI -> perform automation steps like OS patching and driver updates -> produce a new AMI
• Proactive event notifications
• Support for Run Command and Lambda functions
• Parameter Store integration
Automate common tasks using simplified workflows
25. How it works
1. Run an automation document directly in the console or via the API
2. Leverage Maintenance Windows to have automation documents executed on a regular (or event-based) schedule
27. How do I… know what’s installed on my instances? Inventory
28. Inventory
• Example: Instance and OS details, network configuration, list of files, installed software and patches
• Simplifies management scenarios, such as licensing usage tracking and identifying software versions vulnerable to zero-day attacks.
Scalable way of collecting, querying, and auditing detailed software inventory information
31. How do I… ensure patch compliance for my instances? Patch Manager
32. Patch Manager
• End-to-end patching
• Easy to automate
• Integrated with other AWS services
• Eliminates manual intervention and reduces time-to-deploy for critical updates and zero-day vulnerabilities
Roll out Windows OS patches using custom-defined rules and pre-scheduled maintenance windows
33. How it works
1. Create a baseline for your patches
2. Select a patch group from your Amazon EC2 instances by tag
3. Create a Maintenance Window for applying your patches (by tag)
34. How it works (diagram: Instance A and Instance B, both tagged Patch Group:Prod)
1. Patch Baseline: Critical and High; 5 days or older
2. Maintenance Window: Sundays @ 1AM; 2 hrs. long; Task: Patching
3. Patching runs against the Patch Group:Prod instances
4. Patch Compliance: 2 up to date, 0 missing updates, 1 error
35. Patch Manager – Patch Baseline
• Auto-approval rules for patches
• Rule criteria:
  • Product (WS2012 R2)
  • MSRC Classification (Critical)
  • Approve After (5 days)
• Approved and Rejected patches (KB2032276, KB2124261)
• Register target instances using Patch Group tags
• Example: For Patch Group:Prod instances, approve all Critical updates for Windows Server 2012 R2 5 days after release, except for KB2032276
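The rule in the example above, worked through as an added Python example (not from the deck and not how Patch Manager is implemented): a baseline auto-approves patches matching product and MSRC classification once they are old enough, explicit approvals and rejections override the rule, and an instance's compliance is its installed set compared against the approved set. The patch catalogue, dates and KB ids other than KB2032276 are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Patch:
    kb: str
    product: str
    classification: str  # MSRC classification, e.g. "Critical"
    released: date


@dataclass
class PatchBaseline:
    product: str
    classification: str
    approve_after_days: int
    approved: frozenset = frozenset()  # explicit approvals: always in
    rejected: frozenset = frozenset()  # explicit rejections: always out

    def approved_patches(self, catalogue, today):
        """Apply the auto-approval rule, then the explicit approve/reject lists."""
        result = set()
        for p in catalogue:
            rule_match = (p.product == self.product
                          and p.classification == self.classification
                          and today - p.released >= timedelta(days=self.approve_after_days))
            if (rule_match or p.kb in self.approved) and p.kb not in self.rejected:
                result.add(p.kb)
        return result


def compliance(baseline, catalogue, installed, today):
    """Return (state, missing): 'Compliant' when every approved patch is
    installed, otherwise 'NonCompliant' plus the missing KB ids."""
    missing = sorted(baseline.approved_patches(catalogue, today) - set(installed))
    return ("Compliant" if not missing else "NonCompliant", missing)


# Constructed sample catalogue for the Patch Group:Prod rule on the slide.
TODAY = date(2017, 3, 20)  # placeholder evaluation date
CATALOGUE = [
    Patch("KB0000001", "WindowsServer2012R2", "Critical", TODAY - timedelta(days=6)),
    Patch("KB0000002", "WindowsServer2012R2", "Critical", TODAY - timedelta(days=2)),
    Patch("KB2032276", "WindowsServer2012R2", "Critical", TODAY - timedelta(days=30)),
    Patch("KB0000003", "WindowsServer2012R2", "Important", TODAY - timedelta(days=30)),
]
PROD_BASELINE = PatchBaseline("WindowsServer2012R2", "Critical", 5,
                              rejected=frozenset({"KB2032276"}))
```

Only KB0000001 is approved: KB0000002 is too recent, KB2032276 is explicitly rejected, and KB0000003 has the wrong classification.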
37. To summarize
• We covered how to:
• Streamline instance management at scale (Run Command)
• Automate AMI building and deployment (Automation)
• Monitor fleet configuration and inventory (Inventory)
• Ensure instances are patch compliant (Patch Manager)
38. How to get started
Create an AWS Account
Oh, EC2 Systems Manager is free! Try it!
Management Tools Blog:
https://aws.amazon.com/blogs/mt/
Come meet our experts and partners!