Whether you are a traditional enterprise exploring migrating workloads to the cloud or are already “all-in” on AWS, performing common tasks of inventory collection, OS patch management, and image creation at scale is increasingly complicated in hybrid infrastructure environments. Amazon EC2 Systems Manager allows you to perform automated configuration and ongoing management of your hybrid environment systems at scale. This session provides an overview of key EC2 Systems Manager capabilities that help you define and track system configurations, prevent drift, and maintain software compliance of your EC2 and on-premises configurations. We will also discuss common use cases for EC2 Systems Manager and give you a demonstration of a hybrid-cloud management scenario.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Lior Pollack, Solutions Architect
21/06/2017
Operations and Security at Cloud Scale
With Amazon EC2 Systems Manager

2. What to expect from the session
• Learn how to perform 4 common tasks:
• Streamline instance management at scale
• Automate AMI building and deployment
• Monitor fleet configuration and inventory
• Ensure instances are patch compliant

3. Key challanges
Secure Scalable
Integrated
Built for the Cloud
Hybrid
Managing cloud and hybrid environments using a
traditional toolset can be complex and costly

4. Our customers told us:
Traditional IT toolset
not built for cloud
scale infrastructure
Maintaining
enterprise-wide
visibility is challenging
Deploying multiple
products is a
significant overhead
Licensing costs &
complexity
Managing cloud and hybrid environments using
a traditional toolset can be complex and costly

5. AWS Management Services

6. Introducing Amazon EC2 Systems Manager
A set of capabilities that enable automated configuration and
ongoing management of systems at scale, across all of your
Windows and Linux workloads,
running in Amazon EC2 or on-premises.

7. Systems Manager - Capabilities
Run Command Maintenance
Window
Inventory
State Manager Parameter Store
Patch Manager
Automation
Configuration and
Administration
Update and
Track
Shared
Capabilities

8. How do I…
Execute commands on multiple instances?
Run Command

9. Run Command - Scale
--max-concurrency
--max-errors Access
Control
API

10. Run Command Example: Replacing a Bastion

11. Redefined Architecture (eliminate SSH and ..)
Cloudwatch
Event
Config
Rule
SNS

12. How it works
Select a document from the bank of available documents,
author new ones, share them
Select managed instances from your Amazon EC2
instances or on-premises instances by tag or id
Set the parameters for command customization
Save the output to Amazon S3 for traceability
1
2
3
4

13. Wait, what’s a document?
{
"schemaVersion": "2.0",
"description": "Installs a Windows Feature",
"parameters": {
"feature": {
"type”: "String",
"description": "Specify a package to install"
}
},
"mainSteps": [ {
"action": "aws:runPowerShellScript",
"name": "run",
"inputs": { "commands": "Install-WindowsFeature {{feature}}" }
} ]
}

14. And what’s a managed instance?

15. Setup instances for Management
- Instance Role
- The AmazonEC2RoleforSSM managed policy –
Enables an instance to communicate with the System
Manager API).
- Bootstrap/Install Agent (Windows AMI pre-installed)

16. DEMO
Run Command

17. Run Command
• Important Benefits:
• Delegate access, perform audit, receive notifications.
• Allow users to run only specific commands with granular permissions.
• Helps improve security posture by eliminating the need to SSH or RDP
• Leverage Documents built by AWS and the broader community or
create your own.
• Use API endpoint to interface with other processes.
Perform common administrative tasks remotely at scale

18. Many use cases:
Bootstrap, Configure and Manage Software
- Example: CM Tools, 3rd party agents.
Diagnostics and Monitoring
- Example: Start or stop a service, run file system monitoring..
Operating System Configuration
- Example: Add/Remove user, Change local files.
Centrally Gather Configuration Information
- Example: Check software updates, gather logs.

19. How do I…
Secure my secrets?
Parameter Store

20. Parameter Store
• Parameters reference-able via a Run Command, State Manager,
and Automation Service
• Granular access control limits unwanted data access
• Encrypt sensitive information using your own KMS keys
• Eliminates on-going maintenance challenge of critical enterprise
assets
Centralized management of IT assets such as passwords
and connection strings

21. Use Case: Secure Domain Join
Administrator sets the join parameters:
Parameters used on the script:
PowerShellAWS CLI
Requires an IAM
Policy to grant access to the
key in KMS

22. How do I…
Standardize and Maintain by OS Images?
Automation

23. Automating AMI Maintenance
Companies maintain ‘Golden Images’
• Triggers: patching, hardening, application bake-in
• Never-ending
• Time consuming, especially when builds fail
• Overhead of maintaining build service

24. Automation Service
• Optimized for building and maintaining Amazon Machine Images
(AMIs)
• Start with an AMI à perform automation steps like OS patching and
drive updates à produce a new AMI
• Pro-Active event notifications.
• Support for Run Command, Lambda functions
• Parameter Store integration
Automate common tasks using simplified workflows

25. How it works
Run an automation document directly in the console or
via API from a document
Leverage Maintenance Windows to have regular (or
event-based) automation documents executed
1
2

26. Demo
Automation

27. How do I…
Know what’s installed on my instances?
Inventory

28. Inventory
• Example: Instance and OS details, network configuration, list
of files, installed software and patches
• Simplifies management scenarios, such as licensing usage tracking
and identifying software versions vulnerable to zero-day attacks.
Scalable way of collecting, querying, and auditing detailed
software inventory information

29. Inventory
• End-to-End inventory collection (EC2/on-prem/Workspaces)
• Windows/Linux
• Powerful query
• Extensible inventory schema using JSON Document
• Integrated with AWS services

30. DEMO
Inventory

31. How do I…
Ensure patch compliance for my instances?
Patch Manager

32. Patch Manager
• End-to-End patching
• Easy to automate
• Integrated with other AWS Services
• Eliminates manual intervention and reduces time-to-deploy for critical
updates and zero-day vulnerabilities
Roll out Windows OS patches using custom-defined rules
and pre-scheduled maintenance windows

33. How it works
Create a baseline for your patches
Select a patch group from your Amazon EC2 instances by
tag
Create a Maintenance Window for applying your patches
(by tag)
1
2
3

34. How it works
Instance A
Patch Group:Prod
Patch Baseline
- Critical, High
- 5 days or older
1
Maintenance Window
- Sundays @ 1AM
- 2 hrs. long
- Task: Patching
2 3
Patch Compliance
2
up to
date
0
missing
updates
1
error
4
Instance B
Patch Group:Prod Patch Group:Prod

35. Patch Manager – Patch Baseline
• Auto-approval rules for patches
• Rule criteria
• Product (WS2012 R2)
• MSRC Classification (Critical)
• Approve After (5 days)
• Approved and Rejected patches (KB2032276, KB2124261)
• Register target instances using Patch Group tags
• Example: For Patch Group:Prod instances, approve all Critical
updates for Windows Server 2012 R2 5 days after release, except for
KB2032276

36. DEMO
Patch Manager

37. To summarize
• We covered how to:
• Streamline instance management at scale
• Automate AMI building and deployment
• Monitor fleet configuration and inventory
• Ensure instances are patch compliant
Run Command
Automation
Inventory
Patch Manager

38. How to get started
Create an AWS Account
Oh, EC2 Systems Manager is free! Try it!
Management Tools Blog:
https://aws.amazon.com/blogs/mt/
Come meet our experts and partners!

39. Thank you!
Lior Pollack, Solutions Architect