Systems Manager
Discussion
Manjunath Gowda
Co-Founder
Tensult.com
About Us
www.tensult.com
Agenda
• Basics of SSM
• Documents
• Run Command
• State Manager
• Maintenance Window
• Patch Management
• Automation
Basics of SSM
• Prerequisites – Right OS version and Internet access to Instances.
• Roles needed for the SSM.
• SSM Agent
• Managed Instance.
• SSM Service
• Workflow
Document:
• Document defines the actions that Systems Manager performs on your
managed instances.
• Can be Amazon-provided documents or custom documents that we define
to meet our requirements.
• Types:
• Command Document
• Policy Document
• Automation Document.
• Make sure you use the latest version to have all functionalities.
• Can be shared with different accounts or can be made public.
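Because a document can be shared with other accounts or made public, it is worth auditing who can read your custom documents. The sketch below is an added example, not part of the original slides: it reads share permissions through a boto3-style `describe_document_permission` call and flags public or unapproved shares. The document names, account IDs, trusted-account list and the `OfflineClient` stand-in are constructed assumptions.

```python
# Constructed sample responses, keyed by document name, in the shape returned
# by the SSM DescribeDocumentPermission API with PermissionType="Share".
SAMPLE_RESPONSES = {
    "Corp-HardenSSH": {"AccountIds": ["111111111111"]},
    "Corp-JoinDomain": {"AccountIds": ["all"]},  # shared publicly
    "Corp-CollectLogs": {"AccountIds": ["111111111111", "999999999999"]},
    "Corp-Bootstrap": {"AccountIds": []},  # private
}

# Assumption: accounts the organisation has approved for document sharing.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}


def collect_shares(ssm_client, document_names):
    """Query share permissions for each document via a boto3-style SSM client."""
    shares = {}
    for name in document_names:
        resp = ssm_client.describe_document_permission(
            Name=name, PermissionType="Share")
        shares[name] = resp.get("AccountIds", [])
    return shares


def audit_shares(shares, trusted_accounts):
    """Return (document, finding, accounts) for public or unapproved shares."""
    findings = []
    for name in sorted(shares):
        accounts = shares[name]
        # Public sharing is reported as the special value "all".
        if any(a.lower() == "all" for a in accounts):
            findings.append((name, "PUBLIC", ["all"]))
            continue
        unknown = sorted(set(accounts) - set(trusted_accounts))
        if unknown:
            findings.append((name, "UNTRUSTED_ACCOUNT", unknown))
    return findings


class OfflineClient:
    """Stand-in for boto3.client("ssm") so the example runs without AWS access."""

    def describe_document_permission(self, Name, PermissionType):
        return SAMPLE_RESPONSES[Name]


if __name__ == "__main__":
    shares = collect_shares(OfflineClient(), sorted(SAMPLE_RESPONSES))
    for finding in audit_shares(shares, TRUSTED_ACCOUNTS):
        print(finding)
```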
Run Command:
• Run Command lets you remotely and securely manage the
configuration of your managed instances.
• Automate common administrative tasks and perform ad hoc
configuration changes at scale.
• Detailed status information for commands (Pending, In Progress,
Delayed, Success, Delivery Timed Out, Execution Timed Out, Failed).
• Integrated with CloudWatch Events and SNS.
Use cases:
• Install or bootstrap applications.
• Building a deployment pipeline.
• Capture logs when the instance is terminating.
• Joining instances to a Windows domain.
• Bastion Host
Demo
State Manager:
• Automates the process of keeping your Amazon EC2 and hybrid
infrastructure in a state that you define.
• Works by creating Security Associations.
• An association binds a policy document and one or more targets.
• SAs can be run on demand or on schedule.
• Target can be chosen manually or based on tag values.
• Can be used to execute Linux shell scripts or Windows PowerShell
scripts at different times during the lifecycle of an instance.
Use cases:
• Update the SSM Agent or EC2Config service once a month.
• Maintenance window uses SA in the backend.
• Makes Admin life easy for repetitive tasks.
• Backup to be run once a day at abc time.
• Keep the port 21 always closed.
• Make sure the SSH and HTTP services are always running.
• Run a particular shell script at a particular time.
Demo
Maintenance Window:
• Lets you define a schedule for when to perform potentially disruptive actions on
your instances, such as patching an operating system (OS), updating drivers, or
installing software.
• Maintenance window has:
• Schedule
• Duration.
• Set of registered Targets.
• Set of registered Tasks.
• The following types of tasks can be run on targets:
• Commands by using Systems Manager Run Command
• Automation workflows by using Systems Manager Automation
• Functions by using AWS Lambda
• State machines by using AWS Step Functions
Use cases:
• Installing applications, updating patches, installing or updating SSM
Agent, or executing PowerShell commands and Linux shell scripts by
using a Systems Manager Run Command task.
• Building Amazon Machine Images (AMIs), boot-strapping software,
and configuring instances by using Systems Manager Automation.
• Executing AWS Lambda functions that trigger additional actions such
as scanning your instances for patch updates.
• Running AWS Step Function state machines to perform tasks such as
removing an instance from an Elastic Load Balancing environment,
patching the instance, and then adding the instance back to the Elastic
Load Balancing environment.
Demo
Patch Management:
• Patch Manager automates the process of patching managed instances.
• Works in two modes:
• Can scan instances to see a report of missing patches.
• You can scan and automatically install all missing patches.
• Uses a Patch Baseline (AWS-provided or custom) to decide which patches
are applied and after how many days they are applied.
• Works in conjunction with Maintenance Window to do the patching at non-peak
hours.
• Tag your instances with the Key of “Patch Group” and any value. This will be
mapped to the Patch Baseline.
• Monitor the patching to verify the compliance and investigate failures.
• Works with on-premises instances too.
• Note: AWS does not test the patches, so please test them yourself.
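How a baseline's "approve after N days" rule and the scan-only mode interact is easier to see worked through. The following is an added example, not from the original slides and not AWS's implementation: a simplified model in which the baseline, patch IDs, dates and field names are all constructed.

```python
from datetime import date, timedelta

# Simplified model of a custom patch baseline (all values constructed).
# Each rule auto-approves matching patches N days after their release.
BASELINE = {
    "rules": [
        {"classification": "Security", "severities": {"Critical", "Important"},
         "approve_after_days": 7},
        {"classification": "Bugfix", "severities": None,  # None = any severity
         "approve_after_days": 30},
    ],
    "rejected": {"KB-0004"},  # explicitly blocked, e.g. failed internal testing
}

# Constructed patch catalogue: (id, classification, severity, release date).
PATCHES = [
    ("KB-0001", "Security", "Critical", date(2024, 1, 2)),
    ("KB-0002", "Security", "Important", date(2024, 1, 12)),
    ("KB-0003", "Bugfix", "Low", date(2023, 12, 1)),
    ("KB-0004", "Security", "Critical", date(2024, 1, 1)),
    ("KB-0005", "Security", "Low", date(2023, 11, 1)),
]


def approval_date(patch, baseline):
    """Return the date the patch becomes approved, or None if it never does."""
    pid, classification, severity, released = patch
    if pid in baseline["rejected"]:
        return None
    dates = [released + timedelta(days=r["approve_after_days"])
             for r in baseline["rules"]
             if r["classification"] == classification
             and (r["severities"] is None or severity in r["severities"])]
    return min(dates) if dates else None


def scan(installed, baseline, patches, today):
    """Scan mode: report approved-but-missing patches; installs nothing."""
    approved = set()
    for patch in patches:
        approved_on = approval_date(patch, baseline)
        if approved_on is not None and approved_on <= today:
            approved.add(patch[0])
    missing = sorted(approved - set(installed))
    return {"approved": sorted(approved), "missing": missing,
            "compliant": not missing}


if __name__ == "__main__":
    print(scan({"KB-0003"}, BASELINE, PATCHES, date(2024, 1, 15)))
```

The approval delay is the window in which to test a patch on a non-production Patch Group before it reaches production.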
Demo
Automation:
• Helps simplify common instance and system maintenance and
deployment tasks.
• Automation enables you to do the following:
• Pre-install and configure applications and agents in your Amazon Machine
Images (AMIs) using a streamlined and repeatable process that you can audit.
• Build workflows to configure and manage instances and AWS resources.
• Create your own custom workflows, or use pre-defined workflows maintained
by AWS.
• Receive notifications about Automation tasks and workflows by using Amazon
CloudWatch Events.
• Monitor Automation progress and execution details by using the EC2 console.
Use cases:
• Simplify AMI Patching Using Automation, Lambda, and Parameter
Store.
• Using Automation with Jenkins
• Patch an AMI and Update an Auto Scaling Group
Demo
Questions?

Aws meetup ssm
