This document discusses automating the centralized deployment of software agents on AWS using Systems Manager. It describes using Systems Manager features like Run Command, Automation, State Manager and Distributor to package agent software and deploy it across accounts and regions. A demo architecture is shown where agents are packaged and stored in a shared services account, then deployed to member accounts through a State Manager association triggered by an automation workflow. Key benefits noted are decoupling agent updates from golden AMIs and the ability to deploy exceptions not included in AMIs.

1. SINGAPORE

2. Automating the Deployment
of Software Agents Centrally
Using AWS Systems Manager
Chathra Serasinghe | 28th of January 2023

3. About me
• Senior Engineer - Versent
• AWS Ambassador
• AWS Community Builder
• AWS User group Singapore – Volunteer
• Over 10+ Cloud/DevOps Certifications(AWS,Kubernetes..)
• Musician
• Film Playback Singer – Sri Lanka
• Music Director – Sri Lanka

4. Agenda
• What is a Software Agent?
• Agent Deployment Use cases
• Foundational AWS Services
• Demo Architecture
• Demo Video

5. What is a Software Agent?
• A self-contained software program
• Typically packaged as msi,rpm,deb..
• Acting as representative of something
• Goal-oriented
• Carries out a task and embodies knowledge for a purpose
• Can communicate with other entities for its tasks

6. Agent Deployment Use Cases
• Endpoint security
• Threat intelligence
• Software asset management
• Inventory
• License management

7. Foundational AWS Services

8. Systems Manager
• Helps you manage your EC2s and On-premise systems at a scale
• Apply OS patches
• Configure Windows and Linux operating systems
• Free service*- (Most of the important features are free)
• But its underrated

9. Systems Manager
• Prerequisites:
• SSM Agent installed
• Access Control
• Instance profile role with appropriate permissions
AmazonSSMManagedInstanceCore policy
• Privilege to manage the System Manager Service
• Connectivity to System Manager endpoints
• Managed instances must also allow HTTPS (port 443) outbound traffic to the
System Manager endpoints
• Create VPC endpoints(Only for private instances with no internet access)

10. Systems Manager features
• Run Command
• Automation
• Patch Manager
• State Manager
• Maintainance Windows
• Parameter Store
• Distributor
• and many more….

11. Systems Manager - Automation
• Help to orchestrate operation playbooks at scale
• Able to run automations centrally across multiple AWS Regions and AWS
accounts or AWS Organizations organizational units (OUs)
• Enhanced integrations
• Ability to call and run AWS API actions
E.g. :- creating a Cloudformation Stack
• Ability to run scripts(Powershell,Python)
• AWS service catalog self-service actions

12. Systems Manager - State Manager
• Associates SSM document(Predefined or Own) with instances
• You can run State Manager associations
• Automatically once when provisioned
• At a particular cron schedule
• At a given interval (hourly, daily)
• On demand

13. Systems Manager - State Manager
• Targets types
• Node ID
• Tag
• Resource group
• All managed nodes within a given account.
• When State Manager detects any configuration changes,
• It automatically re-applied to the nodes originally targeted

14. Systems Manager - Distributor
• Allows you to securely store and distribute packages
• Software Agents
• Drivers
• Able to share with other AWS accounts
• Distributor lets you package your own software or finds AWS-provided
agent software packages
• Version Control
• Control access to packages using IAM

15. Systems Manager - Distributor
• Create Package
• Zip files
• Software files (msi,rpm,deb..)
• Install/uninstall/update scripts
• Manifest file(manifest.json)

16. manifest.json {
"schemaVersion": "2.0",
"version": "1.0.2",
"publisher": "Chathra",
"packages": {
"amazon": {
"_any": {
"x86_64": {
"file": "Linux-snowagent-6.4.3-x64.rpm.zip"
}
}
},
"redhat": {
"_any": {
"x86_64": {
"file": "Linux-snowagent-6.4.3-x64.rpm.zip"
}
}
},
"windows": {
"_any": {
"x86_64": {
"file": "windowsserver-snowagent-6.10.1-x64.msi.zip"
}
}
}
},
"files": {
"Linux-snowagent-6.4.3-x64.rpm.zip": {
"checksums": {
"sha256": "bec38c965b3733fa3af4bf7885563562c32dc73f59ba41fda771abe03d309da9"
}
},
"windowsserver-snowagent-6.10.1-x64.msi.zip": {
"checksums": {
"sha256": "33c11cd310789fb849f96c5fc16870579f7665870a23273e4fdcb9b348a20d5c"
}
}
}
}

17. Systems Manager - Distributor
• Methods of installing package
• Run Command
• State Manager Association(Recommended)
• Automatically install on new instances if target requirements met

18. Control Tower
• Landing zone
• Preconfigured multi-account environment based on best practice blueprints
• Secure
• Scalable
• Control tower helps to automate the landing zone
• Well-Architected

19. Customizations for Control Tower
Reference: AWS Documentation

20. Demo Architecture

21. Management Account
Member account
Agent Distribution
Event rule
(daily)
Automation
State Manager
Association
Instances
Customization for
Control Tower Pipeline
Custom control
tower
configuration
AWS Control Tower
Deploy Stack sets
manifest.yaml
Creates
Deploys agent
Agent Package artifacts
(zip files and
manifest.json)
triggers
update commit
Shared Services Account
SSM Document(Agent
Package)

22. Key Takeaways
• This method is useful when you don’t want to include the agent in Golden
AMIs
• Decoupling - Agent updates are not dependent with Golden AMI
• When you have Exceptions (e.g.:- Virtual Appliances), you must implement a
suitable tagging strategy.
• You cannot utilize this approach if you cannot install SSM agent
• Incompatible/Older OS versions (e.g.:- Red hat 5)
• Due to company security policies

23. Thank You!