Whether you are a traditional enterprise exploring migrating workloads to the cloud or are already “all-in” on AWS, performing common tasks of inventory collection, OS patch management, and image creation at scale is increasingly complicated in hybrid infrastructure environments. Amazon EC2 Systems Manager allows you to perform automated configuration and ongoing management of your hybrid environment systems at scale. This session provides an overview of key EC2 Systems Manager capabilities that help you define and track system configurations, prevent drift, and maintain software compliance of your EC2 and on-premises configurations. We will also discuss common use cases for EC2 Systems Manager and give you a demonstration of a hybrid-cloud management scenario.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Deep Dive on Amazon EC2 Systems Manager
Manish Mohite,
Solutions Architect

2. AWS Management Services

3. AWS Shared Responsibility for IAAS

4. Why should I care?
Hybrid Cross-platform Scalable
Secure Easy-to-write
automation
Reduced TCO

5. Systems Manager capabilities
Run Command Maintenance
Window
Inventory
State Manager Parameter Store
Patch Manager
Automation
Deploy, Configure,
and Administer
Track and
Update
Shared
Capabilities

6. Run Command
• Example: Running shell and PowerShell scripts
• Easily define new tasks using simple JSON-based Documents – no
specialized skillset required
• Leverage Documents built by AWS and the broader community
• Delegate access, perform audit, receive notifications
• Helps improve security posture by eliminating the need to SSH or RDP
Perform common administrative tasks remotely at scale

7. State Manager
• Example: Configuring firewall and updating anti-malware definitions
• Define new policies using simple JSON-based Documents
• Control how and when a configuration is applied and maintained
• Helps enforce enterprise-wide compliance of configuration policies
Define and maintain a consistent configuration of OS and
applications

8. Automation Service
• Optimized for building and maintaining Amazon Machine Images
(AMIs)
• Start with an AMI  perform automation steps like OS patching and
drive updates  produce a new AMI
• Express your workflow as automation steps in a JSON-based
Document
• Support for Run Command, Lambda functions
• Eliminates the overhead in managing ‘golden’ enterprise images
Automate common tasks using simplified workflows

9. Documents

10. Parameter Store
• Parameters reference-able via a Run Command, State Manager,
and Automation Service
• Granular access control limits unwanted data access
• Encrypt sensitive information using your own KMS keys
• Eliminates on-going maintenance challenge of critical enterprise
assets
Centralized management of IT assets such as passwords
and connection strings

11. Maintenance Window
• Define one or more recurring windows of time during which it is
acceptable for disruptive actions to occur
• Built-in integration with Run Command and Patch Manager
• Helps improve availability and reliability of your workloads by
automatically performing tasks in a well-defined window of time
Schedule disruptive tasks in well-defined window to
minimize downtime

12. Inventory
• Example: Instance and OS details, network configuration, list
of files, installed software and patches
• Collect data from predefined inventory types or write a custom one
using JSON Document
• AWS Config integration enables tracking the history of changes
• Simplifies management scenarios, such as licensing usage tracking
and identifying zero-day vulnerabilities
Scalable way of collecting, querying, and auditing detailed
software inventory information

13. Patch Manager
• Express custom patch policies as patch baselines, e.g., apply critical
patches on day 1 but wait 7 days for non-critical patches
• Perform patching during scheduled maintenance windows
• Built-in patch compliance reporting
• Eliminates manual intervention and reduces time-to-deploy for critical
updates and zero-day vulnerabilities
Roll out Windows OS patches using custom-defined rules
and pre-scheduled maintenance windows

14. Systems Manager availability
• No charge – only pay for AWS resources you manage
• Available in multiple regions

15. And what’s a managed instance?

16. Activate hybrid instances

17. Activate hybrid instances

18. How do I…
Execute a command on multiple instances?
Run Command

19. How it works
 Select a document from the bank of available
documents, author new ones, share them
 Select managed instances from your Amazon EC2
instances or on-premises instances by tag or id
 Set the parameters for command customization
 Save the output to Amazon S3 for traceability
1
2
3
4

20. Wait, what’s a document?
{
"schemaVersion": "2.0",
"description": "Installs a Windows Feature",
"parameters": {
"feature": {
"type”: "String",
"description": "Specify a package to install"
}
},
"mainSteps": [ {
"action": "aws:runPowerShellScript",
"name": "run",
"inputs": { "commands": "Install-WindowsFeature {{feature}}" }
} ]
}

21. Ok now I can run it, select a document

22. Select an instance

23. Set the parameters

24. Validate or get the equivalent CLI

25. View and manage your commands

27. How do I…
Bootstrap my instance AND maintain my state?
State Manager

28. How it works
 Select a document from the bank of available
documents, author new ones, share them (again)
 Select managed instances from your Amazon EC2 or
on-premises instances by tag or id (still)
 Set the parameters for command customization
 Set a schedule for your state review
1
2
3
4

29. Select a document

30. Select instances

31. Define a schedule

32. Set parameters

34. View and manage your associations

35. How do I…
Know what’s installed on my instances?
Inventory

36. How it works
 It’s a state! It works just the same way1

37. The document is selected

38. Select your instances

39. Select your Schedule

40. Select the parameters

42. You can put custom inventory
Aws ssm put-inventory
--instance-id "ID”
--items '[{"CaptureTime": "2016-08-22T10:01:01Z", "TypeName":
"Custom:RackInfo", "Content":[{"RackLocation": "Bay B/Row C/Rack
D/Shelf E"}], "SchemaVersion": "1.0"}]'

43. Ok, now what can I do with it?

44. You can request instances for their inventory
aws ssm get-inventory --filters
Key=AWS:InstanceInformation.PlatformType,
Values=Windows,
Type=Equal
Key=AWS:InstanceInformation.ResourceType,
Values=ManagedInstance,
Type=Equal

45. Follow the configuration

47. How do I…
Apply changes on a schedule?
Maintenance Window

48. How it works
 Create a window from a schedule (CRON compatible)
 Select managed instances from your Amazon EC2 or
on-premises instances by tag or id (still)
 Select the tasks for command customization
1
2
3

50. Register a target

51. Register a task

52. Specify parameters and execution model

53. How do I…
Patch my Windows Amazon EC2 Instances?
Patch Manager

54. How it works
 Create a baseline for your patches
 Select a patch group from your Amazon EC2 instances
by tag
 Create a Maintenance Window for applying your
patches (by tag)
1
2
3

55. Create a baseline

56. Attach the patch group to your policy (by tag)

57. Tag Your Instances

58. How do I…
Automate my processes?
Automation

59. How it works
 Run an automation document directly in the console or
via API from a document
 Leverage Maintenance Windows to have regular (or
event-based) automation documents executed
1
2

60. Select a document

61. Specify the parameters

62. What can I do ?
 Everything that a document allows 
• Automate processes *inside* and *outside* the instances
Up-to-date
AMIs
Processes
Lambda AMI Run CommandEC2
Supports
Build
Processes

63. How do I…
Secure my secrets?
Parameter Store

65. Integrated
AWS IAM Amazon CloudTrailAWS KMS

66. Using Parameter Store
 Leverage in your EC2 Systems Manager Documents
 Integrate in your code or command lines
• AWS SDK and Lambda
• AWS PowerShell CmdLets
• AWS CLI

67. Customer challenges
Traditional IT toolset
not built for cloud
scale infrastructure
Maintaining
enterprise-wide
visibility is challenging
Deploying multiple
products is a
significant overhead
Licensing costs &
complexity
Managing cloud and hybrid environments using
a traditional toolset is complex and costly

68. Integrated services
AWS ConfigAWS IAM Amazon S3 Amazon CloudTrailAWS CloudWatch
Events

69. How to get started
 Create an AWS Account
 Oh, EC2 Systems Manager is free! Try it!
 Contact us and come meet us
 AWS and partners offer training and certification

70. Remember to complete
your evaluations!