How to Manage Inventory, Patching, and System Images for Your Hybrid Cloud with Amazon EC2 Systems Manager - April 2017 AWS Online Tech Talks & Workshops
2. What to Expect from the Session
Learn how to:
• Automate AMI building and deployment
• Monitor fleet configuration and inventory
• Ensure instances are patch compliant
3. What we heard from customers
• Traditional IT tools not built for the cloud
• Managing resources at scale is difficult
• Lack of visibility into configuration and execution history
• Multiple vendors; complex licensing
Managing cloud and hybrid environments using traditional tools is complex and costly
4. Introducing Amazon EC2 Systems Manager
A set of capabilities that enable automated configuration and ongoing management of systems at scale, across all your Windows and Linux workloads, running in Amazon EC2 or on-premises
5. Systems Manager Capabilities
(Diagram: capabilities grouped as Configuration/Administration, Update and Track, and Shared Capabilities)
• Run Command
• Maintenance Windows
• Inventory
• State Manager
• Parameter Store
• Patch Manager
• Automation
7. Automation – What we heard
Automation pain point: AMI building
• Triggers: patching, hardening, application bake-in
• Never-ending
• Time consuming, especially when builds fail
• Overhead of maintaining build service
8. Automation
Introducing Automation
• Simplified automation solution
• Perfect for AMI updates, instance deployment & config
• Pro-active event notifications
• AWS optimized (EC2 Run Command, AWS Lambda, AWS CloudTrail, IAM, and Amazon CloudWatch integrations)
9. Automation – Getting Started
1. Create an automation document
2. Run automation
3. Monitor your automation
13. Automation – IAM Setup
1. Create a Service Role for Automation
• Permission for Automation service to operate in your account
2. Attach PassRole policy to user’s account
3. Launch instances with SSM role (AmazonEC2RoleforSSM)
16. Inventory
What we heard:
• Accurate software inventory is critical for understanding fleet configuration and license usage
• Legacy solutions not optimized for cloud
• Self-hosting requires additional overhead
21. Inventory – Configuration
Create an Inventory association
1. Select instances (by instance ID or tag)
2. Select scan frequency (hours, minutes, days, NOW)
3. Select Inventory Types to gather
• Instance information
• Applications
• AWS Components
• Network configuration
• Windows Updates
• Custom Inventory
22. Inventory – Custom Inventory Type
Custom Inventory Collection
• Extensible: record any attribute for a given instance
• Examples: rack location, BIOS version, firewall settings
Two ways to record custom inventory types
1. Agent/on-instance: Write a cron job to record custom inventory files to a predefined path
2. API: Use PutInventory API
23. Inventory Manager
Query
• Search by inventory attribute
• Partial and inverse searches
• Example: Windows 2012 R2 instances running SQL Server 2016 where Windows Update KB112342 is not installed
Integration with AWS Config
• Record inventory changes over time
• Use AWS Config Rules to monitor changes, notify
• Meet compliance and governance mandates
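The query on the previous slide (2012 R2 instances running SQL Server 2016 that lack KB112342) combines a partial search with an inverse search. The evaluator below is an added illustration, not AWS code: it runs the same filter shape (type, attribute, operator, value) over a constructed, inline inventory snapshot. The inventory type and attribute names mirror the service's AWS:InstanceInformation, AWS:Application and AWS:WindowsUpdate types; the exact operator semantics are this example's assumption, not the service's documented behaviour.

```python
"""Inventory-style query evaluator over constructed records (not the SSM service)."""
from __future__ import annotations
from typing import Any

# Constructed sample inventory, not real fleet data; the KB ids other than KB112342
# are placeholders.
FLEET = {
    "i-0aaa111": {"AWS:InstanceInformation": {"PlatformName": "Windows Server 2012 R2"},
                  "AWS:Application": [{"Name": "Microsoft SQL Server 2016"}],
                  "AWS:WindowsUpdate": [{"HotFixId": "KB112342"}]},
    "i-0bbb222": {"AWS:InstanceInformation": {"PlatformName": "Windows Server 2012 R2"},
                  "AWS:Application": [{"Name": "Microsoft SQL Server 2016"}],
                  "AWS:WindowsUpdate": [{"HotFixId": "KB1111111"}]},
    "i-0ccc333": {"AWS:InstanceInformation": {"PlatformName": "Amazon Linux"},
                  "AWS:Application": [{"Name": "httpd"}],
                  "AWS:WindowsUpdate": []},
}

def _values(record: dict, type_name: str, attr: str) -> list[Any]:
    """All values of attr under one inventory type; list types hold many entries."""
    entries = record.get(type_name, [])
    if isinstance(entries, dict):
        entries = [entries]
    return [e[attr] for e in entries if attr in e]

def matches(record: dict, type_name: str, attr: str, op: str, wanted: str) -> bool:
    """One filter. Equal/BeginWith succeed if any entry matches (partial search);
    NotEqual is the inverse search: true only when no entry carries the value,
    which is what "KB not installed" needs on a multi-entry type."""
    vals = _values(record, type_name, attr)
    if op == "Equal":
        return wanted in vals
    if op == "BeginWith":
        return any(str(v).startswith(wanted) for v in vals)
    if op == "NotEqual":
        return wanted not in vals
    if op == "Exists":
        return bool(vals)
    raise ValueError(f"unsupported filter type {op}")

def query(fleet: dict, filters: list) -> list[str]:
    """Instance ids whose inventory satisfies every (type, attr, op, value) filter."""
    return sorted(iid for iid, rec in fleet.items() if all(matches(rec, *f) for f in filters))

# The slide's query: 2012 R2 instances running SQL Server 2016 where KB112342 is missing.
SLIDE_QUERY = [
    ("AWS:InstanceInformation", "PlatformName", "BeginWith", "Windows Server 2012"),
    ("AWS:Application", "Name", "BeginWith", "Microsoft SQL Server 2016"),
    ("AWS:WindowsUpdate", "HotFixId", "NotEqual", "KB112342"),
]
```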
25. Patch Manager
What we heard about patching enterprise systems:
• Time consuming, tedious, repetitive
• Existing solutions are inadequate
• Enterprise patching is manual and complex
• Errors result in downtime, compliance issues
26. Patch Manager
Announcing Patch Manager
• End-to-End Patching
• Easy to Automate
• Integrated with other AWS Services
• First release: Windows OS patching
27. Patch Manager – Getting Started
1. Create a Patch Baseline to define approved patches
2. Create a Maintenance Window to schedule patching for a set of instances
3. Maintenance Window executes patching
4. Audit results with Patch Compliance
28. Patch Manager - Overview
(Diagram: Instance A and Instance B, both tagged Patch Group:Prod)
1. Patch Baseline: Critical, High; 5 days or older
2. Maintenance Window: Sundays @ 1AM, 2 hrs. long, Task: Patching
3. Patching runs against the Patch Group:Prod instances
4. Patch Compliance: 2 up to date, 0 missing updates, 1 error
29. Patch Manager – Patch Baseline
• Auto-approval rules for patches
• Rule criteria
• Product (WS2012 R2)
• MSRC Classification (Critical)
• Approve After (5 days)
• Approved and Rejected patches (KB2032276, KB2124261)
• Register target instances using Patch Group tags
• Example: For Patch Group:Prod instances, approve all Critical updates for Windows Server 2012 R2 5 days after release, except for KB2032276
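To make the baseline example above concrete, here is an added local model of how approval rules, the approved list and the rejected list combine; it is illustration code, not Patch Manager's implementation. The patch catalog is constructed (KB2032276 and KB2124261 come from the slide; the other KB ids and all release dates are placeholders), and the precedence order rejected > approved > rules is this example's assumption.

```python
"""Local model of a Patch Manager baseline: auto-approval rules plus explicit lists."""
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Patch:
    kb: str
    product: str           # e.g. "WindowsServer2012R2"
    classification: str    # MSRC classification, e.g. "Critical"
    released: date

@dataclass
class ApprovalRule:
    product: str
    classification: str
    approve_after_days: int

@dataclass
class PatchBaseline:
    rules: list
    approved: set = field(default_factory=set)   # always approved, regardless of rules
    rejected: set = field(default_factory=set)   # never approved, even if a rule matches

def is_approved(baseline: PatchBaseline, patch: Patch, today: date) -> bool:
    """Rejected list wins, then the approved list, then any rule whose product and
    classification match and whose approve-after delay has elapsed by 'today'."""
    if patch.kb in baseline.rejected:
        return False
    if patch.kb in baseline.approved:
        return True
    return any(
        r.product == patch.product
        and r.classification == patch.classification
        and patch.released + timedelta(days=r.approve_after_days) <= today
        for r in baseline.rules)

def approved_patches(baseline: PatchBaseline, catalog: list, today: date) -> list:
    """KB ids the baseline would approve for installation as of 'today'."""
    return sorted(p.kb for p in catalog if is_approved(baseline, p, today))

# The slide's baseline: Critical WS2012 R2 updates 5 days after release, except KB2032276.
PROD_BASELINE = PatchBaseline(
    rules=[ApprovalRule("WindowsServer2012R2", "Critical", 5)],
    rejected={"KB2032276"})
# Constructed catalog, not real MSRC data.
CATALOG = [
    Patch("KB2032276", "WindowsServer2012R2", "Critical", date(2017, 4, 1)),   # rejected
    Patch("KB2124261", "WindowsServer2012R2", "Critical", date(2017, 4, 1)),   # old enough
    Patch("KB3000001", "WindowsServer2012R2", "Critical", date(2017, 4, 9)),   # too new
    Patch("KB3000002", "WindowsServer2012R2", "Important", date(2017, 3, 1)),  # wrong class
]
```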
30. Patch Manager – Maintenance Window
• Define and control when disruptive operations occur
• Schedule (2nd Tuesday of the month)
• Duration
• Target instances (tags or instance IDs)
• Tasks (Run Command)
The patch task uses Run Command with the AWS-ApplyPatchBaseline document; you can set the maximum number of instances to patch at a time and an error threshold
31. Patch Manager – Patching your instances
• Register the instances you want to patch as targets
• Register the AWS-ApplyPatchBaseline command as a task
• Patching will happen during maintenance window
• Patch compliance data collected
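Slides 30 and 31 describe the maintenance window task fanning out over the registered targets with a maximum number of instances patched at a time and an error threshold. The added model below (illustration only, not the service's scheduler) shows why the threshold matters: once errors exceed it, no further batches start, so a bad patch stops spreading across the fleet. The outcome table is constructed, and the choice of "stop when errors exceed the threshold" is this example's assumption.

```python
"""Model of a Maintenance Window task rollout with a concurrency limit and error threshold."""
from typing import Callable

def run_task(targets: list, task: Callable[[str], bool], max_concurrency: int, max_errors: int):
    """Invoke task(instance) in batches of max_concurrency. Once the failure count
    exceeds max_errors, no further batch is started and the remaining targets are
    reported as skipped. Returns (succeeded, failed, skipped)."""
    succeeded, failed, skipped = [], [], []
    for start in range(0, len(targets), max_concurrency):
        if len(failed) > max_errors:
            skipped.extend(targets[start:])
            break
        for inst in targets[start:start + max_concurrency]:
            (succeeded if task(inst) else failed).append(inst)
    return succeeded, failed, skipped

# Constructed per-instance outcomes standing in for AWS-ApplyPatchBaseline results.
OUTCOME = {"i-01": True, "i-02": False, "i-03": True, "i-04": False, "i-05": True, "i-06": True}
PROD_TARGETS = sorted(OUTCOME)

def demo() -> tuple:
    """Two instances at a time, tolerate at most one error before halting the rollout."""
    return run_task(PROD_TARGETS, lambda i: OUTCOME[i], max_concurrency=2, max_errors=1)
```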
32. Patch Manager – Patch Compliance
• Fleet-wide summary of patch status
• Dashboard shows counts of compliant and non-compliant instances