Inventory and Patch Management Using AWS Systems Manager (ARC332) - AWS re:Invent 2018

•

2 likes•2,386 views

In this hands-on, instructor-led lab, we use the AWS Management Console to deploy a new workload, create an inventory, and set up patch management. We demonstrate the importance of tagging and the ways in which it can support your operations activities. Learn the benefits of infrastructure-as-code for development and deployment of your environment, and perform operations-as-code to gain insights into your workload status. To participate in this lab, attendees must bring their own laptop and have a personal, nonproduction AWS account.

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Inventory and Patch Management
Using AWS Systems Manager
Brian Carlson
Operational Excellence Lead,
Well-Architected
A R C 3 3 2
Chris Kozlowski
Sr. Technical
Account Manager

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The increased speed and agility of the
cloud is best supported using the same
engineering discipline and practices that
you apply to code.
Dynamic and elastic access to resources
increases the speed and agility of your
organization and benefits from equally
dynamic operations.
Why are we here?

“The operational excellence pillar includes the ability to run and
monitor systems to deliver business value and to continually
improve supporting processes and procedures. The
operational excellence pillar provides an overview of design
principles, best practices, and questions.”
What is the Operational Excellence Pillar?

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Design Principles
• Perform operations as code
• Annotated documentation
• Make frequent, small, reversible changes
• Refine operations procedures frequently
• Anticipate failure
• Learn from all operational failures

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is the Operational Excellence Pillar?
Prepare Operate Evolve

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon VPC*
AWS Management
Console
1. Your own device for console access
2. An AWS account that you are able to use for testing.
(Should not used for production or other purposes.)
3. An available region within your account with capacity to add 2
additional VPCs
4. Download the Lab Guide at https://bit.ly/2QqQ15V
https://s3-us-west-2.amazonaws.com/aws-well-architected-
labs/Operations/ARC332+Lab+Guide.html
Requirements

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EC2
IAM
1. Create an Administrator IAM user and group
2. Log in with your IAM Administrator user
3. Create an Amazon Elastic Compute Cloud
(Amazon EC2) Key Pair
Lab Setup

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Stack
AWS CloudFormation
Template
1. Deploy the Lab CloudFormation template
https://s3-us-west-2.amazonaws.com/aws-well-architected-labs/
Operations/OE_Single_VPC+_2-Tier_Application_Lab.json
2. Examine the environment in CloudFormation Designer
3. Deploy your stack
Deploy the lab environment

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
State Manager
Inventory
Stack
AWS Systems Manager
1. Set up Systems Manager
2. Create a second CloudFormation stack
3. Track your resources using Inventory
4. Review associations with State Manager
Understanding the Resources in your Environment

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Documents
Patch Manager
1. Create a Patch Baseline
2. Assign a Patch Group
3. Scan your instances
4. Patch your instances
Patch Management

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Patch
Manager
Amazon
EC2
Maintenance
Windows
1. Create a Patch Maintenance Window
2. Assign Targets
3. Assign Tasks
4. After the maintenance window review the results
Automating Patching with Maintenance Windows

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
MFA
Maintenance
Windows
State Manager
Stack
IAM
Bucket
Topic
Removing lab resources
1. Delete your CloudFormation stacks
2. Delete your State Manager association
3. If you created a…
• Amazon Simple Storage Service (Amazon S3) bucket, delete
it
• Amazon Simple Notification Service (Amazon SNS) Topic,
delete it
• Maintenance window, delete it
4. For your Administrator User account:
• If you don’t plan to use it, delete it
• If you do plan to use it, enabling MFA is recommended

Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Brian Carlson
Operational Excellence Lead
Well-Architected
crlsonb@amazon.com
Chris Kozlowski
Sr. Technical
Account Manager
kozlowck@amazon.com

Sensitive customer data needs to be protected throughout AWS. This session discusses the options available for encrypting data at rest in AWS. It focuses on several scenarios, including transparent AWS management of encryption keys on behalf of the customer to provide automated server-side encryption and customer key management using partner solutions or AWS CloudHSM. This session is helpful for anyone interested in protecting data stored in AWS.

How to Manage Inventory, Patching, and System Images for Your Hybrid Cloud wi...

Amazon Web Services

AWS Monitoring & Logging

Jason Poley

Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...

Amazon Web Services

Using AWS Control Tower to govern multi-account AWS environments at scale - G...

Amazon Web Services

AWS Control Tower is a new AWS service that cloud administrators can use to set up and govern their secure, compliant, multi-account environments on AWS. In this session, we show you how Control Tower automates the creation of a secure and compliant landing zone with best-practice blueprints for a multi-account structure, identity and federated access management, a central log archive, cross-account security audits, and workflows for provisioning accounts with pre-approved configurations. We also discuss guardrails—pre-packaged governance rules created for security, operations, and compliance that you can apply enterprise-wide or to groups of accounts to enforce policies or detect violations. Finally, we show you how to easily manage and monitor all this through the Control Tower dashboard. AWS Control Tower is a new AWS service that cloud administrators can use to set up and govern their secure, compliant, multi-account environments on AWS. In this session, we show you how Control Tower automates the creation of a secure and compliant landing zone with best-practice blueprints for a multi-account structure, identity and federated access management, a central log archive, cross-account security audits, and workflows for provisioning accounts with pre-approved configurations. We also discuss guardrails—pre-packaged governance rules created for security, operations, and compliance that you can apply enterprise-wide or to groups of accounts to enforce policies or detect violations. Finally, we show you how to easily manage and monitor all this through the Control Tower dashboard.

Launch AWS Faster using Automated Landing Zones - AWS Online Tech Talks

Amazon Web Services

AWS Infrastructure Services Amazon infrastructure services (Amazon EC2, Amazon S3, Amazon EBS, and Amazon VPC) form the backbone platform for hundreds of thousands of AWS customers. In this hands-on workshop we will take you to walk through these infrastructure services and how you can use them to match capacity and costs requirement. This hands-on workshop is designed to combine best practices with the sharing of practical implementation experience. Reasons to Attend: Understand how to use Amazon EC2 and related considerations Understand the differences between Amazon S3 and Amazon EBS and related use cases Learn how to optimise your costs by combining On Demand, Reserved and Spot Instances Learn how to create a VPC and subnets and related configurations Discover additional resources that you can access to learn more Discover news and updates of AWS infrastructure services

AWS Security & Compliance

Amazon Web Services

AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...

Edureka!

Amazon services ec2

Ismaeel Enjreny

Security Architectures on AWS

Amazon Web Services

Deep Dive on Amazon EC2 Systems Manager

Amazon Web Services

Whether you are a traditional enterprise exploring migrating workloads to the cloud or are already “all-in” on AWS, performing common tasks of inventory collection, OS patch management, and image creation at scale is increasingly complicated in hybrid infrastructure environments. Amazon EC2 Systems Manager allows you to perform automated configuration and ongoing management of your hybrid environment systems at scale. This session provides an overview of key EC2 Systems Manager capabilities that help you define and track system configurations, prevent drift, and maintain software compliance of your EC2 and on-premises configurations. We will also discuss common use cases for EC2 Systems Manager and give you a demonstration of a hybrid-cloud management scenario.

Deep dive into AWS IAM

Amazon Web Services

Introduction to Threat Detection and Remediation on AWS

Amazon Web Services

In this talk, we will introduce several methods of threat detection and remediation on AWS, including GuardDuty, Macie, WAF, Shield, Lambda, AWS Config, Systems Manager and Inspector. We will do a brief overview of each of these services, and then talk about how to put them all together, to have a comprehensive thread detection and remediation solution. We will also discuss how to use these services across multiple AWS accounts and regions, to cover the governance needs of enterprise AWS deployments.

AWS Security Fundamentals

Amazon Web Services

This session is designed to introduce you to fundamental cloud computing and AWS security concepts that will help you prepare for the Security Week sessions, demos, and labs. We will ensure you have an AWS account and understand EC2, prepare you to get set up on the AWS Command Line Interface (CLI) to access the AWS Management Console, introduce you to in source repositories, discuss SSH access and necessary SDKs, and more.

Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...

Amazon Web Services

In this workshop, we present best practices for establishing an AWS Landing Zone. We provide a demonstration of the automated AWS Landing Zone solution, and we show you how it builds a multi-account architecture that is enterprise-ready for application deployment and compliant with common operations, security, and procurement processes. You have the opportunity to modify the code for custom deployments. Leave the workshop with an understanding of the mechanism to update the AWS Landing Zone using a CI/CD pipeline, how to create new AWS accounts using the built-in account vending machine, and how the AWS Landing Zone solution components integrate to provide a secure, scalable starting environment for your cloud journey. We encourage you to attend the full AWS Landing Zone track. Search for #awslandingzone in the session catalog.

AWS Control Tower

CloudHesive

Introduction to AWS Security

Amazon Web Services

Introduction to AWS IAM

Knoldus Inc.

AWS의 다양한 Compute 서비스(EC2, Lambda, ECS, Batch, Elastic Beanstalk)의 특징 이해하기 - 김...

Amazon Web Services Korea

IAM Best Practices

Amazon Web Services

(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatch

Amazon Web Services

You may already know that you can use Amazon CloudWatch to view graphs of your AWS resources like Amazon Elastic Compute Cloud instances or Amazon Simple Storage Service. But, did you know that you can monitor your on-premises servers with Amazon CloudWatch Logs? Or, that you can integrate CloudWatch Logs with Elasticsearch for powerful visualization and analysis? This session will offer a tour of the latest monitoring and automation capabilities that we’ve added, how you can get even more done with Amazon CloudWatch.

Implementing your landing zone - FND210 - AWS re:Inforce 2019

Amazon Web Services

One of the first questions that customers ask during their cloud journeys is how to establish and build AWS environments or landing zones. In this session, we discuss best practices for establishing a scalable approach and necessary landing zone framework. We present an overview of the approach and solutions to help you implement a landing zone. We also introduce the AWS Landing Zone, which is an automated solution for setting up a robust, flexible AWS environment, and we discuss how it reduces the time needed to get started. Finally, we provide a high level overview of AWS Control Tower and how it fits into the overall approach.

Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...

Amazon Web Services

Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. It monitors for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise. Enabled with a few clicks in the AWS Management Console, Amazon GuardDuty can immediately begin analyzing billions of events across your AWS accounts for signs of risk. It does not require you to deploy and maintain software or security infrastructure, meaning it can be enabled quickly with no risk of negatively impacting existing application workloads.

AWS Lambda

Scott Leberknight

Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...

Amazon Web Services

Estate and Patch Management Infrastructure and Operations as Code

Amazon Web Services

Nirav Kothari: Well-Architected - Operational Excellence Instructor Led Lab.pdf

Amazon Web Services

This hands-on, instructor-led lab will use the AWS Management Console to deploy a new workload, and set up estate and patch management. In this lab we will demonstrate the importance of tagging and the ways in which it can support you operations activities. You will leverage the benefits of infrastructure as code for development and deployment of your environment. You will also perform Operations as Code to gain insights to your workload status, and to maintain your environment.

What's hot

Amazon EC2 and Amazon VPC Hands-on Workshop

Amazon Web Services

AWS Security & Compliance

Amazon Web Services

AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...

Edureka!

Amazon services ec2

Ismaeel Enjreny

Security Architectures on AWS

Amazon Web Services

Deep Dive on Amazon EC2 Systems Manager

Amazon Web Services

Deep dive into AWS IAM

Amazon Web Services

Introduction to Threat Detection and Remediation on AWS

Amazon Web Services

AWS Security Fundamentals

Amazon Web Services

Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...

Amazon Web Services

AWS Control Tower

CloudHesive

Introduction to AWS Security

Amazon Web Services

Introduction to AWS IAM

Knoldus Inc.

AWS의 다양한 Compute 서비스(EC2, Lambda, ECS, Batch, Elastic Beanstalk)의 특징 이해하기 - 김...

Amazon Web Services Korea

IAM Best Practices

Amazon Web Services

(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatch

Amazon Web Services

Implementing your landing zone - FND210 - AWS re:Inforce 2019

Amazon Web Services

Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...

Amazon Web Services

AWS Lambda

Scott Leberknight

Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...

Amazon Web Services

What's hot (20)

Amazon EC2 and Amazon VPC Hands-on Workshop

AWS Security & Compliance

AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...

Amazon services ec2

Security Architectures on AWS

Deep Dive on Amazon EC2 Systems Manager

Deep dive into AWS IAM

Introduction to Threat Detection and Remediation on AWS

AWS Security Fundamentals

Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...

AWS Control Tower

Introduction to AWS Security

Introduction to AWS IAM

AWS의 다양한 Compute 서비스(EC2, Lambda, ECS, Batch, Elastic Beanstalk)의 특징 이해하기 - 김...

IAM Best Practices

(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatch

Implementing your landing zone - FND210 - AWS re:Inforce 2019

Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...

AWS Lambda

Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...

Similar to Inventory and Patch Management Using AWS Systems Manager (ARC332) - AWS re:Invent 2018

Estate and Patch Management Infrastructure and Operations as Code

Amazon Web Services

Nirav Kothari: Well-Architected - Operational Excellence Instructor Led Lab.pdf

Amazon Web Services

Simplify Operations, Compliance and Governance using AWS Systems Manager

Amazon Web Services

This session will discuss how government organizations can employ AWS Systems Manager to gain insights into their environments and simplify operational tasks such as patching the OS or loading applications, for both on-premises instances as well as those within AWS. We will also look into how SSM can simplify governance and compliance from Central IT perspective by demonstrating how Systems Manager can automate credential rotation on servers in order to maintain compliance for various regulatory or compliance workloads.

Set Up a CI/CD Pipeline for Deploying Containers Using the AWS Developer Tool...

Amazon Web Services

Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...

Amazon Web Services

In this workshop, create guardrails to ensure governance is applied and identify when people stray. This session will deep dive into AWS Landing Zone, AWS Organizations, AWS Config, and Identity and Access Management. We will focus on the Operational Excellence and Security pillar best practices, of the AWS Well-Architected Framework, using a multi-account strategy. We address the architectural and operational decisions you need to make. In the cloud, you can start at the core and create defense in depth at the individual resource level. This session is designed for security and compliance practitioners interested in estate management, auditing of infrastructure, advanced IAM techniques, and overall governance management.

Operationalizing Microsoft Workloads (WIN320) - AWS re:Invent 2018

Amazon Web Services

In this session, we discuss best practices and approaches for managing your Microsoft Windows-based infrastructure on AWS. We describe the AWS services that can help you manage Windows servers at scale and realize the maximum benefit of the cloud. In addition, we show you how to build simple and effective solutions to manage logging, configuration drift, inventory, licensing, and more. Please join us for a speaker meet-and-greet following this session at the Speaker Lounge (ARIA East, Level 1, Willow Lounge). The meet-and-greet starts 15 minutes after the session and runs for half an hour.

Operations and Security at Cloud Scale with Amazon EC2 System Manager - AWS S...

Amazon Web Services

Designing for Operability: Getting the Last Nines in Five-Nines Availability ...

Amazon Web Services

Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...

Amazon Web Services

As customers migrate to the cloud, IT needs to maintain structured compliance and governance while providing developers with the flexibility to manage cloud resources at scale. In this session, learn how AWS management tools provide a set of services to track changes to resources, audit actions, manage change, and gain insights. We also show how you can use built-in safety controls to automatically perform actions and remediation across multiple regions and accounts. This session is beneficial to IT and system administrators who are interested in using native AWS tools to operate secure and compliant infrastructure on AWS.

Build End-to-End IT Lifecycle Management on AWS with ServiceNow (ENT330) - AW...

Amazon Web Services

In this workshop, cloud architects, IT service management (ITSM) leads, and IT managers learn how to launch and operate governed cloud workloads on AWS by leveraging AWS management tools on the ServiceNow platform. Attendees have the option of managing the provisioning process for an Amazon WorkSpaces desktop through ServiceNow. This workshop simulates the launching of AWS services using the AWS Service Catalog Connector for ServiceNow and the operational activities established to demonstrate the ITSM process integration within ServiceNow (workflows, CMDB updates, incident management, change management).

Operations for Containerized Applications (CON334-R1) - AWS re:Invent 2018

Amazon Web Services

Containers make it easy for developers to standardize every part of the software lifecycle. For operators, this means making it easier to implement automated processes for testing, deployment, scaling, and monitoring. In this session, we dive deep into what it takes to successfully operate container workloads. We cover CI/CD, infrastructure provisioning, communications management. We also discuss ways to improve velocity while maintaining reliability when operating distributed containerized applications.

AWS re:Invent 2016: How to Manage Inventory, Patching, and System Images for ...

Amazon Web Services

Whether you are a traditional enterprise making a shift to the cloud or are already all-in, AWS EC2 management capabilities enable you to perform common tasks of inventory collection, and patch and image management of your infrastructure at scale. In this session, we'll provide a brief overview of these powerful capabilities and bring it all together with a demo of real-world hybrid-cloud management scenario.

Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...

Amazon Web Services

"In this workshop, cloud architects, Cloud Center of Excellence (CCOE) team members, and IT managers learn how to launch and operate governed cloud workloads on AWS by leveraging AWS management tools. They extend a sample catalog containing Amazon EC2, Amazon S3, and so on, and enable catalog users to only manage the resources they create. They then perform the IT service management process integration using ServiceNow as an example solution.

Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...

Amazon Web Services

In this workshop, we present best practices for establishing an AWS Landing Zone. You will see a demonstration of the automated AWS Landing Zone solution and how it builds a multi-account architecture that is enterprise-ready for application deployment and compliant with common operations, security, and procurement processes, as well as experience how to modify the code for custom deployments. You will leave the workshop with an understanding of the mechanism to update the Landing Zone using a CI/CD pipeline, how to create new AWS accounts using the built-in account vending machine, and how the AWS Landing Zone solution components integrate to provide a secure, scalable starting environment for your cloud journey. We encourage you to attend the full AWS Landing Zone track. Search for #awslandingzone in the session catalog.

PaaS – From Code to Running Application using AWS Elastic Beanstalk (DEV323) ...

Amazon Web Services

Come learn how Elastic Beanstalk can help you go from code to running application in a matter of minutes, without the need to provision or manage any of the underlying Amazon Web Services (AWS) resources. Hear how Qualcomm is able to migrate application to AWS faster than before through Forge, an internally built application platform that leverages Elastic Beanstalk to simplify the development and deployment of applications to AWS with security and organizational best practices out of the box.

Enabling Governance, Compliance, Operational, and Risk Auditing with AWS Mana...

Amazon Web Services

In this session, you’ll learn how to enable governance compliance and undertake operational and risk auditing of your AWS account through a combination of continuous monitoring auditing and evaluation of your AWS resources. With AWS management tools you can see a history of AWS API calls for your account, review changes in configurations and relationships among AWS resources, and dive into detailed resource configuration histories. You can determine your overall compliance with the configurations specified in your internal guidelines and you can give developers and systems administrators a secure and compliant means to create and manage AWS resources.

Build Your Own Log Analytics Solutions on AWS (ANT323-R) - AWS re:Invent 2018

Amazon Web Services

With Amazon Elasticsearch Service's simplicity comes a multitude of opportunity to use it as a back end for real-time application and infrastructure monitoring. With this wealth of opportunities comes sprawl - developers in your organization are deploying Amazon Elasticsearch Service for many different workloads and many different purposes. Should you centralize into one Amazon Elasticsearch Service domain? What are the tradeoffs in scale and cost? How do you control access to the data and dashboards? How do you structure your indexes - single tenant or multi-tenant? In this session, we'll explore whether, when, and how to centralize logging across your organization to minimize cost and maximize value and learn how Autodesk has built a unified log analytics solution using Amazon Elasticsearch Service.

Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...

Amazon Web Services

The AWS Landing Zone solution provides a consolidated collection of AWS best practices, prescriptive guidance, and templates for automatically configuring and securing AWS multi-accounts, networks, and core services. In this workshop, you will learn the Landing Zone solution design. With your laptop, you will go through demonstrations of AWS Landing Zone deployment, automated new account creation using the built-in account vending machine, and Landing Zone customization for additional services. You will leave the workshop with an understanding of the AWS Landing Zone solution mechanisms, CI/CD deployment pipeline, and Landing Zone extension methods. This workshop is intended for architects, IT administrators, and engineers of consulting and technology partners as well as customers who will design, deploy, extend, or operate AWS Landing Zones. We encourage you to attend the full AWS Landing Zone track including SEC303; search for #awslandingzone in the session catalog.

Earn Your DevOps Black Belt: Deployment Scenarios with AWS CloudFormation (DE...

Amazon Web Services

AWS CloudFormation, in combination with other tools for continuous integration and delivery pipelines, can help automate and standardize frequent deployments for many types of applications, from traditional compute and autoscaling groups to serverless applications. In this session, we will present several use cases combining CloudFormation with build and pipeline automation tools to achieve repeatable, consistent and compliant deployments without sacrificing agility.

Deep Dive on AWS CloudFormation

Amazon Web Services

AWS CloudFormation enables software and DevOps engineers to harness the power of infrastructure as code. As organizations automate the modeling and provisioning of applications and workloads with AWS CloudFormation repeatable processes and reliable deployments become more critical. This session guides you through various techniques to improve your infrastructure automation including protecting your AWS resources and stacks with safety guardrails while monitoring infrastructure changes. In addition, we will cover efficient ways to provide resources across accounts and regions as show you how to test and improve the reliability of your deployments.

Similar to Inventory and Patch Management Using AWS Systems Manager (ARC332) - AWS re:Invent 2018 (20)