AWS Systems Manager

  • Systems Manager provides visibility and control of the infrastructure on AWS.
  • helps view operational data from multiple AWS services and automate operational tasks across AWS resources.
  • works with managed instances (also called managed nodes): EC2 instances, on-premises servers, or VMs in a hybrid environment that run the SSM Agent and have been configured for Systems Manager.
  • helps configure and maintain managed instances.
  • helps maintain security and compliance by scanning the managed instances and reporting on (or taking corrective action on) any policy violations it detects.
  • supported machine types include EC2 instances, on-premises servers, and virtual machines (VMs), including VMs in other cloud environments.
  • supported operating system types include Windows Server, multiple distributions of Linux, macOS (on EC2 Mac instances) and Raspberry Pi OS (Raspbian).

Operations Management

Capabilities that help manage the AWS resources

  • Trusted Advisor is an online tool that provides real-time guidance to help provision resources following AWS best practices.
  • AWS Personal Health Dashboard (now the AWS Health Dashboard) provides information about AWS Health events that can affect the account.
  • OpsCenter provides a central location where operations engineers and IT professionals can view, investigate, and resolve operational work items (OpsItems) related to AWS resources.

Application Management

SSM Parameter Store

  • SSM Parameter Store provides secure, scalable, centralized, hierarchical storage for configuration data and secrets management.
  • can store data such as passwords, database connection strings, AMI IDs and license codes as parameter values.
  • supports three parameter types: String, StringList and SecureString; only SecureString values are stored encrypted.
  • uses AWS KMS to encrypt SecureString values, so a caller needs kms:Decrypt on the key in addition to ssm:GetParameter* to read them with decryption.
  • parameters are referenced by the unique name given at creation; hierarchical names such as /prod/app/db_password let a path prefix be used both for bulk retrieval (GetParametersByPath) and for scoping IAM policies.
  • supports versioning of configuration/secrets; a specific version or a label can be requested.
  • provides high availability, as Parameter Store is hosted in multiple AZs in an AWS Region.
  • can be configured for change notifications (via EventBridge) and invoke automated actions for both parameters and parameter policies.
  • is integrated with Secrets Manager: a Secrets Manager secret can be read through GetParameter using the reserved name prefix /aws/reference/secretsmanager/, which lets services that already support Parameter Store references consume Secrets Manager secrets.
  • does not support automatic password rotation; use Secrets Manager instead.
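The Lambda case from the practice questions below (several functions sharing an encrypted database credential) is the typical Parameter Store consumer. The following is an added example, not code from the original page: it shows the boto3 call shapes a function would use (GetParametersByPath with WithDecryption and pagination, GetParameter with the Secrets Manager reference prefix) and a TTL cache so a warm Lambda container does not call the API on every invocation. The hierarchy /prod/app, the FakeSsm stand-in client and its parameter values are constructed for this example so it runs offline; pass a real `boto3.client("ssm")` in its place.

```python
"""Added example: read a configuration hierarchy from SSM Parameter Store.

The client is injected so the same code runs against boto3 in Lambda and
against the constructed FakeSsm below in a test, with no network.
"""
import time
from typing import Callable, Dict

SECRETS_MANAGER_PREFIX = "/aws/reference/secretsmanager/"


def load_config(ssm, path: str, decrypt: bool = True) -> Dict[str, str]:
    """Return {name: value} for every parameter under `path`.

    GetParametersByPath returns at most 10 parameters per page, so NextToken
    must be followed or values silently go missing.
    """
    if not path.startswith("/"):
        raise ValueError("hierarchy paths must start with '/', e.g. /prod/app")
    kwargs = {"Path": path, "Recursive": True, "WithDecryption": decrypt}
    values: Dict[str, str] = {}
    while True:
        resp = ssm.get_parameters_by_path(**kwargs)
        for p in resp.get("Parameters", []):
            if p["Type"] == "SecureString" and not decrypt:
                continue  # without decryption the value is ciphertext; never hand that out as config
            values[p["Name"]] = p["Value"]
        token = resp.get("NextToken")
        if not token:
            return values
        kwargs["NextToken"] = token


def get_secret_via_parameter_store(ssm, secret_id: str) -> str:
    """Read a Secrets Manager secret through Parameter Store's reference prefix.

    Only GetParameter supports the prefix, and WithDecryption must be True.
    """
    resp = ssm.get_parameter(Name=SECRETS_MANAGER_PREFIX + secret_id, WithDecryption=True)
    return resp["Parameter"]["Value"]


class CachedConfig:
    """Hold a loaded hierarchy for `ttl` seconds; reload on the first read after expiry."""

    def __init__(self, loader: Callable[[], Dict[str, str]], ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._loader, self._ttl, self._clock = loader, ttl, clock
        self._values: Dict[str, str] = {}
        self._expires = float("-inf")  # nothing loaded yet

    def get(self, name: str) -> str:
        now = self._clock()
        if now >= self._expires:
            self._values = self._loader()
            self._expires = now + self._ttl
        return self._values[name]


class FakeSsm:
    """Constructed stand-in for the boto3 SSM client: two result pages, one secret, no network."""

    def __init__(self):
        self.calls = 0
        self._pages = {
            None: {"Parameters": [
                {"Name": "/prod/app/db_host", "Type": "String", "Value": "db.internal", "Version": 3},
                {"Name": "/prod/app/db_password", "Type": "SecureString", "Value": "s3cr3t", "Version": 7},
            ], "NextToken": "page-2"},
            "page-2": {"Parameters": [
                {"Name": "/prod/app/features", "Type": "StringList", "Value": "a,b", "Version": 1},
            ]},
        }

    def get_parameters_by_path(self, **kwargs):
        self.calls += 1
        return self._pages[kwargs.get("NextToken")]

    def get_parameter(self, **kwargs):
        assert kwargs["WithDecryption"] is True and kwargs["Name"].startswith(SECRETS_MANAGER_PREFIX)
        return {"Parameter": {"Name": kwargs["Name"], "Type": "SecureString",
                              "Value": '{"username":"app","password":"p@ss"}', "Version": 1}}


if __name__ == "__main__":
    fake = FakeSsm()
    cfg = CachedConfig(lambda: load_config(fake, "/prod/app"), ttl=300)
    print(cfg.get("/prod/app/db_host"), "api calls so far:", fake.calls)
    print(get_secret_via_parameter_store(fake, "prod/app/db"))
```

The execution role for such a function should be scoped to the hierarchy, not to `ssm:*`: allow ssm:GetParametersByPath and ssm:GetParameter on `arn:aws:ssm:<region>:<account>:parameter/prod/app/*` and kms:Decrypt on the single key that encrypts those SecureString values. The cache is a trade-off: a 5 minute TTL means a rotated value takes up to 5 minutes to be picked up, which is why the loader is re-run on expiry rather than once per container.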

SSM Parameter Store vs Secrets Manager

Both store secrets encrypted under KMS and are read through IAM-controlled API calls. Secrets Manager adds built-in rotation through a Lambda function, holds values up to 64 KB, and is billed per secret and per API call; Parameter Store standard parameters are free, hold up to 4 KB (8 KB in the advanced tier), and suit plain configuration as well as secrets, but rotation has to be built by hand.

Change Management

Capabilities for taking action against or changing the AWS resources

Systems Manager Automation

  • helps automate common maintenance and deployment tasks, for example creating and updating AMIs, applying driver and agent updates, resetting passwords on Windows instances, resetting SSH keys on Linux instances, and applying OS patches or application updates.

Maintenance Windows

  • helps set up recurring schedules for managed instances to run administrative tasks like installing patches and updates without interrupting business-critical operations.

Node Management

Capabilities for managing the EC2 instances, on-premises servers and virtual machines (VMs) in the hybrid environment, and other types of AWS resources (nodes)

Systems Manager Configuration Compliance

  • helps scan the fleet of managed instances for patch compliance and configuration inconsistencies.
  • helps collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren't compliant.
  • displays compliance data about Patch Manager patching and State Manager associations by default, and supports custom compliance types reported through the PutComplianceItems API.

Session Manager

  • helps manage EC2 instances and other managed nodes through an interactive one-click browser-based shell or through the AWS CLI (with the session-manager-plugin installed).
  • provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys: the agent makes outbound HTTPS connections to the ssm and ssmmessages endpoints (or to VPC interface endpoints), and who may start a session is decided by IAM rather than by network rules.
  • helps comply with corporate policies that require controlled access to instances, strict security practices, and fully auditable logs with instance access details, while still providing end users with simple one-click cross-platform access to the EC2 instances. Session activity can be streamed to CloudWatch Logs or stored in S3, the session stream can be encrypted with a KMS key, and every StartSession, ResumeSession and TerminateSession call is recorded in CloudTrail.
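"Fully auditable" is only useful if someone reads the trail. The following is an added example, not part of the original page, of the detection logic a SOC would run over CloudTrail records for Session Manager and Run Command: it flags shells opened on production instances by roles outside an allowlist or without MFA, denied StartSession attempts, and arbitrary-script Run Command invocations (which execute without Session Manager's keystroke logging). The field names are those CloudTrail emits; the allowlisted role, the production instance IDs, the rule names and the sample events are constructed for this example.

```python
"""Added example: audit Session Manager / Run Command activity from CloudTrail records."""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumed policy inputs for this example: roles allowed shells on production, and the production fleet.
ALLOWED_PROD_ROLES: Set[str] = {"OpsBreakGlassRole"}
PROD_INSTANCES: Set[str] = {"i-0a1b2c3d4e5f60001", "i-0a1b2c3d4e5f60002"}
SCRIPT_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}

Finding = Tuple[str, str, str]  # (rule, principal ARN, target instance or document)


def role_name(identity: Dict) -> Optional[str]:
    """Role from an assumed-role ARN: arn:aws:sts::<acct>:assumed-role/<Role>/<session>."""
    arn = identity.get("arn", "")
    if identity.get("type") != "AssumedRole" or ":assumed-role/" not in arn:
        return None
    return arn.split(":assumed-role/", 1)[1].split("/", 1)[0]


def audit_ssm_events(events: Iterable[Dict], allowed_roles: Set[str] = ALLOWED_PROD_ROLES,
                     prod: Set[str] = PROD_INSTANCES) -> List[Finding]:
    """Apply the four rules to a stream of CloudTrail records and return the findings."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("eventSource") != "ssm.amazonaws.com":
            continue
        ident = ev.get("userIdentity", {})
        who = ident.get("arn", "unknown")
        mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated") == "true"
        req = ev.get("requestParameters") or {}
        name = ev.get("eventName")
        if name == "StartSession":
            target = req.get("target", "")
            if ev.get("errorCode"):
                # A denied attempt is itself a signal: someone probing for shell access.
                findings.append(("denied-session-attempt", who, target))
            if target in prod and role_name(ident) not in allowed_roles:
                findings.append(("prod-shell-unapproved-role", who, target))
            if target in prod and not mfa:
                findings.append(("prod-shell-without-mfa", who, target))
        elif name == "SendCommand" and req.get("documentName") in SCRIPT_DOCUMENTS:
            # Arbitrary scripts via Run Command bypass Session Manager's session logging.
            findings.append(("run-command-script", who, req.get("documentName")))
    return findings


def _event(name: str, role: str, user: str, mfa: bool, error: Optional[str] = None, **req) -> Dict:
    """Build a minimal CloudTrail record (constructed sample data, not a real trail)."""
    ev = {"eventSource": "ssm.amazonaws.com", "eventName": name,
          "userIdentity": {"type": "AssumedRole",
                           "arn": f"arn:aws:sts::123456789012:assumed-role/{role}/{user}",
                           "sessionContext": {"attributes": {"mfaAuthenticated": str(mfa).lower()}}},
          "requestParameters": req}
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_EVENTS = [
    _event("StartSession", "OpsBreakGlassRole", "alice", True, target="i-0a1b2c3d4e5f60001"),  # clean
    _event("StartSession", "DeveloperRole", "bob", True, target="i-0a1b2c3d4e5f60002"),       # wrong role
    _event("StartSession", "OpsBreakGlassRole", "carol", False, target="i-0a1b2c3d4e5f60001"),  # no MFA
    _event("StartSession", "DeveloperRole", "bob", True, target="i-0d3f0000000000dd1"),       # dev box, fine
    _event("StartSession", "DeveloperRole", "eve", True, error="AccessDenied", target="i-0a1b2c3d4e5f60002"),
    _event("SendCommand", "DeveloperRole", "bob", True, documentName="AWS-RunShellScript",
           instanceIds=["i-0d3f0000000000dd1"]),
    _event("TerminateSession", "OpsBreakGlassRole", "alice", True, sessionId="alice-0123456789abcdef0"),
]

if __name__ == "__main__":
    for rule, who, what in audit_ssm_events(SAMPLE_EVENTS):
        print(f"{rule:28} {who.rsplit('/', 1)[-1]:8} {what}")
```

Running the sample yields five findings: two unapproved-role shells on production (one of them the denied attempt by eve, which also trips the denied-attempt rule), one production shell without MFA, and one Run Command script invocation. In a real deployment the same conditions are enforceable before the fact with IAM condition keys on ssm:StartSession (for example ssm:resourceTag on the target and aws:MultiFactorAuthPresent), with this detection as the control that proves the policy holds.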

Systems Manager Run Command

  • Run Command allows you to automate common administrative tasks and perform one-time configuration changes at scale.
  • helps to remotely and securely manage the configuration of the managed instances at scale.
  • helps perform on-demand changes like updating applications or running Linux shell scripts and Windows PowerShell commands on a target set of dozens or hundreds of instances.

Patch Manager

  • helps automate the process of patching managed instances with both security-related and other types of updates.
  • helps apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for Microsoft applications.)
  • enables scanning of instances for missing patches and applies them individually or to a large group of instances by using EC2 instance tags.
  • provides options to scan the instances and report compliance on a schedule, install available patches on a schedule, and patch or scan instances on-demand as needed.
  • Patch baselines
    • defines which patches should and shouldn’t be installed
    • can include rules for auto-approving patches within days of their release, as well as a list of approved and rejected patches
    • helps install security patches on a regular basis by scheduling patching to run as a Systems Manager maintenance window task.
  • Patch group
    • helps associate a set of instances with a specific patch baseline
    • requires instances to be tagged with the tag key Patch Group (or PatchGroup) and the group name as the tag value
    • an instance can only be part of one patch group, because a tag key carries a single value
    • a patch group can be registered with only one patch baseline per operating system type

Systems Manager Inventory

  • provides visibility into the EC2 and on-premises computing environment.
  • collects metadata from the managed instances about applications, files, network configuration, Windows services, patches, and more.
  • collects only metadata from the managed instances and doesn't access proprietary information or data.
  • supports custom inventory types in addition to the pre-configured metadata.
  • supports inventory data collection from multiple Regions and AWS accounts.
  • supports inventory data storage in a single centralized location through a resource data sync to an S3 bucket, which can then be queried using Athena.

Systems Manager State Manager

  • is a secure and scalable configuration management service that helps automate the process of keeping the managed instances in a defined state.
  • helps ensure that the instances are bootstrapped with specific software at startup, joined to a Windows domain (Windows instances only), or patched with specific software updates.
  • A State Manager association is a configuration that is assigned to the managed instances which defines the state that you want to maintain on the instances.

Shared Resources

Capabilities for managing and configuring the AWS resources

Systems Manager Document (SSM document)

  • SSM document defines the actions that Systems Manager performs on the managed instances.
  • SSM document types include
    • Command documents, which are used by State Manager and Run Command,
    • Automation documents (runbooks), which are used by Systems Manager Automation, and
    • Session documents, which define Session Manager session preferences.
  • SSM documents can be written in JSON or YAML and declare parameters and steps (actions); AWS-owned documents such as AWS-RunShellScript are available alongside custom documents.
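A Command document's parameters are substituted into its commands with `{{ Name }}`, so an unconstrained String parameter on an aws:runShellScript step is a command-injection primitive for anyone permitted to call SendCommand with that document. The following is an added example, not a document from AWS or from the original page: a small Command document held as a Python dict (schemaVersion 2.2, parameters, mainSteps) and a lint pass suitable for CI that requires every interpolated parameter to carry an allowedPattern or allowedValues and probes the pattern with shell metacharacters. The document contents, the unit-name pattern and the probe strings are my choices for this example.

```python
"""Added example: a Systems Manager Command document plus a lint pass over its parameters."""
import copy
import json
import re
from typing import Dict, List

RESTART_SERVICE_DOC: Dict = {
    "schemaVersion": "2.2",
    "description": "Restart a systemd unit on Linux managed instances (added example)",
    "parameters": {
        "ServiceName": {
            "type": "String",
            "description": "systemd unit to restart",
            "allowedPattern": "^[A-Za-z0-9_.@-]+$",  # no spaces, quotes or shell metacharacters
        },
        "DryRun": {
            "type": "String",
            "description": "true to show status only",
            "default": "false",
            "allowedValues": ["true", "false"],
        },
    },
    "mainSteps": [
        {
            "action": "aws:runShellScript",
            "name": "restartService",
            "inputs": {
                "timeoutSeconds": "60",
                "runCommand": [
                    "set -eu",
                    'if [ "{{ DryRun }}" = "true" ]; then systemctl status {{ ServiceName }};',
                    "else systemctl restart {{ ServiceName }}; fi",
                ],
            },
        }
    ],
}

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")
# Strings a safe allowedPattern must reject. Checked with re.search rather than fullmatch,
# which is the conservative choice when the service's anchoring behaviour is not relied on.
INJECTION_PROBES = ["nginx; id", "$(id)", "`id`", "a | id", "x && id", "a\nid"]
SCRIPT_ACTIONS = {"aws:runShellScript", "aws:runPowerShellScript"}


def lint_command_document(doc: Dict) -> List[str]:
    """Return human-readable problems; an empty list means the document passes."""
    problems: List[str] = []
    if doc.get("schemaVersion") != "2.2":
        problems.append("schemaVersion must be 2.2 for Command documents")
    params = doc.get("parameters", {})
    used = set()
    for step in doc.get("mainSteps", []):
        if step.get("action") not in SCRIPT_ACTIONS:
            continue
        for line in step.get("inputs", {}).get("runCommand", []):
            used.update(PLACEHOLDER.findall(line))
    for name in sorted(used):
        spec = params.get(name)
        if spec is None:
            problems.append(f"{name}: interpolated into a command but not declared in parameters")
            continue
        pattern, values = spec.get("allowedPattern"), spec.get("allowedValues")
        if not pattern and not values:
            problems.append(f"{name}: reaches a shell with no allowedPattern/allowedValues")
        elif pattern:
            leaks = [p for p in INJECTION_PROBES if re.search(pattern, p)]
            if leaks:
                problems.append(f"{name}: allowedPattern {pattern!r} accepts {leaks[0]!r}")
    for name in sorted(set(params) - used):
        problems.append(f"{name}: declared but never used")
    return problems


def render(doc: Dict) -> str:
    """JSON content as passed to `aws ssm create-document --content file://...`."""
    return json.dumps(doc, indent=2)


def weakened(doc: Dict, param: str, **spec_changes) -> Dict:
    """Copy of `doc` with one parameter's pattern dropped or replaced (the 'before' variant)."""
    bad = copy.deepcopy(doc)
    bad["parameters"][param].pop("allowedPattern", None)
    bad["parameters"][param].update(spec_changes)
    return bad


if __name__ == "__main__":
    print(lint_command_document(RESTART_SERVICE_DOC) or "hardened document: OK")
    print(lint_command_document(weakened(RESTART_SERVICE_DOC, "ServiceName")))
    print(lint_command_document(weakened(RESTART_SERVICE_DOC, "ServiceName", allowedPattern=".+")))
```

The hardened document passes; the same document with ServiceName's allowedPattern removed, or loosened to `.+`, fails with a message naming the parameter. The pattern check is a guard, not a proof: the durable control is to keep the set of principals allowed ssm:SendCommand on `AWS-RunShellScript` and custom documents small and to review custom documents the way you review code.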

Systems Manager Agent

  • is software that can be installed and configured on an EC2 instance, an on-premises server, or a virtual machine (VM).
  • makes it possible for Systems Manager to update, manage, and configure these resources.
  • must be installed on each instance to use with Systems Manager; the instance also needs an IAM instance profile (or a hybrid activation for non-EC2 machines) that grants the agent its permissions, typically the AmazonSSMManagedInstanceCore managed policy, plus outbound HTTPS reachability to the Systems Manager endpoints or VPC interface endpoints.
  • comes preinstalled on many Amazon Machine Images (AMIs), such as Amazon Linux and Windows Server AMIs, while it must be installed manually on other AMIs and on on-premises servers and virtual machines in a hybrid environment.

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. Which of the following tools from AWS allows the automatic collection of software inventory from EC2 instances and helps apply OS patches?
    1. AWS Code Deploy 
    2. Systems Manager
    3. EC2 AMI’s
    4. AWS Code Pipeline
  2. A Developer is writing several Lambda functions that each access data in a common RDS DB instance. They must share a connection string that contains the database credentials, which are a secret. A company policy requires that all secrets be stored encrypted. Which solution will minimize the amount of code the Developer must write?
    1. Use common DynamoDB table to store settings
    2. Use AWS Lambda environment variables
    3. Use Systems Manager Parameter Store secure strings
    4. Use a table in a separate RDS database
  3. A company has a fleet of EC2 instances and needs to remotely execute scripts for all of the instances. Which Systems Manager feature allows this?
    1. Systems Manager Automation
    2. Systems Manager Run Command
    3. Systems Manager Parameter Store
    4. Systems Manager Inventory
  4. As part of a compliance check it was found that EC2 instances launched by the deployment team were not in compliance with the latest security patches. The team had tagged all the resources. Which AWS service can help make the instances compliant?
    1. AWS Inspector
    2. AWS GuardDuty
    3. AWS Systems Manager
    4. AWS Shield
