Features To Love About AWS EC2 Systems Manager
Amazon EC2 Systems Manager (SSM) is a collection of capabilities that can automate management tasks such as collecting system inventory, applying operating system patches, automating the creation of Amazon Machine Images (AMIs), and configuring operating systems and applications at scale. With SSM you can remotely and securely manage the configuration of managed instances.
In this blog post, I will share the features I love about AWS EC2 Systems Manager.
Patch Manager Feature
This feature helps keep software up to date and meet compliance policies. It allows us to select and deploy operating system and software patches automatically across large groups of instances, whether they are AWS EC2 instances or on-premises servers. Auto-approval can be set for selected categories of patches that need installation. Maintenance windows can be scheduled so that patches are only applied during preset times.
At a recent client site we:
- Installed SSM agents on all the EC2 instances with the Instance Profile attached for integration with SSM.
- Updated the SSM agent version using Run Command as and when a new version is released.
- Deployed CloudWatch Logs agents and configured them using SSM Run Command with the help of SSM Documents such as AWS-ConfigureAWSPackage and AWS-ConfigureCloudWatch.
- Deployed software using the AWS-RunPowerShellScript SSM Document.
- Created Maintenance Windows and Patch Baselines to deploy the security patches on the EC2 Instances.
- Collected the Compliance reports on the Patch baselines and shared reports with the customer.
We were able to patch 200 servers in less than a day. Had this been done with manual patching, it would most likely have taken 2-3 days. SSM is good for customers who don’t have access to Microsoft SCCM or other patch tools.
Resource groups are a way to create a logical group of resources associated with a particular workload such as different layers of an application stack, or production versus development environments.
AWS Systems Manager automatically aggregates and displays operational data for each resource group through a dashboard so you have a clear view of your infrastructure compliance and performance. With Systems Manager, you can view API call logs from AWS CloudTrail, resource configuration changes from AWS Config, software inventory, and patch compliance status by resource group.
Inventory is used to collect operating-system-level information such as the software installed on the servers, network configurations, Windows services, updates and other system properties.
AWS Systems Manager allows us to safely automate common and repetitive IT operations and management tasks across AWS resources. With Systems Manager, we can create documents that specify a list of tasks, or use community-published documents.
AWS Systems Manager provides us with safe, secure remote management of our instances at scale without logging into our servers, replacing the need for bastion hosts, SSH, or remote PowerShell. It provides a simple way of automating common administrative tasks across groups of instances such as registry edits, user management, and software and patch installations.
Maintenance Window improves the availability and reliability of our services and applications. It lets us schedule a safe and convenient time to run administrative and maintenance tasks across a group of instances, such as installing patches and making configuration changes, that require an interruption of service and cause downtime.
State Manager defines a consistent configuration of the OS and applications across the fleet of systems. It keeps those configurations intact at all times by running its associations.
Parameter Store is used to store and reference configuration data and sensitive information. Rather than storing the data in configuration files, or referencing it in plain text while running Run Command or an association on the instances, we can use Parameter Store to deliver this information to our instances. These parameters can also be secured and encrypted using KMS keys. Permissions to Parameter Store can also be controlled so that only the right set of users has access.
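The access control on Parameter Store described above can be checked mechanically. The following is an added example, not code from the original post: a Python check that flags IAM policy statements allowing Parameter Store reads on unscoped resources, run against a weak policy and a path-scoped one. The sample policies, account ID, region, key ID and parameter path are constructed placeholders.

```python
import fnmatch

# IAM actions that return parameter values from Parameter Store.
READ_ACTIONS = ("ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath")

def _as_list(value):
    # IAM accepts either a single item or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def _grants_read(action_pattern):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    pattern = action_pattern.lower()
    return any(fnmatch.fnmatchcase(a.lower(), pattern) for a in READ_ACTIONS)

def _is_broad(resource):
    # Broad means "*" or a parameter ARN whose first path segment is a wildcard.
    if resource == "*":
        return True
    res = resource.split(":", 5)[-1]  # resource part of the ARN
    if not res.startswith("parameter"):
        return res.startswith("*")
    first = res[len("parameter"):].lstrip("/").split("/")[0]
    return first == "" or "*" in first or "?" in first

def broad_parameter_access(policy):
    """Return (Sid, resource) for each Allow that lets a principal read
    parameters outside a specific path. NotAction/NotResource are not handled."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_grants_read(a) for a in _as_list(stmt.get("Action", []))):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if _is_broad(resource):
                findings.append((stmt.get("Sid", "<no Sid>"), resource))
    return findings

# Constructed sample policies (account ID, region, key ID and paths are placeholders).
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllSsm", "Effect": "Allow", "Action": "ssm:*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadProdApp", "Effect": "Allow",
     "Action": ["ssm:GetParameter", "ssm:GetParametersByPath"],
     "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/prod/app/*"},
    {"Sid": "DecryptProdApp", "Effect": "Allow", "Action": "kms:Decrypt",
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]}

if __name__ == "__main__":
    print(broad_parameter_access(WEAK))
    print(broad_parameter_access(SCOPED))
```

The scoped policy pairs the path-limited read with kms:Decrypt on a single key, which is what an instance role needs to read KMS-encrypted parameters under one path and nothing else.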