Systems Manager
Lets you centralize operational tasks across multiple AWS services and automate tasks across your AWS resources.
Features
· Resource groups: create logical groups of resources such as applications, different layers of an application stack, or production versus development environments.
· Insights: select a resource group and view its recent API activity, resource configuration changes, related notifications, operational alerts, software inventory and patch compliance status.
· Inventory: collects information about your instances and the software installed on them.
· Automation: safely automate common and repetitive IT operations and management tasks across AWS resources.
· Session Manager: provides a browser-based interactive shell and CLI for managing Windows and Linux instances without opening inbound ports, managing SSH keys or using bastion hosts. Administrators grant and revoke access to instances from a central location using IAM policies.
· Patch Manager: helps ensure that your software is up to date and meets your compliance policies.
· Maintenance Windows: schedule windows of time in which to run administrative and maintenance tasks across your instances.
SSM AGENT
SSM Agent is the software that processes Systems Manager requests and configures the machine as specified in the request. It must be installed and running on every instance or on-premises server you want to manage with Systems Manager. It is preinstalled on many AWS-provided AMIs (for example Amazon Linux and Windows Server), but on other images you must install it yourself. The agent also needs an IAM instance profile that grants it permission to call Systems Manager (the AmazonSSMManagedInstanceCore managed policy is the usual starting point) and outbound HTTPS reachability to the Systems Manager endpoints (via the internet, a NAT gateway or VPC endpoints); no inbound ports are required.
Capabilities
· Automation
  o Allows you to safely automate common and repetitive IT operations and management tasks across AWS resources.
  o A step is a single action performed by the Automation execution on a per-target basis. You can run the entire Systems Manager Automation document in one action or step through it one step at a time.
  o Concepts
    § Automation document - defines the Automation workflow.
    § Automation action - the workflow consists of one or more steps. Each step is associated with a particular action (plugin), such as aws:runInstances or aws:executeAwsApi. The action determines the inputs, behaviour and outputs of the step.
    § Automation queue - if you attempt to run more than 25 Automations simultaneously, Systems Manager places the additional executions in a queue with status Pending. When a running Automation reaches a terminal state, the first execution in the queue starts.
  o You can schedule Automation document execution (for example from a Maintenance Window or a State Manager association).
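The Automation workflow described above, as an added example that is not part of the original notes: a small schema-0.3 Automation document (stop an instance, create an AMI, start it again) registered with Systems Manager and started against every instance carrying a tag, with rate control. The document name, tag key/value, role ARN and instance IDs are placeholders; setting AWS=echo prints the CLI calls instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): a custom Automation document
# registered with Systems Manager and started against tagged instances.
# Document name, tag key/value and the role ARN are placeholders.
set -eu

# Set AWS=echo in the environment to print the CLI calls instead of running them.
AWS="${AWS:-aws}"

# A schema-0.3 Automation document: stop the instance, create an AMI from it,
# start it again. Steps run in order; the execution fails at the first step
# that errors. The role in assumeRole is what Systems Manager uses for the
# EC2 calls, so it needs only the ec2:Stop/Start/CreateImage/Describe permissions.
automation_doc() {
cat <<'EOF'
schemaVersion: '0.3'
description: Stop an instance, create an AMI from it and start it again (added example).
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  InstanceId:
    type: String
    description: EC2 instance to image.
  AutomationAssumeRole:
    type: String
    description: IAM role that Systems Manager assumes to run the steps.
mainSteps:
  - name: stopInstance
    action: aws:changeInstanceState
    inputs:
      InstanceIds:
        - '{{ InstanceId }}'
      DesiredState: stopped
  - name: createImage
    action: aws:createImage
    inputs:
      InstanceId: '{{ InstanceId }}'
      ImageName: 'backup-{{ InstanceId }}-{{ global:DATE_TIME }}'
      NoReboot: true
  - name: startInstance
    action: aws:changeInstanceState
    inputs:
      InstanceIds:
        - '{{ InstanceId }}'
      DesiredState: running
outputs:
  - createImage.ImageId
EOF
}

# Register the document. create-document fails if the name already exists;
# publish later revisions with `aws ssm update-document --document-version '$LATEST'`.
register_doc() {   # $1 = document name, e.g. Example-StopImageStart
  "$AWS" ssm create-document --name "$1" --document-type Automation \
      --document-format YAML --content "$(automation_doc)"
}

# Start one execution per instance carrying the tag, filling InstanceId from
# each target. Rate control: 5 instances in parallel, stop after 1 failure.
run_on_tagged() {  # $1 = document name, $2 = tag key, $3 = tag value, $4 = role ARN
  "$AWS" ssm start-automation-execution --document-name "$1" \
      --target-parameter-name InstanceId \
      --targets "Key=tag:$2,Values=$3" \
      --parameters "AutomationAssumeRole=$4" \
      --max-concurrency 5 --max-errors 1 \
      --query AutomationExecutionId --output text
}

# Overall status plus per-step status of one execution (Pending while the
# execution is waiting in the queue behind the 25 concurrent ones).
show_execution() {  # $1 = automation execution id
  "$AWS" ssm get-automation-execution --automation-execution-id "$1" \
      --query 'AutomationExecution.[AutomationExecutionStatus, StepExecutions[].[StepName,StepStatus]]'
}
```

Usage: `register_doc Example-StopImageStart`, then `run_on_tagged Example-StopImageStart Backup yes arn:aws:iam::123456789012:role/ExampleAutomationRole` and `show_execution <id>` with the ID it prints. Because the execution runs under the role named in AutomationAssumeRole rather than the caller's credentials, it is not subject to the 12-hour limit that applies to executions run in a user's context.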
· Resource Groups
  o A collection of AWS resources that are all in the same AWS Region and that match criteria provided in a query (tag-based or CloudFormation stack-based).
  o Use Systems Manager tools such as Automation to simplify management tasks on your groups of resources. You can also use groups as the basis for viewing monitoring and configuration insights in Systems Manager.
· Built-in insights
  o Show detailed information about a single, selected resource group.
  o Includes recent API calls (from CloudTrail), recent configuration changes (from Config), instance software inventory listings, instance patch compliance views and instance configuration compliance views.
  o Dashboards are provided by CloudWatch.
· Systems Manager Activation
  o Enables hybrid and multi-cloud management. You can register any server, physical or virtual, running in your own data centre or in another cloud, to be managed by Systems Manager. The server runs SSM Agent configured with an activation code and ID and appears as a managed instance with an "mi-" identifier.
· Inventory Manager
  o Automates the process of collecting software inventory from managed instances.
  o You specify the types of metadata to collect (applications, files, network configuration, Windows updates, services and so on), the instances from which to collect it, and a collection schedule.
· Configuration Compliance
  o Scans your fleet of managed instances for patch compliance and configuration inconsistencies.
  o View compliance history and change tracking for Patch Manager data and State Manager associations by using AWS Config.
  o Customize Systems Manager Compliance to create your own compliance types.
· Run Command
  o Remotely and securely manage the configuration of your managed instances at scale, through the agent rather than SSH or RDP.
  o Managed instances - any EC2 instance, or on-premises server or virtual machine in your hybrid environment, that is configured for Systems Manager.
    § Execute a command document (for example AWS-RunShellScript or AWS-RunPowerShellScript) or a single command, to:
      v Stop, start, terminate or resize instances
      v Attach, detach or resize EBS volumes
      v Create snapshots, back up DynamoDB tables
      v Apply patches and updates
      v Run an Ansible playbook
    § Run across multiple instances (targeted by instance ID, tags or Resource Groups)
    § Rate control (how many targets run in parallel, as a count or percentage) and error control (stop after N failures or a failure percentage)
    § Results in the console, and optionally written to S3 or CloudWatch Logs
· Session Manager
  o Manage your EC2 instances through an interactive one-click browser-based shell or through the AWS CLI.
    § No SSH keys, inbound ports or bastion hosts are needed; the agent opens an outbound connection to the Systems Manager endpoints.
  o Makes it easy to comply with corporate policies that require controlled access to instances, strict security practices and fully auditable logs of instance access, while still giving end users simple one-click cross-platform access to your EC2 instances. Who can open a session on which instance is controlled by IAM (for example by instance tag), and session activity can be logged to S3 or CloudWatch Logs.
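The IAM-controlled, auditable access described above, as an added example that is not part of the original notes: an operator policy that allows a shell only on instances carrying a given tag and only with the standard shell document (so port forwarding and custom session documents are out of reach), session preferences that stream and archive every session with encryption, and the CLI call that opens a shell. The tag name, bucket, log group and KMS key are placeholders; setting AWS=echo prints the CLI calls instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): least-privilege Session Manager
# access for an operator group, plus session logging preferences. Tag name,
# bucket, log group and KMS key are placeholders.
set -eu
AWS="${AWS:-aws}"   # set AWS=echo to print the CLI calls instead of running them

# Operator policy. Statement 1 limits which instances a shell may be opened on
# (by tag). Statement 2 limits the session document to the standard shell, so
# the operator cannot pick AWS-StartPortForwardingSession or a custom document;
# ssm:SessionDocumentAccessCheck makes the CLI honour that check too (by
# default only the console checks document permissions). Statement 3 lets
# operators terminate or resume only their own sessions.
session_policy() {
cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ShellOnTaggedInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"StringEquals": {"ssm:resourceTag/SessionAccess": "ops"}}
    },
    {
      "Sid": "StandardShellDocumentOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
      "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}
    },
    {
      "Sid": "OwnSessionsOnly",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    },
    {
      "Sid": "ListingNeededByConsoleAndCli",
      "Effect": "Allow",
      "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                 "ssm:DescribeInstanceInformation", "ec2:DescribeInstances"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Session preferences live in the SSM-SessionManagerRunShell document itself:
# stream every session to CloudWatch Logs, archive it to S3, encrypt both, and
# end idle sessions after 20 minutes. runAsEnabled=false keeps sessions running
# as ssm-user, the agent's default account.
session_prefs() {   # $1 = S3 bucket, $2 = CloudWatch log group, $3 = KMS key id
cat <<EOF
{
  "schemaVersion": "1.0",
  "description": "Session Manager preferences (added example)",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "$1",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "$2",
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "kmsKeyId": "$3",
    "runAsEnabled": false,
    "idleSessionTimeout": "20"
  }
}
EOF
}

create_operator_policy() {   # $1 = policy name; attach it to the operators' group or role
  "$AWS" iam create-policy --policy-name "$1" --policy-document "$(session_policy)"
}

apply_session_prefs() {      # $1 = bucket, $2 = log group, $3 = KMS key id
  "$AWS" ssm update-document --name SSM-SessionManagerRunShell \
      --content "$(session_prefs "$1" "$2" "$3")" --document-version '$LATEST'
}

# Open a shell. No security-group rule, SSH key or bastion is involved: the
# agent on the instance connects outbound to the Systems Manager endpoints.
open_shell() {               # $1 = instance id (i-... or mi-... for hybrid nodes)
  "$AWS" ssm start-session --target "$1" --document-name SSM-SessionManagerRunShell
}
```

The instance side still needs an instance profile with the AmazonSSMManagedInstanceCore policy (plus s3:PutObject and logs:* permissions on the bucket and log group named in the preferences, and kms:GenerateDataKey on the key, or the logging silently fails), and the session-manager-plugin must be installed on the operator's workstation for the CLI path.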
· Distributor
  o Lets you package your own software, or use AWS-provided agent packages, to install on Systems Manager managed instances.
  o Creating a package in Distributor creates a Systems Manager document; you can then install the package in one of the following ways:
    § One time, by using Systems Manager Run Command
    § On a schedule, by using Systems Manager State Manager
· Patch Manager
  o Automates the process of patching your managed instances.
  o Enables you to scan instances for missing patches and apply missing patches individually or to large groups of instances by using EC2 instance tags (patch groups).
  o For security patches, Patch Manager uses patch baselines that include rules for auto-approving patches a number of days after their release, as well as lists of explicitly approved and rejected patches.
  o Patch Manager process flow
    § Inventory > list the software on the instance(s), selected via tags, groups or manually
    § Inventory + Run Command (command history) > patch software, or scan for missing patches
    § Patch Manager + Maintenance Window > patch the OS on a schedule
    § Patch Manager > reports compliance status (compliant or non-compliant per instance)
    § State Manager > keeps instances in a defined state (for example by continuously re-applying the patch baseline)
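The patch baseline rules above, together with the Run Command rate control and error control from the Run Command bullet, as one added example that is not part of the original notes: a baseline for Amazon Linux 2 whose approval rules auto-approve patches by classification and severity a set number of days after release and whose rejected list blocks a package outright, bound to a patch group, then scanned or installed across that group under rate control, with the per-instance results and the resulting compliance state queried back. The baseline name, blocked package pattern and tag values are placeholders; setting AWS=echo prints the CLI calls instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): a custom patch baseline with
# approval rules, bound to a patch group, then applied with Run Command under
# rate and error control. Baseline name, package pattern and tag values are
# placeholders; the baseline is written for Amazon Linux 2.
set -eu
AWS="${AWS:-aws}"   # set AWS=echo to print the CLI calls instead of running them

# Approval rules: Critical/Important security patches are auto-approved 7 days
# after release and count as CRITICAL for compliance; other security and bugfix
# patches wait 14 days. Rules only approve; the rejected list below blocks a
# package even when a rule would otherwise approve it.
approval_rules() {
cat <<'EOF'
{
  "PatchRules": [
    {
      "PatchFilterGroup": {
        "PatchFilters": [
          {"Key": "CLASSIFICATION", "Values": ["Security"]},
          {"Key": "SEVERITY", "Values": ["Critical", "Important"]}
        ]
      },
      "ApproveAfterDays": 7,
      "ComplianceLevel": "CRITICAL"
    },
    {
      "PatchFilterGroup": {
        "PatchFilters": [
          {"Key": "CLASSIFICATION", "Values": ["Security", "Bugfix"]}
        ]
      },
      "ApproveAfterDays": 14,
      "ComplianceLevel": "MEDIUM"
    }
  ]
}
EOF
}

create_baseline() {   # $1 = baseline name; prints the new baseline id
  "$AWS" ssm create-patch-baseline --name "$1" \
      --operating-system AMAZON_LINUX_2 \
      --approval-rules "$(approval_rules)" \
      --rejected-patches 'example-broken-agent*' \
      --rejected-patches-action BLOCK \
      --description 'Added example baseline' \
      --query BaselineId --output text
}

# Instances tagged "Patch Group"=<group> use this baseline instead of the
# AWS default baseline for their operating system.
bind_patch_group() {  # $1 = baseline id, $2 = patch group name
  "$AWS" ssm register-patch-baseline-for-patch-group \
      --baseline-id "$1" --patch-group "$2"
}

# Run Command with rate control: at most 10% of the targets at a time, abort
# once 2 invocations have failed. Operation=Scan only reports; Install applies
# approved patches and reboots when a patch requires it.
run_patch_baseline() { # $1 = patch group, $2 = Scan | Install; prints the command id
  "$AWS" ssm send-command --document-name AWS-RunPatchBaseline \
      --targets "Key=tag:Patch Group,Values=$1" \
      --parameters "Operation=$2,RebootOption=RebootIfNeeded" \
      --max-concurrency 10% --max-errors 2 \
      --comment "Patch baseline $2 for group $1" \
      --query Command.CommandId --output text
}

# Per-instance result of one command (what the console's results page shows).
command_results() {   # $1 = command id
  "$AWS" ssm list-command-invocations --command-id "$1" --details \
      --query 'CommandInvocations[].[InstanceId,Status,CommandPlugins[0].ResponseCode]' \
      --output table
}

# After a Scan: instances whose patch state is NON_COMPLIANT and how many
# approved patches each one is missing.
noncompliant_instances() {
  "$AWS" ssm list-resource-compliance-summaries \
      --filters Key=ComplianceType,Values=Patch Key=Status,Values=NON_COMPLIANT \
      --query 'ResourceComplianceSummaryItems[].[ResourceId,NonCompliantSummary.NonCompliantCount]' \
      --output table
}
```

Usage: `id=$(create_baseline Example-AL2-Prod)`, `bind_patch_group "$id" prod`, `cmd=$(run_patch_baseline prod Scan)`, then `command_results "$cmd"` and `noncompliant_instances`; run the same `run_patch_baseline prod Install` from a Maintenance Window task so reboots land in the approved window. The 10% concurrency is what keeps a bad patch from taking out a whole tier at once, and `--max-errors 2` stops the rollout before it does.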
· Maintenance Window
  o Set up recurring schedules for managed instances to execute administrative tasks like installing patches and updates without interrupting business-critical operations.
  o Supports running four types of tasks:
    § Systems Manager Run Command commands
    § Systems Manager Automation workflows
    § AWS Lambda functions
    § AWS Step Functions tasks
· Systems Manager Document (SSM document)
  o Defines the actions that Systems Manager performs.
  o Types of SSM documents

    Type                | Use with                   | Details
    --------------------+----------------------------+------------------------------------------------------------------
    Command document    | Run Command, State Manager | Run Command uses command documents to execute commands. State Manager uses command documents to apply a configuration. These actions can be run on one or more targets at any point during the lifecycle of an instance.
    Policy document     | State Manager              | Policy documents enforce a policy on your targets. If the policy document is removed, the policy action no longer happens.
    Automation document | Automation                 | Use Automation documents when performing common maintenance and deployment tasks such as creating or updating an AMI.
    Package document    | Distributor                | In Distributor, a package is represented by a Systems Manager document. A package document includes attached ZIP archive files that contain software or assets to install on managed instances. Creating a package in Distributor creates the package document.

  o Can be written in JSON or YAML.
  o You can create and save different versions of a document and specify a default version for it.
  o If you need to customize the steps and actions in an AWS-provided document, copy it and create your own.
  o You can tag your documents to quickly identify one or more documents based on the tags you've assigned to them.
· State Manager
  o A service that automates the process of keeping your EC2 and hybrid infrastructure in a state that you define.
  o A State Manager association is a configuration assigned to your managed instances. The configuration defines the state that you want to maintain on the instances (which document to run, with which parameters, on which targets and on what schedule). The association also specifies actions to take when applying the configuration, and reports compliance for each target.
· Parameter Store
  o Provides secure, hierarchical storage for configuration data and secrets management.
  o You can store values as plain text (String, StringList) or encrypted (SecureString, encrypted with an AWS KMS key; a caller needs kms:Decrypt on that key as well as ssm:GetParameter to read the value).
  o Parameters work with Systems Manager capabilities such as Run Command, State Manager and Automation, and can be referenced by name (and version) from documents.
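The hierarchical, encrypted storage described above, as an added example that is not part of the original notes: writing a SecureString under an application's path with a customer-managed KMS key, reading one parameter or a whole subtree back, and the IAM policy that scopes an application role to its own subtree and to the one key that protects it. The account ID, Region, key alias and parameter names are placeholders; setting AWS=echo prints the CLI calls instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): hierarchical SecureString
# parameters encrypted with a customer-managed KMS key, and an IAM policy that
# scopes an application role to its own subtree. Key alias, parameter names
# and account ID are placeholders.
set -eu
AWS="${AWS:-aws}"   # set AWS=echo to print the CLI calls instead of running them

# Store a secret under /prod/app1/. --type SecureString makes Parameter Store
# encrypt the value with the named KMS key before writing it. --overwrite
# creates a new parameter version rather than failing on an existing name.
put_secret() {   # $1 = parameter name, $2 = value, $3 = KMS key id or alias
  "$AWS" ssm put-parameter --name "$1" --value "$2" \
      --type SecureString --key-id "$3" --overwrite \
      --query Version --output text
}

# Read back one parameter. Without --with-decryption a SecureString comes back
# as ciphertext, so the caller needs kms:Decrypt on the key as well as
# ssm:GetParameter on the parameter.
get_secret() {   # $1 = parameter name
  "$AWS" ssm get-parameter --name "$1" --with-decryption \
      --query Parameter.Value --output text
}

# Fetch every parameter under a path, recursively, e.g. at container start.
get_tree() {     # $1 = path such as /prod/app1
  "$AWS" ssm get-parameters-by-path --path "$1" --recursive --with-decryption \
      --query 'Parameters[].[Name,Value]' --output text
}

# Policy for the application's instance or task role: read only its own
# subtree, and decrypt only with the key that encrypts that subtree. Parameter
# ARNs drop the leading slash, so /prod/app1/x is ...:parameter/prod/app1/x.
app_param_policy() {   # $1 = account id, $2 = region, $3 = path prefix, $4 = KMS key ARN
cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOwnSubtree",
      "Effect": "Allow",
      "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
      "Resource": "arn:aws:ssm:$2:$1:parameter$3/*"
    },
    {
      "Sid": "DecryptWithTheSubtreeKey",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "$4"
    }
  ]
}
EOF
}

create_app_policy() {  # $1 = policy name, $2..$5 = arguments of app_param_policy
  "$AWS" iam create-policy --policy-name "$1" \
      --policy-document "$(app_param_policy "$2" "$3" "$4" "$5")"
}
```

Usage: `put_secret /prod/app1/db-password 'S3cr3t' alias/app1-params`, then `get_secret /prod/app1/db-password` or `get_tree /prod/app1`, and `create_app_policy App1Params 123456789012 us-east-1 /prod/app1 arn:aws:kms:us-east-1:123456789012:key/<key-id>`. Using one KMS key per application subtree means a role that is accidentally granted ssm:GetParameter on another team's path still cannot read those values, because it lacks kms:Decrypt on that team's key.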
Monitoring
· SSM Agent writes information about executions, scheduled actions, errors and health status to log files on each instance. For more efficient monitoring, the SSM Agent or the CloudWatch agent can be configured to send these logs to CloudWatch Logs.
· Using CloudWatch Logs, you can monitor log data in real time, search and filter log data by creating one or more metric filters, and archive and retrieve historical data when you need it.
· Log Systems Manager API calls with CloudTrail.
Security
· Access control for Systems Manager is IAM: policies on users and roles decide who may run which documents (Run Command, Automation, Session Manager) against which instances, typically scoped by instance tag, while the instance profile decides what the agent on an instance may do. Session activity and command output can be logged for audit.
Pricing
· For your own Distributor packages you pay for what you use. When you upload a package to Distributor you are charged for the size and duration of storage of that package, the number of Get and Describe API calls made, and the amount of out-of-Region and on-premises data transfer out of Distributor for those packages.
· Automation is charged based on the number and type of Automation steps.
Limits

Resource                                                  | Default limit
----------------------------------------------------------+-----------------------------------------------------
Total amount of execution time per month                  | 1,000,000 seconds
Total number of execution steps per month                 | 25,000
Concurrently executing Automations                        | 25
Additional Automations that can be queued                 | 75
Max time an Automation can run in the context of a user   | 12 hours; longer runs must execute under a service role
Systems Manager documents                                 | 200 per Region per account
Max parameters per account                                | 10,000
Max active sessions per account                           | 100
Max number of sessions per instance                       | 2
Max number of Distributor packages per account            | 200
Max size of a Distributor package                         | 20 GB
Recover SSH key access
· Stop the instance, detach its root EBS volume, attach and mount it on another instance, edit the user's authorized_keys file on the mounted volume (for example /mnt/home/ec2-user/.ssh/authorized_keys), then unmount the volume, reattach it as the root device and start the instance again.
· AWSSupport-ResetAccess (Automation document)
  o aws ssm start-automation-execution --document-name AWSSupport-ResetAccess --parameters 'InstanceId=LINUXINSTANCEID'
  o The runbook stops the instance, uses a temporary EC2Rescue helper instance to generate a new SSH key pair (or reset the local administrator password on Windows), stores the new private key or password as a SecureString parameter in Parameter Store, and starts the instance again. Because the instance is stopped, anything on instance store volumes is lost.