Post on 21-Jan-2018
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ananth Vaidyanathan, Sr. Product Manager
August 14, 2017
Deep Dive with
Amazon EC2 Systems Manager
Fleet Management Automation
Customer challenges
Traditional IT toolset
not built for cloud
scale infrastructure
Maintaining
enterprise-wide
visibility is challenging
Deploying multiple
products is a
significant overhead
Licensing costs &
complexity
Managing cloud and hybrid environments using
a traditional toolset is complex and costly
Customers' IT infrastructure is increasingly spread across on-premises data centers and
private and public clouds
Introducing Amazon EC2 Systems Manager
A set of capabilities that...
... provide insights and compliance
...safe and secure operations
...enable automated configuration with granular control...
...across all of your Windows and Linux workloads...
...running on Amazon EC2 or on-premises…
...at no additional charge
Why should I care?
Manage hybrid
Architecture
Cross-platform
(Windows/Linux)
Scalable and
auditable
Improve security
and compliance
Easily automate
repetitive tasks
Reduce TCO
Systems Manager Customers and Partners
Amazon EC2 Systems Manager – components
Run Command, State Manager, Inventory, Maintenance Windows,
Patch Manager, Automation, Parameter Store, Documents
Amazon EC2 Systems Manager services
Service              Description
Run Command          Safely automate common administrative tasks on your instances at scale without SSH or RDP access
Inventory            Collect and query software inventory
Patch Manager        Select and deploy OS patches automatically
State Manager        Define and maintain consistent OS configurations, such as firewall settings and anti-malware definitions, to comply with policies
Maintenance Windows  Create recurring time windows in which to run administrative or otherwise disruptive tasks
Automation           Create streamlined workflows, for example to update Amazon Machine Images (AMIs)
Parameter Store      Centralized location to store, control access to, and easily reference configuration data and secrets
Documents            Easily author configurations for use across Systems Manager services
What is a Document?
{
  "schemaVersion": "2.2",
  "description": "Cross-platform demo document",
  "mainSteps": [
    {
      "action": "aws:runPowerShellScript",
      "precondition": {"StringEquals": ["platformType", "Windows"]},
      "name": "WindowsOpenPorts",
      "inputs": {"runCommand": ["netstat -a"]}
    },
    {
      "action": "aws:runShellScript",
      "precondition": {"StringEquals": ["platformType", "Linux"]},
      "name": "LinuxOpenPorts",
      "inputs": {"runCommand": ["netstat -lntu"]}
    }
  ]
}
• Written in JSON and consist of
steps executed in sequence
• Documents can be versioned
(also support $DEFAULT and
$LATEST)
• Cross-platform
• Share documents across
accounts or share publicly to the
community
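The slide's document only makes sense once you see how the agent walks it: every step in a schemaVersion 2.2 document carries an optional precondition, and the agent evaluates `StringEquals` on `platformType` to decide whether the step runs on the instance it is on. The following is an added example (not the agent's source code and not part of the original deck) that models that selection over the demo document above. The `PLATFORM_PLUGINS` table and the "unsupported" status are assumptions of the model; the real agent reports a step whose plugin cannot run on the platform as failed.

```python
"""Model of how the SSM agent walks a schemaVersion 2.2 document: each step's
precondition is evaluated against the instance's platformType and only the
matching steps run. Added example; not the agent's implementation."""
import json

# The cross-platform document from the slide, serialized as the agent receives it.
DEMO_DOCUMENT = json.dumps({
    "schemaVersion": "2.2",
    "description": "Cross-platform demo document",
    "mainSteps": [
        {
            "action": "aws:runPowerShellScript",
            "precondition": {"StringEquals": ["platformType", "Windows"]},
            "name": "WindowsOpenPorts",
            "inputs": {"runCommand": ["netstat -a"]},
        },
        {
            "action": "aws:runShellScript",
            "precondition": {"StringEquals": ["platformType", "Linux"]},
            "name": "LinuxOpenPorts",
            "inputs": {"runCommand": ["netstat -lntu"]},
        },
    ],
})

# Which plugins each platform can execute. Assumption of this model: the real
# agent reports a step that uses an unsupported plugin as failed.
PLATFORM_PLUGINS = {
    "Windows": {"aws:runPowerShellScript"},
    "Linux": {"aws:runShellScript"},
}


def validate_document(doc):
    """Reject documents the agent could not run: preconditions exist only in
    schema 2.2, and step names must be unique within mainSteps."""
    if doc.get("schemaVersion") != "2.2":
        raise ValueError("preconditions require schemaVersion 2.2")
    names = [step["name"] for step in doc.get("mainSteps", [])]
    if len(names) != len(set(names)):
        raise ValueError("mainSteps names must be unique")
    return doc


def precondition_matches(step, platform_type):
    """A step without a precondition runs on every platform. Schema 2.2
    supports one operator (StringEquals) and one variable (platformType)."""
    cond = step.get("precondition")
    if cond is None:
        return True
    variable, expected = cond["StringEquals"]
    if variable != "platformType":
        raise ValueError(f"unsupported precondition variable {variable!r}")
    return expected == platform_type


def plan_execution(document, platform_type):
    """Return (step name, status, commands) per step, in document order.
    status is 'run', 'skipped' (precondition false) or 'unsupported'
    (precondition absent or true, but the plugin cannot run here).
    `document` may be the JSON text or an already-parsed dict."""
    doc = document if isinstance(document, dict) else json.loads(document)
    doc = validate_document(doc)
    plan = []
    for step in doc["mainSteps"]:
        if not precondition_matches(step, platform_type):
            plan.append((step["name"], "skipped", []))
        elif step["action"] not in PLATFORM_PLUGINS[platform_type]:
            plan.append((step["name"], "unsupported", []))
        else:
            plan.append((step["name"], "run", list(step["inputs"]["runCommand"])))
    return plan


if __name__ == "__main__":
    for platform in ("Windows", "Linux"):
        print(platform, plan_execution(DEMO_DOCUMENT, platform))
```

The practical consequence: a step you leave without a precondition is sent to every targeted instance, so a shell step in a document that is also targeted at Windows hosts shows up as a failed invocation rather than a skipped one.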
Safe and secure ops at scale without SSH/RDP
• Remotely manage thousands of
Windows and Linux instances running on
Amazon EC2 or on-premises
• Control user actions and scope with
secure, granular access control
• Safely execute changes with rate control
to reduce blast radius
• Audit every user action with change
tracking
[Diagram: an IT admin or DevOps engineer, gated by role-based access control, manages instances in the AWS cloud and in the corporate data center]
Maintain Software Compliance, Reduce Risk
• Bootstrap instances on launch with image
builds that are compliant
• Roll out Windows and Linux patches
based on corporate policies and org-wide
maintenance windows
• Get notified about malware (e.g. Petya ransomware), vulnerabilities and
blacklisted apps, with recommended actions
[Diagram: create compliant software images → deploy instances → automate online patch management]
Automate using extensible framework
• Generic framework to express your
workflow as automation steps
• Automate golden image creation
• Fix unreachable EC2 instances
• Reset forgotten passwords
• Create custom workflows
[Diagram: an Automation document, together with a role, permissions and input, is used to run the automation]
Maintain updated view of software inventory
• Discover inventory across accounts
• EC2 instances and OS details
• Installed software and patches
• List of files, network configuration
• Custom inventory types
• Audit software, maintain historical
record of changes using AWS Config
• Identify zero-day vulnerabilities
• Create data lake in Amazon S3
bucket for analytics
[Diagram: inventory from the AWS cloud and the corporate data center, multi-account and across regions, is synced to an Amazon S3 data lake and queried with Amazon Athena, Amazon QuickSight or a custom analytic tool]
Manage configuration drift
• Control configuration details such as
anti-virus settings, iptables, etc.
• Compare actual deployments against
specified configuration policy
• Automatically re-apply policies if state
drift is detected
• OS changes
• Local users and permissions
[Diagram: State Manager applies a document to instances]
Store and retrieve configuration secrets
• Store any configuration data or
parameter in hierarchies with RBAC
• Option to encrypt secret data like
passwords using KMS
• Enforce password policies using
parameter lifetime and change
notifications
• Use across AWS services such as
Lambda, AWS CodeDeploy, and ECS
[Diagram: instances retrieve secrets from Parameter Store; a change notification is emitted when a parameter is updated]
No more storing secrets in plain text!
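The hierarchy and KMS points above are what make Parameter Store usable as a secrets store: parameter names are paths, so an IAM policy can be scoped to `arn:aws:ssm:*:*:parameter/prod/billing/*`, and a SecureString encrypted under a customer-managed key additionally requires `kms:Decrypt` on that key. The following is an added example, not AWS code and not part of the deck, showing the write and read side of that pattern with the real boto3 parameter names (`put_parameter`, `get_parameters_by_path` with `Recursive`, `WithDecryption` and `NextToken`). It runs against a constructed in-memory stand-in for the SSM client so it works offline; the `/prod/billing` layout, key aliases and values are constructed.

```python
"""Parameter Store as a config/secrets hierarchy: names are paths, secrets are
SecureStrings under a KMS key, and a service reads its own subtree with
decryption. Added example; runs against a constructed stand-in client."""


class FakeSSMClient:
    """Constructed stand-in for the subset of boto3's SSM client used below
    (put_parameter, get_parameters_by_path with NextToken pagination)."""

    def __init__(self, page_size=2):
        self._store = {}
        self._page_size = page_size

    def put_parameter(self, Name, Value, Type, KeyId=None, Overwrite=False):
        if Name in self._store and not Overwrite:
            raise ValueError(f"ParameterAlreadyExists: {Name}")
        if Type == "SecureString" and KeyId is None:
            KeyId = "alias/aws/ssm"  # the service-managed default key
        version = self._store.get(Name, {}).get("Version", 0) + 1
        self._store[Name] = {"Name": Name, "Value": Value, "Type": Type,
                             "KeyId": KeyId, "Version": version}
        return {"Version": version}

    def get_parameters_by_path(self, Path, Recursive=False,
                               WithDecryption=False, NextToken=None):
        prefix = Path.rstrip("/") + "/"
        names = sorted(n for n in self._store if n.startswith(prefix)
                       and (Recursive or "/" not in n[len(prefix):]))
        start = int(NextToken) if NextToken else 0
        page = names[start:start + self._page_size]
        params = []
        for n in page:
            p = dict(self._store[n])
            if p["Type"] == "SecureString" and not WithDecryption:
                p["Value"] = "<ciphertext>"  # real API returns the KMS-encrypted blob
            params.append(p)
        resp = {"Parameters": params}
        if start + self._page_size < len(names):
            resp["NextToken"] = str(start + self._page_size)
        return resp


def real_client(region_name):
    """Swap in for FakeSSMClient when running against AWS."""
    import boto3  # imported lazily so the example runs without boto3 installed
    return boto3.client("ssm", region_name=region_name)


def store_secret(ssm, name, value, kms_key_id):
    """Write a SecureString under a customer-managed key: readers then need
    both ssm:GetParameter* on the path and kms:Decrypt on that key."""
    return ssm.put_parameter(Name=name, Value=value, Type="SecureString",
                             KeyId=kms_key_id, Overwrite=True)


def load_config(ssm, path):
    """Return every parameter under `path` as {relative name: value},
    decrypting SecureStrings and following NextToken until exhausted."""
    base = path.rstrip("/")
    config, token = {}, None
    while True:
        kwargs = {"Path": base, "Recursive": True, "WithDecryption": True}
        if token:
            kwargs["NextToken"] = token
        resp = ssm.get_parameters_by_path(**kwargs)
        for p in resp["Parameters"]:
            config[p["Name"][len(base) + 1:]] = p["Value"]
        token = resp.get("NextToken")
        if not token:
            return config


def demo(ssm=None):
    """Constructed layout /<env>/<service>/..., so a policy can grant the
    billing role arn:aws:ssm:*:*:parameter/prod/billing/* and nothing else."""
    if ssm is None:
        ssm = FakeSSMClient()
    ssm.put_parameter(Name="/prod/billing/db/host", Value="db.internal", Type="String")
    store_secret(ssm, "/prod/billing/db/password", "constructed-example-only", "alias/prod-config")
    store_secret(ssm, "/prod/billing/api_key", "constructed-example-only", "alias/prod-config")
    store_secret(ssm, "/staging/billing/db/password", "another-constructed-value", "alias/staging-config")
    return load_config(ssm, "/prod/billing")


if __name__ == "__main__":
    print(demo())
```

Two things the stand-in makes visible: a caller without `WithDecryption` (or without `kms:Decrypt` on the key) sees ciphertext rather than the secret, and a consumer that forgets to follow `NextToken` silently loads a partial configuration.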
Cross-account view of Inventory
• S3 as a data lake: Sync Inventory data across regions and accounts
to a single S3 bucket
• Use Athena and/or QuickSight to query software inventory
information
Other use cases for Systems Manager
• Run PowerShell DSC, Ansible Playbooks or Salt States on SSM
• Eliminate need for bastion hosts; simplify your architecture
• Instance health monitoring, system checks
• Joining instances securely to a domain
• Take scheduled VSS snapshots of your instances
• Collect logs from terminating instances in an Auto Scaling Group
Demo!
Partner and open source ecosystem
• Enables partners to build monetizable value-added solutions such as
HIPAA and PCI compliance and custom compliance reporting
• All services are available through the API, CLI and SDKs to support custom
workflows
• The Systems Manager agent is open source, which allows the community to
build custom data collectors
• Configuration platform: support for Ansible Playbooks, Salt
States and PowerShell DSC with improved security
FAQs
• Does Systems Manager require an agent?
• How often do I update the agent?
• What kind of IAM policy is needed to get started?
• How do I use SSM to set up on-premises servers or VMs?
• What OS platforms are supported?
  • Supported Linux operating systems:
    • Amazon Linux 2014.03 and later
    • Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS
    • RHEL 6.5+, CentOS 6.3+, SUSE 12+
  • Supported Windows operating systems:
    • Windows Server 2003+, including R2 versions
• Do instances need network access?
Links
• Learn more at https://aws.amazon.com/ec2/systems-manager/
• AWS Blog – https://aws.amazon.com/blogs/aws/category/amazon-ec2-systems-manager/
• AWS Management Tools Blog – https://aws.amazon.com/blogs/mt/
Ananth Vaidyanathan, Sr. Product Manager
E: ananva@amazon.com
https://aws.amazon.com/ec2/systems-manager/