AWS Systems Manager

What is AWS Systems Manager?

AWS Systems Manager is an AWS management Service that helps you manage your applications and infrastructure running in the AWS Cloud. It helps you manage your EC2 instances, On-prem instances, or VMs at scale. Systems Manager allows you automatically collect software inventory, apply OS patches(software updates about security vulnerabilities and bug fixes), create system images, and configure Windows and Linux operating systems.

With AWS Systems Manager, you will get operational insights and data about the state of your infrastructure which will help you easily manage your infrastructure. Using this you can easily detect the underlying problems in the infrastructure. It is a free service used to patch for enhanced compliance (AWS Systems Manager provides a patching facility).

AWS Systems Manager works for both Windows and Linux OS. It is integrated with CloudWatch metrics, CloudWatch Dashboard, and AWS Config.

Apart from that, you can create groups of resources across different AWS Services like Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS instances and view the aggregated operational data by resource group for monitoring, troubleshooting, and taking action on your groups of resources.

Features of AWS Systems Manager

The features of AWS Systems Manager are split into four core feature groups.

1. Operations Management

Explorer:

• AWS Systems Manager Explorer is a personalizable dashboard that displays information about Operations data (OpsData) and Operational work items (OpsItems).
• It also provides key insights and analysis into the operational health and performance of your AWS infrastructure and environment.
• With this feature, we can aggregate operational data from across AWS accounts and AWS Regions to help prioritize and identify where action may be required.
• The reports of AWS SSM Explorer can be exported to the Amazon S3 bucket.

Ops Center:

• OpsCenter is a central location to view, investigate, and resolve operational issues related to your AWS environment and resources.

Incident Manager:

• Incident Manager helps you identify, mitigate and recover from critical incidents affecting your AWS-hosted applications.
• The incident lifecycle phases are:
  • Alerting and Engagement
  • Triage
  • Investigation and Mitigation
  • Post-incident Analysis
• It enables faster resolution of critical application availability and performance issues.
• With Incident Manager, you can automatically take action when a critical issue is detected by a CloudWatch alarm or an EventBridge event.

2. Application Management

Application Manager:

• Application Manager helps you analyze and rectify issues with your AWS resources in the context of your applications.
• Using Application Manager, you can discover your application components, define your application components, view operational data, perform patching, etc.

AppConfig:

• AppConfig is a capability of AWS Systems Manager which helps you to create, manage, and quickly deploy application configurations.
• It supports controlled deployments to applications and includes built-in validation checks and monitoring.

Parameter Store:

• Parameter Store provides secure, hierarchical storage for configuration data management and secrets management.
• This allows you to separate your secrets and configuration data from your code.
• You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values.
• You can store values as plain text or encrypted data with SecureString.

3. Change Management

Automation:

• AWS Systems Manager allows you to automate operational tasks across your AWS resources.
• It also allows you to safely automate common and repetitive IT operations and management tasks.
• You can use JSON documents to specify a specific list of tasks in Systems Manager, or you can utilize community-published documents.
• These documents can be executed directly through the AWS Management Console, CLIs, and SDKs, scheduled in a maintenance window, or triggered based on changes to AWS resources through Amazon CloudWatch Events.
• You can execute the entire Systems Manager automation document in one action or choose to execute it one step at a time.

Few terms in Automation

• A Step is an initiated action performed in the Automation execution. It will be associated with an action or a plugin.
• The Automation document defines the Automation functionality/workflow. This Automation workflow consists of one or more steps
• Automation action determines the inputs, behavior, and outputs of the step.
• Automation queue: For example, When you run more than 30 Automation executions then SSM adds the excess executions to a queue and displays the status of 'Pending'. When an Automation execution reaches a 'Terminal' state, the first execution in the queue starts.

Change Manager:

• Change Manager is an enterprise change management framework for requesting, approving, implementing, and reporting operational changes to your application configuration and infrastructure.

Maintenance Windows:

• Maintenance Windows helps you define a schedule for when to perform potentially disruptive actions on your nodes such as patching an operating system, updating drivers, or installing software or patches.
• This means that you can install patches and updates or make other configuration changes at a time that is convenient and safe for you, boosting the availability and reliability of your services and applications.

4. Node Management

Fleet Manager

• Fleet Manager is a unified user interface (UI) experience that helps you remotely manage your nodes running on AWS or on-premises.
• With Fleet Manager, you can view the health and performance status of your entire server fleet from one console.

Session Manager:

• Session Manager allows you to manage your instances at scale safely and securely without having to log into your servers, eliminating the need for bastion hosts, SSH, or remote PowerShell.
• It also helps to manage EC2 instances through an interactive one-click browser-based shell or the AWS CLI.
• You can use AWS Systems Manager Session Manager to tunnel SSH (Secure Shell) and SCP (Secure Copy) traffic between a client and a server.

Patch Manager:

• Patch Manager allows you to choose and apply operating system and software patches to large groups of Amazon EC2 or on-premises instances automatically.
• It also enables you to scan instances for missing patches and apply missing patches individually or, to large groups of instances by using EC2 instance tags.

Other Features of AWS Systems Manager

Run Command:

• AWS Systems Manager Run Command helps to manage the configuration of your managed instances at scale remotely and securely without logging into your servers, replacing the need for bastion hosts, SSH, or remote PowerShell.
• By using Run Command, you can automate common administrative tasks and make one-time configuration changes in bulk, and at an enterprise scale.

State Manager:

• AWS Systems Manager State Manager enables you to manage the state of your Amazon EC2 or on-premises instances.
• You can manage configuration parameters such as server configurations, anti-virus definitions, firewall settings, etc with Systems Manager.
• You can look for the status of your instance configurations in AWS Systems Manager at any time, giving you on-demand visibility into your compliance status.

Distributor:

• AWS Systems Manager’s Distributor feature enables you to securely store and distribute software packages in your organization.
• You can use this feature with existing Systems Manager features like Run Command and State Manager to control the lifecycle of the packages running on your instances.

Compliance:

• Compliance is a feature of AWS Systems Manager that allows you to scan a fleet of managed nodes for patch compliance and inconsistencies in configuration.
• AWS Systems Manager shows statistics and data about patching in Patch Manager and associations in State Manager by default. You can also customize the service by creating your compliance categories to meet your specific needs.
• You can collect and bundle the data from many AWS accounts and Regions and then plug it into specific resources that are not compliant.

Inventory:

• The Inventory feature of AWS Systems Manager allows you to automate the process of collecting software inventory from managed instances.
• This will allow you to better understand your system configurations and installed applications.
• You specify the type of metadata to collect, the instances from where the metadata should be collected, and a schedule for metadata collection.

AWS Systems Manager Agent

AWS Systems Manager Agent also known as SSM Agent is an Amazon software that operates on Amazon EC2 instances, edge devices, and on-premises servers and virtual computers (VMs). It is because of the SSM Agent, that AWS Systems Manager can update, manage, and configure resources.

The SSM agent receives the requests from the Systems Manager service and runs them as described in the request. SSM Agent makes use of Amazon Message Delivery Service (service prefix: ec2messages) to send the status and execution information back to the AWS Systems Manager service.

SSM Agent must be installed on each instance you want to use with the Systems Manager. On a few AMIs and instance types, SSM Agent is installed by default. For those instances which do not have an SSM Agent pre-installed, you need to install it manually. You can also configure a custom AMI to preinstall SSM Agent.

How does AWS Systems Manager work?

Let us understand the working of the AWS Systems Manager with a process flow

1. Access Systems Manager: You can use AWS Console to access Systems Manager. Also, you can make use of AWS Command Line Interface (CLI), AWS Tools for Windows PowerShell, or the AWS SDK to manage resources programmatically
2. Choose a Systems Manager capability: There are multiple capabilities and features of Systems Manager which will help you perform actions on your AWS resources. This example shows only a few capabilities of the Systems Manager.
3. Verification and processing: Systems Manager verifies your configurations, and IAM permissions of your user/role/group to perform the specified action. If the targeted action is on a managed instance, then the SSM Agent which is installed and running on the instance will act. Here the configuration changes given by SSM Agent are implemented. Else if the targeted action is on other resources/instances, then the Systems Manager performs the specified action or communicates with other AWS services to act on behalf of the Systems Manager.
4. Reporting: Systems Manager, SSM Agent, and other AWS services that acted on behalf of the Systems Manager can report the status. If configured, the Systems Manager itself can send the status details to other AWS services.
5. Systems Manager operations management capabilities: The operational management capabilities of the AWS Systems Manager will assist in investigating, will provide operational insights, and provide automated solutions to troubleshoot the issues. To achieve this, operations management features such as Explorer, OpsCenter, and Incident Manager need to be enabled as these will help aggregate operations data or create artifacts such as operational work items (OpsItems) and incidents.

Use Cases of AWS Systems Manager

Centralize operational data: Accumulate and aggregate the data in a unified single console and obtain functional insights/judgments across AWS services such as Amazon CloudWatch, AWS CloudTrail, and AWS Config, as well as third-party tools.

Automatically resolve application issues: Leverage operational data to manage applications easily and to identify issues rapidly across the associated AWS resource groups.

Implement best practices: Automate proactive processes (such as patching and resource changes) as well as reactive processes to quickly identify and rectify operational issues before they affect users.

Remediate security events: Alter your security and compliance profile and examine security events after the fact to prevent a future recurrence.

AWS Systems Manager Monitoring

Monitoring is an essential aspect of any system to maintain reliability, availability, and performance. Now we shall discuss the monitoring in AWS Systems Manager.

CloudTrail logs

AWS Systems Manager is integrated with AWS CloudTrail which provides a record of actions taken by a user, role, or an AWS service in Systems Manager. Using CloudTrail, you can log Systems Manager’s API calls.

CloudWatch logs

Amazon CloudWatch agent can be configured to collect metrics and logs from the instances instead of using SSM Agent for these tasks. The CloudWatch agent enables you to gather more metrics on EC2 instances than are available using SSM Agent. Using CloudWatch Logs, you can monitor data in real-time, search and filter log data by creating one or more metric filters, and archive and recover recorded data when you need it.

Amazon EventBridge

Using Amazon EventBridge, you can configure rules to accomplish a target event when there are any alerts or changes in the Systems Manager resources.

Amazon Simple Notification Service (SNS)

You can configure Amazon SNS to send notifications about the status of commands that you send using Run Command or Maintenance Windows

Amazon CloudWatch Logs and SSM Agent logs

SSM Agent writes information about executions, scheduled actions, errors, and health statuses to log files on each instance. For more efficient instance monitoring, you can configure either SSM Agent itself or the CloudWatch Agent to send this log data to CloudWatch Logs for analysis.

AWS Systems Manager Pricing

AWS Systems Manager is a free service and there is no charge for most of the components. Using SSM, you only pay for those resources that are managed as part of the Systems Manager service.

However, there are some exceptions with OpsCenter, API Interactions, Automation, Distributor, On-Premises Instance Tier, AWS AppConfig, and Parameter store as they cost a small amount of money.

Benefits of AWS Systems Manager

Manage Hybrid Cloud Systems: AWS Systems Manager helps you manage your systems running on AWS Cloud and in your on-premises data center through a single interface. Systems Manager also makes use of SSM agents to communicate securely with SSM service and executes management tasks while managing resources for Windows and Linux operating systems.

Easy to use Automation: AWS Systems Manager makes easy automation of complicated and redundant tasks. SSM has a simple interface to specify management tasks and select a group of resources to manage. Besides these, the tasks can also be configured to run automatically.

Improve Visibility and Control: AWS Systems Manager provides you complete control and visibility over your resources and infrastructure on AWS Cloud. It also helps you easily understand and control the current state of your EC2 instance and OS configurations.

Maintain Security and Compliance: AWS Systems Manager helps keep your systems secure and compliant with your defined environment and configuration policies.

Reduce Costs: AWS Systems Manager helps optimize and reduce costs by providing the best tools that help automate and maintain configurations. Most of the systems are automated to reduce time on manual updates and to eliminate the risk associated with non-compliant systems

Secure Role-Based Management: Integrating with AWS IAM allows you to use various granular policies and permissions to control the user actions performed. This is done to improve the security posture of the AWS Systems Manager. You can also audit changes throughout your environment as all the actions taken by AWS Systems Manager are recorded by Amazon CloudTrail.