11 February 2019

Understanding AWS System Manager - Part 2

AWS Systems Manager allows you to centralize operational data from multiple AWS services and automate tasks across your AWS resources. This is the 2nd part of the series.

AWS Systems Manager features


Run Command

AWS Systems Manager provides safe, secure remote management of your instances at scale without logging into your servers, replacing the need for bastion hosts, SSH, or remote PowerShell. It provides a simple way of automating common administrative tasks across groups of instances such as registry edits, user management, and software and patch installations. Through integration with AWS Identity and Access Management (IAM), you can apply granular permissions to control the actions users can perform on instances. All actions taken with Systems Manager are recorded by AWS CloudTrail, allowing you to audit changes throughout your environment.


State Manager

AWS Systems Manager provides configuration management, which helps you maintain consistent configuration of your Amazon EC2 or on-premises instances. With Systems Manager, you can control configuration details such as server configurations, anti-virus definitions, firewall settings, and more. You can define configuration policies for your servers through the AWS Management Console or use existing scripts, PowerShell modules, or Ansible playbooks directly from GitHub or Amazon S3 buckets. Systems Manager automatically applies your configurations across your instances at a time and frequency that you define. You can query Systems Manager at any time to view the status of your instance configurations, giving you on-demand visibility into your compliance status.


Inventory

AWS Systems Manager collects information about your instances and the software installed on them, helping you to understand your system configurations and installed applications. You can collect data about applications, files, network configurations, Windows services, registries, server roles, updates, and any other system properties. The gathered data enables you to manage application assets, track licenses, monitor file integrity, discover applications not installed by a traditional installer, and more.


Patch Manager

AWS Systems Manager helps you select and deploy operating system and software patches automatically across large groups of Amazon EC2 or on-premises instances. Through patch baselines, you can set rules to auto-approve select categories of patches to be installed, such as operating system or high severity patches, and you can specify a list of patches that override these rules and are automatically approved or rejected. You can also schedule maintenance windows for your patches so that they are only applied during preset times. Systems Manager helps ensure that your software is up-to-date and meets your compliance policies.


Maintenance Window

AWS Systems Manager lets you schedule windows of time to run administrative and maintenance tasks across your instances. This ensures that you can select a convenient and safe time to install patches and updates or make other configuration changes, improving the availability and reliability of your services and applications.


Automation

AWS Systems Manager allows you to safely automate common and repetitive IT operations and management tasks across AWS resources. With Systems Manager, you can create documents that specify a specific list of tasks or use community published documents. These documents can be scheduled in a maintenance window, triggered based on changes to AWS resources through Amazon CloudWatch Events, or executed directly through the AWS Management Console, CLIs, and SDKs. You can track the execution of each step in the documents as well as require approvals for each step. You can also incrementally roll out changes and automatically halt when errors occur.


Parameter Store

AWS Systems Manager provides a centralized store to manage your configuration data, whether plain-text data such as database strings or secrets such as passwords. This allows you to separate your secrets and configuration data from your code. Parameters can be tagged and organized into hierarchies, helping you manage parameters more easily. For example, you can use the same parameter name, "db-string", with a different hierarchical path, "dev/db-string" or "prod/db-string", to store different values. Systems Manager is integrated with AWS Key Management Service (KMS), allowing you to automatically encrypt the data you store. You can also control user and resource access to parameters using AWS Identity and Access Management (IAM). Parameters can be referenced through other AWS services, such as Amazon Elastic Container Service, AWS Lambda, and AWS CloudFormation.


Resource Groups

Resource groups are a way to create a logical group of resources associated with a particular workload such as different layers of an application stack, or production versus development environments. For example, you can group different layers of an application, such as the frontend web layer and the backend data layer. Resource groups can be created, updated, or removed programmatically through the API.



Insights Dashboard

AWS Systems Manager automatically aggregates and displays operational data for each resource group through a dashboard. Systems Manager eliminates the need for you to navigate across multiple AWS consoles to view your operational data. With Systems Manager you can view API call logs from AWS CloudTrail, resource configuration changes from AWS Config, software inventory, and patch compliance status by resource group. You can also easily integrate your Amazon CloudWatch Dashboards, AWS Trusted Advisor notifications, and AWS Personal Health Dashboard performance and availability alerts into your Systems Manager dashboard. Systems Manager centralizes all relevant operational data, so you can have a clear view of your infrastructure compliance and performance.


Session Manager

AWS Systems Manager provides a browser-based interactive shell and CLI for managing Windows and Linux EC2 instances, without the need to open inbound ports, manage SSH keys, or use bastion hosts. Administrators can grant and revoke access to instances through a central location by using AWS Identity and Access Management (IAM) policies. This allows you to control which users can access each instance, including the option to provide non-root access to specified users. Once access is provided, AWS CloudTrail records which user started each session, and the session itself (every command typed and its output) can be logged to Amazon S3 or Amazon CloudWatch Logs.


Distributor

AWS Systems Manager helps you securely distribute and install software packages, such as software agents. Systems Manager Distributor allows you to centrally store and systematically distribute software packages while you maintain control over versioning. You can use Distributor to create and distribute software packages and then install them using Systems Manager Run Command and State Manager. Distributor can also use Identity and Access Management (IAM) policies to control who can create or update packages in your account. You can use the existing IAM policy support for Systems Manager Run Command and State Manager to define who can install packages on your hosts.


Run Command

Run Command is a Systems Manager feature that remotely and securely performs configuration actions on your EC2 or on-premises instances.

It lets you execute commands on remote instances without opening an SSH connection: the SSM Agent on the instance polls the service over an outbound HTTPS connection, so no inbound port has to be exposed.

Its building blocks are:

  1. Managed instance: an instance that can be managed by Systems Manager (it runs the SSM Agent and has an IAM instance profile, or a hybrid activation for on-premises servers, that lets the agent talk to the service).

  2. Document: a Systems Manager document defines the configuration to apply to your instances as a list of steps executed in sequence. Two types of documents exist:

    1. Pre-defined documents, published by AWS (for example AWS-RunShellScript and AWS-RunPowerShellScript);

    2. Custom documents, written by you.

  3. Command: simply the action that must be taken on a set of instances. A command consists of a document, a set of targets, and the parameters you want to pass. In addition you can define rate control for your command (how many instances run it concurrently and how many errors stop it), notifications, and where to send the output (for example an S3 bucket).

  4. Command invocation: an instantiation of a command for a particular instance on which the action is executed.

Use Cases

  • Monitoring your systems;

  • Joining instances to a Windows domain;

  • On-demand patching;

  • Deploying code to instances;

  • Process management (starting and stopping services);

  • Running bootstrap scripts for applications;

  • User and account management (for example, running commands to create new users on Linux systems).

Key Benefits of Run Command

  • Fully managed service with no additional setup or cost;

  • It provides a single view of configuration changes at scale;

  • Because you don't need to open SSH access to reach the instances, you can remotely administer them and perform tasks at scale.


Integrating with CloudTrail, you also get an audit log of which actions were taken and by whom. Run Command is also integrated with IAM, so you can restrict specific documents to be executed only by the right user or group, and only on the right instances (for example, by tag).
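The building blocks above (document, targets, rate control, S3 output) and the IAM scoping just described, as an added Python example that is not part of the original post. It defines a custom Command document wrapping the apt-get dist-upgrade the post schedules later, the keyword arguments you would pass to boto3's ssm.send_command, an IAM policy that allows only that document and only on instances tagged Environment=dev, and a small local check that approximates IAM's decision so you can see why an operator holding that policy can neither run AWS-RunShellScript nor touch prod. The region, account ID, document name and bucket name are hypothetical, and the document is written here, not taken from AWS.

```python
import json

# Hypothetical names used throughout this example (not from the original post).
REGION = "eu-west-1"
ACCOUNT = "123456789012"
DOC_NAME = "Custom-AptDistUpgrade"
OUTPUT_BUCKET = "ssm-command-output-example"

# Custom Command document (schema 2.2). Wrapping the upgrade in its own document,
# instead of handing operators AWS-RunShellScript, is what lets IAM grant "run this
# one upgrade" rather than "run any shell command as root".
UPGRADE_DOCUMENT = {
    "schemaVersion": "2.2",
    "description": "Non-interactive apt-get dist-upgrade (added example)",
    "parameters": {
        "timeoutSeconds": {
            "type": "String",
            "default": "1800",
            "description": "Per-step timeout in seconds",
            "allowedPattern": "^[0-9]+$",
        }
    },
    "mainSteps": [
        {
            "action": "aws:runShellScript",
            "name": "distUpgrade",
            "inputs": {
                "timeoutSeconds": "{{ timeoutSeconds }}",
                "runCommand": [
                    "set -e",
                    "apt-get update",
                    "DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade",
                ],
            },
        }
    ],
}


def document_arn(name):
    return f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/{name}"


def build_send_command(environment, max_concurrency="10%", max_errors="1"):
    """Keyword arguments for boto3's ssm.send_command(**...). Targets are selected by
    tag rather than by instance ID, and rate control caps the blast radius of a bad upgrade."""
    return {
        "DocumentName": DOC_NAME,
        "Targets": [{"Key": "tag:Environment", "Values": [environment]}],
        "MaxConcurrency": max_concurrency,  # instances upgraded in parallel
        "MaxErrors": max_errors,            # stop starting new invocations after N failures
        "TimeoutSeconds": 600,
        "OutputS3BucketName": OUTPUT_BUCKET,
        "OutputS3KeyPrefix": f"run-command/{environment}",
        "Comment": f"dist-upgrade on Environment={environment}",
    }


def build_operator_policy(environment):
    """IAM policy for an operator allowed to run only DOC_NAME, and only on instances
    tagged Environment=<environment>. Two Allow statements are needed because SendCommand
    is authorised against both the document ARN and the instance ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OnlyThisDocument",
                "Effect": "Allow",
                "Action": "ssm:SendCommand",
                "Resource": document_arn(DOC_NAME),
            },
            {
                "Sid": "OnlyTaggedInstances",
                "Effect": "Allow",
                "Action": "ssm:SendCommand",
                "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
                "Condition": {"StringEquals": {"ssm:resourceTag/Environment": environment}},
            },
            {
                "Sid": "ReadResults",
                "Effect": "Allow",
                "Action": ["ssm:ListCommands", "ssm:ListCommandInvocations", "ssm:GetCommandInvocation"],
                "Resource": "*",
            },
        ],
    }


def send_command_allowed(policy, doc_name, instance_tags):
    """Minimal local approximation of IAM's decision for ssm:SendCommand: allowed only if
    some Allow statement covers the document ARN and some Allow statement covers an
    instance ARN whose ssm:resourceTag conditions the instance satisfies. Deny statements,
    wildcards other than instance/* and other condition operators are not modelled."""
    doc_ok = inst_ok = False
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if "ssm:SendCommand" not in actions:
            continue
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for res in resources:
            if res == document_arn(doc_name):
                doc_ok = True
            if res.endswith(":instance/*"):
                cond = st.get("Condition", {}).get("StringEquals", {})
                wanted = {k.split("/", 1)[1]: v for k, v in cond.items()
                          if k.startswith("ssm:resourceTag/")}
                if all(instance_tags.get(k) == v for k, v in wanted.items()):
                    inst_ok = True
    return doc_ok and inst_ok


if __name__ == "__main__":
    # Content for ssm.create_document(Content=..., Name=DOC_NAME, DocumentType="Command")
    print(json.dumps(UPGRADE_DOCUMENT, indent=2))
    policy = build_operator_policy("dev")
    print(send_command_allowed(policy, DOC_NAME, {"Environment": "dev"}))            # True
    print(send_command_allowed(policy, DOC_NAME, {"Environment": "prod"}))           # False
    print(send_command_allowed(policy, "AWS-RunShellScript", {"Environment": "dev"}))  # False
```

In a real account the sequence is create_document with the JSON above, attach the policy to the operator's role, then ssm.send_command(**build_send_command("dev")); every one of those calls shows up in CloudTrail with the caller's identity, which is the audit trail the text refers to.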

State Manager

State Manager is the tool we can use to control how and when configurations are applied. We can, for example, configure the firewall (on Linux or Windows), turn SSH or RDP on or off, start inventory collection, and so on. It is specially designed to enforce and document compliance requirements.

Running State Manager

State Manager is directly connected to Run Command: an association runs a command document through Run Command at every interval you define (or on a cron schedule).

Create an association

For example, to launch a shell script, select "Create Association", select the "AWS-RunShellScript" document and the target instances; you can then schedule the execution of this command every 30 minutes, every X hours, or every Sunday at a given time.

For example, I defined the following command:

apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade

to run every 30 minutes.

Now imagine running a virus scan defined through State Manager and obtaining, for compliance, evidence that the command is executed every day at a given hour. You receive all the logs proving the execution, recorded on S3 and so on.


Or imagine disabling SSH on selected instances during the night, to block unwanted access outside working hours.

It is very useful for compliance items, since you can send the output to an S3 bucket, send notifications via SNS, and rely on CloudTrail to record every execution made.
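The association described above, as an added Python example that is not part of the original post: the boto3 arguments for AWS-RunShellScript with the post's apt-get line on a rate(30 minutes) schedule and output to S3, plus the check a compliance reviewer actually needs, which is, given the per-instance status that ssm.describe_association_execution_targets reports, a list of the instances whose last successful run is missing, failed, or older than the schedule allows. The bucket name, instance IDs and timestamps are constructed. MaxConcurrency and MaxErrors are set because an unattended dist-upgrade every 30 minutes should not be free to roll across every instance at once.

```python
import re
from datetime import datetime, timedelta, timezone

# Hypothetical bucket name (not from the original post).
OUTPUT_BUCKET = "ssm-association-output-example"

# The upgrade line from the post, scheduled through AWS-RunShellScript.
UPGRADE_COMMAND = "apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade"


def build_association(environment, schedule="rate(30 minutes)"):
    """Keyword arguments for boto3's ssm.create_association(**...)."""
    return {
        "Name": "AWS-RunShellScript",
        "AssociationName": f"dist-upgrade-{environment}",
        "Targets": [{"Key": "tag:Environment", "Values": [environment]}],
        "Parameters": {"commands": [UPGRADE_COMMAND]},
        "ScheduleExpression": schedule,
        "ComplianceSeverity": "HIGH",     # how a failed run is ranked in the compliance view
        "MaxConcurrency": "25%",          # rate control, as for Run Command
        "MaxErrors": "1",
        "OutputLocation": {"S3Location": {"OutputS3BucketName": OUTPUT_BUCKET,
                                          "OutputS3KeyPrefix": f"state-manager/{environment}"}},
    }


_RATE = re.compile(r"^rate\((\d+)\s+(minute|minutes|hour|hours|day|days)\)$")


def rate_interval(schedule):
    """Parse a State Manager rate() expression into a timedelta. cron() expressions are
    also valid for associations but are not handled by this helper."""
    m = _RATE.match(schedule)
    if not m:
        raise ValueError(f"unsupported schedule expression: {schedule}")
    n, unit = int(m.group(1)), m.group(2).rstrip("s")
    return timedelta(**{unit + "s": n})


def stale_targets(targets, schedule, now, grace=1.5):
    """IDs of instances whose association run failed, never happened, or last succeeded
    more than `grace` schedule intervals ago: the ones to fix before an audit.
    `targets` mimics the Status/LastExecutionDate fields returned by
    ssm.describe_association_execution_targets."""
    limit = rate_interval(schedule) * grace
    stale = []
    for t in targets:
        last = t.get("LastExecutionDate")
        if t["Status"] != "Success" or last is None or now - last > limit:
            stale.append(t["ResourceId"])
    return sorted(stale)


# Constructed sample: what four instances of a rate(30 minutes) association might report.
SAMPLE_NOW = datetime(2019, 2, 11, 12, 0, tzinfo=timezone.utc)
SAMPLE_TARGETS = [
    {"ResourceId": "i-0aaa", "Status": "Success", "LastExecutionDate": SAMPLE_NOW - timedelta(minutes=20)},
    {"ResourceId": "i-0bbb", "Status": "Failed",  "LastExecutionDate": SAMPLE_NOW - timedelta(minutes=10)},
    {"ResourceId": "i-0ccc", "Status": "Pending", "LastExecutionDate": None},  # never ran (agent down?)
    {"ResourceId": "i-0ddd", "Status": "Success", "LastExecutionDate": SAMPLE_NOW - timedelta(hours=3)},
]

if __name__ == "__main__":
    print(build_association("dev")["ScheduleExpression"])
    print(stale_targets(SAMPLE_TARGETS, "rate(30 minutes)", SAMPLE_NOW))  # ['i-0bbb', 'i-0ccc', 'i-0ddd']
```

i-0ddd is the interesting case: its status is Success, so the console summary looks green, but the last run is three hours old on a 30-minute schedule, which usually means the agent has stopped checking in and the instance is silently drifting out of compliance.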

Parameter Store

Parameter Store takes care of your credentials and other sensitive items such as private keys. For example, imagine you have many instances that share the same database credentials; with Parameter Store you define the credentials centrally and distribute them to the scripts, which makes it easy to rotate credentials for all scripts without touching them.

You can also decide to store these credentials encrypted (as SecureString parameters, encrypted with a KMS key), for an extra layer of security.

As Parameter Store is part of Systems Manager, it is very easy to reference parameters from Run Command or State Manager; if you need to read a parameter on an instance, you can use the AWS CLI (aws ssm get-parameter, with --with-decryption for a SecureString) to fetch it.

Parameter Store Usage

It is simple to use Parameter Store: choose Create Parameter, define the "Name", choose the type of the value according to the security you need (String, StringList, or SecureString) and enter the value (in this example, as a String).

For example, you define the Windows administrator password of your instances as a parameter. On State Manager, define the task that needs the Windows password like the following (this command changes the password of the administrator user):

Net.exe user administrator {{ssm:AdminPass}}

(where AdminPass is the name of the parameter created in Parameter Store). Note that a String parameter is readable in clear by anyone with ssm:GetParameter on it. For a password, create it as a SecureString instead and reference it as {{ssm-secure:AdminPass}}: the value is then decrypted by the SSM Agent on the instance (whose instance profile needs ssm:GetParameters and kms:Decrypt on the key) rather than being resolved by the service before the command is sent.

Go to State Manager and create an association: use AWS-RunPowerShellScript (yes, the targets are Windows servers), select the instances involved, and put the command above in the "Commands" field. Choose an execution interval and save the association.


The command changes the administrator password on all the Windows instances. It takes the time needed to execute the command on each instance, and you get all the output in the instance listing on State Manager.
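The Parameter Store points above, as an added Python example that is not part of the original post: an IAM policy that limits reads to one hierarchy (/prod/ rather than /dev/), an audit over the output of ssm.describe_parameters that flags credential-looking parameters stored as plain String, and the helper that tells you whether a Run Command or State Manager document should reference a parameter with {{ssm:name}} or {{ssm-secure:name}}. Region, account, KMS key ARN and the parameter list are hypothetical.

```python
import re

# Hypothetical names (not from the original post).
REGION = "eu-west-1"
ACCOUNT = "123456789012"
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"


def read_policy_for_path(path, key_arn=KMS_KEY_ARN):
    """IAM policy granting read access to one parameter hierarchy only (e.g. /prod/).
    Reading a SecureString also needs kms:Decrypt on the key that encrypted it, so a
    role without that statement can list /prod/ but not recover the secrets in it."""
    path = path.rstrip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
                "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter{path}/*",
            },
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn},
        ],
    }


SECRET_HINT = re.compile(r"(pass(word|wd)?|secret|token|api[-_]?key|private[-_]?key)", re.I)


def plaintext_secrets(parameters):
    """Names of parameters that look like credentials but are stored as String or
    StringList: readable by anyone holding ssm:GetParameter, no KMS permission needed.
    `parameters` mimics the Name/Type fields of ssm.describe_parameters."""
    return sorted(p["Name"] for p in parameters
                  if p["Type"] != "SecureString" and SECRET_HINT.search(p["Name"]))


def document_reference(parameters, name):
    """How a Run Command / State Manager document should reference the parameter:
    {{ssm:name}} for String and StringList, {{ssm-secure:name}} for SecureString,
    so a secret is decrypted by the agent on the instance instead of by the service."""
    types = {p["Name"]: p["Type"] for p in parameters}
    if name not in types:
        raise KeyError(name)
    prefix = "ssm-secure" if types[name] == "SecureString" else "ssm"
    return f"{{{{{prefix}:{name}}}}}"


# Constructed sample of what describe_parameters might list in an account.
SAMPLE_PARAMETERS = [
    {"Name": "/dev/db-string", "Type": "String"},
    {"Name": "/prod/db-string", "Type": "String"},
    {"Name": "/prod/db-password", "Type": "SecureString", "KeyId": "alias/aws/ssm"},
    {"Name": "AdminPass", "Type": "String"},   # the post's Windows admin password, stored in clear
    {"Name": "/prod/api-key", "Type": "String"},
]

if __name__ == "__main__":
    print(plaintext_secrets(SAMPLE_PARAMETERS))                         # ['/prod/api-key', 'AdminPass']
    print(document_reference(SAMPLE_PARAMETERS, "/prod/db-password"))  # {{ssm-secure:/prod/db-password}}
    print(document_reference(SAMPLE_PARAMETERS, "AdminPass"))          # {{ssm:AdminPass}}
```

The audit is a heuristic on names, so treat its output as a worklist: the fix for each hit is to recreate the parameter as a SecureString and switch the documents that use it to the ssm-secure reference.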


Inventory Services

In Inventory you can get information about your systems such as:

  • Instance and OS details;

  • Network configuration;

  • Software and patches.


You can collect almost anything you want in Inventory (licensing, usage of an application, etc.). For example, if you want to know how many Microsoft SQL Server installations you have in your account, you can simply query Inventory. Another example: find the unpatched instances.

You can also integrate Inventory with AWS Config, so you also have a history of the changes that happened over time across all the infrastructure you own.

For example, to collect inventory items from your instances, go to Documents and select "AWS-GatherSoftwareInventory" (it is a Policy document, which means you must run it through State Manager, not Run Command); then go to State Manager, create an association between this document and the instances you want to inventory, set the schedule and optionally the parameters (which kinds of inventory you want to collect). Of course you can also run the command immediately to populate your inventory.


It is very useful to find out where the outdated software that you need to patch or update is (for example, bind-utils has had a few security issues, so it is important to update it to the latest available release).


After creating the association, if for example you define a weekly execution of the job, the status of the association will be Pending until the first run. You can, of course, execute the command manually right away.


After the execution, on Managed Instances you can see in the Inventory tab all the software collected by the last inventory run; you can filter by attributes to find your resources.
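Querying the collected inventory, as an added Python example that is not part of the original post. The sample entries mimic the AWS:Application inventory type as ssm.list_inventory_entries returns it (Name, Version and Publisher are the real field names; the values and instance IDs are constructed), and the two functions answer the questions raised in the text: which instances run bind-utils below a given version, and how many instances have SQL Server installed. The version comparison is a simplified rpm/dpkg-style token compare written for this example, not the distribution's own algorithm.

```python
import re

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version):
    """Split an rpm/dpkg-style version such as '9.11.4-26.P2.el7' into comparable tokens:
    numeric runs compare as integers, alphabetic runs as strings. Adequate for
    'older than' checks within one distribution; not a full rpmvercmp or
    dpkg --compare-versions (epochs and tilde ordering are not handled)."""
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in _TOKEN.findall(version))


def outdated(entries, package, minimum):
    """(instance ID, installed version) pairs for instances running `package` below `minimum`.
    `entries` maps instance ID -> list of AWS:Application inventory entries."""
    hits = []
    for instance_id, apps in entries.items():
        for app in apps:
            if app["Name"] == package and version_key(app["Version"]) < version_key(minimum):
                hits.append((instance_id, app["Version"]))
    return sorted(hits)


def instances_running(entries, name_pattern):
    """Number of instances with at least one application whose Name matches the regex."""
    pat = re.compile(name_pattern, re.I)
    return sum(1 for apps in entries.values() if any(pat.search(a["Name"]) for a in apps))


# Constructed sample: AWS:Application entries grouped by instance.
SAMPLE_INVENTORY = {
    "i-0aaa": [{"Name": "bind-utils", "Version": "9.11.4-26.P2.el7", "Publisher": "CentOS"},
               {"Name": "openssl", "Version": "1.0.2k-19.el7", "Publisher": "CentOS"}],
    "i-0bbb": [{"Name": "bind-utils", "Version": "9.11.4-26.P2.el7_9.10", "Publisher": "CentOS"}],
    "i-0ccc": [{"Name": "Microsoft SQL Server 2017", "Version": "14.0.1000.169",
                "Publisher": "Microsoft Corporation"}],
    "i-0ddd": [{"Name": "bind-utils", "Version": "9.9.4-74.el7", "Publisher": "CentOS"}],
}

if __name__ == "__main__":
    # Which instances still need the bind-utils update?
    print(outdated(SAMPLE_INVENTORY, "bind-utils", "9.11.4-26.P2.el7_9.10"))
    # [('i-0aaa', '9.11.4-26.P2.el7'), ('i-0ddd', '9.9.4-74.el7')]
    # How many SQL Server installations are there?
    print(instances_running(SAMPLE_INVENTORY, r"SQL Server"))  # 1
```

On a real account you would build SAMPLE_INVENTORY by calling list_inventory_entries with TypeName="AWS:Application" for each managed instance (or by querying the Inventory data you have synced to S3 with Athena); the filtering logic stays the same.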


Using Inventory and AWS Config together


Using Inventory and Config together you get a complete view of what changed and when.


(For managed instances, make sure the clock and time zone are correctly configured, for example with dpkg-reconfigure tzdata on Debian/Ubuntu, or you will get unpredictable results!)


The msg4u blog

A collection of more or less technical articles on getting the most out of cloud and e-mail.