Part 3 - Inventory Management using Operations as Code

Management Tools: Systems Manager

AWS Systems Manager is a collection of features that enable IT Operations that we will explore throughout this lab.

There are set up tasks and pre-requisites that must be satisfied prior to using Systems Manager to manage your EC2 instances or on-premises systems in hybrid environments. * You must use a supported operating system * Supported operating systems include versions of Windows, Amazon Linux, Ubuntu Server, RHEL, and CentOS * The SSM Agent must be installed * The SSM Agent for Windows also requires PowerShell 3.0 or later to run some SSM documents * Your EC2 instances must have outbound internet access * You must access Systems Manager in a supported region * Systems Manager requires IAM roles * for instances that will process commands * for users executing commands

SSM Agent is installed by default on: * Amazon Linux base AMIs dated 2017.09 and later * Windows Server 2016 instances * Instances created from Windows Server 2003-2012 R2 AMIs published in November 2016 or later

There is no additional charge for AWS Systems Manager. You only pay for your underlying AWS resources managed or created by AWS Systems Manager (e.g., Amazon EC2 instances or Amazon CloudWatch metrics). You only pay for what you use as you use it. There are no minimum fees and no upfront commitments.

3.1 Setting up Systems Manager

1. Use your administrator account to access the Systems Manager console at https://console.aws.amazon.com/systems-manager/.

2. Choose Managed Instances from the navigation bar. If you have not satisfied the pre-requisites for Systems Manager, you will arrive at the AWS Systems Manager Managed Instances page.

  • As a user with AdministratorAccess permissions, you already have User Access to Systems Manager.
  • The Microsoft Windows AMIs used to create the instances in your environment are dated 2019.10. They are supported operating systems and have the SSM Agent installed by default.
  • If you are in a supported region the remaining step is to configure the IAM role for instances that will process commands.

    3. Create an Instance Profile for Systems Manager managed instances:

    a. Navigate to the IAM console b. In the navigation pane, choose Roles. c. Then choose Create role. d. In the Select type of trusted entity section, verify that the default AWS service is selected. e. In the Choose the service that will use this role section, scroll past the first reference to EC2 (EC2 Allows EC2 instances to call AWS services on your behalf) and choose EC2 from within the field of services. This will open the Select your use case section further down the page. f. In the Select your use case section, choose EC2 Role for AWS Systems Manager to select it. g. Then choose Next: Tags. h. Leave the Tags page as default and click Next: Review

    4. Under Attached permissions policy, verify that AmazonEC2RoleforSSM is listed, and then choose Next: Review.

    5. In the Review section:

    a. Enter a Role name, such as ManagedInstancesRole. b. Accept the default in the Role description. c. Choose Create role.

    6. Apply this role to the instances you wish to manage with Systems Manager:

    a. Navigate to the EC2 Console and choose Instances. b. Select the first instance and then choose Actions, Instance Settings, and Attach/Replace IAM Role. c. Under Attach/Replace IAM Role, select ManagedInstancesRole from the drop down list and choose Apply. d. After you receive confirmation of success, choose Close. e. Repeat this process, assigning ManagedInstancesRole to each of the 3 remaining instances.

    7. Return to the Systems Manager console and choose Managed Instances from the navigation bar. Periodically choose Managed Instances until your instances begin to appear in the list. Over the next couple of minutes your instances will populate into the list as managed instances.

Note
If desired, you can use a more restrictive permission set to grant access to Systems Manager.

3.2 Create a Second CloudFormation Stack

1. Create a second CloudFormation stack using the procedure in 2.1 with the following changes:

  • In the Specify Details section, define a Stack name, such as OELabStack2.
  • Specify the InstanceProfile using the ManagedInstancesRole you defined.
  • Define the Workload Name as Prod.

Systems Manager: Inventory

You can use AWS Systems Manager Inventory to collect operating system (OS), application, and instance metadata from your Amazon EC2 instances and your on-premises servers or virtual machines (VMs) in your hybrid environment. You can query the metadata to quickly understand which instances are running the software and configurations required by your software policy, and which instances need to be updated.

3.3 Using Systems Manager Inventory to Track Your Instances

1. Under Insights in the AWS Systems Manager navigation bar, choose Inventory.

a. Scroll down in the window to the Corresponding managed instances section. Inventory currently contains only the instance data available from the EC2 b. Choose the InstanceID of one of your systems. c. Examine each of the available tabs of data under the Instance ID heading.

2. Inventory collection must be specifically configured and the data types to be collected must be specified

a. Choose Inventory in the navigation bar. b. Choose Setup Inventory in the top left corner of the window

3. In the Setup Inventory screen, define targets for inventory:

a. Under Specify targets by, select Specifying a tag b. Under Tags specify Environment for the key and OELabIPM for the value >>Note
You can select all managed instances in this account, ensuring that all managed instances will be inventoried. You can constrain inventoried instances to those with specific tags, such as Environment or Workload. Or you can manually select specific instances for inventory.

4. Schedule the frequency with which inventory is collected. The default and minimum period is 30 minutes

a. For Collect inventory data every, accept the default 30 Minute(s)

5. Under parameters, specify what information to collect with the inventory process

a. Review the options and select the defaults

6. (Optional) If desired, you may specify an S3 bucket to receive the inventory execution logs (you will need to create a destination bucket for the logs prior to proceeding):

a. Check the box next to Sync inventory execution logs to an S3 bucket under the Advanced options. b. Provide an S3 bucket name. c. (Optional) Provide an S3 bucket prefix.

7. Choose Setup Inventory at the bottom of the page (it can take up to 10 minutes to deploy a new inventory policy to an instance).

8. To create a new inventory policy, from Inventory, choose Setup inventory.

9. To edit an existing policy, from State Manager in the left navigation menu, select the association and choose Edit.

Note
You can create multiple Inventory specifications. They will each be stored as associations within Systems Manager State Manager.

Systems Manager: State Manager

In State Manager, an association is the result of binding configuration information that defines the state you want your instances to be in to the instances themselves. This information specifies when and how you want instance-related operations to run that ensure your Amazon EC2 and hybrid infrastructure is in an intended or consistent state.

An association defines the state you want to apply to a set of targets. An association includes three components and one optional set of components: * A document that defines the state * Target(s) * A schedule * (Optional) Runtime parameters.

When you performed the Setup Inventory actions, you created an association in State Manager.

3.4 Review Association Status

1. Under Actions in the navigation bar, select State Manager. At this point, the Status may show that the inventory activity has not yet completed.

a. Choose the single Association id that is the result of your Setup Inventory action. b. Examine each of the available tabs of data under the Association ID heading. c. Choose Edit. d. Enter a name under Name - optional to provide a more user friendly label to the association, such as InventoryAllInstances (white space is not permitted in an Association Name).

Inventory is accomplished through the following: * The activities defined in the AWS-GatherSoftwareInventory command document. * The parameters provided in the Parameters section are passed to the document at execution. * The targets are defined in the Targets section. >Important
In this example there is a single target, the wildcard. The wildcard matches all instances making them all targets. * The schedule for this activity is defined under Specify schedule and Specify with to use a CRON/Rate expression on a 30 minute interval. * There is the option to specify Output options. >Note
If you change the command document, the Parameters section will change to be appropriate to the new command document.

2. Navigate to Managed Instances under Shared Resources in the navigation bar. An Association Status has been established for the inventoried instances under management.

4. Navigate to Compliance under Insights in the navigation bar. Here you can view the overall compliance status of your managed instances in the Compliance Summary and the individual compliance status of systems in the Corresponding managed instances section below.

Note
The inventory activity can take up to 10 minutes to complete. While waiting for the inventory activity to complete, you can proceed with the next section.

Systems Manager: Compliance

You can use AWS Systems Manager Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant.

By default, Configuration Compliance displays compliance data about Systems Manager Patch Manager patching and Systems Manager State Manager associations. You can also customize the service and create your own compliance types based on your IT or business requirements. You can also port data to Amazon Athena and Amazon QuickSight to generate fleet-wide reports.