AWS Systems Manager is a collection of features that enable IT Operations that we will explore throughout this lab.
There are setup tasks and prerequisites that must be satisfied before using Systems Manager to manage your EC2 instances or on-premises systems in hybrid environments.

* You must use a supported operating system
  * Supported operating systems include versions of Windows, Amazon Linux, Ubuntu Server, RHEL, and CentOS
* The SSM Agent must be installed
  * The SSM Agent for Windows also requires PowerShell 3.0 or later to run some SSM documents
* Your EC2 instances must have outbound internet access
* You must access Systems Manager in a supported region
* Systems Manager requires IAM roles
  * for instances that will process commands
  * for users executing commands
SSM Agent is installed by default on:

* Amazon Linux base AMIs dated 2017.09 and later
* Windows Server 2016 instances
* Instances created from Windows Server 2003-2012 R2 AMIs published in November 2016 or later
There is no additional charge for AWS Systems Manager. You only pay for your underlying AWS resources managed or created by AWS Systems Manager (e.g., Amazon EC2 instances or Amazon CloudWatch metrics). You only pay for what you use as you use it. There are no minimum fees and no upfront commitments.
If you are in a supported region the remaining step is to configure the IAM role for instances that will process commands.
a. Navigate to the IAM console
b. In the navigation pane, choose Roles.
c. Then choose Create role.
d. In the Select type of trusted entity section, verify that the default AWS service is selected.
e. In the Choose the service that will use this role section, scroll past the first reference to EC2 (EC2 Allows EC2 instances to call AWS services on your behalf) and choose EC2 from within the field of services. This will open the Select your use case section further down the page.
f. In the Select your use case section, choose EC2 Role for AWS Systems Manager to select it.
g. Then choose Next: Tags.
h. Leave the Tags page as default and click Next: Review
a. Enter a Role name, such as
b. Accept the default in the Role description.
c. Choose Create role.
a. Navigate to the EC2 Console and choose Instances.
b. Select the first instance and then choose Actions, Instance Settings, and Attach/Replace IAM Role.
c. Under Attach/Replace IAM Role, select ManagedInstancesRole from the drop-down list and choose Apply.
d. After you receive confirmation of success, choose Close.
e. Repeat this process, assigning ManagedInstancesRole to each of the 3 remaining instances.
If desired, you can use a more restrictive permission set to grant access to Systems Manager.
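The role and instance-profile steps above, done with boto3 as an added example that is not part of the lab: the role name ManagedInstancesRole comes from the lab, the policy AmazonSSMManagedInstanceCore is the narrower SSM-only managed policy (the "more restrictive permission set" option, in place of the broader one the console use case attaches), and the instance ids are placeholders. RecordingClient is an assumed dry-run stand-in that records the API calls so the sequence can be checked without touching an account.

```python
import json

# Trust policy: only the EC2 service may assume the role (the "AWS service / EC2"
# trusted-entity choice made in the console).
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
# AmazonSSMManagedInstanceCore grants only what the SSM Agent needs to be managed;
# swap in a different ARN to use another permission set.
SSM_CORE_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"


class RecordingClient:
    """Dry-run stand-in for a boto3 client: records each call instead of making it."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, api_name):
        return lambda **kwargs: self.calls.append((api_name, kwargs))


def create_ssm_instance_role(iam, role_name="ManagedInstancesRole",
                             policy_arn=SSM_CORE_POLICY_ARN):
    """Create the role, attach the policy and wrap it in an instance profile."""
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY),
                    Description="Allows EC2 instances to call AWS services on your behalf.")
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    # EC2 attaches an instance profile, not a role; the console creates one implicitly.
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return role_name


def attach_profile_to_instances(ec2, instance_ids, profile_name="ManagedInstancesRole"):
    """Console step Actions > Instance Settings > Attach/Replace IAM Role, per instance.
    A newly created instance profile can take a few seconds to become usable here."""
    for instance_id in instance_ids:
        ec2.associate_iam_instance_profile(IamInstanceProfile={"Name": profile_name},
                                           InstanceId=instance_id)
    return len(instance_ids)


if __name__ == "__main__":
    import boto3  # imported here so the module loads in dry-run mode without the SDK
    create_ssm_instance_role(boto3.client("iam"))
    # Placeholder ids: replace with the four lab instances.
    attach_profile_to_instances(boto3.client("ec2"), ["i-PLACEHOLDER1", "i-PLACEHOLDER2"])
```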
You can use AWS Systems Manager Inventory to collect operating system (OS), application, and instance metadata from your Amazon EC2 instances and your on-premises servers or virtual machines (VMs) in your hybrid environment. You can query the metadata to quickly understand which instances are running the software and configurations required by your software policy, and which instances need to be updated.
a. Scroll down in the window to the Corresponding managed instances section. Inventory currently contains only the instance data available from the EC2
b. Choose the InstanceID of one of your systems.
c. Examine each of the available tabs of data under the Instance ID heading.
a. Choose Inventory in the navigation bar.
b. Choose Setup Inventory in the top left corner of the window
a. Under Specify targets by, select Specifying a tag
b. Under Tags specify Environment for the key and OELabIPM for the value
You can select all managed instances in this account, ensuring that all managed instances will be inventoried. You can constrain inventoried instances to those with specific tags, such as Environment or Workload. Or you can manually select specific instances for inventory.
a. For Collect inventory data every, accept the default 30 Minute(s)
a. Review the options and select the defaults
a. Check the box next to Sync inventory execution logs to an S3 bucket under the Advanced options.
b. Provide an S3 bucket name.
c. (Optional) Provide an S3 bucket prefix.
You can create multiple Inventory specifications. They will each be stored as associations within Systems Manager State Manager.
In State Manager, an association is the result of binding configuration information that defines the state you want your instances to be in to the instances themselves. This information specifies when and how you want instance-related operations to run that ensure your Amazon EC2 and hybrid infrastructure is in an intended or consistent state.
An association defines the state you want to apply to a set of targets. An association includes three components and one optional set of components:

* A document that defines the state
* Target(s)
* A schedule
* (Optional) Runtime parameters
When you performed the Setup Inventory actions, you created an association in State Manager.
a. Choose the single Association id that is the result of your Setup Inventory action.
b. Examine each of the available tabs of data under the Association ID heading.
c. Choose Edit.
d. Enter a name under Name - optional to provide a more user-friendly label for the association, such as InventoryAllInstances (white space is not permitted in an Association Name).
Inventory is accomplished through the following:
* The activities defined in the AWS-GatherSoftwareInventory command document.
* The parameters provided in the Parameters section are passed to the document at execution.
* The targets are defined in the Targets section.
  In this example there is a single target, the wildcard. The wildcard matches all instances, making them all targets.
* The schedule for this activity is defined under Specify schedule and Specify with to use a CRON/Rate expression on a 30 minute interval.
* There is the option to specify Output options.

> Note
> If you change the command document, the Parameters section will change to be appropriate to the new command document.
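The Setup Inventory association described above, built and created with boto3 as an added example that is not the lab's own code: the document AWS-GatherSoftwareInventory, the tag Environment=OELabIPM, the name InventoryAllInstances and the 30-minute rate come from the lab, while the S3 bucket name is a placeholder and the parameter keys are that document's collection switches. It goes slightly beyond the lab by also accepting the all-instances (wildcard) target and by rejecting the two inputs the console will not accept, white space in the name and a schedule that is not a rate()/cron() expression.

```python
import re

# Collection switches of the AWS-GatherSoftwareInventory document (each "Enabled" or
# "Disabled"); a different command document has a different Parameters set.
INVENTORY_PARAMETERS = {
    "applications": ["Enabled"], "awsComponents": ["Enabled"], "networkConfig": ["Enabled"],
    "windowsUpdates": ["Enabled"], "instanceDetailedInformation": ["Enabled"],
    "services": ["Enabled"], "windowsRoles": ["Enabled"], "customInventory": ["Enabled"],
}
_SCHEDULE = re.compile(r"^(rate\(\d+ (minute|minutes|hour|hours|day|days)\)|cron\(.+\))$")


def validation_errors(name, schedule):
    """Return the problems the console rejects: white space in the name, a bad schedule."""
    errors = []
    if re.search(r"\s", name):
        errors.append("association name must not contain white space")
    if not _SCHEDULE.match(schedule):
        errors.append(f"schedule must be a rate() or cron() expression, got {schedule!r}")
    return errors


def build_inventory_association(name, schedule, log_bucket, tag_key=None, tag_value=None,
                                log_prefix=None):
    """Return the validated keyword arguments for ssm.create_association."""
    errors = validation_errors(name, schedule)
    if errors:
        raise ValueError("; ".join(errors))
    if tag_key is None:  # "all managed instances": the wildcard target
        targets = [{"Key": "InstanceIds", "Values": ["*"]}]
    else:                # "Specifying a tag": only instances carrying tag_key=tag_value
        targets = [{"Key": f"tag:{tag_key}", "Values": [tag_value]}]
    request = {
        "Name": "AWS-GatherSoftwareInventory",  # the command document
        "AssociationName": name,
        "Targets": targets,
        "ScheduleExpression": schedule,
        "Parameters": dict(INVENTORY_PARAMETERS),
        # Advanced options: sync inventory execution logs to an S3 bucket (+ optional prefix).
        "OutputLocation": {"S3Location": {"OutputS3BucketName": log_bucket}},
    }
    if log_prefix:
        request["OutputLocation"]["S3Location"]["OutputS3KeyPrefix"] = log_prefix
    return request


def create_inventory_association(ssm, **kwargs):
    """Create the association and return its id; `ssm` is a boto3 SSM client."""
    response = ssm.create_association(**build_inventory_association(**kwargs))
    return response["AssociationDescription"]["AssociationId"]


if __name__ == "__main__":
    import boto3  # imported here so the request builder can be used without the SDK
    print(create_inventory_association(
        boto3.client("ssm"), name="InventoryAllInstances", schedule="rate(30 minutes)",
        log_bucket="PLACEHOLDER-inventory-logs", tag_key="Environment", tag_value="OELabIPM"))
```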
The inventory activity can take up to 10 minutes to complete. While waiting for the inventory activity to complete, you can proceed with the next section.
You can use AWS Systems Manager Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant.
By default, Configuration Compliance displays compliance data about Systems Manager Patch Manager patching and Systems Manager State Manager associations. You can also customize the service and create your own compliance types based on your IT or business requirements. You can also port data to Amazon Athena and Amazon QuickSight to generate fleet-wide reports.