AWS Systems Manager: All you need to know.

2022.04.05

This article was published more than a year ago. Please be aware that the information may be out of date.

AWS Systems Manager (SSM)

SSM (AWS Systems Manager) is an agent-based platform for managing servers across any infrastructure: AWS, on-premises, and other clouds. For managing EC2 instances, Amazon used to offer loosely connected services such as EC2 Run Command for executing remote commands and AWS OpsWorks for configuration management through Chef agents, but no single service could be used to manage all servers easily and efficiently. SSM was built to close that gap.

Features of SSM

Run command

This lets us run ad-hoc remote commands on managed instances. Previously we would rely on Ansible, bastion hosts and similar tooling to run ad-hoc commands on remote servers. All of these need a significant amount of setup before they can be used, and none offers a simple way to determine who ran what. By integrating with AWS Identity and Access Management (IAM), SSM gives us far better control over who may execute remote commands, and it records every command invocation for auditing. Frequently used commands can be packaged as SSM documents.

State Manager

Things drift over time, so keeping our environment compliant with security and operational best practices is a continuous problem. State Manager makes it simple to maintain the desired state of our application environment by running a set of commands, defined in SSM documents, on a schedule. If we do not want SSH enabled on any of our instances, we can associate an SSM document that stops the SSH daemon with all of our servers and have it run every 30 minutes.
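As an added example (not a document shipped with SSM or taken from the original article), the following Command document implements the "no SSH" association described above. It stops and disables the SSH service on Linux instances only, and fails the step if the unit is still enabled afterwards so the association shows up as non-compliant rather than silently succeeding. The document name DisableSsh, the tag Environment=prod and the ServiceName parameter are assumptions for the illustration.

```json
{
  "schemaVersion": "2.2",
  "description": "Stop and disable the SSH daemon on Linux managed instances (added example, not an AWS-provided document).",
  "parameters": {
    "ServiceName": {
      "type": "String",
      "description": "systemd unit for the SSH daemon: sshd on Amazon Linux/RHEL, ssh on Debian/Ubuntu.",
      "default": "sshd",
      "allowedValues": ["sshd", "ssh"]
    }
  },
  "mainSteps": [
    {
      "action": "aws:runShellScript",
      "name": "disableSsh",
      "precondition": { "StringEquals": ["platformType", "Linux"] },
      "inputs": {
        "timeoutSeconds": "60",
        "runCommand": [
          "set -eu",
          "if systemctl is-active --quiet {{ ServiceName }}; then systemctl stop {{ ServiceName }}; fi",
          "systemctl disable {{ ServiceName }} || true",
          "if systemctl is-enabled --quiet {{ ServiceName }}; then echo '{{ ServiceName }} is still enabled' >&2; exit 1; fi",
          "echo '{{ ServiceName }} stopped and disabled'"
        ]
      }
    }
  ]
}
```

Register it with `aws ssm create-document --name DisableSsh --document-type Command --content file://disable-ssh.json`, then create the scheduled association with `aws ssm create-association --name DisableSsh --targets Key=tag:Environment,Values=prod --schedule-expression "rate(30 minutes)"`. The association enforces host state only; port 22 should still be closed in the security group, otherwise a restarted daemon is reachable until the next run.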

Automation

This is an extension of the Run Command feature discussed above. Automation does more than run remote commands: as part of an execution it can also call AWS APIs, so we can combine many steps into a complicated workflow using an SSM document of type Automation. Keep in mind that Automation documents run on the SSM service rather than on the instance, and that executions are subject to a maximum execution time (1,000,000 seconds per AWS account per Region at the time of writing; check the current Systems Manager service quotas).
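As an added example (not an AWS-provided runbook or code from the original article), this Automation document shows the combination the paragraph describes: an `aws:executeAwsApi` step calls the EC2 CreateImage API to take a backup AMI, a wait step polls until the image is available, and only then does an `aws:runCommand` step install patches on the instance. The parameter names, the AMI naming scheme and the use of `AWS-RunPatchBaseline` as the patching document are choices made for this illustration.

```json
{
  "schemaVersion": "0.3",
  "description": "Back up an instance as an AMI, then install patches (added example, not an AWS-provided runbook).",
  "assumeRole": "{{ AutomationAssumeRole }}",
  "parameters": {
    "InstanceId": {
      "type": "String",
      "description": "EC2 instance to back up and patch.",
      "allowedPattern": "^i-[0-9a-f]{8,17}$"
    },
    "AutomationAssumeRole": {
      "type": "String",
      "description": "IAM role that Systems Manager assumes to call EC2 and Run Command on your behalf (assumed name).",
      "default": ""
    }
  },
  "mainSteps": [
    {
      "name": "createBackupImage",
      "action": "aws:executeAwsApi",
      "inputs": {
        "Service": "ec2",
        "Api": "CreateImage",
        "InstanceId": "{{ InstanceId }}",
        "Name": "pre-patch-{{ InstanceId }}-{{ global:DATE_TIME }}",
        "NoReboot": true
      },
      "outputs": [
        { "Name": "ImageId", "Selector": "$.ImageId", "Type": "String" }
      ]
    },
    {
      "name": "waitForImage",
      "action": "aws:waitForAwsResourceProperty",
      "timeoutSeconds": 1800,
      "inputs": {
        "Service": "ec2",
        "Api": "DescribeImages",
        "ImageIds": ["{{ createBackupImage.ImageId }}"],
        "PropertySelector": "$.Images[0].State",
        "DesiredValues": ["available"]
      }
    },
    {
      "name": "installPatches",
      "action": "aws:runCommand",
      "inputs": {
        "DocumentName": "AWS-RunPatchBaseline",
        "InstanceIds": ["{{ InstanceId }}"],
        "Parameters": { "Operation": ["Install"] }
      }
    }
  ],
  "outputs": ["createBackupImage.ImageId"]
}
```

Because the API calls run on the SSM service under the assumed role, that role, not the instance profile, needs `ec2:CreateImage` and `ec2:DescribeImages`; the instance profile only needs what the agent requires to receive the Run Command step.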

Inventory

Most of the time we want to know which applications and services are running on our servers. SSM Inventory lets us associate an inventory SSM document with managed instances; it collects inventory data on a schedule and makes it available for later examination.

Patch Manager

One of the most crucial features for keeping our environment up to date. With SSM Patch Manager we define patch baselines (which patches are approved for which operating systems) and apply them to managed instances during Maintenance Windows. Patching runs automatically whenever the Maintenance Window opens, reducing the chance of a manual oversight.

Maintenance Windows

SSM lets us schedule a set of tasks to execute against our environment on a regular basis. During a window we can apply patches, install software, and upgrade the OS. Both Run Command and Automation tasks can be registered with a maintenance window.

Compliance

This is SSM's reporting view: it tells us whether our instances are compliant with their patch baseline and their State Manager associations. From there we can drill into the non-compliant items and fix them with Run Command or Automation.

Parameter Store

Parameter Store keeps configuration values and secrets out of our SSM documents: SecureString parameters are encrypted with AWS KMS, and a command can reference a parameter as {{ssm:name}} or {{ssm-secure:name}} instead of embedding a database password in plain text. It looks like a minor component of SSM, but it is the piece that lets the other features be used without hard-coding secrets.

Documents

SSM comes with a number of pre-made documents for use with Run Command, Automation, and State Manager, and we can also author our own. Document permissions are integrated with IAM, so IAM policies control who may execute which documents.

Concurrency

To run commands or automation documents in parallel, SSM lets us specify the number or percentage of target instances to work on at once (MaxConcurrency). We can also halt the operation once the number or percentage of targets reporting errors reaches a threshold (MaxErrors).

Security

Security is the critical component of any system, and because the SSM agent runs as root (SYSTEM on Windows) on every managed server, it is worth understanding how it is secured:

  • The SSM agent polls the SSM service for pending commands and executes them on the instance. The agent initiates every connection, so no inbound port has to be opened.
  • Communication between the agent and the service travels over HTTPS.
  • The SSM agent is open source, so its behaviour can be audited rather than taken on trust.
  • The SSM service integrates with AWS CloudTrail, which logs all API calls, such as SendCommand and StartAutomationExecution.

The flip side of the agent running as root is that anyone who can call ssm:SendCommand against an instance effectively has root on it, so IAM permissions around SSM deserve the same care as SSH keys.
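As an added example (not from the original article), here is an IAM policy that applies the point made in the Run Command section and in the bullets above: the operator may send only two named documents, only to instances tagged Environment=dev, and may read the results. The account ID 123456789012, the custom document name DisableSsh and the tag key are placeholders for this illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RunOnlyApprovedDocuments",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": [
        "arn:aws:ssm:*::document/AWS-RunShellScript",
        "arn:aws:ssm:*:123456789012:document/DisableSsh"
      ]
    },
    {
      "Sid": "OnlyOnDevInstances",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ec2:*:123456789012:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/Environment": "dev" }
      }
    },
    {
      "Sid": "ReadResults",
      "Effect": "Allow",
      "Action": [
        "ssm:ListCommands",
        "ssm:ListCommandInvocations",
        "ssm:GetCommandInvocation",
        "ssm:DescribeInstanceInformation"
      ],
      "Resource": "*"
    }
  ]
}
```

A SendCommand request names both a document and its targets, so both Allow statements must match for the call to succeed. Note that AWS-RunShellScript accepts arbitrary commands: allowing it is equivalent to granting root on the matching instances. To restrict what runs, rather than only where, allow purpose-built custom documents such as DisableSsh and leave the generic shell document out.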


Conclusion:

Overall, AWS Systems Manager is a feature-rich, production-ready AWS service for managing servers wherever they run.
