AWS Systems manager 2019

© 2019, Amazon Web Services, Inc. or its Affiliates.© 2019, Amazon Web Services, Inc. or its Affiliates.
Rodney Bozo – Sr. Solutions Architect
AWS Systems Manager
Gain operational insights and take action
10/15/19

© 2019, Amazon Web Services, Inc. or its Affiliates.
Agenda
• Quick introduction
• Overview of AWS Systems Manager
• Demo of the most popular features
• Run Command
• State Manager
• Automation
• Patch Manager
• Session Manager

Rodney Bozo’s background
• I have been with AWS for over 3 years. Management Tools SA, focusing on
AWS Systems Manager.
• Prior to AWS, I was working at a large Washington D.C. based private
university, where I was charged with managing the infrastructure supporting
135K users.
• Before that, I worked at Microsoft Partner ISVs for almost 10 years. Also,
engineering and architecture firms, Managed Service Providers, etc.,
supporting mostly Microsoft workloads for about 20 years.

Management & Governance
Optimize
Analyze and reduce cost, improve
efficiency and security posture
Act
Take operational
action on resources
Audit
Audit resource configurations,
user access, and policy enforcement
Monitor
Monitor resources
and applications

AWS Management & Governance
Monitor resources and applications
Optimize to reduce cost and improve security posture
Manage resources and take operational action
Audit user activity and resource configurations
Amazon CloudWatch
AWS Trusted Advisor
AWS Cost and Usage Report
AWS Cost Explorer
AWS Systems Manager
AWS CloudTrail
AWS Config

Cloud Management Challenges
Managing cloud and hybrid environments using a traditional toolset
is complex and costly
Traditional IT toolset not
built for cloud scale
infrastructure
Deploying multiple
products is a
significant overhead
Licensing costs
and complexity
Maintaining
enterprise-wide visibility
is challenging

Customer Challenges
Operate safely and
securely at scale
Map resources to
applications and
environments
Diverse set of tools
for managing hybrid
cloud
Complex licensing
and hard to manage
the management
infrastructure
Ability to build
custom solutions to
meet specific
business needs

Operate Safely and At Scale
The operations cockpit for any cloud at any scale
Support AWS, On-Premises,
and Other Clouds
Use cross-platform capabilities manage
both Windows and Linux
Group
The building blocks of your applications
Visualize
Operational insights for applications
Brings other AWS services in a single console
Act
Using AWS best practices with built-in safeties

Extensible
Hybrid Compliance Open Source Cross-platform Extensible
Works in hybrid
and multi-cloud
environments
Use existing tools
like Ansible,
PowerShell DSC, and
InSpec for
configuration
and Compliance
SSM Agent is open-
sourced on GitHub
Windows and
Linux support
Extensible
capabilities to collect
custom inventory
from instances

AWS Systems Manager Customers & Partners

AWS Systems Manager Capabilities
Resource Groups
Run Command
Inventory
Patch Manager
Automation
Parameter Store
Maintenance Window
State Manager
Session Manager
Distributor OpsCenter

Manage Resources at Scale
Resource groups
Define the building blocks
of your application
Give a meaning to a collection
of AWS resources (as an app, env,
or business unit)
Group AWS resources based on
tags using a simple query
Save a search as a heterogeneous
group of (dynamic) resources
Interact with a group directly rather than
individual resources

Improved Visibility and Control
Setup operational
dashboards
Build and customize your
own ops-dashboards
Leverage your existing Amazon
CloudWatch dashboards
Leverage your existing
CloudWatch metrics
Monitor Compliance
Visualize your application’s metrics

Compliance with Patch Manager
Corp Data Center
Individual instances
not grouped
Patch Group=WebServers
Patch Group=WebServers
Default Patch Baseline
for the OS
Web Server
Patch Baseline
Patch Manager
Maintenance
Window
Compliance Notifications!

Compliance as Code
Author
Compliance checks in InSpec (human
readable, open-source DSL) on GitHub
Run Compliance scans
Using Run Command or periodic scans
using State Manager
View Compliance
On Compliance UI or APIs

Safe and Secure Operations
corp data center
VPC1
Tags
VPC2
Tags
IAM
Run Command Amazon
CloudWatch
Events
CloudTrail
Auditing

Gain Insights FROM Instances
corp data center
Account 1
Account 2
Inventory
Amazon S3
Data Lake
Amazon
QuickSight
AWS
Config
Any BI
Tool!

Easy to Use Automation
Run the automationRole and permissionInputAutomation
document

Wait, what’s a Document?
• Documents are used to express sequence of actions
• Identified using Amazon Resource Names (ARNs)
• Create/Edit Documents, versions, view history, and share
• Parameter validation reduces human error
• Authored in JSON/YAML
• Amazon published AWS-named Documents

3 types of Documents used by State Manager
• Command Documents – State Manager uses command documents to apply a
configuration. These actions can be run on one or more targets at any point
during the lifecycle of an instance. Can target instances based upon tags.
• Policy Documents - Policy documents enforce a policy on your targets. If the
policy document is removed, the policy action (for example, collecting
inventory) no longer happens.
• Automation Documents - State Manager uses automation documents to apply
a configuration. These actions can be run on one or more targets at any
point during the lifecycle of an instance. Need to Specify Instance Ids, but
can grab Instance IDs based upon Tags with native AWS API Calls.

Secrets and Config Data Management
Rotate
password
/app/test/db_password /app/prod/db_password
Dev Test Prod
App
Change notifications
(event-based)
Email
notification

Manage Configuration Drift
Instances
State manager

Interactive Access to Instances with Session Manager
• Interactive browser-based shell and CLI for
EC2 instances
• No need to open inbound ports, manage
SSH keys or certs
• Grant/Revoke access from IAM
• Session auditing and logging
• Support for AWS PrivateLink
CloudTrailIAM
Shell or CLI
VPC1
EC2 instances
Auditing and LoggingAccess Control

Distribute Software Packages
Supports
Installing with safety
Windows network drivers
CloudWatch metrics & logs
A single base agent to install and
manage custom software packages
Upload, share, and manage package
updates and upgrades
Install custom packages or AWS
agents

Other Features
Integrated with AWS
services such as
IAM: granular RBAC
CloudTrail: audited actions
CloudWatch Events:
notification and remediation
Config: configuration history
Available in all AWS
regions including
GovCloud
Accessible through
AWS PrivateLink
SSM Agent is
installed on
AWS Windows
Server, Amazon
Linux and Ubuntu
AMIs
Systems Manager is
SOC, ISO and
PCI compliant,
HIPAA enabled

Future Direction
Operate any
environment
Continuous
Compliance and
remediation
Intelligent
Automation and
Insights
Open and
Extensible
Unified
Experiences
Supports hybrid,
other clouds and
disconnected
environments
Open Source
management artifacts
with Community
contributions and
Partner Solutions
Enterprise grade
Solutions.
Integrations across
AWS Services
CloudTrail smart events
and Operational
Insights
ML recommendations
One-Click policy via
Config Rules with
Systems Manager
remediation

Useful Links
AWS Management Tools Blog
https://aws.amazon.com/blogs/mt/category/management-tools/amazon-ec2-systems-manager/
AWS Blog
https://aws.amazon.com/blogs/aws/category/amazon-ec2-systems-manager/
Product Page
https://aws.amazon.com/systems-manager/
Feedback
ec2-ssm-feedback@amazon.com
Hands-on Labs
https://workshop.aws-management.tools/ssm/
1
2
3
4
5

Shameless Plug
• Management & Governance Track with 71
sessions
• Breakout Sessions (recorded for
YouTube), Workshops, Chalk Talks, and
Builder Sessions
• Customer Meetings (formerly Executive
Briefing Center)

Thank you!

AWS Systems manager 2019

More Related Content

What's hot (20)

Similar to AWS Systems manager 2019 (20)

More from John Varghese (20)

Recently uploaded (20)

AWS Systems manager 2019