# Chapter 35: AWS Systems Manager

Operational Insights and Management

## 35.1 Overview

AWS Systems Manager is a unified interface that enables you to view and control your infrastructure on AWS. It provides operational insights and helps you manage applications and infrastructure.
The Systems Manager console groups its features into four areas:

- **Insights**: Dashboard, Inventory, Compliance
- **Actions**: Run Command, Patch Manager
- **Application Manager**: Deploy, Config
- **Change Manager**: Change Request, Approve

### Key Capabilities

| Capability | Description |
|---|---|
| Insights | Dashboard, Inventory, Compliance |
| Actions | Run Command, Automation, Patch Manager |
| Applications | Application Manager, Parameter Store |
| Change Management | Change Calendar, Change Templates |
## 35.2 Systems Manager Components

### Node Management

Managed instances must meet three requirements:

- SSM Agent installed
- IAM role with SSM permissions
- Network connectivity to SSM endpoints

Supported platforms:

- Amazon EC2 (Linux, Windows)
- On-premises servers (hybrid)
- Edge devices (IoT)
- EC2 Spot Instances

Hybrid activation: steps to activate on-premises servers

1. Create an activation in SSM
2. Install SSM Agent on the server
3. Register the server with the activation code
4. The server appears as a managed instance

### Session Manager
Session Manager offers three access paths, all terminating on the managed instance through the SSM Agent:

- **Browser access**: no SSH keys; audit logs
- **CLI access**: AWS CLI with the Session Manager plugin
- **SSH access**: SSH through Session Manager, with port 22 closed

### Session Manager Benefits
Security benefits:

- No SSH ports open (port 22 closed)
- No bastion hosts required
- No SSH keys to manage
- IAM-based access control

Compliance benefits:

- Session logging to S3
- Session logging to CloudWatch
- Audit trail of all commands
- Session recording available

Operational benefits:

- One-click access from the console
- Cross-platform support (Linux, Windows)
- No firewall changes needed
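The two controls behind the "IAM-based access control" and "audit trail" benefits are an IAM policy on `ssm:StartSession` and the session preferences document (`SSM-SessionManagerRunShell`) that turns on logging. The following is an added example, not code from the chapter or from AWS: it builds both documents and runs a small audit over the preferences. The bucket name, log group, KMS key ARN, account id and the `Environment` tag value are assumptions.

```python
import json

# Constructed values: assumptions for this example, not real resources.
LOG_BUCKET = "example-ssm-session-logs"
LOG_GROUP = "/ssm/session-logs"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def session_manager_policy(environment, region, account):
    """IAM policy for an operator: open sessions only to instances tagged
    Environment=<environment>, and resume/terminate only sessions they own."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartSessionOnTaggedInstances",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": f"arn:aws:ec2:{region}:{account}:instance/*",
                "Condition": {"StringEquals": {"ssm:resourceTag/Environment": environment}},
            },
            {
                # StartSession is also authorised against the session document
                # that carries the shell preferences built below.
                "Sid": "UseShellPreferencesDocument",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": f"arn:aws:ssm:{region}:{account}:document/SSM-SessionManagerRunShell",
            },
            {
                # Session IDs are prefixed with the caller's user name, so this
                # resource pattern limits termination to the caller's own sessions.
                "Sid": "ManageOwnSessions",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
        ],
    }


def session_preferences(s3_bucket, log_group, kms_key_arn):
    """Content of the SSM-SessionManagerRunShell document that sends every
    session transcript to S3 and CloudWatch Logs, encrypted."""
    return {
        "schemaVersion": "1.0",
        "description": "Logged, KMS-encrypted Session Manager sessions",
        "sessionType": "Standard_Stream",
        "inputs": {
            "s3BucketName": s3_bucket,
            "s3KeyPrefix": "sessions/",
            "s3EncryptionEnabled": True,
            "cloudWatchLogGroupName": log_group,
            "cloudWatchEncryptionEnabled": True,
            "cloudWatchStreamingEnabled": True,
            "kmsKeyId": kms_key_arn,
            "idleSessionTimeout": "20",
            "runAsEnabled": False,
            "shellProfile": {"linux": "", "windows": ""},
        },
    }


def audit_preferences(prefs):
    """List settings that weaken the audit trail; an empty list means nothing to fix."""
    inputs = prefs.get("inputs", {})
    findings = []
    if not (inputs.get("s3BucketName") or inputs.get("cloudWatchLogGroupName")):
        findings.append("no session log destination configured")
    if inputs.get("s3BucketName") and not inputs.get("s3EncryptionEnabled"):
        findings.append("S3 session logs are not encrypted")
    if inputs.get("cloudWatchLogGroupName") and not inputs.get("cloudWatchEncryptionEnabled"):
        findings.append("CloudWatch session logs are not encrypted")
    if not inputs.get("kmsKeyId"):
        findings.append("session data is not KMS-encrypted (TLS only)")
    return findings


if __name__ == "__main__":
    print(json.dumps(session_manager_policy("Production", "us-east-1", "111122223333"), indent=2))
    prefs = session_preferences(LOG_BUCKET, LOG_GROUP, KMS_KEY_ARN)
    print("findings:", audit_preferences(prefs) or "none")
```

The policy deliberately grants `ssm:StartSession` on instances only under a tag condition; the instance profile on the target still needs the `AmazonSSMManagedInstanceCore` permissions (plus S3/CloudWatch write access for the log destinations) for logging to work.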
## 35.3 Run Command

### Run Command Overview
Run Command has three building blocks:

- **Documents**: AWS-owned or custom
- **Targets**: tags or instance IDs
- **Execution**: rate control (concurrency, error thresholds)

### Common SSM Documents
AWS-managed command documents:

- AWS-RunShellScript (Linux)
- AWS-RunPowerShellScript (Windows)
- AWS-UpdateSSMAgent
- AWS-InstallPatchBaseline
- AWS-ConfigureDocker
- AWS-RunAnsiblePlaybook
- AWS-RunChefRecipe

AWS-managed automation documents:

- AWS-UpdateLinuxAmi
- AWS-UpdateWindowsAmi
- AWS-CreateImage

### Run Command CLI
```bash
# Send command to instances by tag, with rate control:
# at most 50% of targets at once, and stop on the first failure.
# Note: "sudo reboot" inside the script drops the agent's connection before it
# can report a result, so the invocation usually ends as Failed or TimedOut;
# the documented alternative is a guarded "exit 194", which tells SSM Agent to
# reboot and re-run the script.
aws ssm send-command \
  --document-name "AWS-RunShellScript" \
  --document-version "1" \
  --targets '[{"Key":"tag:Environment","Values":["Production"]}]' \
  --parameters '{"commands":["sudo yum update -y","sudo reboot"]}' \
  --timeout-seconds 600 \
  --max-concurrency "50%" \
  --max-errors "0"

# Send command to specific instances
aws ssm send-command \
  --document-name "AWS-RunPowerShellScript" \
  --instance-ids "i-1234567890abcdef0" \
  --parameters '{"commands":["Get-Service","Get-Process"]}'

# List commands
aws ssm list-commands

# Get command invocation details (command IDs are UUIDs; "cmd-123" is a placeholder)
aws ssm get-command-invocation \
  --command-id "cmd-123" \
  --instance-id "i-1234567890abcdef0"
```
```bash
# Cancel command
aws ssm cancel-command \
  --command-id "cmd-123"
```
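The `--max-concurrency` and `--max-errors` flags above are the safety rails of a fleet-wide command: a bad script stops after one failure instead of reaching every host. The following added example (not code from the chapter or from AWS) validates those values against the syntax the `SendCommand` API accepts, builds the keyword arguments for a boto3 `send_command` call without sending anything, and models how the error limit halts a rollout. The fleet mapping is constructed, and fixed-size batches are a simplification of the service's behaviour.

```python
import re

# Syntax the SendCommand API accepts (integer count or percentage);
# MaxErrors additionally accepts 0 / 0%, MaxConcurrency does not.
_CONCURRENCY = re.compile(r"^([1-9][0-9]*|[1-9][0-9]%|[1-9]%|100%)$")
_ERRORS = re.compile(r"^([1-9][0-9]*|0|[1-9][0-9]%|[0-9]%|100%)$")

# Constructed fleet: tag value -> instance ids (assumption for this example).
FLEET = {
    "Production": ["i-0a1", "i-0a2", "i-0a3", "i-0a4", "i-0a5", "i-0a6"],
    "Staging": ["i-0b1", "i-0b2"],
}


def is_valid_rate(value, is_error_limit=False):
    """True if `value` is acceptable for MaxConcurrency (or MaxErrors)."""
    pattern = _ERRORS if is_error_limit else _CONCURRENCY
    return bool(pattern.match(value))


def resolve_rate(value, total, is_error_limit=False):
    """Convert '50%' or '3' into an absolute count for `total` targets.
    Percentages round down and never below 1 (except a 0 error limit);
    that rounding is an assumption of this model, not documented behaviour."""
    if not is_valid_rate(value, is_error_limit):
        raise ValueError(f"invalid rate-control value: {value!r}")
    if value.endswith("%"):
        pct = int(value[:-1])
        return 0 if pct == 0 else max(1, total * pct // 100)
    return int(value)


def build_send_command(document, commands, targets, max_concurrency="50%",
                       max_errors="0", timeout=600):
    """Validate and return the kwargs for boto3 `ssm.send_command(**kwargs)`;
    nothing is sent from here."""
    if not commands:
        raise ValueError("commands must not be empty")
    resolve_rate(max_concurrency, 1)
    resolve_rate(max_errors, 1, is_error_limit=True)
    if not 30 <= timeout <= 2592000:  # TimeoutSeconds bounds from the API
        raise ValueError("TimeoutSeconds must be between 30 and 2592000")
    return {
        "DocumentName": document,
        "Targets": targets,
        "Parameters": {"commands": list(commands)},
        "MaxConcurrency": max_concurrency,
        "MaxErrors": max_errors,
        "TimeoutSeconds": timeout,
    }


def simulate_rollout(instance_ids, failing, max_concurrency="50%", max_errors="0"):
    """Model the rate controls: targets run in batches of MaxConcurrency, and
    once failures exceed MaxErrors no further batch is started.
    Returns (ran, skipped)."""
    batch = resolve_rate(max_concurrency, len(instance_ids))
    limit = resolve_rate(max_errors, len(instance_ids), is_error_limit=True)
    ran, failures = [], 0
    for start in range(0, len(instance_ids), batch):
        if failures > limit:
            break
        chunk = instance_ids[start:start + batch]
        ran.extend(chunk)
        failures += sum(1 for i in chunk if i in failing)
    return ran, [i for i in instance_ids if i not in ran]


if __name__ == "__main__":
    req = build_send_command("AWS-RunShellScript", ["sudo yum update -y"],
                             [{"Key": "tag:Environment", "Values": ["Production"]}])
    print(req)
    # One failing host in the first batch of three stops the other three.
    print(simulate_rollout(FLEET["Production"], failing={"i-0a2"}))
```

With the chapter's settings (`50%`, `0`) on six production instances the first batch of three runs, one failure trips the limit, and the remaining three are never touched; that is the outcome to expect when checking `list-command-invocations` after a stopped rollout.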
## 35.4 Automation

### Automation Overview
Automation is built from three parts:

- **Documents**: steps, inputs, outputs
- **Executions**: start, stop, resume
- **Actions**: for example `aws:changeInstanceState`

### Automation Document Structure
```yaml
schemaVersion: '0.3'
description: 'Update Linux AMI with latest packages'
assumeRole: '{{AutomationAssumeRole}}'
parameters:
  # Every {{ reference }} must be a declared parameter; the role used in
  # assumeRole above is therefore declared here as well.
  AutomationAssumeRole:
    type: String
    description: 'IAM role that Automation assumes to run this document'
  SourceAmiId:
    type: String
    description: 'Source AMI ID'
  InstanceIamRole:
    type: String
    description: 'IAM role for instance'
  TargetAmiName:
    type: String
    description: 'Name for new AMI'
    default: 'UpdatedLinuxAmi-{{global:DATE}}'
mainSteps:
  - name: launchInstance
    action: 'aws:runInstances'
    inputs:
      ImageId: '{{ SourceAmiId }}'
      InstanceType: t3.medium
      # aws:runInstances takes the profile as IamInstanceProfileName (or IamInstanceProfileArn)
      IamInstanceProfileName: '{{ InstanceIamRole }}'
      MinInstances: 1
      MaxInstances: 1
    outputs:
      - name: InstanceId
        selector: '$.Instances[0].InstanceId'
        type: String
  - name: updateInstance
    action: 'aws:runCommand'
    inputs:
      DocumentName: AWS-RunShellScript
      InstanceIds:
        - '{{ launchInstance.InstanceId }}'
      Parameters:
        commands:
          - sudo yum update -y
  - name: createImage
    action: 'aws:createImage'
    inputs:
      InstanceId: '{{ launchInstance.InstanceId }}'
      # aws:createImage names the image with ImageName
      ImageName: '{{ TargetAmiName }}'
    outputs:
      - name: ImageId
        selector: '$.ImageId'
        type: String
  - name: terminateInstance
    action: 'aws:changeInstanceState'
    inputs:
      InstanceIds:
        - '{{ launchInstance.InstanceId }}'
      DesiredState: terminated
outputs:
  - createImage.ImageId
```
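A runbook like the one above fails at execution time, after it has already launched an instance, if a `{{ reference }}` points at a parameter that was never declared or at a step output that does not exist yet. The following is an added example, not code from the chapter or an AWS tool: a lint that resolves every reference before the document is registered. The document is held as a Python dict (a trimmed copy of the AMI-update runbook) so the check runs without a YAML library.

```python
import re

# Matches {{ Name }}, {{ step.Output }} and {{ global:DATE }} style references.
REF = re.compile(r"\{\{\s*([A-Za-z0-9_:.]+)\s*\}\}")

# Trimmed copy of the chapter's AMI-update document, as a dict.
DOC = {
    "schemaVersion": "0.3",
    "description": "Update Linux AMI with latest packages",
    "assumeRole": "{{AutomationAssumeRole}}",
    "parameters": {
        "AutomationAssumeRole": {"type": "String"},
        "SourceAmiId": {"type": "String"},
        "InstanceIamRole": {"type": "String"},
        "TargetAmiName": {"type": "String", "default": "UpdatedLinuxAmi-{{global:DATE}}"},
    },
    "mainSteps": [
        {"name": "launchInstance", "action": "aws:runInstances",
         "inputs": {"ImageId": "{{ SourceAmiId }}", "IamInstanceProfileName": "{{ InstanceIamRole }}"},
         "outputs": [{"name": "InstanceId", "selector": "$.Instances[0].InstanceId", "type": "String"}]},
        {"name": "updateInstance", "action": "aws:runCommand",
         "inputs": {"DocumentName": "AWS-RunShellScript",
                    "InstanceIds": ["{{ launchInstance.InstanceId }}"],
                    "Parameters": {"commands": ["sudo yum update -y"]}}},
        {"name": "createImage", "action": "aws:createImage",
         "inputs": {"InstanceId": "{{ launchInstance.InstanceId }}", "ImageName": "{{ TargetAmiName }}"},
         "outputs": [{"name": "ImageId", "selector": "$.ImageId", "type": "String"}]},
        {"name": "terminateInstance", "action": "aws:changeInstanceState",
         "inputs": {"InstanceIds": ["{{ launchInstance.InstanceId }}"], "DesiredState": "terminated"}},
    ],
    "outputs": ["createImage.ImageId"],
}


def _refs(value):
    """Yield every {{ name }} reference found anywhere in a nested value."""
    if isinstance(value, str):
        yield from REF.findall(value)
    elif isinstance(value, dict):
        for v in value.values():
            yield from _refs(v)
    elif isinstance(value, list):
        for v in value:
            yield from _refs(v)


def lint_automation(doc):
    """Return a list of problems; an empty list means every reference resolves."""
    problems = []
    params = set(doc.get("parameters", {}))
    declared = {}  # step name -> set of output names declared by that step
    for ref in _refs(doc.get("assumeRole", "")):
        if ref not in params:
            problems.append(f"assumeRole references undeclared parameter {ref}")
    for step in doc.get("mainSteps", []):
        name, action = step.get("name"), step.get("action", "")
        if not action.startswith("aws:"):
            problems.append(f"step {name}: action {action!r} is not an aws: action")
        for ref in _refs(step.get("inputs", {})):
            if ref in params or ref.startswith("global:"):
                continue
            step_name, _, output = ref.partition(".")
            if step_name not in declared:
                problems.append(f"step {name}: {ref} refers to a step that has not run yet or does not exist")
            elif output not in declared[step_name]:
                problems.append(f"step {name}: step {step_name} declares no output {output}")
        # Only outputs declared in the document are tracked; actions also
        # publish default outputs, which this lint deliberately ignores.
        declared[name] = {o["name"] for o in step.get("outputs", [])}
    for ref in doc.get("outputs", []):
        step_name, _, output = ref.partition(".")
        if output not in declared.get(step_name, set()):
            problems.append(f"document output {ref} does not match a declared step output")
    return problems


if __name__ == "__main__":
    print(lint_automation(DOC) or "document is consistent")
```

Dropping `AutomationAssumeRole` from `parameters` reproduces the most common mistake in hand-written runbooks, and the lint reports it before anything is launched.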
## 35.5 Patch Manager

### Patch Manager Overview
Patch Manager has three parts:

- **Patch baselines**: OS patches, custom rules
- **Patch groups**: tags, schedule
- **Patch scans**: scan, install, report

### Patch Baseline
AWS-managed patch baselines:

- AWS-AmazonLinux2DefaultPatchBaseline
- AWS-UbuntuDefaultPatchBaseline
- AWS-RHELDefaultPatchBaseline
- AWS-CentOSDefaultPatchBaseline
- AWS-WindowsDefaultPatchBaseline

A custom patch baseline is configured with:

- Operating system (Linux/Windows)
- Approved patches
- Rejected patches
- Classification filters (Security, Bugfix, etc.)
- Severity levels
- Auto-approval rules

## 35.6 Parameter Store
### Parameter Store Overview
Parameters are organised as a hierarchy, so an application can fetch one path and secrets can be typed `SecureString` at the leaf:

```text
/ (root)
|-- /my-application
|   |-- /production
|   |   |-- /database
|   |   |   |-- /host
|   |   |   |-- /port
|   |   |   |-- /username
|   |   |   |-- /password (SecureString)
|   |   |-- /api
|   |       |-- /key (SecureString)
|   |-- /development
|       |-- /database
|           |-- /host
|           |-- /password (SecureString)
|-- /aws
    |-- /service
        |-- /ami-amazon-linux-latest
            |-- /amzn2-ami-hvm-x86_64-gp2
```

### Parameter Types
String

- Plain text values
- No encryption
- Example: `/app/config/timeout = "30"`

StringList

- Comma-separated values
- No encryption
- Example: `/app/regions = "us-east-1,us-west-2,eu-west-1"`

SecureString

- Encrypted using KMS
- For sensitive data
- Example: `/app/db/password = "MySecretPassword123"`
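Two things go wrong with this hierarchy in practice: a secret is stored as a plain `String`, or an application reads a `SecureString` without `--with-decryption` and gets ciphertext back. The following added example (not code from the chapter or from AWS) turns a `get-parameters-by-path` style response into a nested configuration, refuses undecrypted secrets rather than passing ciphertext along, and lints parameter names against their types. The response list is constructed to mirror the shape of the `Parameters` list boto3 returns; the values are fake, and the name-based secret heuristic is an assumption.

```python
# Name fragments that usually indicate a secret (heuristic, an assumption).
SECRET_HINTS = ("password", "secret", "token", "apikey", "api_key", "key")

# Constructed sample, shaped like the "Parameters" list returned by
# get-parameters-by-path --path /my-application/production --recursive
# WITHOUT --with-decryption: SecureString values come back as ciphertext.
SAMPLE_RESPONSE = [
    {"Name": "/my-application/production/database/host", "Type": "String", "Value": "db.internal.example"},
    {"Name": "/my-application/production/database/port", "Type": "String", "Value": "5432"},
    {"Name": "/my-application/production/database/username", "Type": "String", "Value": "app"},
    {"Name": "/my-application/production/database/password", "Type": "SecureString", "Value": "AQICAHh...EXAMPLE"},
    {"Name": "/my-application/production/api/key", "Type": "SecureString", "Value": "AQICAHh...EXAMPLE"},
    {"Name": "/my-application/production/api/legacy_token", "Type": "String", "Value": "plain-text-token"},
    {"Name": "/my-application/production/regions", "Type": "StringList", "Value": "us-east-1,us-west-2"},
]


def lint_parameters(parameters):
    """Flag parameters whose name suggests a secret but whose type is not SecureString."""
    findings = []
    for p in parameters:
        leaf = p["Name"].rsplit("/", 1)[-1].lower()
        if p["Type"] != "SecureString" and any(h in leaf for h in SECRET_HINTS):
            findings.append(f'{p["Name"]} looks like a secret but is stored as {p["Type"]}')
    return findings


def build_tree(parameters, path, decrypted):
    """Nest parameters under `path` into dicts. StringList values become lists.
    When the response was fetched without decryption, SecureString leaves are
    set to None so ciphertext can never be used as a credential by mistake."""
    base = path.rstrip("/")
    tree = {}
    for p in parameters:
        if not p["Name"].startswith(base + "/"):
            continue
        parts = p["Name"][len(base) + 1:].split("/")
        node = tree
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        value = p["Value"]
        if p["Type"] == "StringList":
            value = value.split(",")
        elif p["Type"] == "SecureString" and not decrypted:
            value = None
        node[parts[-1]] = value
    return tree


def undecrypted(tree, prefix=""):
    """Return the paths of SecureString leaves that were left undecrypted (None)."""
    out = []
    for key, value in tree.items():
        p = f"{prefix}/{key}"
        if isinstance(value, dict):
            out.extend(undecrypted(value, p))
        elif value is None:
            out.append(p)
    return out


if __name__ == "__main__":
    tree = build_tree(SAMPLE_RESPONSE, "/my-application/production", decrypted=False)
    print("config:", tree)
    print("fetched without decryption:", undecrypted(tree))
    print("type findings:", lint_parameters(SAMPLE_RESPONSE))
```

An application should treat a non-empty `undecrypted()` result as a startup failure (the caller forgot `WithDecryption=True` or lacks `kms:Decrypt` on the key), and the lint output is the list of parameters to re-create as `SecureString`.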
## 35.7 Inventory

### Inventory Overview
Inventory collects three kinds of data from managed instances.

Application data:

- Installed applications
- Application versions
- Install dates

Instance data:

- Instance ID, type, region
- Operating system
- IP addresses
- Security groups

Network data:

- Network configuration
- Open ports
- DNS settings

## 35.8 CLI Commands
```bash
# Describe instance information
aws ssm describe-instance-information

# Send command
aws ssm send-command \
  --document-name "AWS-RunShellScript" \
  --instance-ids "i-1234567890abcdef0" \
  --parameters '{"commands":["ls -la"]}'

# Get command invocation
aws ssm get-command-invocation \
  --command-id "cmd-123" \
  --instance-id "i-1234567890abcdef0"

# Start session
aws ssm start-session \
  --target "i-1234567890abcdef0"

# Terminate session
aws ssm terminate-session \
  --session-id "session-123"

# Put parameter
aws ssm put-parameter \
  --name "/app/db/host" \
  --value "db.example.com" \
  --type String

# Get parameter
aws ssm get-parameter \
  --name "/app/db/host"

# Get parameter (with decryption)
aws ssm get-parameter \
  --name "/app/db/password" \
  --with-decryption

# Get parameters by path
aws ssm get-parameters-by-path \
  --path "/app/production" \
  --recursive

# Create activation (hybrid)
aws ssm create-activation \
  --default-instance-name "MyServer" \
  --iam-role "SSMServiceRole"

# Start automation execution
aws ssm start-automation-execution \
  --document-name "AWS-UpdateLinuxAmi" \
  --parameters '{"SourceAmiId":["ami-12345678"]}'

# Describe automation executions
aws ssm describe-automation-executions
```
```bash
# Create patch baseline: auto-approve Security-classified patches 7 days after release.
# The patch filter key is CLASSIFICATION (CLASS is not a valid PatchFilterKey).
aws ssm create-patch-baseline \
  --name "MyPatchBaseline" \
  --operating-system AMAZON_LINUX_2 \
  --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=CLASSIFICATION,Values=[Security]}]},ApproveAfterDays=7}]"
```
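It helps to see how a baseline's approval rules, approved list and rejected list combine before a scan reports a host as non-compliant. The following added example (not code from the chapter or from AWS) applies a baseline like the one created above to a constructed list of available patches: the rejected list wins (the `BLOCK` action), explicit approvals come next, then auto-approval rules with their `ApproveAfterDays` wait. The package names, dates and the second rule are constructed for the example.

```python
from datetime import date, timedelta

# Constructed baseline mirroring the CLI call above plus a Bugfix rule.
BASELINE = {
    "OperatingSystem": "AMAZON_LINUX_2",
    "ApprovalRules": [
        {"Classifications": {"Security"}, "ApproveAfterDays": 7},
        {"Classifications": {"Bugfix"}, "ApproveAfterDays": 14},
    ],
    "ApprovedPatches": {"openssl-1.0.2k-24.amzn2"},
    "RejectedPatches": {"kernel-4.14.320-243.544.amzn2"},
    "RejectedPatchesAction": "BLOCK",
}

# Constructed patch metadata, as it might come from the repository.
AVAILABLE = [
    {"Id": "openssl-1.0.2k-24.amzn2", "Classification": "Security", "ReleaseDate": date(2024, 5, 1)},
    {"Id": "curl-7.79.1-7.amzn2", "Classification": "Security", "ReleaseDate": date(2024, 5, 10)},
    {"Id": "kernel-4.14.320-243.544.amzn2", "Classification": "Security", "ReleaseDate": date(2024, 4, 1)},
    {"Id": "bash-4.2.46-34.amzn2", "Classification": "Bugfix", "ReleaseDate": date(2024, 4, 20)},
    {"Id": "vim-8.0.1763-19.amzn2", "Classification": "Enhancement", "ReleaseDate": date(2024, 4, 1)},
]


def classify(patch, baseline, today):
    """Decide what the baseline says about one patch on a given day."""
    # With RejectedPatchesAction=BLOCK the rejected list overrides everything.
    if patch["Id"] in baseline["RejectedPatches"]:
        return "rejected"
    if patch["Id"] in baseline["ApprovedPatches"]:
        return "approved"
    for rule in baseline["ApprovalRules"]:
        if patch["Classification"] in rule["Classifications"]:
            wait = timedelta(days=rule["ApproveAfterDays"])
            if today - patch["ReleaseDate"] >= wait:
                return "approved"
            return "pending"  # matches a rule but is still inside the wait window
    return "not-applicable"  # no rule and no explicit entry covers it


def evaluate(available, baseline, today):
    """Bucket every available patch; 'approved' is what a scan expects installed."""
    buckets = {"approved": [], "pending": [], "rejected": [], "not-applicable": []}
    for patch in available:
        buckets[classify(patch, baseline, today)].append(patch["Id"])
    return buckets


if __name__ == "__main__":
    for bucket, ids in evaluate(AVAILABLE, BASELINE, date(2024, 5, 12)).items():
        print(f"{bucket:15} {ids}")
```

The `pending` bucket is the practical reason to keep `ApproveAfterDays` short for the Security classification: a patch released two days ago is not yet installable under a 7-day rule, so a host missing it is still reported compliant.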
## 35.9 Best Practices

### Systems Manager Best Practices
1. Use Session Manager instead of SSH
   - No open ports required
   - Audit logging enabled
2. Use Parameter Store for configuration
   - Centralize configuration
   - Use SecureString for secrets
3. Implement patch baselines
   - Regular patching schedule
   - Test patches before production
4. Use Automation for common tasks
   - Automate AMI creation
   - Automate instance updates
5. Enable Inventory collection
   - Track software inventory
   - Monitor compliance

## 35.10 Exam Tips
Key exam points:

1. Session Manager provides secure shell access without SSH
2. Run Command executes commands on managed instances
3. Automation automates operational tasks
4. Patch Manager manages OS patching
5. Parameter Store stores configuration and secrets
6. Managed instances require SSM Agent and an IAM role
7. Hybrid activation enables on-premises management
8. Inventory collects system metadata
9. Documents define actions (AWS-owned or custom)
10. State Manager maintains configuration state

## 35.11 Summary
Systems Manager core capabilities:

- Insights: Dashboard, Inventory, Compliance
- Actions: Run Command, Automation, Patch Manager
- Applications: Parameter Store, Application Manager
- Change Management: Change Calendar, Templates

Key components:

- Session Manager: secure shell access
- Run Command: execute commands on instances
- Automation: automate operational tasks
- Patch Manager: OS patching
- Parameter Store: configuration management

Requirements for managed instances:

- SSM Agent installed
- IAM role with SSM permissions
- Network connectivity to SSM endpoints