# Chapter 35: AWS Systems Manager

*Operational Insights and Management*

## 35.1 Overview

AWS Systems Manager is a unified interface that enables you to view and control your infrastructure on AWS. It provides operational insights and helps you manage applications and infrastructure.
The service fans out into four groups of capabilities:

- Insights: dashboard, inventory, compliance
- Actions: Run Command, Patch Manager
- Applications: deployment, configuration
- Change Manager: change requests and approvals

### Key Capabilities

| Capability | Description |
|---|---|
| Insights | Dashboard, Inventory, Compliance |
| Actions | Run Command, Automation, Patch Manager |
| Applications | Application Manager, Parameter Store |
| Change Management | Change Calendar, Change Templates |
## 35.2 Systems Manager Components

### Node Management
A managed instance has three requirements:

- SSM Agent installed
- IAM role with SSM permissions
- Network connectivity to the SSM endpoints

Supported platforms:

- Amazon EC2 (Linux, Windows)
- On-premises servers (hybrid)
- Edge devices (IoT)
- EC2 Spot Instances

Hybrid activation, the steps to bring an on-premises server under management:

1. Create an activation in SSM
2. Install SSM Agent on the server
3. Register the server with the activation code
4. The server appears as a managed instance

### Session Manager
Session Manager sits between three access paths and the managed instance:

- Browser access: no SSH keys, audit logs
- CLI access: the AWS CLI plus the Session Manager plugin
- SSH access: tunnelled through Session Manager, port 22 stays closed

All three paths terminate at the managed instance.

### Session Manager Benefits
Security benefits:

- No SSH ports open (port 22 closed)
- No bastion hosts required
- No SSH keys to manage
- IAM-based access control

Compliance benefits:

- Session logging to S3
- Session logging to CloudWatch
- Audit trail of all commands
- Session recording available

Operational benefits:

- One-click access from the console
- Cross-platform support (Linux, Windows)
- No firewall changes needed

## 35.3 Run Command
### Run Command Overview
Run Command has three parts:

- Documents: AWS-owned or custom
- Targets: tags or instance IDs
- Execution: rate control (concurrency and error thresholds)

### Common SSM Documents
AWS-managed command documents:

- AWS-RunShellScript (Linux)
- AWS-RunPowerShellScript (Windows)
- AWS-UpdateSSMAgent
- AWS-InstallPatchBaseline
- AWS-ConfigureDocker
- AWS-RunAnsiblePlaybook
- AWS-RunChefRecipe

AWS-managed automation documents:

- AWS-UpdateLinuxAmi
- AWS-UpdateWindowsAmi
- AWS-CreateImage

### Run Command CLI
```bash
# Send command to instances by tag
aws ssm send-command \
  --document-name "AWS-RunShellScript" \
  --document-version "1" \
  --targets '[{"Key":"tag:Environment","Values":["Production"]}]' \
  --parameters '{"commands":["sudo yum update -y","sudo reboot"]}' \
  --timeout-seconds 600 \
  --max-concurrency "50%" \
  --max-errors "0"

# Send command to specific instances
aws ssm send-command \
  --document-name "AWS-RunPowerShellScript" \
  --instance-ids "i-1234567890abcdef0" \
  --parameters '{"commands":["Get-Service","Get-Process"]}'

# List commands
aws ssm list-commands

# Get command invocation details
aws ssm get-command-invocation \
  --command-id "cmd-123" \
  --instance-id "i-1234567890abcdef0"

# Cancel command
aws ssm cancel-command \
  --command-id "cmd-123"
```

## 35.4 Automation
### Automation Overview
Automation is built from three pieces:

- Documents: steps, inputs, outputs
- Executions: start, stop, resume
- Actions: for example `aws:changeInstanceState`

### Automation Document Structure
```yaml
schemaVersion: '0.3'
description: 'Update Linux AMI with latest packages'
assumeRole: '{{AutomationAssumeRole}}'
parameters:
  # assumeRole references this parameter, so it must be declared
  AutomationAssumeRole:
    type: String
    description: 'IAM role that Automation assumes to run this document'
  SourceAmiId:
    type: String
    description: 'Source AMI ID'
  InstanceIamRole:
    type: String
    description: 'IAM role for instance'
  TargetAmiName:
    type: String
    description: 'Name for new AMI'
    default: 'UpdatedLinuxAmi-{{global:DATE}}'
mainSteps:
  - name: launchInstance
    action: 'aws:runInstances'
    inputs:
      ImageId: '{{ SourceAmiId }}'
      InstanceType: t3.medium
      # aws:runInstances takes IamInstanceProfileName and Min/MaxInstanceCount
      IamInstanceProfileName: '{{ InstanceIamRole }}'
      MinInstanceCount: 1
      MaxInstanceCount: 1
    outputs:
      - name: InstanceId
        selector: '$.Instances[0].InstanceId'
        type: String
  - name: updateInstance
    action: 'aws:runCommand'
    inputs:
      DocumentName: AWS-RunShellScript
      InstanceIds:
        - '{{ launchInstance.InstanceId }}'
      Parameters:
        commands:
          - sudo yum update -y
  - name: createImage
    action: 'aws:createImage'
    inputs:
      InstanceId: '{{ launchInstance.InstanceId }}'
      # aws:createImage takes ImageName, not Name
      ImageName: '{{ TargetAmiName }}'
    outputs:
      - name: ImageId
        selector: '$.ImageId'
        type: String
  - name: terminateInstance
    action: 'aws:changeInstanceState'
    inputs:
      InstanceIds:
        - '{{ launchInstance.InstanceId }}'
      DesiredState: terminated
outputs:
  - createImage.ImageId
```
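Every `{{ ... }}` in a document like the one above must resolve to a declared parameter, a `global:` variable, or an output of a step that runs earlier. The checker below is an added example (not AWS tooling) that enforces exactly that rule; `UPDATE_AMI_DOC` is a condensed dict copy of the document, with the step outputs it declares.

```python
"""Lint placeholder references in an SSM Automation document (added example, not AWS tooling).

Every ``{{ ... }}`` must name a declared parameter, a ``global:`` variable,
or an output of an *earlier* step. UPDATE_AMI_DOC condenses the YAML above.
"""
from __future__ import annotations

import re
from typing import Any

PLACEHOLDER = re.compile(r"\{\{\s*([^}\s]+)\s*\}\}")

UPDATE_AMI_DOC: dict[str, Any] = {
    "schemaVersion": "0.3",
    "assumeRole": "{{AutomationAssumeRole}}",
    "parameters": {
        "AutomationAssumeRole": {"type": "String"},
        "SourceAmiId": {"type": "String"},
        "InstanceIamRole": {"type": "String"},
        "TargetAmiName": {"type": "String", "default": "UpdatedLinuxAmi-{{global:DATE}}"},
    },
    "mainSteps": [
        {"name": "launchInstance", "action": "aws:runInstances",
         "inputs": {"ImageId": "{{ SourceAmiId }}", "IamInstanceProfileName": "{{ InstanceIamRole }}"},
         "outputs": [{"name": "InstanceId", "selector": "$.Instances[0].InstanceId"}]},
        {"name": "updateInstance", "action": "aws:runCommand",
         "inputs": {"DocumentName": "AWS-RunShellScript",
                    "InstanceIds": ["{{ launchInstance.InstanceId }}"],
                    "Parameters": {"commands": ["sudo yum update -y"]}}},
        {"name": "createImage", "action": "aws:createImage",
         "inputs": {"InstanceId": "{{ launchInstance.InstanceId }}", "ImageName": "{{ TargetAmiName }}"},
         "outputs": [{"name": "ImageId", "selector": "$.ImageId"}]},
        {"name": "terminateInstance", "action": "aws:changeInstanceState",
         "inputs": {"InstanceIds": ["{{ launchInstance.InstanceId }}"], "DesiredState": "terminated"}},
    ],
    "outputs": ["createImage.ImageId"],
}


def placeholders(value: Any) -> list[str]:
    """Collect placeholder names from nested dicts, lists and strings, in document order."""
    if isinstance(value, str):
        return PLACEHOLDER.findall(value)
    if isinstance(value, dict):
        return [ref for item in value.values() for ref in placeholders(item)]
    if isinstance(value, list):
        return [ref for item in value for ref in placeholders(item)]
    return []


def lint_automation_document(doc: dict[str, Any]) -> list[str]:
    """Return human-readable problems; an empty list means every reference resolves."""
    params = set(doc.get("parameters", {}))
    declared_outputs: set[str] = set()   # "step.output" names from steps seen so far
    errors: list[str] = []

    def check(ref: str, where: str) -> None:
        if ref.startswith("global:"):
            return                          # system variable such as global:DATE
        if "." in ref:
            if ref not in declared_outputs:
                errors.append(f"{where}: '{ref}' is not an output of an earlier step")
        elif ref not in params:
            errors.append(f"{where}: '{ref}' is not a declared parameter")

    for ref in placeholders(doc.get("assumeRole", "")) + placeholders(doc.get("parameters", {})):
        check(ref, "header")
    for step in doc.get("mainSteps", []):
        for ref in placeholders(step.get("inputs", {})):
            check(ref, f"step {step['name']}")
        declared_outputs.update(f"{step['name']}.{out['name']}" for out in step.get("outputs", []))
    for ref in doc.get("outputs", []):
        if ref not in declared_outputs:
            errors.append(f"document outputs: '{ref}' is not a declared step output")
    return errors
```

Dropping `AutomationAssumeRole` from `parameters`, or moving `terminateInstance` ahead of `launchInstance`, produces one error line per dangling reference.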
## 35.5 Patch Manager

### Patch Manager Overview
Patch Manager is organised around three pieces:

- Patch baselines: OS patches, custom rules
- Patch groups: tags, schedule
- Patch scans: scan, install, report

### Patch Baseline
AWS-managed patch baselines:

- AWS-AmazonLinux2DefaultPatchBaseline
- AWS-UbuntuDefaultPatchBaseline
- AWS-RHELDefaultPatchBaseline
- AWS-CentOSDefaultPatchBaseline
- AWS-WindowsDefaultPatchBaseline

A custom patch baseline is configured with:

- Operating system (Linux/Windows)
- Approved patches
- Rejected patches
- Classification filters (Security, Bugfix, etc.)
- Severity levels
- Auto-approval rules

## 35.6 Parameter Store
### Parameter Store Overview
Parameters are organised as a path hierarchy:

```text
/ (root)
|-- /my-application
|   |-- /production
|   |   |-- /database
|   |   |   |-- /host
|   |   |   |-- /port
|   |   |   |-- /username
|   |   |   |-- /password (SecureString)
|   |   |-- /api
|   |       |-- /key (SecureString)
|   |-- /development
|       |-- /database
|           |-- /host
|           |-- /password (SecureString)
|-- /aws
    |-- /service
        |-- /ami-amazon-linux-latest
            |-- /amzn2-ami-hvm-x86_64-gp2
```

### Parameter Types
String:

- Plain-text values
- No encryption
- Example: `/app/config/timeout = "30"`

StringList:

- Comma-separated values
- No encryption
- Example: `/app/regions = "us-east-1,us-west-2,eu-west-1"`

SecureString:

- Encrypted using KMS
- For sensitive data
- Example: `/app/db/password = "MySecretPassword123"`

## 35.7 Inventory
### Inventory Overview
Inventory collects three kinds of data from managed instances.

Application data:

- Installed applications
- Application versions
- Install dates

Instance data:

- Instance ID, type, region
- Operating system
- IP addresses
- Security groups

Network data:

- Network configuration
- Open ports
- DNS settings

## 35.8 CLI Commands
```bash
# Describe instance information
aws ssm describe-instance-information

# Send command
aws ssm send-command \
  --document-name "AWS-RunShellScript" \
  --instance-ids "i-1234567890abcdef0" \
  --parameters '{"commands":["ls -la"]}'

# Get command invocation
aws ssm get-command-invocation \
  --command-id "cmd-123" \
  --instance-id "i-1234567890abcdef0"

# Start session (requires the Session Manager plugin for the AWS CLI)
aws ssm start-session \
  --target "i-1234567890abcdef0"

# Terminate session
aws ssm terminate-session \
  --session-id "session-123"
```
```bash
# Put parameter
aws ssm put-parameter \
  --name "/app/db/host" \
  --value "db.example.com" \
  --type String

# Get parameter
aws ssm get-parameter \
  --name "/app/db/host"

# Get parameter (with decryption): without --with-decryption a SecureString
# value is returned as ciphertext
aws ssm get-parameter \
  --name "/app/db/password" \
  --with-decryption

# Get parameters by path
aws ssm get-parameters-by-path \
  --path "/app/production" \
  --recursive
```
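Putting the hierarchy and the three parameter types from 35.6 together: the loader below is an added example (not the page's or AWS's code) that turns `get-parameters-by-path` records into nested config while keeping SecureString values from ever reaching a log line. The records are constructed to resemble the CLI's output, with the `/my-application/...` paths from the hierarchy above.

```python
"""Load a Parameter Store hierarchy into nested config (added example, not AWS code).

Input mirrors the ``Parameters`` list returned by
``aws ssm get-parameters-by-path --recursive --with-decryption``; the
sample records below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

# Constructed sample shaped like get-parameters-by-path output.
SAMPLE_PARAMETERS = [
    {"Name": "/my-application/production/database/host", "Type": "String", "Value": "db.example.com"},
    {"Name": "/my-application/production/database/port", "Type": "String", "Value": "5432"},
    {"Name": "/my-application/production/database/password", "Type": "SecureString", "Value": "hunter2"},
    {"Name": "/my-application/production/api/key", "Type": "SecureString", "Value": "k-0123"},
    {"Name": "/my-application/production/regions", "Type": "StringList", "Value": "us-east-1,us-west-2"},
    {"Name": "/my-application/development/database/host", "Type": "String", "Value": "dev-db.internal"},
]


@dataclass(frozen=True)
class Secret:
    """Holds a SecureString value; str() and repr() never expose it, so it cannot leak into logs."""
    _value: str

    def reveal(self) -> str:
        return self._value

    def __str__(self) -> str:
        return "***"

    __repr__ = __str__


def build_config(parameters: list[dict[str, str]], prefix: str) -> dict[str, Any]:
    """Turn the parameters under ``prefix`` into a nested dict keyed by path segment.

    String -> str, StringList -> list[str], SecureString -> Secret.
    Parameters outside ``prefix`` (here: the development tree) are ignored.
    """
    prefix = prefix.rstrip("/") + "/"
    config: dict[str, Any] = {}
    for param in parameters:
        name = param["Name"]
        if not name.startswith(prefix):
            continue
        ptype, value = param["Type"], param["Value"]
        if ptype == "SecureString":
            leaf: Any = Secret(value)
        elif ptype == "StringList":
            leaf = value.split(",")
        elif ptype == "String":
            leaf = value
        else:
            raise ValueError(f"unknown parameter type {ptype!r} for {name}")
        *branches, key = name[len(prefix):].split("/")
        node = config
        for branch in branches:
            node = node.setdefault(branch, {})
        node[key] = leaf
    return config


def redacted(config: dict[str, Any]) -> dict[str, Any]:
    """Copy of ``config`` that is safe to log: every Secret becomes '***'."""
    return {
        key: redacted(val) if isinstance(val, dict) else str(val) if isinstance(val, Secret) else val
        for key, val in config.items()
    }
```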
```bash
# Create activation (hybrid)
aws ssm create-activation \
  --default-instance-name "MyServer" \
  --iam-role "SSMServiceRole"

# Start automation execution
# AWS-UpdateLinuxAmi also requires IamInstanceProfileName and AutomationAssumeRole;
# the role values below are placeholders
aws ssm start-automation-execution \
  --document-name "AWS-UpdateLinuxAmi" \
  --parameters '{"SourceAmiId":["ami-12345678"],"IamInstanceProfileName":["ManagedInstanceProfile"],"AutomationAssumeRole":["arn:aws:iam::123456789012:role/AutomationServiceRole"]}'

# Describe automation executions
aws ssm describe-automation-executions

# Create patch baseline (the filter key is CLASSIFICATION; CLASS is not a valid key)
aws ssm create-patch-baseline \
  --name "MyPatchBaseline" \
  --operating-system AMAZON_LINUX_2 \
  --approval-rules 'PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=CLASSIFICATION,Values=[Security]}]},ApproveAfterDays=7}]'
```
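The approval rule in the `create-patch-baseline` command above (and the approved/rejected lists, classification and severity filters from the custom baseline configuration in 35.5) modelled in code, as an added example that is not AWS's implementation: it shows why a Security patch released three days ago is still reported as pending while an explicit approval skips the waiting period. Patch ids, dates and the catalog are constructed.

```python
"""Patch-baseline approval model (added example, not AWS code).

Simplified Patch Manager logic: the rejected list wins, then the approved
list, then the first rule whose classification/severity filters match once
ApproveAfterDays has elapsed since release. Ids and dates are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Patch:
    patch_id: str
    classification: str   # Security, Bugfix, Enhancement, ...
    severity: str         # Critical, Important, Medium, Low
    release_date: date


@dataclass(frozen=True)
class ApprovalRule:   # one PatchRules entry: filters plus the waiting period after release
    classifications: frozenset[str]
    severities: frozenset[str] | None = None   # None: any severity
    approve_after_days: int = 0


@dataclass
class PatchBaseline:
    rules: list[ApprovalRule]
    approved_patches: set[str] = field(default_factory=set)
    rejected_patches: set[str] = field(default_factory=set)


# Mirrors the CLI rule (Security, ApproveAfterDays=7) plus one explicit approve/reject.
BASELINE = PatchBaseline(
    rules=[ApprovalRule(frozenset({"Security"}), approve_after_days=7)],
    approved_patches={"ALAS-2024-004"},
    rejected_patches={"ALAS-2024-005"},
)
TODAY = date(2024, 3, 1)   # fixed "scan date" so the results are deterministic

CATALOG = [  # constructed advisory ids and release dates
    Patch("ALAS-2024-001", "Security", "Critical", date(2024, 2, 20)),
    Patch("ALAS-2024-002", "Security", "Important", date(2024, 2, 27)),
    Patch("ALAS-2024-003", "Bugfix", "Medium", date(2024, 2, 1)),
    Patch("ALAS-2024-004", "Security", "Critical", date(2024, 2, 29)),
    Patch("ALAS-2024-005", "Security", "Critical", date(2024, 2, 10)),
]


def approval_status(baseline: PatchBaseline, patch: Patch, today: date) -> str:
    """APPROVED, REJECTED, PENDING (rule matched, still waiting) or NOT_APPROVED."""
    if patch.patch_id in baseline.rejected_patches:
        return "REJECTED"
    if patch.patch_id in baseline.approved_patches:
        return "APPROVED"   # explicit approval skips the waiting period
    for rule in baseline.rules:
        if patch.classification not in rule.classifications:
            continue
        if rule.severities is not None and patch.severity not in rule.severities:
            continue
        days_out = (today - patch.release_date).days
        return "APPROVED" if days_out >= rule.approve_after_days else "PENDING"
    return "NOT_APPROVED"   # no rule covers it, so the baseline never installs it


def scan(baseline: PatchBaseline, catalog: list[Patch], installed: set[str],
         today: date) -> dict[str, list[str]]:
    """Model a Scan operation: bucket each catalog entry by what would be reported."""
    report: dict[str, list[str]] = {"missing": [], "installed": [],
                                    "installed_rejected": [], "pending": []}
    for patch in catalog:
        status = approval_status(baseline, patch, today)
        if status == "APPROVED":
            report["installed" if patch.patch_id in installed else "missing"].append(patch.patch_id)
        elif status == "REJECTED" and patch.patch_id in installed:
            report["installed_rejected"].append(patch.patch_id)
        elif status == "PENDING":
            report["pending"].append(patch.patch_id)
    return report
```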
## 35.9 Best Practices

### Systems Manager Best Practices
1. Use Session Manager instead of SSH
   - No open ports required
   - Audit logging enabled
2. Use Parameter Store for configuration
   - Centralize configuration
   - Use SecureString for secrets
3. Implement patch baselines
   - Regular patching schedule
   - Test patches before production
4. Use Automation for common tasks
   - Automate AMI creation
   - Automate instance updates
5. Enable Inventory collection
   - Track software inventory
   - Monitor compliance

## 35.10 Why This Matters in DevOps/SRE
Systems Manager is the operational hub for AWS. It provides the automation, compliance, and management capabilities that SREs need to maintain reliable infrastructure.
SRE operational excellence with Systems Manager:

1. Incident response
   - Run Command for emergency patches
   - Automation documents for failover procedures
   - Session Manager for secure debugging during incidents
2. Compliance and auditing
   - Patch Manager ensures security compliance
   - State Manager enforces configuration baselines
   - Inventory tracks software across the fleet
3. Reduced operational overhead
   - No bastion hosts needed (Session Manager)
   - Parameter Store replaces config files
   - Automation replaces manual procedures

## 35.11 Linux Systems Perspective
### Systems Manager Automation from Arch Linux
```bash
# Install the AWS CLI and jq on Arch Linux (if not already installed);
# start-session additionally needs the Session Manager plugin for the AWS CLI
sudo pacman -S aws-cli-v2 jq

# Session Manager setup (no SSH needed!)
aws ssm start-session --target i-1234567890abcdef0
```

```bash
#!/bin/bash
# ~/bin/ssm-run-command.sh
# Run a command across all running production instances
set -euo pipefail

INSTANCE_IDS=$(aws ec2 describe-instances \
  --filters "Name=tag:Environment,Values=production" \
            "Name=instance-state-name,Values=running" \
  --query 'Reservations[].Instances[].InstanceId' \
  --output text)

if [ -z "$INSTANCE_IDS" ]; then
  echo "no running production instances found" >&2
  exit 1
fi

# $INSTANCE_IDS is intentionally unquoted so each ID becomes its own argument.
# --instance-ids accepts at most 50 IDs; for larger fleets use --targets with a tag filter.
aws ssm send-command \
  --instance-ids $INSTANCE_IDS \
  --document-name "AWS-RunShellScript" \
  --parameters '{"commands":["uptime","df -h","free -m"]}' \
  --output json
```

```bash
# Parameter Store for secrets
aws ssm get-parameters-by-path \
  --path "/myapp/production" \
  --with-decryption \
  --query 'Parameters[].{Name:Name,Value:Value}'
```

## 35.12 Common Mistakes & Anti-Patterns
Systems Manager anti-patterns:

1. ❌ Using SSH instead of Session Manager
   - Problem: maintaining bastion hosts, exposing SSH
   - Impact: security vulnerabilities, operational overhead
   - Fix: use Session Manager with IAM policies
2. ❌ Storing secrets in plain-text parameters
   - Problem: sensitive data not encrypted
   - Impact: data breach, compliance violations
   - Fix: use the SecureString parameter type (KMS encrypted)
3. ❌ Not enabling SSM Agent auto-update
   - Problem: missing features, security issues
   - Impact: agents stop reporting, automation failures
   - Fix: use SSM Agent auto-update or State Manager
4. ❌ No patch baseline for production
   - Problem: unpatched instances in production
   - Impact: security vulnerabilities, compliance failures
   - Fix: configure patch baselines with approval rules

## 35.13 Interview Questions
### Conceptual Questions
Section titled “Conceptual Questions”-
Q: Explain the difference between Parameter Store and Secrets Manager.
- A: Parameter Store is for configuration data (strings, string lists, secure strings) with no additional cost. Secrets Manager is for secrets with automatic rotation, cross-account access, and integration with RDS/Redshift. Parameter Store uses KMS for encryption, Secrets Manager has built-in secret rotation.
-
Q: How does Session Manager provide secure access without SSH?
- A: Session Manager uses SSM Agent on instances, establishing outbound-only connections to AWS Systems Manager service. No inbound ports needed. Access is controlled by IAM policies. All sessions are logged to CloudWatch/S3 for audit.
### Scenario-Based Questions

- Q: Design a patch management strategy for 100+ instances.
- A: Use Patch Manager with patch baselines: define approve/reject rules by OS/severity. Use Maintenance Windows for scheduling. Create patch groups using tags. Use Scan then Patch operation mode. Monitor compliance with Patch Dashboard. Automate with State Manager for consistent baseline.
## 35.14 Exam Tips

Key exam points:

1. Session Manager provides secure shell access without SSH
2. Run Command executes commands on managed instances
3. Automation automates operational tasks
4. Patch Manager manages OS patching
5. Parameter Store stores configuration and secrets
6. Managed instances require SSM Agent and an IAM role
7. Hybrid activation enables on-premises management
8. Inventory collects system metadata
9. Documents define actions (AWS-owned or custom)
10. State Manager maintains configuration state

## 35.15 Summary
Systems Manager core capabilities:

- Insights: Dashboard, Inventory, Compliance
- Actions: Run Command, Automation, Patch Manager
- Applications: Parameter Store, Application Manager
- Change Management: Change Calendar, Templates

Key components:

- Session Manager: secure shell access
- Run Command: execute commands on instances
- Automation: automate operational tasks
- Patch Manager: OS patching
- Parameter Store: configuration management

Requirements for managed instances:

- SSM Agent installed
- IAM role with SSM permissions
- Network connectivity to SSM endpoints