ENT401 Deep Dive with Amazon EC2 Systems Manager


Transcript of ENT401 Deep Dive with Amazon EC2 Systems Manager

Page 1: ENT401 Deep Dive with Amazon EC2 Systems Manager

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Ananth Vaidyanathan, Sr. Product Manager

August 14, 2017

Deep Dive with

Amazon EC2 Systems Manager

Fleet Management Automation

Page 2: ENT401 Deep Dive with Amazon EC2 Systems Manager

Customer challenges

• Traditional IT toolset not built for cloud-scale infrastructure

• Maintaining enterprise-wide visibility is challenging

• Deploying multiple products is a significant overhead

• Licensing costs & complexity

Managing cloud and hybrid environments using a traditional toolset is complex and costly.

Customers' IT infrastructure is increasingly spread across on-premises and the private and public cloud.

Page 3: ENT401 Deep Dive with Amazon EC2 Systems Manager

Introducing Amazon EC2 Systems Manager

A set of capabilities that provide insights and compliance, safe and secure operations, and automated configuration with granular control, across all of your Windows and Linux workloads running on Amazon EC2 or on-premises, at no additional charge.

Page 4: ENT401 Deep Dive with Amazon EC2 Systems Manager

Why should I care?

• Manage hybrid architecture

• Cross-platform (Windows/Linux)

• Scalable and auditable

• Improve security and compliance

• Easily automate repetitive tasks

• Reduce TCO

Page 5: ENT401 Deep Dive with Amazon EC2 Systems Manager

Systems Manager Customers and Partners

Page 6: ENT401 Deep Dive with Amazon EC2 Systems Manager

Amazon EC2 Systems Manager – components

Run Command, State Manager, Inventory, Maintenance Window, Patch Manager, Automation, Parameter Store, Documents

Page 7: ENT401 Deep Dive with Amazon EC2 Systems Manager

Amazon EC2 Systems Manager Services

• Run Command: Safely automate common administrative tasks on your instances at scale without SSH or RDP access

• Inventory: Collect and query software inventory

• Patch Manager: Select and deploy OS patches automatically

• State Manager: Define and maintain consistent OS configurations such as firewall settings and anti-malware definitions to comply with policies

• Maintenance Windows: Create recurring time windows to run administrative or any disruptive tasks

• Automation: Create streamlined workflows, for example to update Amazon Machine Images (AMIs)

• Parameter Store: Centralized location to store, control access to, and easily reference configuration data and secrets

• Documents: Easily author configurations for use across Systems Manager services

Page 8: ENT401 Deep Dive with Amazon EC2 Systems Manager

What is a Document?

{
  "schemaVersion": "2.2",
  "description": "Cross-platform demo document",
  "mainSteps": [
    {
      "action": "aws:runPowerShellScript",
      "precondition": {"StringEquals": ["platformType", "Windows"]},
      "name": "WindowsOpenPorts",
      "inputs": {"runCommand": ["netstat -a"]}
    },
    {
      "action": "aws:runShellScript",
      "precondition": {"StringEquals": ["platformType", "Linux"]},
      "name": "LinuxOpenPorts",
      "inputs": {"runCommand": ["netstat -lntu"]}
    }
  ]
}

• Written in JSON and consist of steps executed in sequence

• Documents can be versioned (also support $DEFAULT and $LATEST)

• Cross-platform

• Share documents across accounts or share publicly to the community
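As an added example that is not part of the deck: a small Python script that takes a schemaVersion 2.2 command document and lists the steps (and the exact commands) that would run on a given platform, which is the check you want before sending a shared or community document to a fleet. The embedded document is a constructed copy of the demo document above, and the precondition rule is a simplified re-implementation of the documented behaviour (a step whose StringEquals precondition on platformType does not match is skipped; a step without a precondition always runs), not the agent's own code.

```python
import json

# Constructed copy of the deck's cross-platform demo document (schemaVersion 2.2).
DEMO_DOCUMENT = json.dumps({
    "schemaVersion": "2.2",
    "description": "Cross-platform demo document",
    "mainSteps": [
        {"action": "aws:runPowerShellScript",
         "precondition": {"StringEquals": ["platformType", "Windows"]},
         "name": "WindowsOpenPorts", "inputs": {"runCommand": ["netstat -a"]}},
        {"action": "aws:runShellScript",
         "precondition": {"StringEquals": ["platformType", "Linux"]},
         "name": "LinuxOpenPorts", "inputs": {"runCommand": ["netstat -lntu"]}},
    ],
})

def precondition_holds(precondition, platform_type):
    """True when a step's precondition passes on platform_type.
    A step without a precondition always runs. Only StringEquals on
    platformType (the form the demo document uses) is handled; any other
    precondition is rejected rather than silently allowed to run."""
    if precondition is None:
        return True
    operands = precondition.get("StringEquals")
    if not isinstance(operands, list) or len(operands) != 2:
        raise ValueError("unsupported precondition: %r" % (precondition,))
    if "platformType" not in operands:
        raise ValueError("unsupported precondition variable: %r" % (operands,))
    expected = operands[1] if operands[0] == "platformType" else operands[0]
    return expected == platform_type

def steps_for_platform(document_json, platform_type):
    """Return (name, action, commands) for every step that would run on
    platform_type, in document order, so a reviewer sees exactly which
    commands a shared document executes before sending it to a fleet."""
    doc = json.loads(document_json)
    if doc.get("schemaVersion") != "2.2":
        raise ValueError("expected schemaVersion 2.2, got %r" % doc.get("schemaVersion"))
    selected = []
    for step in doc["mainSteps"]:
        if precondition_holds(step.get("precondition"), platform_type):
            selected.append((step["name"], step["action"], step["inputs"]["runCommand"]))
    return selected

if __name__ == "__main__":
    for platform in ("Windows", "Linux"):
        for name, action, commands in steps_for_platform(DEMO_DOCUMENT, platform):
            print(platform, name, action, commands)
```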

Page 9: ENT401 Deep Dive with Amazon EC2 Systems Manager

Safe and secure ops at scale without SSH/RDP

• Remotely manage thousands of Windows and Linux instances running on Amazon EC2 or on-premises

• Control user actions and scope with secure, granular access control

• Safely execute changes with rate control to reduce blast radius

• Audit every user action with change tracking

[Diagram: IT Admin / DevOps Engineer, through role-based access control, managing instances in the AWS cloud and the corporate data center]

Page 10: ENT401 Deep Dive with Amazon EC2 Systems Manager

Maintain Software Compliance, Reduce Risk

• Bootstrap instances on launch with image builds that are compliant

• Roll out Windows and Linux patches based on corporate policies and org-wide maintenance windows

• Get notified on malware (e.g. Petya ransomware), vulnerabilities, and blacklisted apps, with recommended actions

[Diagram: Create compliant software images → Deploy instances → Automate online patch management]

Page 11: ENT401 Deep Dive with Amazon EC2 Systems Manager

Automate using extensible framework

• Generic framework to express your workflow as automation steps

• Automate golden image creation

• Fix unreachable EC2 instances

• Reset forgotten passwords

• Create custom workflows

[Diagram: Automation Document, with role and permission and input → Run the automation]

Page 12: ENT401 Deep Dive with Amazon EC2 Systems Manager

Maintain updated view of software inventory

• Discover inventory across accounts

  • EC2 instances and OS details

  • Installed software and patches

  • List of files, network configuration

  • Custom inventory types

• Audit software, maintain historical record of changes using AWS Config

• Identify zero-day vulnerabilities

• Create data lake in Amazon S3 bucket for analytics

[Diagram: inventory from the AWS cloud and the corporate data center, multi-account and across regions, flows into an Amazon S3 data lake queried by Amazon Athena, Amazon QuickSight or a custom analytic tool]

Page 13: ENT401 Deep Dive with Amazon EC2 Systems Manager

Manage configuration drift

• Control configuration details such as anti-virus settings, iptables, etc.

• Compare actual deployments against specified configuration policy

• Automatically re-apply policies if state drift is detected

• OS changes

• Local users and permissions

[Diagram: State Manager applies a Document to instances]

Page 14: ENT401 Deep Dive with Amazon EC2 Systems Manager

Store and retrieve configuration secrets

• Store any configuration data or parameter in hierarchies with RBAC

• Option to encrypt secret data like passwords using KMS

• Enforce password policies using parameter lifetime and change notifications

• Use across AWS services such as Lambda, AWS CodeDeploy, and ECS

[Diagram: instances retrieve secrets from Parameter Store, with change notification]

No more storing secrets in plain text!

Page 15: ENT401 Deep Dive with Amazon EC2 Systems Manager

Cross-account view of Inventory

• S3 as a data lake: Sync Inventory data across regions and accounts to a single S3 bucket

• Use Athena and/or QuickSight to query software inventory information

Page 16: ENT401 Deep Dive with Amazon EC2 Systems Manager

Other use cases for Systems Manager

• Run PowerShell DSC, Ansible Playbooks or Salt States on SSM

• Eliminate need for bastion hosts; simplify your architecture

• Instance health monitoring, system checks

• Joining instances securely to a domain

• Take scheduled VSS snapshots of your instances

• Collect logs from terminating instances in an Auto Scaling Group

Page 17: ENT401 Deep Dive with Amazon EC2 Systems Manager

Demo!

Page 18: ENT401 Deep Dive with Amazon EC2 Systems Manager

Partner and open source ecosystem

• Enables partners to build monetizable value-added solutions like HIPAA and PCI compliance, custom compliance reporting

• All services available through API/CLI/SDKs to support custom workflows

• Systems Manager agent is open sourced and allows community to build custom data collectors

• Configuration platform: support for Ansible Playbooks/Salt States/PowerShell DSC with improved security

Page 19: ENT401 Deep Dive with Amazon EC2 Systems Manager

FAQs

• Does Systems Manager require an agent?

• How often do I update the agent?

• What kind of IAM policy is needed to get started?

• How do I use SSM to set up on-premises servers or VMs?

• What OS platforms are supported?

  • Supported Linux operating systems:

    • Amazon Linux 2014.03 and later

    • Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS

    • RHEL 6.5+, CentOS 6.3+, SUSE 12+

  • Supported Windows operating systems:

    • Windows Server 2003+, including R2 versions

• Do instances need network access?

Page 20: ENT401 Deep Dive with Amazon EC2 Systems Manager

Links

• Learn more at https://aws.amazon.com/ec2/systems-manager/

• AWS Blog – https://aws.amazon.com/blogs/aws/category/amazon-ec2-systems-manager/

• AWS Management Tools Blog – https://aws.amazon.com/blogs/mt/

Page 21: ENT401 Deep Dive with Amazon EC2 Systems Manager

Ananth Vaidyanathan, Sr. Product Manager

E: [email protected]

https://aws.amazon.com/ec2/systems-manager/