© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Shashi Prabhakar, Solutions Architect
July 12 2017
Amazon EC2 Systems Manager
Hybrid-Cloud Management at Scale
What to expect from the session
 Overview of Amazon EC2 Systems Manager capabilities
 Use cases of each component
 Walkthroughs:
 Run Command, Associations, Inventory
 Bringing it all together
Amazon EC2 Systems Manager for Hybrid Cloud Management at Scale
Customer challenges
Traditional IT toolset not built for cloud scale infrastructure
Maintaining enterprise-wide visibility is challenging
Deploying multiple products is a significant overhead
Licensing costs & complexity
Managing cloud and hybrid environments using a traditional toolset is complex and costly
IT infrastructure is increasingly becoming spread across on-premises, private and public cloud
Introducing Amazon EC2 Systems Manager
A set of capabilities that:
• enable automated configuration
• support ongoing management of systems at scale
• work across all of your Windows and Linux workloads
• run in Amazon EC2 or on-premises
• carry no additional charge to use
Why should I care?
Support for hybrid architecture
Cross-platform
Scalable
Secure
Easy-to-write automation
Expected reduction in Total Cost of Ownership (TCO)
Amazon Systems Manager Components
Overview and Use cases
Amazon Systems Manager Agent Overview
Processes Systems Manager requests and configures instances
Supported Linux operating systems:
• Amazon Linux 2014.03 and later
• Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS
• RHEL 6.5+, CentOS 6.3+, SUSE 12+
Supported Windows operating systems:
• Windows Server 2003+, including R2 versions
Source code available on GitHub:
• https://github.com/aws/amazon-ssm-agent
NEW!
Amazon EC2 Systems Manager capabilities
State Manager, Maintenance Window, Inventory, Automation, Parameter Store, Run Command, Patch Manager
Amazon EC2 Systems Manager – Components
Run Command, State Manager, Inventory, Maintenance Window, Patch Manager, Automation, Parameter Store
Documents
Wait, what’s a Document?
{
  "schemaVersion": "2.0",
  "description": "Installs a Windows Feature",
  "parameters": {
    "feature": {
      "type": "String",
      "description": "Specify a package to install"
    }
  },
  "mainSteps": [ {
    "action": "aws:runPowerShellScript",
    "name": "run",
    "inputs": { "runCommand": [ "Install-WindowsFeature {{feature}}" ] }
  } ]
}
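As an added illustration (not from the slides or the SSM agent itself), a small Python checker that validates a schema-2.x Command document like the one above and renders its {{parameter}} placeholders the way the agent does at send time; the plugin table and both sample documents are constructed for this example.

```python
import json
import re

# Constructed sample: the Command document from the slide (schema 2.0), with the
# step input named runCommand as the aws:runPowerShellScript plugin expects.
INSTALL_FEATURE_DOC = json.dumps({
    "schemaVersion": "2.0",
    "description": "Installs a Windows Feature",
    "parameters": {
        "feature": {"type": "String", "description": "Specify a package to install"}
    },
    "mainSteps": [{
        "action": "aws:runPowerShellScript",
        "name": "run",
        "inputs": {"runCommand": ["Install-WindowsFeature {{feature}}"]},
    }],
})

# Constructed negative case: the same document with the step input misnamed
# "commands" (a schema-1.2 property name), which the agent would reject.
MISNAMED_INPUT_DOC = INSTALL_FEATURE_DOC.replace('"runCommand"', '"commands"')

# Plugins this checker models and the input key that carries the script.
# Assumption: only the two script plugins mentioned in the deck are covered.
SCRIPT_INPUT = {"aws:runPowerShellScript": "runCommand",
                "aws:runShellScript": "runCommand"}
PARAM_TYPES = {"String", "StringList", "Boolean", "Integer", "MapList", "StringMap"}
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")


def validate_document(doc_json):
    """Return a list of problems found in a schema-2.x Command document.
    An empty list means the document is structurally usable."""
    doc = json.loads(doc_json)
    problems = []
    if not str(doc.get("schemaVersion", "")).startswith("2."):
        problems.append("schemaVersion must be 2.x for mainSteps documents")
    declared = doc.get("parameters", {})
    for pname, spec in declared.items():
        if spec.get("type") not in PARAM_TYPES:
            problems.append(f"parameter {pname!r} has unsupported type {spec.get('type')!r}")
    seen = set()
    for step in doc.get("mainSteps", []):
        name = step.get("name", "<unnamed>")
        if name in seen:
            problems.append(f"duplicate step name {name!r}")
        seen.add(name)
        action = step.get("action")
        key = SCRIPT_INPUT.get(action)
        if key is None:
            problems.append(f"step {name!r}: unknown action {action!r}")
            continue
        inputs = step.get("inputs", {})
        if key not in inputs:
            problems.append(f"step {name!r}: {action} needs input {key!r}")
            continue
        for line in inputs[key]:
            for ref in PLACEHOLDER.findall(line):
                if ref not in declared:
                    # An undeclared reference is left unexpanded at run time.
                    problems.append(f"step {name!r}: undeclared parameter {{{{{ref}}}}}")
    return problems


def render_commands(doc_json, values):
    """Substitute {{param}} placeholders with the values supplied at send time,
    refusing undeclared parameters and missing required values."""
    problems = validate_document(doc_json)
    if problems:
        raise ValueError("; ".join(problems))
    doc = json.loads(doc_json)
    declared = doc.get("parameters", {})
    unknown = sorted(set(values) - set(declared))
    if unknown:
        raise ValueError(f"undeclared parameters supplied: {unknown}")
    missing = [p for p, s in declared.items() if p not in values and "default" not in s]
    if missing:
        raise ValueError(f"missing values for: {missing}")

    def lookup(m):
        return str(values.get(m.group(1), declared[m.group(1)].get("default")))

    rendered = []
    for step in doc["mainSteps"]:
        for line in step["inputs"][SCRIPT_INPUT[step["action"]]]:
            rendered.append(PLACEHOLDER.sub(lookup, line))
    return rendered


if __name__ == "__main__":
    print(validate_document(INSTALL_FEATURE_DOC))
    print(validate_document(MISNAMED_INPUT_DOC))
    print(render_commands(INSTALL_FEATURE_DOC, {"feature": "Web-Server"}))
```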
Remotely and securely manage servers or virtual machines at scale running in your data center or in AWS
 Use Document to execute a script or just run a command
 Execute commands across multiple instances simultaneously
 Support for AWS and on-premises infrastructure
 Rate Control and Error Control
 AWS native
Run Command
No SSH or RDP access
 Close Inbound access
 Remote Administration
 More control through IAM
Run Command: Use Cases
Run Bash and PowerShell scripts
 Manage local users & permissions
 Support for PowerShell and Linux commands
 Perform operating system changes
 Wipe out Elasticsearch data directories
 Application management such as configuration changes, application updates at scale
 Execute third party configuration management scripts such as PowerShell, DSC, Ansible and Salt
 Perform AWS directory services domain join operations
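An added example, not part of the deck or of any AWS SDK: a Python helper that targets Run Command by tag, applies MaxConcurrency/MaxErrors rate control and rolls up the per-instance invocation statuses so failures can be acted on. FakeSSM and SAMPLE_FLEET are constructed stand-ins for boto3's ssm client so the block runs offline; the request and response keys are those of the real SendCommand and ListCommandInvocations APIs.

```python
from collections import Counter

# Invocation statuses that will not change any more.
TERMINAL = {"Success", "Failed", "TimedOut", "Cancelled"}


def build_send_command(document, parameters, tag_key, tag_values,
                       max_concurrency="10%", max_errors="5", comment=""):
    """Build the SendCommand request: target by tag instead of an instance
    list, and cap the blast radius with MaxConcurrency / MaxErrors."""
    return {
        "DocumentName": document,
        "Parameters": parameters,
        "Targets": [{"Key": f"tag:{tag_key}", "Values": list(tag_values)}],
        "MaxConcurrency": str(max_concurrency),   # count or percentage, e.g. "2" or "10%"
        "MaxErrors": str(max_errors),             # stop scheduling new instances past this
        "Comment": comment[:100],                 # SendCommand limits Comment to 100 chars
    }


def summarize_invocations(invocations):
    """Roll up per-instance invocation records into counts, the instances
    still running, and the instances that ended in anything but Success."""
    counts = Counter(inv["Status"] for inv in invocations)
    pending = [inv["InstanceId"] for inv in invocations if inv["Status"] not in TERMINAL]
    failed = [inv["InstanceId"] for inv in invocations
              if inv["Status"] in TERMINAL and inv["Status"] != "Success"]
    return {"counts": dict(counts), "pending": pending, "failed": failed}


def run_at_scale(ssm, document, parameters, tag_key, tag_values, **rate):
    """Send the command through an injected SSM client (boto3's ssm client in
    production) and return the command id plus a summary of its invocations."""
    request = build_send_command(document, parameters, tag_key, tag_values, **rate)
    command_id = ssm.send_command(**request)["Command"]["CommandId"]
    page = ssm.list_command_invocations(CommandId=command_id)
    return command_id, summarize_invocations(page["CommandInvocations"])


class FakeSSM:
    """Constructed stand-in for boto3's ssm client: records the request it
    receives and answers with canned per-instance statuses."""
    def __init__(self, statuses):
        self.statuses = statuses
        self.requests = []

    def send_command(self, **request):
        self.requests.append(request)
        return {"Command": {"CommandId": "cmd-constructed-0001"}}

    def list_command_invocations(self, CommandId):
        return {"CommandInvocations": [
            {"CommandId": CommandId, "InstanceId": iid, "Status": st}
            for iid, st in self.statuses.items()]}


# Constructed fleet of four tagged instances: one timed out, one still running.
SAMPLE_FLEET = {"i-0aaa": "Success", "i-0bbb": "Success",
                "i-0ccc": "TimedOut", "i-0ddd": "InProgress"}


def demo():
    ssm = FakeSSM(SAMPLE_FLEET)
    _cmd_id, summary = run_at_scale(
        ssm, "AWS-RunShellScript", {"commands": ["df -h"]},
        "Role", ["web"], max_concurrency="2", max_errors="1",
        comment="disk space check")
    return ssm.requests[0], summary


if __name__ == "__main__":
    req, summary = demo()
    print(req["Targets"], req["MaxConcurrency"], req["MaxErrors"])
    print(summary)
```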
Run Command: Use Cases
Blog: Replacing a Bastion Host - Before
Blog Link
Blog: Replacing a Bastion Host - Now
Blog Link
Walkthrough: Run Command
Define and maintain consistent configuration of operating systems and applications running in your data center or in AWS
State Manager & Inventory
Provides visibility into the software catalogue and configuration for your Amazon EC2 instances and on-premises servers
Maintain a Consistent Configuration
State Manager: Use Cases
Reduce Configuration Drift in Autoscaling service
Discover and Audit your Software
 Collect detailed information on the software in your instances
 Measure usage of licensed software across your fleet
Inventory: Use Cases
Security & Incident Analysis
 Historical record of inventory changes over time
 Proactive notification if your configurations become non-compliant
Amazon EC2 Systems Manager for Hybrid Cloud Management at Scale
Walkthrough: State Manager and Inventory
Define one or more recurring windows of time during which it is acceptable for any disruptive operation to occur
Maintenance Window & Patch Manager
Automated tool that helps you simplify your Windows operating system patching process
Automatically perform tasks in defined windows of time
 Define a maintenance window using cron or rate expressions
 Ensure maintenance doesn’t overlap key business periods
Maintenance Window: Use Cases
Prioritise tasks and define roll-back and timeout criteria
 Ensure key tasks are completed first during maintenance windows
 Execute tasks with specific IAM roles for granular security control
Manage Patch Baselines
 Define patch baselines by products, categories & severities
 Define approval and distribution schedule for specific baselines
Patch Manager: Use Cases
Manage Patch Compliance
 Scan existing fleet to determine patch levels of the software
 Identify patches currently installed, missing, recently applied, etc.
Simplifies common maintenance and deployment tasks, such as updating Amazon Machine Images (AMIs)
 Patch, update agents, or bake applications into your AMIs
 Build workflows to accomplish complex tasks
 Use pre-defined workflows or build your own
 Invoke Lambda Functions
Automation
Maintain and Update your AMIs
 Integrates with CloudWatch for proactive notifications
 Use in conjunction with Maintenance Windows
Automation: Use Cases
Include Applications in your AMIs
 Bake applications into an image
 Incorporate Automation as part of your change management process
 Create AMI after Deployment completion
 Example: Using Automation with Jenkins
Automation with CI/CD Pipeline
Automation: Use Cases
Simplify AMI Patching
 Integrating Lambda and Parameter Store
 Update Autoscaling Group
Centralized store to manage your configuration data, including plain-text data or secrets, encrypted through AWS KMS
 Critical information stored securely within your environment
• Integrates with AWS IAM, AWS KMS, AWS CloudTrail
 Re-use across your AWS configuration and automation workflows
 Reference parameters from:
• Other Amazon EC2 Systems Manager capabilities (Run Command, Automation, State Manager, etc.)
• Other AWS services (Amazon ECS, AWS Lambda, etc.)
Parameter Store
Store Secret
 Can be used with AWS services like ECS/CFN/OpsWorks and on-prem
 CI/CD Pipeline
Parameter Store: Use Cases
Secure domain join
 Create secure string parameter with domain join password
 Control access to specific users and refer using simple syntax
Blog: Access Secrets and Config data in CodeDeploy
Blog Link
Example: Integration with other AWS Services
Integration with CloudWatch Events
 Event Sources
 Event Types
 Statuses
 Resources
 Event Targets
 Run Command Documents
 Target Key / Values
 Parameters
 IAM role
Integration with Lambda
Retrieve information from the CloudWatch Event
Query the output status of each invocation
Print the output status into CloudWatch Logs
Select EC2 Systems Manager as the Event Source
Specify the status(es) that trigger the rule
Select the Lambda function as the target of the rule
Viewing the output in CloudWatch Logs
View the CloudWatch Log Streams
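An added example (not from the deck): a Python Lambda handler for the flow above, which takes the CloudWatch Event, queries the invocation's output for statuses that need attention and prints a structured record to CloudWatch Logs. SAMPLE_EVENT and FakeSSM are constructed for this example; the injected ssm argument would be boto3's ssm client in the real function.

```python
import json

# Statuses the CloudWatch Events rule would normally be scoped to; the handler
# still checks, since a rule can be widened later without touching the code.
ALERT_STATUSES = {"Failed", "TimedOut", "Cancelled"}

# Constructed sample in the shape of an "EC2 Command Invocation Status-change
# Notification" emitted by source aws.ssm (ids and account are placeholders).
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "EC2 Command Invocation Status-change Notification",
    "source": "aws.ssm",
    "account": "123456789012",
    "time": "2017-07-12T10:00:00Z",
    "region": "eu-west-2",
    "resources": ["arn:aws:ec2:eu-west-2:123456789012:instance/i-0abc12345def67890"],
    "detail": {
        "command-id": "11111111-2222-3333-4444-555555555555",
        "document-name": "AWS-RunShellScript",
        "instance-id": "i-0abc12345def67890",
        "status": "Failed",
    },
}


def parse_ssm_event(event):
    """Pull the fields the function needs out of the CloudWatch Event and
    reject anything that is not an SSM invocation notification."""
    if event.get("source") != "aws.ssm" or "Invocation" not in event.get("detail-type", ""):
        raise ValueError(f"not an SSM invocation event: {event.get('detail-type')!r}")
    d = event["detail"]
    return {"command_id": d["command-id"], "instance_id": d["instance-id"],
            "document": d["document-name"], "status": d["status"],
            "region": event["region"], "time": event["time"]}


def fetch_invocation_output(ssm, command_id, instance_id):
    """Query the invocation's output through the injected SSM client
    (GetCommandInvocation in the real API)."""
    inv = ssm.get_command_invocation(CommandId=command_id, InstanceId=instance_id)
    return {"stdout": inv.get("StandardOutputContent", ""),
            "stderr": inv.get("StandardErrorContent", ""),
            "exit_code": inv.get("ResponseCode")}


def lambda_handler(event, context=None, ssm=None):
    """Entry point: build a structured record, enrich it with the command
    output when the status needs attention, and log it to CloudWatch Logs."""
    record = parse_ssm_event(event)
    record["needs_attention"] = record["status"] in ALERT_STATUSES
    if record["needs_attention"] and ssm is not None:
        record["output"] = fetch_invocation_output(
            ssm, record["command_id"], record["instance_id"])
    print(json.dumps(record))   # stdout of a Lambda lands in its CloudWatch Log stream
    return record


class FakeSSM:
    """Constructed stand-in for boto3's ssm client so the block runs offline."""
    def get_command_invocation(self, CommandId, InstanceId):
        return {"CommandId": CommandId, "InstanceId": InstanceId, "Status": "Failed",
                "ResponseCode": 1, "StandardOutputContent": "",
                "StandardErrorContent": "df: /data: No such file or directory\n"}


if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT, ssm=FakeSSM())
```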
Example: Remediate Amazon Inspector Findings
 Amazon Inspector sends SNS notifications of identified CVEs
 SNS triggers Lambda to call the Amazon EC2 Systems Manager to update the instance
 Broad application to multiple cases such as software and application patching, kernel version updates, security permissions, etc.
https://aws.amazon.com/blogs/security/how-to-remediate-amazon-inspector-security-findings-automatically/
Patching with latest updates
• Inventory
• State Manager
• Maintenance Window
• Patch Manager
• Automation
Bringing it All Together
Maintain Application Configuration
• Inventory
• State Manager
• Automation
Bringing it All Together
CI/CD pipeline
• Run Command
• State Manager
• Parameter Store
• Automation
Bringing it All Together
Recent Launches
• Systems Manager support for SUSE Linux
• Parameter Store - Tagging, CWE and Hierarchy support
• EC2 Systems Manager | Inventory: S3 Sync
• Patch Manager: Linux Patching
Systems Manager referenceable logos
Add a screenshot of where is SSM
In summary...
Hybrid
Cross-platform
Scalable
Secure
Easy-to-write automation
Reduced TCO
https://aws.amazon.com/blogs/mt/
Thank you!
Amazon Systems Manager Agent Installation – Linux
Amazon EC2 instances (Amazon Linux, RedHat 6.x, etc.):
mkdir /tmp/ssm
# Look up the instance's own region from the instance identity document
REGION=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | grep '"region"' | awk -F'"' '{ print $4 }')
curl https://amazon-ssm-$REGION.s3.amazonaws.com/latest/linux_amd64/amazon-ssm-agent.rpm -o /tmp/ssm/amazon-ssm-agent.rpm
sudo yum install -y /tmp/ssm/amazon-ssm-agent.rpm
On-premises servers:
mkdir /tmp/ssm
REGION="eu-west-2" # Specifies the region in which to register the on-premises instances
curl https://amazon-ssm-$REGION.s3.amazonaws.com/latest/linux_amd64/amazon-ssm-agent.rpm -o /tmp/ssm/amazon-ssm-agent.rpm
sudo yum install -y /tmp/ssm/amazon-ssm-agent.rpm
sudo stop amazon-ssm-agent
# "code" and "id" are the activation code and activation id created for the on-premises server
sudo amazon-ssm-agent -register -code "code" -id "id" -region "$REGION"
sudo start amazon-ssm-agent
Amazon Systems Manager Agent Installation – Windows
Amazon EC2 instances:
Download: https://amazon-ssm-region.s3.amazonaws.com/latest/windows_amd64/AmazonSSMAgentSetup.exe
Restart-Service AmazonSSMAgent
On-premises servers:
$dir = $env:TEMP + "\ssm"
New-Item -ItemType directory -Path $dir
cd $dir
(New-Object System.Net.WebClient).DownloadFile("https://amazon-ssm-region.s3.amazonaws.com/latest/windows_amd64/AmazonSSMAgentSetup.exe", $dir + "\AmazonSSMAgentSetup.exe")
# CODE, ID and REGION are the activation code, activation id and region for the on-premises server
Start-Process .\AmazonSSMAgentSetup.exe -ArgumentList @("/q", "/log", "install.log", "CODE=code", "ID=id", "REGION=region") -Wait
Get-Content ($env:ProgramData + "\Amazon\SSM\InstanceData\registration")
Get-Service -Name "AmazonSSMAgent"
Installation instructions
IAM Role Attachment
Boot-strapping installation – EC2 User Data
Boot-strapping installation – CloudFormation
Server:
  Type: AWS::EC2::Instance
  Metadata:
    AWS::CloudFormation::Init:
      configSets:
        AWSTools:
          - "ssmInstall"
      ssmInstall:
        packages:
          rpm:
            amazon-ssm-agent: https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
        commands:
          01-stopssm:
            command: "stop amazon-ssm-agent"
          02-startssm:
            command: "start amazon-ssm-agent"
  Properties:
    IamInstanceProfile: !Ref EC2SSMProfile
    UserData:
      "Fn::Base64":
        !Sub |
          #!/bin/bash -xe
          yum -y update
          /opt/aws/bin/cfn-init -v --stack "${AWS::StackName}" --resource Server --configsets AWSTools --region ${AWS::Region}
          echo Startup completed.
    ...
Prerequisites
 User IAM access to Amazon EC2 Systems Manager
 For managed EC2 instances:
 Amazon EC2 Instance Role
 For managed on-premises instances:
 AWS IAM Service Role
 EC2 Systems Manager Activation code
 Systems Manager Agent installed on managed instances
 Outbound Internet (https) access for the instance
 The agent is pre-installed in AWS published AMIs


Editor's Notes

  1. Read Slide – add anecdotes as appropriate
  2. Not built for cloud scale. Hybrid enterprise solutions - cost. Open source - management overhead. 07/11 Note: Security, Compliance and Auditing. Add a slide – Why do I care
  3. help gain insights, enable granular control, automated configuration, compliance and ongoing management of your workloads at scale
  4. Automated configuration... and best practices. Managed service. Linux and Windows. On prem. AWS-optimized - native integration with AWS services such as IAM, CloudWatch Events etc. It is available in all regions including GovCloud. Free - it's a complimentary service.
  5. Systems Manager is Agent based service, and polls the service. Unlike client-server setup. Also this means no inbound ports need to be opened, improving security posture for customers. It’s open source available on GitHub. AWS Optimized. Works with On-prem. It’s written in Go Language. You can install the Agent on: Running Linux, Windows EC2 instances and OnPrem hardware You can also bootstrap the installation while launching the instance through User Data You can bootstrap even with Cloudformation Template 07/11 Note: Technical slide for Systems Manager Agent
  6. We’ve thought through the areas that are important for managing instances at scale, from patch management to remote command configuration and management. 7 capabilities Customers come to Systems Manager b/c one of these capabilities addresses a pain point
  7. Document takes center stage Document is executable code. Representing set of actions. SSM agent interprets this document.
  8. It's an orchestration. Document is where you write stuff like you do in Lambda. Format is JSON. Executes in sequence, in the order that steps are specified. You can literally write Bash and PowerShell scripts directly in a Document. Supports editing and versioning (using schema v2.0+). AWS-managed, user created, or shared from other accounts. 3 types of Document: Command, Policy, Automation.
  9. You have rate control using Systems Manager, for example, 100 instances update at a time out of 10000 instances. Run Command comes with parameters like max-concurrency and max-errors. Systems Manager is directly integrated with other AWS services giving you the advantages of the ecosystem, like logging with CloudTrail. You can have more control using IAM. You can notify yourself using SNS or S3.
  10. Remote Administration - Being an agent based solution gives you the advantage of closing SSH completely and managing infrastructure directly through Systems Manager. Frequently, engineers want to perform operational tasks across a group of instances. However, many of these tasks need to be performed at a controlled speed, and return feedback when there is a problem. Furthermore, administrators want to know when any error occurred.
  11. 07/11 Note: Keywords on the slide
  12. Show them output of disk space by running command on 2 instances
  13. State Manager: Define your own schedules for deployment reviews. Compare actual deployments against specified configuration policy. State Manager reapplies policies if state drift is detected. Query State Manager to view status of deployments. Gather detail on a variety of attributes, such as: installed applications & OS details, AWS components and agents, network configuration. Inventory attributes are stored in AWS Config for auditing. Assess compliance of configurations using AWS Config Rules.
  14. State Manager Control configuration details such as anti-virus settings, iptables, etc. Simplify bootstrapping of varied software / agents Manage local users & permissions Perform operating system changes Use custom images in our environment. How to check the existing version of PV drivers running in my environment (Inventory) and create notifications informing me when the PV drivers are outdated on my machines (New PV Drivers released by AWS).  Reduce Configuration Drift with Autoscaling Service You can use State Manager with Autoscaling Launch Configuration to avoid any change in instances You can also bootstrap Autoscaling Group Instances on launch
  15. Gather detail on a variety of attributes, such as: installed applications & OS details, AWS components and agents, network configuration. Inventory attributes are stored in AWS Config for auditing. Assess compliance of configurations using AWS Config Rules.
  16. Inventory can look pretty Now you can store all your output to S3. Use S3 as Data Lake to query through Athena and push to Quicksight
  17. Show them how to update Systems Manager Agent software and gather inventory of all applications and AWS Config timeline
  18. Associate your instances with defined maintenance windows Create different maintenance windows for different groups of servers based on Tags Works with both Amazon EC2 and on-premises infrastructure
  19. Maintenance Window Associate your instances with defined maintenance windows Create different maintenance windows for different groups of servers Works with both Amazon EC2 and on-premises infrastructure
  20. A lot of customization available: select the patches you want to deploy; control timing for patch roll-outs and instance reboots; define auto-approval rules for patches; ability to black-list or white-list specific patches; schedule the automatic roll-out through maintenance windows. All MS patches are available same day (within 4 hours). Speak to the recent ransomware attacks on Windows and how Patch Manager can help. Speak about pairing with Maintenance Window to do continuous patch compliance.
  21. Due to Lambda, now you can work up to Infrastructure level instead of just OS
  22. CI/CD pipeline - Add Automation as a post-build step to pre-install application releases into AMIs. Use the Jenkins scheduling feature to call Automation and create your own operating system (OS) patching cadence. Using Lambda and Parameter Store, you can simplify your AMI patching workflow and keep the latest version for further use. Patch an AMI and update an Auto Scaling Group. Works with CloudFormation templates as well, so you can leverage CloudFormation and Lambda functions created by Systems Manager Automation to automate steps like: when an impaired instance is found, launch a new instance, detach and attach EBS volumes, configure the new instance the same as the impaired one and terminate the impaired one.
  23. Competing: clustered hosts - HashiCorp Vault, Lyft Confidant, Square Keywhiz; built on/utilizing AWS services - Credstash, Biscuit, Sneaker. Create env-specific parameters and reference them in workflows. Perform config-management at scale without plain-text passwords.
  24. Deploying and configuring applications often requires accessing secrets and configuration data such as API keys or database passwords in source code. https://aws.amazon.com/blogs/compute/managing-secrets-for-amazon-ecs-applications-using-parameter-store-and-iam-roles-for-tasks/ Parameter store is pretty powerful as it gives you a place to store secret data for each instance. It can be used very well in CI/CD pipeline like Code Deploy or even with other services like ECS/CFN/OpsWorks.
  25. Patching with Latest Updates AMI Autoscaling Service
  26. Application Configuration - Unauthorized/Missing triggers an SNS alert and Automated Action removes from whole infrastructure
  27. CI/CD State Manager: Configuration Policy