© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Amazon EC2 Systems Manager
Secure Management at Scale
Leo Zhadanovsky
Principal Solutions Architect
AWS
What to expect from the session
• Overview of Amazon EC2 Systems Manager capabilities
• Use cases of each component
• Walkthroughs: Run Command, Associations, Inventory, Patch Manager
• Bringing it all together
Secure Management of Fleet at Scale
Customer challenges
• Traditional IT toolset not built for cloud scale infrastructure
• Maintaining enterprise-wide visibility is challenging
• Deploying multiple products is a significant overhead
• Licensing costs & complexity
Managing cloud and hybrid environments using a traditional toolset is complex and costly
IT infrastructure is increasingly becoming spread across on-premises, private and public cloud
Introducing Amazon EC2 Systems Manager
A set of capabilities that:
• enable automated configuration
• support ongoing management of systems at scale
• work across all of your Windows and Linux workloads
• run in Amazon EC2 or on-premises
• carry no additional charge to use
Why should I care?
• Support for hybrid architecture
• Cross-platform
• Scalable
• Secure
• Easy-to-write automation
• Expected reduction in Total Cost of Ownership (TCO)
Amazon Systems Manager Components
Overview and Use cases
Amazon Systems Manager Agent Overview
Processes Systems Manager requests and configures instances
Supported Linux operating systems:
• Amazon Linux 2014.03 and later
• Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS
• RHEL 6.5+, CentOS 6.3+, SUSE 12+
Supported Windows operating systems:
• Windows Server 2003+, including R2 versions
Source code available on GitHub:
• https://github.com/aws/amazon-ssm-agent
NEW!
Amazon EC2 Systems Manager capabilities
State Manager, Maintenance Window, Inventory, Automation, Parameter Store, Run Command, Patch Manager
Amazon EC2 Systems Manager – Components
Run Command, State Manager, Inventory, Maintenance Window, Patch Manager, Automation, Parameter Store, Documents
Wait, what’s a Document?
{
  "schemaVersion": "2.0",
  "description": "Installs a Windows Feature",
  "parameters": {
    "feature": {
      "type": "String",
      "description": "Specify a package to install"
    }
  },
  "mainSteps": [ {
    "action": "aws:runPowerShellScript",
    "name": "run",
    "inputs": { "commands": "Install-WindowsFeature {{feature}}" }
  } ]
}
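A Document is just JSON, so it can be checked before it is registered. The linter below is an added example written for this page, not code from the slides or from AWS: it parses a Document, confirms every `{{placeholder}}` used in the steps is a declared parameter, flags step actions outside the two plugins this talk uses (a constructed subset of the real plugin list), and, because a parameter value is spliced straight into a shell or PowerShell command line, flags any interpolated parameter that has no `allowedPattern` or `allowedValues`. The second sample Document (`LINUX_PACKAGE_DOC`) and the `KNOWN_ACTIONS` set are constructed for the example.

```python
import json
import re

# Constructed sample Documents. The first is the Windows-feature Document from
# the slide; the second is a Linux sibling written for this example only.
WINDOWS_FEATURE_DOC = {
    "schemaVersion": "2.0",
    "description": "Installs a Windows Feature",
    "parameters": {
        "feature": {"type": "String", "description": "Specify a package to install"}
    },
    "mainSteps": [{
        "action": "aws:runPowerShellScript",
        "name": "run",
        "inputs": {"commands": "Install-WindowsFeature {{feature}}"},
    }],
}

LINUX_PACKAGE_DOC = {
    "schemaVersion": "2.2",
    "description": "Installs a package with yum (example only)",
    "parameters": {
        "package": {
            "type": "String",
            "description": "Package name",
            # Restricts the value to a package-name shape before it reaches the shell.
            "allowedPattern": "^[A-Za-z0-9._+-]+$",
        }
    },
    "mainSteps": [{
        "action": "aws:runShellScript",
        "name": "install",
        "inputs": {"runCommand": ["sudo yum install -y {{ package }}"]},
    }],
}

# Subset of step plugins used in this talk; other plugins exist but are not listed here.
KNOWN_ACTIONS = {"aws:runShellScript", "aws:runPowerShellScript"}
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")


def iter_strings(value):
    """Yield every string nested anywhere inside a dict/list structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from iter_strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from iter_strings(v)


def lint_document(doc):
    """Return a list of findings for a Systems Manager Document (empty means clean)."""
    findings = []
    if doc.get("schemaVersion") not in {"2.0", "2.2"}:
        findings.append("unsupported or missing schemaVersion")
    params = doc.get("parameters", {})
    for name, spec in params.items():
        if "type" not in spec:
            findings.append(f"parameter '{name}' has no type")
    used = set()
    for step in doc.get("mainSteps", []):
        action = step.get("action")
        if action not in KNOWN_ACTIONS:
            findings.append(f"step '{step.get('name')}' uses unknown action {action!r}")
        for text in iter_strings(step.get("inputs", {})):
            used.update(PLACEHOLDER.findall(text))
    for name in sorted(used - set(params)):
        findings.append(f"placeholder '{{{{{name}}}}}' is not a declared parameter")
    # A free-form string spliced into a command line is the classic injection point,
    # so insist on allowedPattern or allowedValues for anything that is interpolated.
    for name in sorted(used & set(params)):
        spec = params[name]
        if not ("allowedPattern" in spec or "allowedValues" in spec):
            findings.append(f"parameter '{name}' is interpolated into a command "
                            "but has no allowedPattern/allowedValues")
    return findings


def lint_json(text):
    """Lint a Document given as JSON text, the form stored in Systems Manager."""
    return lint_document(json.loads(text))


if __name__ == "__main__":
    for doc in (WINDOWS_FEATURE_DOC, LINUX_PACKAGE_DOC):
        print(doc["description"], "->", lint_document(doc) or "clean")
```

Run against the slide's own Document, the only finding is that `feature` is interpolated without a pattern; the Linux sibling, which constrains its parameter, comes back clean.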
Run Command
Remotely and securely manage servers or virtual machines at scale running in your data center or in AWS
• Use Document to execute a script or just run a command
• Execute commands across multiple instances simultaneously
• Support for AWS and on-premises infrastructure
• Rate Control and Error Control
• AWS native
Run Command: Use Cases
No SSH or RDP access
• Close inbound access
• Remote administration
• More control through IAM
Run Bash and PowerShell scripts
• Manage local users & permissions
• Support for PowerShell and Linux commands
Run Command: Use Cases (continued)
• Perform operating system changes
• Wipe out Elasticsearch data directories
• Application management such as configuration changes and application updates at scale
• Execute third party configuration management scripts such as PowerShell DSC, Ansible and Salt
• Perform AWS Directory Service domain join operations
Blog: Replacing a Bastion Host - Now
Walkthrough: Run Command
State Manager & Inventory
State Manager: Define and maintain consistent configuration of operating systems and applications running in your data center or in AWS
Inventory: Provides visibility into the software catalogue and configuration for your Amazon EC2 instances and on-premises servers
State Manager: Use Cases
Maintain a Consistent Configuration
• Reduce configuration drift in the Auto Scaling service
Inventory: Use Cases
Discover and Audit your Software
• Collect detailed information on the software in your instances
• Measure usage of licensed software across your fleet
Security & Incident Analysis
• Historical record of inventory changes over time
• Proactive notification if your configurations become non-compliant
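The two Inventory use cases above, change history and non-compliance notification, come down to diffing successive snapshots and checking the latest one against a policy. The code below is an added example written for this page, not code from the slides or from AWS. The snapshots are constructed in the shape of the `AWS:Application` inventory type (Name / Version / Publisher only), and the policy (forbidden packages, minimum versions) is hypothetical; the version comparison deliberately ignores letter suffixes, which is a simplification of real RPM/deb ordering.

```python
import re

# Constructed sample snapshots (not real fleet data) in the shape of the
# AWS:Application inventory type, reduced to three fields.
SNAPSHOT_MONDAY = [
    {"Name": "openssl", "Version": "1.0.1e", "Publisher": "Red Hat, Inc."},
    {"Name": "bash", "Version": "4.2.46", "Publisher": "Red Hat, Inc."},
    {"Name": "httpd", "Version": "2.4.6", "Publisher": "Red Hat, Inc."},
]
SNAPSHOT_TUESDAY = [
    {"Name": "openssl", "Version": "1.0.2k", "Publisher": "Red Hat, Inc."},
    {"Name": "bash", "Version": "4.2.46", "Publisher": "Red Hat, Inc."},
    {"Name": "telnet-server", "Version": "0.17", "Publisher": "Red Hat, Inc."},
]

# Hypothetical policy for this example: packages that must never be present,
# and minimum acceptable versions for packages that are.
POLICY = {
    "forbidden": {"telnet-server", "rsh-server"},
    "minimum_version": {"openssl": "1.0.2"},
}


def version_key(version):
    """Compare on the leading digits of each dotted component ('1.0.2k' -> (1, 0, 2)).

    Letter suffixes are ignored; real package version ordering is more involved.
    """
    key = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        key.append(int(m.group()) if m else 0)
    return tuple(key)


def diff_inventory(old, new):
    """Historical view: which packages appeared, disappeared or changed version."""
    before = {e["Name"]: e for e in old}
    after = {e["Name"]: e for e in new}
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(
            n for n in set(before) & set(after)
            if before[n]["Version"] != after[n]["Version"]
        ),
    }


def compliance_findings(snapshot, policy):
    """Compliance view: every entry in the snapshot that violates the policy."""
    findings = []
    for entry in snapshot:
        name, version = entry["Name"], entry["Version"]
        if name in policy["forbidden"]:
            findings.append(f"{name} {version}: forbidden package present")
        floor = policy["minimum_version"].get(name)
        if floor and version_key(version) < version_key(floor):
            findings.append(f"{name} {version}: below minimum {floor}")
    return findings


def drift_report(old, new, policy):
    """One record per comparison, the kind of payload you would hand to SNS or a ticket."""
    delta = diff_inventory(old, new)
    return {
        "delta": delta,
        "findings": compliance_findings(new, policy),
        "changed": any(delta.values()),
    }


if __name__ == "__main__":
    print(drift_report(SNAPSHOT_MONDAY, SNAPSHOT_TUESDAY, POLICY))
```

On the constructed data the report shows openssl moving past the minimum version while a forbidden telnet-server package appears, which is exactly the kind of change that should raise a notification rather than wait for the next manual audit.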
Walkthrough: State Manager and Inventory
Maintenance Window & Patch Manager
Maintenance Window: Define one or more recurring windows of time during which it is acceptable for any disruptive operation to occur
Patch Manager: Automated tool that helps you simplify your Windows operating system patching process
Maintenance Window: Use Cases
Automatically perform tasks in defined windows of time
• Define a maintenance window using cron or rate expressions
• Ensure maintenance doesn't overlap key business periods
Prioritise tasks and define roll-back and timeout criteria
• Ensure key tasks are completed first during maintenance windows
• Execute tasks with specific IAM roles for granular security control
Patch Manager: Use Cases
Manage Patch Baselines
• Define patch baselines by products, categories & severities
• Define approval and distribution schedule for specific baselines
Manage Patch Compliance
• Scan existing fleet to determine patch levels of the software
• Identify patches currently installed, missing, recently applied, etc.
Walkthrough: Patch Manager
Automation
Simplifies common maintenance and deployment tasks, such as updating Amazon Machine Images (AMIs)
• Patch, update agents, or bake applications into your AMIs
• Build workflows to accomplish complex tasks
• Use pre-defined workflows or build your own
• Invoke Lambda functions
Automation: Use Cases
Maintain and Update your AMIs
• Integrates with CloudWatch for proactive notifications
• Use in conjunction with Maintenance Windows
Include Applications in your AMIs
• Bake applications into an image
• Incorporate Automation as part of your change management process
Automation with CI/CD Pipeline
• Create AMI after deployment completion
• Example: Using Automation with Jenkins
Simplify AMI Patching
• Integrating Lambda and Parameter Store
• Update Auto Scaling group
Parameter Store
Centralized store to manage your configuration data, including plain-text data or secrets, encrypted through AWS KMS
• Critical information stored securely within your environment
  • Integrates with AWS IAM, AWS KMS, AWS CloudTrail
• Re-use across your AWS configuration and automation workflows
• Reference parameters from:
  • Other Amazon EC2 Systems Manager capabilities (Run Command, Automation, State Manager, etc.)
  • Other AWS services (Amazon ECS, AWS Lambda, etc.)
Parameter Store: Use Cases
Store Secrets
• Can be used with AWS services like ECS/CloudFormation/OpsWorks and on-premises
• CI/CD pipeline
Secure domain join
• Create a secure string parameter with the domain join password
• Control access to specific users and refer to it using simple syntax
Blog: Access Secrets and Config data in CodeDeploy
Example: Integration with other AWS Services
Integration with CloudWatch Events
• Event Sources
  • Event Types
  • Statuses
  • Resources
• Event Targets
  • Run Command Documents
  • Target Key / Values
  • Parameters
  • IAM role
Integration with Lambda
• Retrieve information from the CloudWatch Event
• Query the output status of each invocation
• Print the output status into CloudWatch Logs
• Select EC2 Systems Manager as the Event Source
• Specify the status(es) that trigger the rule
• Select the Lambda function as the target of the rule
Viewing the output in CloudWatch Logs: view the CloudWatch Log Streams
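The Lambda side of the integration above is a small handler, shown here as an added example written for this page rather than code from the slides or from AWS. `SAMPLE_EVENT` is a constructed event in the shape of a CloudWatch Events "EC2 Command Status-change Notification" from source `aws.ssm` (ids, account and timestamps are placeholders). `summarize_event` is pure and runs offline; `handler` optionally takes a boto3 SSM client and, when given one, calls the real `list_command_invocations` API to fetch the per-instance status, and prints the summary, which in Lambda lands in CloudWatch Logs.

```python
import json

# Statuses a Run Command can end in that warrant a closer look.
ALERT_STATUSES = {"Failed", "TimedOut", "Cancelled", "Cancelling"}

# Constructed sample event (not a captured one) in the shape of a CloudWatch
# Events "EC2 Command Status-change Notification". All ids are placeholders.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "EC2 Command Status-change Notification",
    "source": "aws.ssm",
    "account": "123456789012",
    "time": "2017-06-01T12:00:00Z",
    "region": "eu-west-2",
    "resources": ["arn:aws:ec2:eu-west-2:123456789012:instance/i-0123456789abcdef0"],
    "detail": {
        "command-id": "11111111-2222-3333-4444-555555555555",
        "document-name": "AWS-RunShellScript",
        "requested-date-time": "2017-06-01T11:59:00Z",
        "status": "Failed",
    },
}


def summarize_event(event):
    """Pull the fields worth logging out of a Run Command status-change event."""
    if event.get("source") != "aws.ssm":
        raise ValueError(f"not a Systems Manager event: {event.get('source')!r}")
    detail = event.get("detail", {})
    status = detail.get("status", "Unknown")
    return {
        "detail_type": event.get("detail-type"),
        "command_id": detail.get("command-id"),
        "document": detail.get("document-name"),
        # Present only on invocation-level (per-instance) events.
        "instance_id": detail.get("instance-id"),
        "status": status,
        "needs_attention": status in ALERT_STATUSES,
        "resources": event.get("resources", []),
    }


def handler(event, context=None, ssm_client=None):
    """Lambda entry point. Printing to stdout lands in CloudWatch Logs.

    ssm_client is an optional boto3 SSM client; when supplied, the per-instance
    invocation results are fetched with list_command_invocations.
    """
    summary = summarize_event(event)
    if ssm_client is not None and summary["command_id"]:
        resp = ssm_client.list_command_invocations(
            CommandId=summary["command_id"], Details=True
        )
        summary["invocations"] = [
            {"instance_id": inv["InstanceId"], "status": inv["Status"]}
            for inv in resp.get("CommandInvocations", [])
        ]
    print(json.dumps(summary))
    return summary


if __name__ == "__main__":
    handler(SAMPLE_EVENT)
```

Filtering on `source` keeps the function from acting on events a misconfigured rule might deliver, and the `needs_attention` flag is the natural hook for the SNS or ticketing step that the Inspector example on the next slide builds on.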
Example: Remediate Amazon Inspector Findings
• Amazon Inspector sends SNS notifications of identified CVEs
• SNS triggers Lambda to call Amazon EC2 Systems Manager to update the instance
• Broad application to multiple cases such as software and application patching, kernel version updates, security permissions, etc.
https://aws.amazon.com/blogs/security/how-to-remediate-amazon-inspector-security-findings-automatically/
Bringing it All Together
Patching with latest updates
• Inventory
• State Manager
• Maintenance Window
• Patch Manager
• Automation
Maintain Application Configuration
• Inventory
• State Manager
• Automation
CI/CD pipeline
• Run Command
• State Manager
• Parameter Store
• Automation
Recent Launches
• Systems Manager support for SUSE Linux
• Parameter Store - Tagging, CWE and Hierarchy support
• EC2 Systems Manager | Inventory: S3 Sync
• Patch Manager: Linux Patching
Systems Manager referenceable logos
Where is SSM
In summary...
Hybrid, cross-platform, scalable, secure, easy-to-write automation, reduced TCO
https://aws.amazon.com/blogs/mt/
aws.amazon.com/activate: Everything and Anything Startups Need to Get Started on AWS
Amazon Systems Manager Agent Installation – Linux

Amazon EC2 instances (Amazon Linux, RedHat 6.x, etc.):
mkdir /tmp/ssm
# Read the region from the instance identity document so the matching regional bucket is used
REGION=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document/ | grep "region" | awk -F'"' '{ print $4 }')
curl https://amazon-ssm-$REGION.s3.amazonaws.com/latest/linux_amd64/amazon-ssm-agent.rpm -o /tmp/ssm/amazon-ssm-agent.rpm
sudo yum install -y /tmp/ssm/amazon-ssm-agent.rpm

On-premises servers:
mkdir /tmp/ssm
REGION="eu-west-2" # Specifies the region in which to register the on-premises instances
curl https://amazon-ssm-$REGION.s3.amazonaws.com/latest/linux_amd64/amazon-ssm-agent.rpm -o /tmp/ssm/amazon-ssm-agent.rpm
sudo yum install -y /tmp/ssm/amazon-ssm-agent.rpm
# Register with the activation code and id created in Systems Manager
# (stop/start are Upstart commands; systemd hosts use systemctl instead)
sudo stop amazon-ssm-agent
sudo amazon-ssm-agent -register -code "code" -id "id" -region "$REGION"
sudo start amazon-ssm-agent
Amazon Systems Manager Agent Installation – Windows

Amazon EC2 instances:
Download: https://amazon-ssm-region.s3.amazonaws.com/latest/windows_amd64/AmazonSSMAgentSetup.exe ("region" is a placeholder for the region name)
Restart-Service AmazonSSMAgent

On-premises servers:
$dir = $env:TEMP + "\ssm"
New-Item -ItemType directory -Path $dir
cd $dir
(New-Object System.Net.WebClient).DownloadFile("https://amazon-ssm-region.s3.amazonaws.com/latest/windows_amd64/AmazonSSMAgentSetup.exe", $dir + "\AmazonSSMAgentSetup.exe")
# Silent install that registers the server with the activation code and id created in Systems Manager
Start-Process .\AmazonSSMAgentSetup.exe -ArgumentList @("/q", "/log", "install.log", "CODE=code", "ID=id", "REGION=region") -Wait
# Confirm registration and that the agent service is running
Get-Content ($env:ProgramData + "\Amazon\SSM\InstanceData\registration")
Get-Service -Name "AmazonSSMAgent"
Installation instructions
IAM Role Attachment
Boot-strapping installation – EC2 User Data
Boot-strapping installation – CloudFormation
Server:
  Type: AWS::EC2::Instance
  Metadata:
    AWS::CloudFormation::Init:
      configSets:
        AWSTools:
          - "ssmInstall"
      ssmInstall:
        packages:
          rpm:
            amazon-ssm-agent: https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
        commands:
          01-stopssm:
            command: "stop amazon-ssm-agent"
          02-startssm:
            command: "start amazon-ssm-agent"
  Properties:
    IamInstanceProfile: !Ref EC2SSMProfile
    UserData:
      "Fn::Base64":
        !Sub |
          #!/bin/bash -xe
          yum -y update
          /opt/aws/bin/cfn-init -v --stack "${AWS::StackName}" --resource Server --configsets AWSTools --region ${AWS::Region}
          echo Startup completed.
    ...
Prerequisites
• User IAM access to Amazon EC2 Systems Manager
• For managed EC2 instances: Amazon EC2 instance role
• For managed on-premises instances: AWS IAM service role and an EC2 Systems Manager activation code
• Systems Manager Agent installed on managed instances
• Outbound Internet (https) access for the instance
• The agent is pre-installed in AWS published AMIs
