© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
GPS: Too Many Tools?
Amazon EC2 Systems Manager Bridges Operational Models
Brian Lewis – Solutions Architect
November 27, 2017
GPSTEC307
Many enterprises often bring their traditional
on-premises toolset to manage their cloud and
hybrid environments
What customers have told us:
• Traditional IT toolsets are not designed and built for cloud scale
• Maintaining broader enterprise-wide visibility is challenging
• Management tools licensing costs are too high
• Support for both Linux and Windows is critical
Managing cloud and hybrid environments using a traditional toolset
is complex and costly
Amazon EC2 Systems Manager
Hybrid cloud management at scale
[Diagram: an IT Admin or DevOps Engineer, through Role-based Access Control, manages instances in the AWS cloud and in the corporate data center]
A set of capabilities that:
• Manages thousands of Windows and Linux instances running on Amazon EC2 or on-premises
• Enables automated configuration
• Audits every user action with change tracking
• Carries no additional charge to use
EC2 Systems Manager
Customer benefits:
• Hybrid
• Cross-platform
• Scalable
• Secure
• Easy-to-write automation
• Reduced TCO
Systems Manager capabilities
[Diagram grouping the capabilities under Deploy, Configure, and Administer; Track and Update; and Shared Capabilities]
• Run Command
• State Manager
• Automation
• Inventory
• Patch Manager
• Maintenance Window
• Parameter Store
Run Command
• Runs Linux shell scripts and PowerShell scripts with root privilege
• Easily define new tasks using simple JSON-based documents
• Delegate access, perform audit, receive notifications
• Helps improve security posture
• Eliminates the need to remote in via SSH or RDP
• Uses role-based access control
• Logs activity
Perform administrative tasks remotely at scale
Run Command
Perform administrative tasks remotely at scale
Run Bash or PowerShell scripts that:
• Manage local users and permissions
• Enable or disable remote access (SSH or RDP)
• Configure firewall rules
• Install or update applications
• Perform directory services domain join operations
• Execute third-party configuration management such as DSC, Ansible, and Salt
Run Command
How it works
A lightweight agent (the AWS SSM Agent) runs on each managed server.
You can manage your servers running anywhere (AWS, on-premises, or in another provider’s cloud).
EC2 Systems Manager
SSM Agent
• AWS-supplied AMIs already have the agent installed
• On-premises servers and servers hosted by other cloud providers: the agent needs to be installed and you need to create a managed-instance activation
• The source code for the SSM Agent is available on GitHub and is licensed under the Apache 2.0 License
Amazon EC2 Systems Manager—components
• Run Command
• State Manager
• Inventory
• Maintenance Window
• Patch Manager
• Automation
• Parameter Store
• Documents
EC2 Systems Manager
Documents
    {
      "schemaVersion": "2.0",
      "description": "Installs a Windows Feature",
      "parameters": {
        "feature": {
          "type": "String",
          "description": "Specify a package to install"
        }
      },
      "mainSteps": [ {
        "action": "aws:runPowerShellScript",
        "name": "run",
        "inputs": { "runCommand": [ "Install-WindowsFeature {{feature}}" ] }
      } ]
    }
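Run Command substitutes document parameters straight into a command line that then runs with root or administrator privilege, so the document's parameter definitions are the place to constrain what a caller may pass. This added example (my code, not the deck's or AWS's) takes the deck's document with the runCommand input key the aws:runPowerShellScript step uses, adds a hypothetical allowedPattern, and validates and renders parameters offline the way SSM does before dispatching the command.

```python
import re

# Added example, not from the deck: the deck's Run Command document with a hypothetical
# allowedPattern added so the parameter cannot carry shell metacharacters (Run Command
# executes the rendered line with root or administrator privilege).
INSTALL_FEATURE_DOC = {
    "schemaVersion": "2.0",
    "description": "Installs a Windows Feature",
    "parameters": {
        "feature": {
            "type": "String",
            "description": "Specify a package to install",
            # assumption: Windows feature names are alphanumeric with dashes
            "allowedPattern": "^[A-Za-z0-9-]{1,64}$",
        }
    },
    "mainSteps": [{
        "action": "aws:runPowerShellScript",
        "name": "run",
        "inputs": {"runCommand": ["Install-WindowsFeature {{feature}}"]},
    }],
}

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")


def validate_parameters(doc, params):
    """Check supplied params against the document's parameter definitions.

    Mirrors what SSM checks before a document runs: unknown names are rejected,
    parameters without a default must be supplied, and a value must satisfy
    allowedPattern / allowedValues when declared. Returns a list of problems.
    """
    problems = []
    defs = doc.get("parameters", {})
    for name in params:
        if name not in defs:
            problems.append(f"unknown parameter: {name}")
    for name, spec in defs.items():
        if name not in params:
            if "default" not in spec:
                problems.append(f"missing required parameter: {name}")
            continue
        value = params[name]
        if not isinstance(value, str):  # only the String type is handled here
            problems.append(f"{name}: expected a string")
            continue
        pattern = spec.get("allowedPattern")
        if pattern and not re.fullmatch(pattern, value):
            problems.append(f"{name}: value does not match allowedPattern")
        allowed = spec.get("allowedValues")
        if allowed and value not in allowed:
            problems.append(f"{name}: value not in allowedValues")
    return problems


def render_commands(doc, params):
    """Substitute {{name}} placeholders in every runCommand line, after validation."""
    problems = validate_parameters(doc, params)
    if problems:
        raise ValueError("; ".join(problems))
    merged = {n: s.get("default") for n, s in doc["parameters"].items()}
    merged.update(params)
    return [PLACEHOLDER.sub(lambda m: str(merged[m.group(1)]), line)
            for step in doc["mainSteps"] for line in step["inputs"]["runCommand"]]
```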
Traditional remote management architecture
[Diagram: remote users reach Remote Desktop Gateways (RDGW) in the public subnets of two Availability Zones through an Internet gateway; each Availability Zone also has a VPC NAT gateway, and the private subnets hold IIS Web and IIS App tiers in an Auto Scaling group, AWS Directory Service, and MS SQL in an Always On Availability Group]
Demo
Using Run Command to turn off SSH and RDP
Patch Manager
• Express custom patch policies as patch baselines
(for example, apply critical patches on day one, but wait seven days for non-critical
patches)
• Perform patching during scheduled maintenance windows
• Eliminates manual intervention and reduces time-to-deploy for
critical updates and zero-day vulnerabilities
• Built-in patch compliance reporting
Roll out Windows OS patches using custom-defined rules and
pre-scheduled maintenance windows
Patch Manager—getting started
1. Create a Patch Baseline to define approved patches
2. Create a Maintenance Window to schedule patching for a set of instances
3. Maintenance Window executes patching
4. Audit results with Patch Compliance
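As an added example (my code, not the deck's or AWS's), the patch policy from the two Patch Manager slides above expressed as baseline approval rules, with an offline evaluator that shows which constructed sample patches a baseline would approve on a given day and which of them an instance is still missing, the compliance view the last step audits. The rule values assume "critical" means MSRC severity Critical; patch ids and dates are made up.

```python
from datetime import date, timedelta

# Added example, not from the deck. APPROVAL_RULES is shaped like the ApprovalRules
# block a patch baseline accepts (PatchFilterGroup / ApproveAfterDays / ComplianceLevel)
# and encodes the deck's policy: critical patches on day one, everything else after
# seven days. Assumption: "critical" means MSRC severity Critical.
APPROVAL_RULES = {"PatchRules": [
    {"PatchFilterGroup": {"PatchFilters": [{"Key": "MSRC_SEVERITY", "Values": ["Critical"]}]},
     "ApproveAfterDays": 0, "ComplianceLevel": "CRITICAL"},
    {"PatchFilterGroup": {"PatchFilters": [{"Key": "CLASSIFICATION", "Values": ["*"]}]},
     "ApproveAfterDays": 7, "ComplianceLevel": "MEDIUM"},
]}

# Constructed sample of what a patch scan might report for one Windows instance
# (ids and dates are made up; ReleaseDate is an ISO date string).
SAMPLE_PATCHES = [
    {"Id": "KB-EXAMPLE-1", "CLASSIFICATION": "SecurityUpdates",
     "MSRC_SEVERITY": "Critical", "ReleaseDate": "2017-11-26"},
    {"Id": "KB-EXAMPLE-2", "CLASSIFICATION": "SecurityUpdates",
     "MSRC_SEVERITY": "Important", "ReleaseDate": "2017-11-22"},
    {"Id": "KB-EXAMPLE-3", "CLASSIFICATION": "UpdateRollups",
     "MSRC_SEVERITY": "Unspecified", "ReleaseDate": "2017-11-14"},
]


def rule_matches(rule, patch):
    """Every filter in the PatchFilterGroup must match; '*' matches any value."""
    return all(
        "*" in f["Values"] or patch.get(f["Key"]) in f["Values"]
        for f in rule["PatchFilterGroup"]["PatchFilters"]
    )


def approved_patches(rules, patches, today):
    """Return {patch id: compliance level} for patches approved as of `today` (ISO date).

    Simplified model of baseline evaluation: the first rule a patch matches decides,
    and approval takes effect once ApproveAfterDays have elapsed since release.
    """
    as_of = date.fromisoformat(today)
    approved = {}
    for patch in patches:
        for rule in rules["PatchRules"]:
            if rule_matches(rule, patch):
                released = date.fromisoformat(patch["ReleaseDate"])
                if released + timedelta(days=rule["ApproveAfterDays"]) <= as_of:
                    approved[patch["Id"]] = rule["ComplianceLevel"]
                break
    return approved


def missing_patches(rules, patches, installed_ids, today):
    """Patch compliance view: approved patches the instance has not installed yet."""
    return {pid: level
            for pid, level in approved_patches(rules, patches, today).items()
            if pid not in installed_ids}
```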
Inventory
With Inventory, you can gather:
• Instance and OS details
• Network configuration
• Installed software and patches
• Collect anything you want—it’s customizable!
Common customer use scenarios:
• Tracking application licensing usage
• Auditing how many 2016 MS SQL servers we run
• Identifying unpatched servers and applications
• Are we running any old BIND 8 DNS servers?
• Watching for changes over time
A scalable way of collecting, querying, and auditing
Inventory—system diagram
[Diagram: the SSM Agent on EC2 Windows, EC2 Linux, and on-premises instances reports to the AWS SSM Service, where State Manager runs the EC2 Inventory SSM document; results land in the Inventory Store and are queried from the EC2 Console, the SSM CLI/APIs, or AWS Config (Console + CLI/APIs)]
Maintenance window
• Define one or more recurring windows of time during which it is
acceptable for disruptive actions to occur
• Built-in integration with Run Command and Patch Manager
• Helps improve availability and reliability of your workloads by
automatically performing tasks in a well-defined window of time
Schedule disruptive tasks in a well-defined timeframe
Demo
Inventory:
• Define a policy—for inventory
• Set your maintenance window for inventory to run
Automation Service
• Workflows are automation steps in a JSON-based document
• Support for Run Command, Lambda functions
• Eliminate the busy work in managing golden enterprise images
The Automation Service is optimized for building and maintaining Amazon Machine
Images (AMIs)
• Start with an AMI → perform automation steps like OS patching and drive updates → produce a new AMI
• Reproduce your image exactly the same way every time!
Automate common tasks using simplified workflows
State Manager
• Define new policies using simple JSON-based documents
• Control how and when a configuration is applied and maintained
• Enforces enterprise-wide compliance of configuration policies
For example:
• Configuring firewall rules
• Updating anti-malware definitions
• Avoid compliance drift—keep settings constant
Maintain a consistent configuration of OS and applications
State Manager
Manage configuration drift
[Diagram: State Manager applying a configuration policy to managed instances]
• Control configuration details such as antivirus settings, iptables, and so on
• Compare actual deployments against the specified configuration policy
• Automatically reapply policies if state drift is detected
Parameter Store
• Encrypt sensitive information using your own KMS keys
• Eliminates ongoing maintenance challenges:
  • Securing credentials needed in scripts
  • Updating multiple scripts with new values
• Parameters are referenceable via:
  • Run Command
  • State Manager
  • Automation Service
  • AWS CLI
Centralized management of passwords and connection strings
Parameter Store
[Diagram: instances and secrets flow through Parameter Store, which emits change notifications]
• Raise your security profile by managing secrets and configuration data separately from code
• Store parameters in hierarchies, track versions, and dynamically reference them from APIs
• Granularly control and audit access at parameter, tag, and path levels
• Set up change notifications and trigger automated actions
Centralized management of passwords and connection strings
Demo
Parameter Store
License key—or password
Systems Manager-supported OSs
64-Bit and 32-Bit Systems
• Amazon Linux 2014.09, 2014.03, or later
• Ubuntu Server 16.04 LTS, 14.04 LTS, or 12.04 LTS
• Red Hat Enterprise Linux (RHEL) 6.5 or later
• CentOS 6.3 or later
• Windows Server 2003 - 2016, including all R2 versions
64-Bit Systems Only
• Amazon Linux 2015.09, 2015.03, or later
• Red Hat Enterprise Linux (RHEL) 7.x or later
• CentOS 7.1 or later
Linux and Windows
Summary: EC2 Systems Manager
[Diagram grouping the capabilities under Deploy, Configure, and Administer; Track and Update; and Shared Capabilities]
• Run Command
• State Manager
• Automation
• Inventory
• Patch Manager
• Maintenance Window
• Parameter Store
Available at no cost to manage both your EC2 and on-premises resources
THANK YOU!
EC2 Systems Manager
GPSTEC307