AWS Systems Manager Cheat Sheet

• Allows you to centralize operational data from multiple AWS services and automate tasks across your AWS resources.

Features

• Create logical groups of resources such as applications, different layers of an application stack, or production versus development environments.
• You can select a resource group and view its recent API activity, resource configuration changes, related notifications, operational alerts, software inventory, and patch compliance status.
• Collects information about your instances and the software installed on them.
• Allows you to safely automate common and repetitive IT operations and management tasks across AWS resources.
• Provides a browser-based interactive shell and CLI for managing Windows and Linux EC2 instances, without the need to open inbound ports, manage SSH keys, or use bastion hosts. Administrators can grant and revoke access to instances through a central location by using IAM policies.
• Helps ensure that your software is up-to-date and meets your compliance policies.
• Lets you schedule windows of time to run administrative and maintenance tasks across your instances.

SSM Agent is the tool that processes Systems Manager requests and configures your machine as specified in the request. SSM Agent must be installed on each instance you want to use with Systems Manager. On newer AMIs and instance types, SSM Agent is installed by default. On older versions, you must install it manually.

Capabilities

• Automation
  • Allows you to safely automate common and repetitive IT operations and management tasks across AWS resources
  • A step is defined as an initiated action performed in the Automation execution on a per-target basis. You can execute the entire Systems Manager automation document in one action or choose to execute one step at a time.
  • Concepts
    • • Automation document – defines the Automation workflow.
      • Automation action – the Automation workflow includes one or more steps. Each step is associated with a particular action or plugin. The action determines the inputs, behavior, and outputs of the step.
      • Automation queue – if you attempt to run more than 25 Automations simultaneously, Systems Manager adds the additional executions to a queue and displays a status of Pending. When an Automation reaches a terminal state, the first execution in the queue starts.
  • You can schedule Systems Manager automation document execution.
• Resource Groups
  • A collection of AWS resources that are all in the same AWS region, and that match criteria provided in a query.
  • Use Systems Manager tools such as Automation to simplify management tasks on your groups of resources. You can also use groups as the basis for viewing monitoring and configuration insights in Systems Manager.
• Built-in Insights
  • Show detailed information about a single, selected resource group.
  • Includes recent API calls through CloudTrail, recent configuration changes through Config, Instance software inventory listings, instance patch compliance views, and instance configuration compliance views.
• Systems Manager Activation
  • Enable hybrid and cross-cloud management. You can register any server, whether physical or virtual to be managed by Systems Manager.
• Inventory Manager
  • Automates the process of collecting software inventory from managed instances.
  • You specify the type of metadata to collect, the instances from where the metadata should be collected, and a schedule for metadata collection.
• Configuration Compliance
  • Scans your fleet of managed instances for patch compliance and configuration inconsistencies.
  • View compliance history and change tracking for Patch Manager patching data and State Manager associations by using AWS Config.
  • Customize Systems Manager Compliance to create your own compliance types.
• Run Command
  • Remotely and securely manage the configuration of your managed instances at scale.
  • Managed Instances – any EC2 instance or on-premises server or virtual machine in your hybrid environment that is configured for Systems Manager.
• Session Manager
  • Manage your EC2 instances through an interactive one-click browser-based shell or through the AWS CLI.
  • Makes it easy to comply with corporate policies that require controlled access to instances, strict security practices, and fully auditable logs with instance access details, while still providing end users with simple one-click cross-platform access to your Amazon EC2 instances.
  • You can use AWS Systems Manager Session Manager to tunnel SSH (Secure Shell) and SCP (Secure Copy) traffic between a client and a server.
• Distributor
  • Lets you package your own software or find AWS-provided agent software packages to install on Systems Manager managed instances.
  • After you create a package in Distributor, which creates an Systems Manager document, you can install the package in one of the following ways.
    • • One time by using Systems Manager Run Command.
      • On a schedule by using Systems Manager State Manager.
• Patch Manager
  • Automate the process of patching your managed instances.
  • Enables you to scan instances for missing patches and apply missing patches individually or to large groups of instances by using EC2 instance tags.
  • For security patches, Patch Manager uses patch baselines that include rules for auto-approving patches within days of their release, as well as a list of approved and rejected patches.
  • You can use AWS Systems Manager Patch Manager to select and apply Microsoft application patches automatically across your Amazon EC2 or on-premises instances.
  • AWS Systems Manager Patch Manager includes common vulnerability identifiers (CVE ID). CVE IDs can help you identify security vulnerabilities within your fleet and recommend patches.
  • You can configure actions to be performed on a managed instance before and after installing patches.
• Maintenance Window
  • Set up recurring schedules for managed instances to execute administrative tasks like installing patches and updates without interrupting business-critical operations.
  • Supports running four types of tasks:
    • • Systems Manager Run Command commands
      • Systems Manager Automation workflows
      • AWS Lambda functions
      • AWS Step Functions tasks
  • Each maintenance window contains a schedule, maximum duration, set of targets and tasks.
• Systems Manager Document (SSM)
  • Defines the actions that Systems Manager performs.
  • Types of SSM Documents

• • Can be in JSON or YAML.
  • You can create and save different versions of documents. You can then specify a default version for each document.
  • If you want to customize the steps and actions in a document, you can create your own.
  • You can tag your documents to help you quickly identify one or more documents based on the tags you’ve assigned to them.
• State Manager
  • A service that automates the process of keeping your EC2 and hybrid infrastructure in a state that you define.
  • A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. The association also specifies actions to take when applying the configuration.
• Parameter Store
  • Provides secure, hierarchical storage for configuration data and secrets management.
  • You can store values as plain text or encrypted data with SecureString.
  • Parameters work with Systems Manager capabilities such as Run Command, State Manager, and Automation.
• OpsCenter
  • OpsCenter helps you view, investigate, and resolve operational issues related to your environment from a central location.
  • OpsCenter complements existing case management systems by enabling integrations via Amazon Simple Notification Service (SNS) and public AWS SDKs. By aggregating information from AWS Config, AWS CloudTrail logs, resource descriptions, and Amazon CloudWatch Events, OpsCenter helps you reduce the mean time to resolution (MTTR) of incidents, alarms, and operational tasks.
• Change Manager
  • An enterprise change management framework for requesting, approving, implementing, and reporting on operational changes to your application configuration and infrastructure.
  • From a single delegated administrator account, if you use AWS Organizations, you can manage changes across multiple AWS accounts and across AWS Regions. Alternatively, using a local account, you can manage changes for a single AWS account.
  • Can be used for both AWS and on-premises resources.
  • For each change template, you can add up to five levels of approvers. When it’s time to implement an approved change, Change Manager runs the Automation runbook that is specified in the associated change request.
• Incident Manager
  • Mitigate and recover from incidents affecting your AWS-hosted applications
  • Incident lifecycle phases:
    • Alerting and engagement
    • Triage
    • Investigation and mitigation
    • Post-incident analysis
• Explorer
  • A customizable operations dashboard to display the following information:
    • Operations data (OpsData)
    • Operational work items (OpsItems)
  • Supports the display of multiple-account or regions.
  • Reports can be exported to Amazon S3 bucket.
• AppConfig
  • Create, manage, and deploy application configurations rapidly.
  • Supports controlled deployments to applications, including built-in validation checks and monitoring.
• Application Manager
  • Helps investigate and remediate issues with AWS resources.
  • Displays many types of operations information in the context of an application.
• Fleet Manager
  • Remotely manage nodes running on AWS or on-premises.
    • Node fleet
    • Amazon ECS clusters
  • Monitor the health and performance of your entire server fleet.
• Compliance
  • Scan a fleet of managed nodes for patch compliance and inconsistencies in configuration.
  • Provides current compliance data regarding patching in Patch Manager and associations in State Manager.
  • Generate fleet-wide reports by porting data to Amazon Athena and QuickSight.

AWS Systems Manager Monitoring

• SSM Agent writes information about executions, scheduled actions, errors, and health statuses to log files on each instance. For more efficient instance monitoring, you can configure either SSM Agent itself or the CloudWatch Agent to send this log data to CloudWatch Logs.
• Using CloudWatch Logs, you can monitor log data in real-time, search and filter log data by creating one or more metric filters, and archive and retrieve historical data when you need it.
• Log System Manager API calls with CloudTrail.
• You can use Amazon EventBridge to perform a target event when any changes or other conditions occur.
• You can use Amazon SNS to provide notifications about the status of commands sent via Run Command or Maintenance Windows.

AWS Systems Manager Security

• Systems Managers is linked directly to IAM for access controls.

AWS Systems Manager Pricing

• For your own packages, you pay only for what you use. Upon transferring a package into Distributor, you will be charged based on the size and duration of storage for that package, the number of Get and Describe API calls made, and the amount of out-of-Region and on-premises data transfer out of Distributor for those packages.
• You are charged based on the following:
  • Number and type of Automation steps. 
  • Number of OpsItems, change requests, and API requests.
  • OpsItems created and runbook steps executed.
  • Number of configuration requests and received.
  • Number of advanced parameters stored and instances activated.

Controlling User Session Access to Instances in AWS System Manager Session Manager:

Validate Your Knowledge

Question 1

A company has production, development, and test environments in its software development department, and each environment contains tens to hundreds of EC2 instances, along with other AWS services. Recently, Ubuntu released a series of security patches for a critical flaw that was detected in their OS. Although this is an urgent matter, there is no guarantee yet that these patches will be bug-free and production-ready hence, the company must immediately patch all of its affected Amazon EC2 instances in all the environments, except for the production environment. The EC2 instances in the production environment will only be patched after it has been verified that the patches work effectively. Each environment also has different baseline patch requirements that needed to be satisfied.

Using the AWS Systems Manager service, how should you perform this task with the least amount of effort?

1. Tag each instance based on its environment and OS. Create various shell scripts for each environment that specifies which patch will serve as its baseline. Using AWS Systems Manager Run Command, place the EC2 instances into Target Groups and execute the script corresponding to each Target Group.
2. Tag each instance based on its OS. Create a patch baseline in AWS Systems Manager Patch Manager for each environment. Categorize EC2 instances based on their tags using Patch Groups and then apply the patches specified in the corresponding patch baseline to each Patch Group. Afterward, verify that the patches have been installed correctly using Patch Compliance. Record the changes to patch and association compliance statuses using AWS Config.
3. Tag each instance based on its environment and OS. Create a patch baseline in AWS Systems Manager Patch Manager for each environment. Categorize EC2 instances based on their tags using Patch Groups and apply the patches specified in the corresponding patch baseline to each Patch Group.
4. Schedule a maintenance period in AWS Systems Manager Maintenance Windows for each environment, where the period is after business hours so as not to affect daily operations. During the maintenance period, Systems Manager will execute a cron job that will install the required patches for each EC2 instance in each environment. After that, verify in Systems Manager Managed Instances that your environments are fully patched and compliant.

Show me the answer!

Correct Answer: 3

AWS Systems Manager Patch Manager automates the process of patching managed instances with security-related updates. For Linux-based instances, you can also install patches for non-security updates. You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type.

Patch Manager uses patch baselines, which include rules for auto-approving patches within days of their release, as well as a list of approved and rejected patches. You can install patches on a regular basis by scheduling patching to run as a Systems Manager Maintenance Window task. You can also install patches individually or to large groups of instances by using Amazon EC2 tags. For each auto-approval rule that you create, you can specify an auto-approval delay. This delay is the number of days of wait after the patch was released, before the patch is automatically approved for patching.

A patch group is an optional means of organizing instances for patching. For example, you can create patch groups for different operating systems (Linux or Windows), different environments (Development, Test, and Production), or different server functions (web servers, file servers, databases). Patch groups can help you avoid deploying patches to the wrong set of instances. They can also help you avoid deploying patches before they have been adequately tested. You create a patch group by using Amazon EC2 tags. Unlike other tagging scenarios across Systems Manager, a patch group must be defined with the tag key: Patch Group. After you create a patch group and tag instances, you can register the patch group with a patch baseline. By registering the patch group with a patch baseline, you ensure that the correct patches are installed during the patching execution.

Hence, the correct answer is: Tag each instance based on its environment and OS. Create a patch baseline in AWS Systems Manager Patch Manager for each environment. Categorize EC2 instances based on their tags using Patch Groups and apply the patches specified in the corresponding patch baseline to each Patch Group. 

The option that says: Tag each instance based on its environment and OS. Create various shell scripts for each environment that specifies which patch will serve as its baseline. Using AWS Systems Manager Run Command, place the EC2 instances into Target Groups and execute the script corresponding to each Target Group is incorrect as this option takes more effort to perform because you are using Systems Manager Run Command instead of Patch Manager. The Run Command service enables you to automate common administrative tasks and perform ad hoc configuration changes at scale, however, it takes a lot of effort to implement this solution. You can use Patch Manager instead to perform the task required by the scenario since you need to perform this task with the least amount of effort.

The option that says: Tag each instance based on its OS. Create a patch baseline in AWS Systems Manager Patch Manager for each environment. Categorize EC2 instances based on their tags using Patch Groups and then apply the patches specified in the corresponding patch baseline to each Patch Group. Afterward, verify that the patches have been installed correctly using Patch Compliance. Record the changes to patch and association compliance statuses using AWS Config is incorrect. You should be tagging instances based on the environment and its OS type in which they belong and not just its OS type. This is because the type of patches that will be applied varies between the different environments. With this option, the Ubuntu EC2 instances in all of your environments, including in production, will automatically be patched.

The option that says: Schedule a maintenance period in AWS Systems Manager Maintenance Windows for each environment, where the period is after business hours so as not to affect daily operations. During the maintenance period, Systems Manager will execute a cron job that will install the required patches for each EC2 instance in each environment. After that, verify in Systems Manager Managed Instances that your environments are fully patched and compliant is incorrect because this is not the simplest way to address the issue using AWS Systems Manager. The AWS Systems Manager Maintenance Windows feature lets you define a schedule for when to perform potentially disruptive actions on your instances such as patching an operating system, updating drivers, or installing software or patches. Each Maintenance Window has a schedule, a maximum duration, a set of registered targets (the instances that are acted upon), and a set of registered tasks. Although this solution may work, it entails a lot of configuration and effort to implement.

References:

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html
https://aws.amazon.com/blogs/mt/patching-your-windows-ec2-instances-using-aws-systems-manager-patch-manager/

Note: This question was extracted from our AWS Certified Solutions Architect Professional Practice Exams.

Question 2

A privately funded aerospace and sub-orbital spaceflight services company hosts its rapidly evolving applications in AWS. For its deployment process, the company is using CloudFormation templates which are regularly updated to map the latest AMI IDs for its Amazon EC2 instances clusters. It takes a lot of time to execute this on a regular basis which is why the solutions architect has been instructed to automate this process.

Which of the following options is the most suitable solution that can satisfy the above requirements?

1. Configure your Systems Manager State Manager to store the latest AMI IDs and integrate them with your CloudFormation template. Call the update-stack API in CloudFormation whenever you decide to update the EC2 instances in your CloudFormation template.
2. Use a combination of AWS Service Catalog with AWS Config to automatically fetch the latest AMI and use it for succeeding deployments.
3. Use CloudFormation with AWS Service Catalog to fetch the latest AMI IDs and automatically use them for succeeding deployments.
4. Use CloudFormation with Systems Manager Parameter Store to retrieve the latest AMI IDs for your template. Whenever you decide to update the EC2 instances, call the update-stack API in CloudFormation in your CloudFormation template.

For more AWS practice exam questions with detailed explanations, visit the Tutorials Dojo Portal:

AWS Systems Manager Cheat Sheet References:

https://docs.aws.amazon.com/systems-manager/latest/userguide
https://aws.amazon.com/systems-manager/features/
https://aws.amazon.com/systems-manager/pricing/
https://aws.amazon.com/systems-manager/faq/