Whether you are a traditional enterprise exploring migrating workloads to the cloud or are already “all-in” on AWS, performing common tasks of inventory collection, OS patch management, and image creation at scale is increasingly complicated in hybrid infrastructure environments. Amazon EC2 Systems Manager allows you to perform automated configuration and ongoing management of your hybrid environment systems at scale. This session provides an overview of key EC2 Systems Manager capabilities that help you define and track system configurations, prevent drift, and maintain software compliance of your EC2 and on-premises configurations. We will also discuss common use cases for EC2 Systems Manager and give you a demonstration of a hybrid-cloud management scenario.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ananth Vaidyanathan, Sr. Product Manager
August 14, 2017
Deep Dive with
Amazon EC2 Systems Manager
Fleet Management Automation

2. Customer challenges
Traditional IT toolset
not built for cloud
scale infrastructure
Maintaining
enterprise-wide
visibility is challenging
Deploying multiple
products is a
significant overhead
Licensing costs &
complexity
Managing cloud and hybrid environments using
a traditional toolset is complex and costly
Customers IT infrastructure is increasingly spread across on-premises and in
the private and public cloud

3. Introducing Amazon EC2 Systems Manager
A set of capabilities that...
... provide insights and compliance
...safe and secure operations
...enable automated configuration with granular control...
...across all of your Windows and Linux workloads...
...running on Amazon EC2 or on-premises…
...at no additional charge

4. Why should I care?
Manage hybrid
Architecture
Cross-platform
(Windows/Linux)
Scalable and
auditable
Improve security
and compliance
Easily automate
repetitive tasks
Reduce TCO

5. Systems Manager Customers and Partners

6. Amazon EC2 Systems Manager – components
Run Command State Manager Inventory Maintenance Window
Patch Manager Automation Parameter StoreParameter Store Documents

7. Amazon EC2 Systems Manager Services
Service Description
Run Command Safely automate common administrative tasks on your instances at scale without
SSH or RDP access
Inventory Collect and query software inventory
Patch Manager Select and deploy OS patches automatically
State Manager Define and maintain consistent OS configurations such as firewall settings and anti-
malware definitions to comply with policies
Maintenance
Windows
Create recurring time windows to run administrative or any disruptive tasks
Automation Create streamlined workflows to update Amazon Machine Images (AMI) for
example
Parameter Store Centralized location to store, control access, and easily reference configuration
data and secrets
Documents Easily author configurations use across Systems Manager services

8. What is a Document?
{
"schemaVersion":"2.2",
"description":"Cross-platform demo document",
"mainSteps": [
{
"action":"aws:runPowerShellScript",
"precondition": {
"StringEquals": ["platformType", "Windows"]
},
"name":"WindowsOpenPorts",
"inputs": {
"runCommand": ["netstat -a"]
}
},
{
"action":"aws:runShellScript",
"precondition": {
"StringEquals": ["platformType", "Linux"]
},
"name":"LinuxOpenPorts",
"inputs": {
"runCommand": ["netstat -lntu"]
}
}
]
}
• Written in JSON and consist of
steps executed in sequence
• Documents can be versioned
(also support $DEFAULT and
$LATEST)
• Cross-platform
• Share documents across
accounts or share publicly to the
community

9. Safe and secure ops at scale without SSH/RDP
• Remotely manage thousands of
Windows and Linux instances running on
Amazon EC2 or on-premises
• Control user actions and scope with
secure, granular access control
• Safely execute changes with rate control
to reduce blast radius
• Audit every user action with change
tracking
AWS cloud
corporate data
center
IT Admin, DevOps
Engineer
Role-based Access
Control

10. Maintain Software Compliance, Reduce Risk
• Bootstrap instances on launch with image
builds that are compliant
• Roll out Windows and Linux patches
based on corporate policies and org-wide
maintenance windows
• Get notified on malwares (e.g. Petya
ransomware), vulnerabilities, blacklisted
apps with recommended actions
Create compliant
software images
Deploy instances
Automate online patch
management

11. Automate using extensible framework
• Generic framework to express your
workflow as automation steps
• Automate golden image creation
• Fix unreachable EC2 instances
• Reset forgotten passwords
• Create custom workflows
Automation
Document
Run the automation
Role and permissioninput

12. Maintain updated view of software inventory
• Discover inventory across accounts
• EC2 instances and OS details
• Installed software and patches
• List of files, network configuration
• Custom inventory types
• Audit software, maintain historical
record of changes using AWS Config
• Identify zero-day vulnerabilities
• Create data lake in Amazon S3
bucket for analytics
AWS cloud
Corporate data
center
Amazon
Athena queries
Amazon
QuickSight
Amazon S3
data lake
Custom
Analytic Tool
Multi-account,
across regions

13. Manage configuration drift
• Control configuration details such as
anti-virus settings, iptables, etc.
• Compare actual deployments against
specified configuration policy
• Automatically re-apply policies if state
drift is detected
• OS changes
• Local users and permissions
State
Manager
instances
Document

14. Store and retrieve configuration secrets
• Store any configuration data or
parameter in hierarchies with RBAC
• Option to encrypt secret data like
passwords using KMS
• Enforce password policies using
parameter lifetime and change
notifications
• Use across AWS services such as
Lambda, AWS CodeDeploy, and ECS
parameter
store
instances
secrets
Change
Notification
No more storing secrets in plain text!

15. Cross-account view of Inventory
• S3 as a data lake: Sync Inventory data across regions and accounts
to a single S3 bucket
• Use Athena and/or QuickSight to query software inventory
information

16. Other use cases for Systems Manager
• Run PowerShell DSC, Ansible Playbooks or Salt States on SSM
• Eliminate need for bastion hosts; simplify your architecture
• Instance health monitoring, system checks
• Joining instances securely to a domain
• Take scheduled VSS snapshots of your instances
• Collect logs from terminating instances in an Auto Scaling Group

17. Demo!

18. Partner and open source ecosystem
• Enables partners to build monetizable value-added solutions like
HIPAA and PCI compliance, custom compliance reporting
• All services available through API/CLI/SDKs to support custom
workflows
• Systems Manager agent is open sourced and allows community to
build custom data collectors
• Configuration platform: support for Ansible Playbooks/Salt
States/PowerShell DSC with improved security

19. FAQs
• Does Systems Manager require an agent?
• How often do I update the agent?
• What kind of IAM policy is needed to get started?
• How do I use SSM to set up on-premises servers or VMs?
• What OS platforms are supported?
• Supported Linux operating systems:
• Amazon Linux 2014.03 and later
• Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS
• RHEL 6.5+, CentOS 6.3+, SUSE 12+
• Supported Windows operating systems:
• Windows Server 2003+, including R2 versions
• Do instances need network access?

20. Links
• Learn more at https://aws.amazon.com/ec2/systems-
manager/
• AWS Blog –
https://aws.amazon.com/blogs/aws/category/amazon-
ec2-systems-manager/
• AWS Management Tools Blog –
https://aws.amazon.com/blogs/mt/

21. Ananth Vaidyanathan
Sr. Product Manager
E: ananva@amazon.com
https://aws.amazon.com/ec2/systems-manager/