Friday, 18 October 2019

Introducing AWS Systems Manager

Systems Manager is an AWS service for viewing and controlling your AWS infrastructure. The Systems Manager console lets you view operational data from multiple AWS services and perform operational tasks on the selected AWS resources.

Basic Terms :
  • Managed Instance : A system, machine or instance that is configured under AWS Systems Manager is a Managed Instance.
  • Session Manager : A managed service that gives single-click shell access to your AWS resources without any open inbound port, SSH key or bastion host.
  • Command Document : The type of operation you will perform or the command you want to run. Ex. AWS-RunShellScript, AWS-ApplyPatchBaseline, etc.
  • Maintenance Window : A schedule during which the specified operation will be performed, hence the name Maintenance Window.

Pre-requisites :
  • The SSM Agent must be installed on the desired EC2 instance, VM or on-premises server.
  • The SSM Agent is already installed on AMIs such as Amazon Linux, Amazon Linux 2, Ubuntu Server 16.04 and Ubuntu Server 18.04.
  • The source code for the SSM Agent is available on GitHub, so you can adapt the agent to meet your needs.

Basic Use Cases of Systems Manager :
  • Run Command
  • Patch Manager

Run Command
Run Command lets you perform common administrative tasks on managed instances.

Configuration of Run Command for a managed instance :
Steps :
  1. Create an IAM Role with the type of trusted entity set to “EC2”.
  2. Attach the policy “AmazonEC2RoleforSSM” to the user.
  3. Launch an EC2 instance and select the created role while configuring the instance.
  4. Go to “Managed Instances” in Systems Manager and select the desired instance.
  5. Click on Actions and select the “Run Command” option.
  6. You will be redirected to a page showing “Command document”, where you can select the type of command you wish to execute. Ex. AWS-RunShellScript
  7. Under “Command Parameters”, put the script or commands to be executed on the server. Ex. df -h
  8. Optional: You can store the output in a desired S3 bucket.
  9. Optional: You can trigger SNS notifications for the status of the command execution.
  10. Click on “Run Command” to execute the command parameters.
A new page will open, where you can see the status of the job you configured.
In the command history you can also see the execution history.
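To show what the console steps above correspond to outside the console, here is an added Python example written for this post (not code from the original post or from AWS). It assembles the same Run Command request for boto3's ssm.send_command(): the AWS-RunShellScript document with the command parameters, the optional S3 output location, the optional SNS notification, and a small summary of the command history. The tag key, bucket name, topic ARN and role ARN are placeholder assumptions, and the invocation records at the bottom are constructed sample data.

```python
"""Assemble an SSM Run Command request matching the console steps above.

Added example (not from the original post): pure functions build the
argument dict that boto3's ssm.send_command() accepts, so the request can
be inspected and validated before any AWS call is made. boto3 is imported
only inside main(); the builders run offline.
"""
import json
from collections import Counter
from typing import Dict, List, Optional


def ec2_trust_policy() -> str:
    """Step 1: trust policy for the instance role (trusted entity = EC2)."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    })


def build_run_command(commands: List[str], tag_key: str, tag_values: List[str],
                      s3_bucket: Optional[str] = None, s3_prefix: Optional[str] = None,
                      sns_topic_arn: Optional[str] = None,
                      service_role_arn: Optional[str] = None,
                      timeout_seconds: int = 600) -> Dict:
    """Steps 6-9: AWS-RunShellScript with command parameters, optional S3
    output and optional SNS notification. Targets by tag rather than by
    instance ID so the same request keeps working as the fleet changes."""
    if not commands or any(not c.strip() for c in commands):
        raise ValueError("at least one non-empty command is required")
    if not 5 <= timeout_seconds <= 172800:  # executionTimeout range of the document
        raise ValueError("executionTimeout must be between 5 and 172800 seconds")
    if sns_topic_arn and not service_role_arn:
        # SSM needs a role it can assume in order to publish to the topic.
        raise ValueError("an SNS notification requires service_role_arn")
    request: Dict = {
        "DocumentName": "AWS-RunShellScript",
        "Targets": [{"Key": f"tag:{tag_key}", "Values": tag_values}],
        "Parameters": {
            "commands": commands,
            "executionTimeout": [str(timeout_seconds)],
        },
    }
    if s3_bucket:
        request["OutputS3BucketName"] = s3_bucket
        if s3_prefix:
            request["OutputS3KeyPrefix"] = s3_prefix
    if sns_topic_arn:
        request["ServiceRoleArn"] = service_role_arn
        request["NotificationConfig"] = {
            "NotificationArn": sns_topic_arn,
            "NotificationEvents": ["Success", "Failed", "TimedOut"],
            "NotificationType": "Command",
        }
    return request


def summarize_history(invocations: List[Dict]) -> Dict[str, int]:
    """Count per-instance statuses, as shown on the command history page;
    input is the 'CommandInvocations' list from ssm.list_command_invocations()."""
    return dict(Counter(inv["Status"] for inv in invocations))


# Constructed sample of what list_command_invocations() returns (not real data).
SAMPLE_INVOCATIONS = [
    {"CommandId": "cmd-example-1", "InstanceId": "i-0aaa000000000001", "Status": "Success"},
    {"CommandId": "cmd-example-1", "InstanceId": "i-0aaa000000000002", "Status": "Success"},
    {"CommandId": "cmd-example-1", "InstanceId": "i-0aaa000000000003", "Status": "Failed"},
]


def main() -> None:
    # Placeholder names; replace with your own bucket, topic and role.
    request = build_run_command(
        ["df -h"], tag_key="Env", tag_values=["prod"],
        s3_bucket="example-ssm-output-bucket", s3_prefix="run-command/",
        sns_topic_arn="arn:aws:sns:us-east-1:123456789012:ssm-command-status",
        service_role_arn="arn:aws:iam::123456789012:role/SsmNotificationRole",
    )
    print(json.dumps(request, indent=2))
    try:
        import boto3  # only needed to actually send the command
    except ImportError:
        print("boto3 not installed; the request printed above was not sent")
        return
    ssm = boto3.client("ssm")
    command_id = ssm.send_command(**request)["Command"]["CommandId"]
    history = ssm.list_command_invocations(CommandId=command_id)["CommandInvocations"]
    print(command_id, summarize_history(history))


if __name__ == "__main__":
    main()
```

The request targets instances by tag instead of by instance ID, which is the same choice the console offers under "Targets"; the S3 output and SNS notification are the two optional steps, and the builder refuses an SNS notification without a service role because the API requires one. Note that AWS has since replaced the AmazonEC2RoleforSSM managed policy used in step 2 with the narrower AmazonSSMManagedInstanceCore policy, which grants only what the agent needs.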



The procedure above configures Run Command on AWS instances.

Patch Manager
Patch Manager automates the patching process for managed instances, covering both regular updates and security updates.

Patch Manager can patch both operating systems and applications. It supports versions of Windows Server, Ubuntu, RHEL, CentOS, SUSE Linux Enterprise Server, Amazon Linux and Amazon Linux 2.

Working Phases :
  1. You can scan instances and generate a report of the patches required on the servers.
  2. You can schedule, or automatically install, the required patches on the servers.
  3. Patch Manager integrates with IAM, CloudTrail and Amazon CloudWatch Events to provide secure patching.
Basic Terms :
  • Patch Baseline : Defines the rules for which patches are applied to the servers.
  • Default Patch Baseline : When a patch baseline is set as the default, its rules are applied to all the running instances in your fleet.
  • Approval Rules : Rules set for the operating system you selected earlier, covering Severity, Classification and the number of days before approval.
  • Compliance Reporting : Declares the severity to be reported for new patches matching the defined rules.
  • Manage Tags : The same tags are attached to the desired managed instances.

Configuration of Patch Manager :
Steps:
  1. On the Systems Manager dashboard, select “Patch Manager”.
  2. Create a Patch Baseline, defining the type of operating system for the managed instances.



  3. Set the Patch Baseline as default. (Optional)
  4. Set the rules for the parameters as below:
    1. Product : Select from the list of versions/products for the selected type of operating system.
    2. Severity : Select from ‘Low’ to ‘Critical’, or set to ‘All’.
    3. Auto-approval Delay : The time Patch Manager waits before applying newly available patches.
    4. Classification : Select patches by classification of ‘Security’, ‘BugFix’, ‘Enhancement’, ‘Recommended’ or ‘Newpackage’; you can select multiple.
    5. Compliance Reporting : Specify the severity level for which reports are to be generated.



  5. Under “Manage tags”, enter the “Key” and “Value” for the tags. The same tags need to be configured on the desired EC2 instances as well.



  6. After successful configuration, go to “Compliance” on the same dashboard, where you can see the compliance resources summary and the listed resources.
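The baseline fields in steps 2 to 5 (operating system, product, severity, auto-approval delay, classification, compliance level and tags) map directly onto the SSM API. The following Python example was added for this post and is not code from the original post or from AWS: it builds the argument dict for boto3's ssm.create_patch_baseline(), validates the values against what the API accepts for Amazon Linux 2, and evaluates patch states the way the Compliance page in step 6 does. The product value "AmazonLinux2", the baseline name and the "Patch Group" tag value are assumed sample inputs, and the patch-state records are constructed, not real.

```python
"""Build an SSM patch baseline request from the fields in the steps above.

Added example (not from the original post): pure functions return the
argument dict for boto3's ssm.create_patch_baseline() and classify patch
states as the Compliance page does. boto3 is used only in main().
"""
import json
from typing import Dict, List

# Allowed values for an AMAZON_LINUX_2 baseline, per the SSM API reference.
CLASSIFICATIONS = {"Security", "Bugfix", "Enhancement", "Recommended", "Newpackage"}
SEVERITIES = {"Critical", "Important", "Medium", "Low"}
COMPLIANCE_LEVELS = {"CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNSPECIFIED"}


def build_patch_baseline(name: str, products: List[str], severities: List[str],
                         classifications: List[str], approve_after_days: int,
                         compliance_level: str, tags: Dict[str, str]) -> Dict:
    """Steps 2-5: OS, product/severity/classification filters, auto-approval
    delay, compliance level and tags, in create_patch_baseline() form."""
    if not 0 <= approve_after_days <= 360:  # API range for ApproveAfterDays
        raise ValueError("approve_after_days must be 0-360")
    if compliance_level not in COMPLIANCE_LEVELS:
        raise ValueError(f"unknown compliance level {compliance_level!r}")
    bad = set(classifications) - CLASSIFICATIONS
    if bad:
        raise ValueError(f"unknown classification(s): {sorted(bad)}")
    # 'All' in the console is the '*' wildcard in the API.
    sev_values = ["*"] if severities == ["All"] else severities
    bad = set(sev_values) - SEVERITIES - {"*"}
    if bad:
        raise ValueError(f"unknown severity(s): {sorted(bad)}")
    rule = {
        "PatchFilterGroup": {"PatchFilters": [
            {"Key": "PRODUCT", "Values": products},
            {"Key": "CLASSIFICATION", "Values": classifications},
            {"Key": "SEVERITY", "Values": sev_values},
        ]},
        "ComplianceLevel": compliance_level,
        "ApproveAfterDays": approve_after_days,
        # Non-security classifications are only installed when this flag is set.
        "EnableNonSecurity": any(c != "Security" for c in classifications),
    }
    return {
        "Name": name,
        "OperatingSystem": "AMAZON_LINUX_2",
        "ApprovalRules": {"PatchRules": [rule]},
        "Tags": [{"Key": k, "Value": v} for k, v in tags.items()],
    }


def compliance_report(patch_states: List[Dict]) -> Dict[str, List[str]]:
    """Split instances into compliant / non-compliant from the
    'InstancePatchStates' list of ssm.describe_instance_patch_states():
    any missing or failed patch makes the instance non-compliant."""
    report: Dict[str, List[str]] = {"compliant": [], "noncompliant": []}
    for state in patch_states:
        key = "noncompliant" if state["MissingCount"] or state["FailedCount"] else "compliant"
        report[key].append(state["InstanceId"])
    return report


# Constructed sample of describe_instance_patch_states() output (not real data).
SAMPLE_PATCH_STATES = [
    {"InstanceId": "i-0bbb000000000001", "Operation": "Scan",
     "InstalledCount": 42, "MissingCount": 0, "FailedCount": 0},
    {"InstanceId": "i-0bbb000000000002", "Operation": "Scan",
     "InstalledCount": 40, "MissingCount": 2, "FailedCount": 0},
    {"InstanceId": "i-0bbb000000000003", "Operation": "Install",
     "InstalledCount": 41, "MissingCount": 0, "FailedCount": 1},
]


def main() -> None:
    request = build_patch_baseline(
        name="example-al2-security", products=["AmazonLinux2"],  # assumed sample product
        severities=["Critical", "Important"], classifications=["Security"],
        approve_after_days=7, compliance_level="CRITICAL",
        tags={"Patch Group": "prod"},
    )
    print(json.dumps(request, indent=2))
    print(compliance_report(SAMPLE_PATCH_STATES))
    try:
        import boto3  # only needed to actually create the baseline
    except ImportError:
        return
    ssm = boto3.client("ssm")
    baseline_id = ssm.create_patch_baseline(**request)["BaselineId"]
    # Instances carrying the 'Patch Group' tag value 'prod' pick up this baseline.
    ssm.register_patch_baseline_for_patch_group(BaselineId=baseline_id, PatchGroup="prod")


if __name__ == "__main__":
    main()
```

Two details worth knowing when you leave the console: the "All" severity choice becomes the "*" wildcard in the filter, and the link between a baseline and its instances is made by registering the baseline for a patch group, which is why the instances must carry the matching "Patch Group" tag mentioned in step 5.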

Summary
  • We have seen how to configure “Run Command” and its use case.
  • We have followed the steps to configure “Patch Manager” and compliance report generation.
  • AWS Systems Manager has a feature to get server console access without a key pair or IP whitelisting. We will see this use case in the coming blog.
