SSM

Introduction

  • Can view operational data from multiple AWS services and automate operational tasks across your AWS EC2 / on-premises servers / VMs.

  • Can scan instances (EC2 / on-premises servers / VMs) for detecting policy violations.

  • Need to install the SSM Agent on the instances you want to control (no SSH required).

  • EC2 instances need a proper IAM role that allows SSM actions.

Feature

  • Resource Groups

  • Insights:

    • Insight Dashboard

    • Inventory: discover and audit the software installed

    • Compliance

  • Parameter Store

    • Secure storage for configuration and secrets

      • Can store password in SSM with secure string parameters

      • Note: AWS Secrets Manager has no concept of standard vs. secure parameters.

    • Optional seamless encryption with KMS

    • Serverless, scalable, durable, easy SDK, free

    • Version tracking of configurations / secrets

    • Configuration management using path & IAM

    • Notifications with CloudWatch Events

    • Integration with CloudFormation

    • Can retrieve secrets from Secrets Manager using the SSM Parameter Store API
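The path-and-IAM pattern from the bullets above, written out as an added CloudFormation template (example code added here, not part of the original notes). The application name payments, the environment values and the customer-managed KMS key are assumptions. The read policy is scoped to one environment's subtree, and the KMS statement is what makes SecureString values readable with decryption; the template also shows the CloudFormation caveat that a SecureString parameter cannot be created in a template, only referenced.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original notes): a path-based Parameter Store
  hierarchy for a hypothetical "payments" application, with read access
  scoped by IAM to one environment's path. Names and key are assumptions.

Parameters:
  Environment:
    Type: String
    AllowedValues: [dev, test, prod]
    Default: prod

Resources:
  # Plain configuration value, stored under a path so IAM can scope by prefix.
  DbHostParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub /payments/${Environment}/db/host
      Type: String
      Value: db.internal.example   # constructed sample value
      Description: Database hostname
      Tier: Standard

  # CloudFormation cannot create SecureString parameters. Create the secret
  # out of band (aws ssm put-parameter --type SecureString ...) and either
  # read it at runtime through the API or resolve a specific version at
  # deploy time with a dynamic reference such as:
  #   '{{resolve:ssm-secure:/payments/prod/db/password:1}}'

  # Customer-managed KMS key used for SecureString encryption in this tree.
  ParameterKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Key for /payments SecureString parameters (assumed)
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"

  # Least-privilege read policy: only the chosen environment's subtree.
  # GetParametersByPath lets the application read the whole subtree in one
  # call; kms:Decrypt is required to read SecureString values, and the
  # ViaService condition limits that decrypt right to calls made through
  # Parameter Store.
  PaymentsConfigReadPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Read /payments/<env>/* parameters only
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ReadOwnEnvironmentPath
            Effect: Allow
            Action:
              - ssm:GetParameter
              - ssm:GetParameters
              - ssm:GetParametersByPath
            Resource: !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/payments/${Environment}/*
          - Sid: DecryptSecureStrings
            Effect: Allow
            Action: kms:Decrypt
            Resource: !GetAtt ParameterKey.Arn
            Condition:
              StringEquals:
                kms:ViaService: !Sub ssm.${AWS::Region}.amazonaws.com
```

With the policy attached to the instance role, the application reads its subtree with `aws ssm get-parameters-by-path --path /payments/prod --recursive --with-decryption`; `aws ssm get-parameter-history --name /payments/prod/db/host` shows the version tracking the notes mention. A Secrets Manager secret is read through the same API by prefixing its name with `/aws/reference/secretsmanager/`, e.g. `aws ssm get-parameter --name /aws/reference/secretsmanager/<secret-name> --with-decryption`; that read still needs `secretsmanager:GetSecretValue` on the secret, which the policy above does not grant.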

  • Action:

    • Automation

      • Simplifies common maintenance and deployment tasks of EC2 instances and other AWS resources (ex. shutdown EC2, create AMIs)

      • Can run the EC2Rescue tool on unreachable instances with the AWSSupport-ExecuteEC2Rescue document

    • Run Command

      • Execute a document (script) or a command across instances (with Resource Group).

      • Rate Control / Error Control

      • Integrated with IAM & CloudTrail

    • Session Manager

      • Connect to instance through an interactive one-click browser-based shell or through the AWS CLI.

    • Patch Manager

      • Work with pre-defined Patch Baselines

        • Defines which patches should (not) be installed on your instances.

        • Linux:

          • AWS-AmazonLinux2DefaultPatchBaseline

          • AWS-CentOSDefaultPatchBaseline

          • AWS-RedHatDefaultPatchBaseline

          • AWS-SuseDefaultPatchBaseline

          • AWS-UbuntuDefaultPatchBaseline

        • Windows (patches are auto-approved 7 days after the release)

          • AWS-DefaultPatchBaseline: installs OS patches classified as CriticalUpdates & SecurityUpdates

          • AWS-WindowsPredefinedPatchBaseline-OS: same as AWS-DefaultPatchBaseline

          • AWS-WindowsPredefinedPatchBaseline-OS-Applications: also updates Microsoft applications.

        • Can define your own custom patch baselines as well (OS, classification, severity, etc.)

      • Steps:

        • Define a patch baseline to use (or multiple if you have multiple environments)

        • Define patch groups based on tags, e.g. one per environment (dev, test, prod) using the tag key Patch Group. (Watch for scenarios that omit the tagging criteria.)

        • Define Maintenance Windows (schedule, duration, registered targets / patch groups and registered tasks)

        • Add the AWS-RunPatchBaseline Run Command as part of the registered tasks of the Maintenance Window (works cross platform Linux & Windows)

        • Define Rate Control (concurrency & error threshold) for the task

        • Monitor Patch Compliance with SSM Inventory
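The six steps above as one added CloudFormation stack (example code added here, not part of the original notes): a custom baseline registered to a patch group, a weekly maintenance window, a target selected by the Patch Group tag, and an AWS-RunPatchBaseline task with rate control. The patch group name, schedule, severity filters and thresholds are assumptions; compliance monitoring (step 6) is a read-side query shown in the usage note rather than a resource.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original notes): custom patch baseline, patch
  group, maintenance window and AWS-RunPatchBaseline task with rate control.
  Names, schedule and thresholds are assumptions.

Parameters:
  PatchGroupName:
    Type: String
    Default: prod   # value of the "Patch Group" tag on the instances

Resources:
  # Step 1: the baseline. Security patches of Critical/Important severity,
  # auto-approved 7 days after release; a missing patch counts as a
  # CRITICAL compliance finding.
  ProdLinuxBaseline:
    Type: AWS::SSM::PatchBaseline
    Properties:
      Name: !Sub amazonlinux2-${PatchGroupName}
      OperatingSystem: AMAZON_LINUX_2
      Description: Custom baseline for the prod patch group (assumed)
      ApprovalRules:
        PatchRules:
          - ApproveAfterDays: 7
            ComplianceLevel: CRITICAL
            PatchFilterGroup:
              PatchFilters:
                - Key: CLASSIFICATION
                  Values: [Security]
                - Key: SEVERITY
                  Values: [Critical, Important]
      # Step 2: registering the patch group binds instances tagged
      # "Patch Group"=prod to this baseline instead of the AWS default one.
      PatchGroups:
        - !Ref PatchGroupName

  # Step 3: maintenance window. Sunday 02:00 UTC, 4 hours long, and no new
  # task executions start in the final hour (Cutoff).
  PatchWindow:
    Type: AWS::SSM::MaintenanceWindow
    Properties:
      Name: !Sub patch-${PatchGroupName}-weekly
      Schedule: cron(0 2 ? * SUN *)
      ScheduleTimezone: Etc/UTC
      Duration: 4
      Cutoff: 1
      AllowUnassociatedTargets: false

  # Registered target: every managed instance carrying the Patch Group tag.
  PatchWindowTarget:
    Type: AWS::SSM::MaintenanceWindowTarget
    Properties:
      WindowId: !Ref PatchWindow
      ResourceType: INSTANCE
      Targets:
        - Key: tag:Patch Group
          Values:
            - !Ref PatchGroupName

  # Steps 4 and 5: registered task running the cross-platform
  # AWS-RunPatchBaseline document, with rate control: patch 10% of the
  # targets at a time and stop scheduling new targets once 5% have failed.
  PatchWindowTask:
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      WindowId: !Ref PatchWindow
      TaskType: RUN_COMMAND
      TaskArn: AWS-RunPatchBaseline
      Priority: 1
      MaxConcurrency: "10%"
      MaxErrors: "5%"
      Targets:
        - Key: WindowTargetIds
          Values:
            - !Ref PatchWindowTarget
      TaskInvocationParameters:
        MaintenanceWindowRunCommandParameters:
          Parameters:
            Operation: [Install]
            RebootOption: [RebootIfNeeded]
```

The instances only become targets if the SSM Agent is running and their instance role allows SSM actions (the AWS-managed AmazonSSMManagedInstanceCore policy covers this). Setting `Operation: [Scan]` first lets you see compliance before anything is installed; after a run, step 6 is `aws ssm describe-instance-patch-states --instance-ids <id>` for a single instance or `aws ssm list-compliance-summaries` for the account-wide view.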

    • State Manager

      • Define and maintain the configuration of the OS and applications