AWS Systems Manager is an AWS service that provides visibility and control of infrastructure on AWS.
AWS Systems Manager provides a unified interface through which you can view operational data from multiple AWS services.
AWS Systems Manager allows you to automate operational tasks across your AWS resources.
With Systems Manager, you can group resources, like Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS instances, by application, view operational data for monitoring and troubleshooting, and take action on your groups of resources.
You can create logical groups of resources such as applications, different layers of an application stack, or production versus development environments.
With Systems Manager, you can select a resource group and view its recent API activity, resource configuration changes, related notifications, operational alerts, software inventory, and patch compliance status.
You can also take action on each resource group depending on your operational needs.
Systems Manager simplifies resource and application management, shortens the time to detect and resolve operational problems, and makes it easy to operate and manage your infrastructure securely at scale.
Systems Manager Components
Systems Manager Inventory
AWS Systems Manager collects information about your instances and the software installed on them, helping you to understand your system configurations and installed applications.
You can collect data about applications, files, network configurations, Windows services, Windows Registry keys, server roles, updates, and other system properties.
The gathered data enables you to manage application assets, track licenses, monitor file integrity, discover applications not installed by a traditional installer, and more.
Configuration Compliance
AWS Systems Manager lets you scan your managed instances for patch compliance and configuration inconsistencies.
You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren't compliant.
By default, Systems Manager reports compliance for patching and for State Manager associations. You can also define custom compliance types that fit your own requirements.
Automation
AWS Systems Manager Automation lets you safely automate common and repetitive IT operations and management tasks across AWS resources.
You write runbooks as JSON or YAML Automation documents that specify an ordered list of steps, or use AWS-owned and community-published runbooks.
Runbooks can be run directly from the AWS Management Console, the CLI, or the SDKs, scheduled in a maintenance window, or triggered by changes to AWS resources through Amazon EventBridge (formerly Amazon CloudWatch Events).
You can track the execution of each step and require an approval before a step runs.
You can also roll changes out incrementally with rate controls (maximum concurrency and maximum errors) and halt automatically when the error threshold is reached.
Run Command
Use Systems Manager Run Command to remotely and securely manage the configuration of your managed instances at scale. Use it for on-demand changes such as updating applications or running Linux shell scripts and Windows PowerShell commands on a target set of dozens or hundreds of instances.
Run Command requires SSM Agent to be installed and registered on every managed instance.
Example tasks include installing or updating software, running scripts, and collecting diagnostics. Instance lifecycle actions such as stopping, restarting, terminating, and resizing instances, attaching and detaching EBS volumes, or creating snapshots are normally performed with Automation runbooks, which can call Run Command as one of their steps.
Run Command is often used to apply patches and updates.
Commands can be applied to a group of instances selected by AWS instance tags, by resource group, or by manual selection.
The commands and their parameters are defined in a Systems Manager Command document.
Commands can be issued using the AWS Management Console, the AWS CLI, AWS Tools for Windows PowerShell, the Systems Manager API, or the AWS SDKs.
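As an added example (not code from the original page), here is how the pieces above fit together with the AWS CLI: a custom Command document with a single, constrained parameter is registered in the account and then sent to tag-selected instances with rate controls, with output delivered to S3 and CloudWatch Logs. The document name, the Environment=prod tag, the bucket and the log group are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the page): a custom Command document, registered with
# the AWS CLI and sent to instances picked by tag, with rate control and output
# shipped to S3 and CloudWatch Logs. Placeholders (assumptions): the document
# name, the Environment=prod tag, the bucket and the log group.
set -eu

DOC_NAME="Example-RestartService"
OUTPUT_BUCKET="${SSM_OUTPUT_BUCKET:-example-ssm-output}"
LOG_GROUP="${SSM_LOG_GROUP:-/ssm/run-command}"

# Command document (schemaVersion 2.2). The single parameter is constrained by
# allowedPattern and single-quoted in the script, so a caller cannot smuggle
# shell metacharacters into a command that runs as root on the instance.
build_command_document() {
  cat <<'EOF'
{
  "schemaVersion": "2.2",
  "description": "Restart a systemd unit and report whether it is active",
  "parameters": {
    "serviceName": {
      "type": "String",
      "description": "systemd unit to restart",
      "allowedPattern": "^[A-Za-z0-9_.@-]+$"
    }
  },
  "mainSteps": [
    {
      "action": "aws:runShellScript",
      "name": "restartService",
      "inputs": {
        "timeoutSeconds": "120",
        "runCommand": [
          "set -e",
          "systemctl restart '{{ serviceName }}'",
          "systemctl is-active '{{ serviceName }}'"
        ]
      }
    }
  ]
}
EOF
}

# Register the document in the account.
create_document() {
  aws ssm create-document --name "$DOC_NAME" --document-type Command \
    --document-format JSON --content "$(build_command_document)"
}

# Run it on every instance tagged Environment=prod, 10% of the fleet at a time,
# halting as soon as one invocation fails; stdout/stderr go to S3 and CloudWatch
# Logs so nobody has to log in to read them.
send_restart() {
  aws ssm send-command \
    --document-name "$DOC_NAME" \
    --targets "Key=tag:Environment,Values=prod" \
    --parameters "serviceName=$1" \
    --max-concurrency "10%" --max-errors "0" \
    --output-s3-bucket-name "$OUTPUT_BUCKET" --output-s3-key-prefix "run-command" \
    --cloud-watch-output-config "CloudWatchLogGroupName=$LOG_GROUP,CloudWatchOutputEnabled=true" \
    --query "Command.CommandId" --output text
}

# Per-instance status of a command (Success, Failed, TimedOut, ...).
command_status() {
  aws ssm list-command-invocations --command-id "$1" \
    --query "CommandInvocations[].[InstanceId,Status]" --output text
}

case "${1:-}" in
  --create)  create_document ;;
  --restart) send_restart "${2:?service name}" ;;
  --status)  command_status "${2:?command id}" ;;
  *)         build_command_document ;;   # default: print the document for review
esac
```

Run the script with no arguments to review the document, `--create` to register it, `--restart nginx` to fan it out, and `--status <command-id>` to see which instances succeeded. Because --max-errors is 0 and --max-concurrency is 10%, a broken change stops after the first failing batch instead of reaching the whole fleet.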
Session Manager
AWS Systems Manager Session Manager provides safe, secure remote shell access to your instances at scale without opening inbound ports or logging in to your servers, replacing the need for bastion hosts, SSH, or remote PowerShell.
It provides a simple way of running interactive administrative tasks across instances such as registry edits, user management, and software and patch installations.
It provides a command shell for Linux instances and a Windows PowerShell terminal for Windows instances.
Through integration with AWS Identity and Access Management (IAM), you can apply granular permissions to control which users can open sessions on which instances (for example by instance tag).
All Systems Manager API actions, including StartSession and TerminateSession, are recorded by AWS CloudTrail, allowing you to audit changes throughout your environment.
The instance profile needs IAM permissions for SSM Agent to reach the Systems Manager endpoints (the AmazonSSMManagedInstanceCore managed policy) and, if session logging is enabled, to write to the target S3 bucket and CloudWatch Logs log group.
CloudTrail records only the StartSession API call itself; the commands typed inside a session are captured by session logging to S3 or CloudWatch Logs, not by CloudTrail.
Compared to SSH:
- No inbound port (22 or 3389) needs to be open; SSM Agent initiates outbound connections to the Systems Manager endpoints.
- No bastion hosts are needed for management.
- Session activity, including the commands typed, can be logged to S3 or CloudWatch Logs once session logging is enabled in the session preferences.
- Access is authenticated and authorized through IAM identities (users or roles), not SSH key pairs, so there are no instance keys to distribute or rotate.
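An added example, not from the original page: the two IAM policies a least-privilege Session Manager setup needs (one for the operator, one for the instance profile), plus the connect and audit commands. The Environment=dev tag, the bucket and log group names, and the assumption that operators are IAM users are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the page): IAM policies behind a least-privilege
# Session Manager setup, plus the connect and audit commands. Assumptions:
# tag Environment=dev, bucket "example-session-logs", operators are IAM users.
set -eu

LOG_BUCKET="${SESSION_LOG_BUCKET:-example-session-logs}"

# Operator policy: open a shell only on Environment=dev instances, only through
# the account's session preferences document (so the logging configured there
# cannot be bypassed by naming another document), and end only your own sessions.
operator_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnDevInstances",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/Environment": "dev" },
        "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" }
      }
    },
    {
      "Sid": "OnlyThePreferencesDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"
    },
    {
      "Sid": "ManageOwnSessions",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    },
    {
      "Sid": "Discovery",
      "Effect": "Allow",
      "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                 "ssm:DescribeInstanceInformation", "ec2:DescribeInstances"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Added to the instance profile on top of AmazonSSMManagedInstanceCore so that
# SSM Agent can ship session logs to S3 and CloudWatch Logs.
instance_logging_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetEncryptionConfiguration"],
      "Resource": ["arn:aws:s3:::${LOG_BUCKET}", "arn:aws:s3:::${LOG_BUCKET}/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogStream", "logs:PutLogEvents",
                 "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Open a shell; needs the Session Manager plugin for the AWS CLI installed locally.
connect() {
  aws ssm start-session --target "$1" --document-name SSM-SessionManagerRunShell
}

# Who opened sessions in the last 24 hours (GNU date). CloudTrail has the
# StartSession call; what was typed is only in the S3/CloudWatch session logs.
recent_sessions() {
  aws cloudtrail lookup-events \
    --lookup-attributes AttributeKey=EventName,AttributeValue=StartSession \
    --start-time "$(date -u -d '24 hours ago' +%Y-%m-%dT%H:%M:%SZ)" \
    --query "Events[].[EventTime,Username]" --output text
}

case "${1:-}" in
  --instance-policy) instance_logging_policy ;;
  --connect)         connect "${2:?instance id}" ;;
  --audit)           recent_sessions ;;
  *)                 operator_policy ;;
esac
```

The ssm:SessionDocumentAccessCheck condition is what ties the instance statement to the document statement: without it an operator could start a session with any session document they can read, including one that disables logging. Federated identities get session IDs that do not start with ${aws:username}, so adjust the ManageOwnSessions resource for them.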
Patch Manager
AWS Systems Manager helps you select and deploy operating system and software patches automatically across large groups of Amazon EC2 or on-premises instances.
Through patch baselines, you can set rules to auto-approve select categories of patches to be installed, such as operating system or high severity patches, and you can specify a list of patches that override these rules and are automatically approved or rejected.
You can also schedule maintenance windows for your patches so that they are only applied during preset times.
Systems Manager helps ensure that your software is up-to-date and meets your compliance policies.
Maintenance Windows
AWS Systems Manager lets you schedule windows of time to run administrative and maintenance tasks across your instances.
This ensures that you can select a convenient and safe time to install patches and updates or make other configuration changes, improving the availability and reliability of your services and applications.
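The patch baseline and maintenance window steps above, carried through end to end with the AWS CLI as an added example (not the page's own code). The Amazon Linux 2 operating system, the patch group name prod-web, the account ID and the window's service role are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the page): a patch baseline with an auto-approval
# rule, bound to a patch group, and a maintenance window that installs the
# approved patches on that group every Sunday. Assumptions: Amazon Linux 2
# fleet, patch group "prod-web", placeholder account and service role.
set -eu

PATCH_GROUP="${PATCH_GROUP:-prod-web}"
WINDOW_ROLE="${WINDOW_ROLE:-arn:aws:iam::123456789012:role/ExampleMaintenanceWindowRole}"

# Approval rule: Security patches rated Critical or Important are auto-approved
# seven days after release and count as CRITICAL for compliance; anything else
# waits for an explicit approval (or an entry in the approved-patches list).
approval_rules() {
  cat <<'EOF'
{
  "PatchRules": [
    {
      "PatchFilterGroup": {
        "PatchFilters": [
          { "Key": "CLASSIFICATION", "Values": ["Security"] },
          { "Key": "SEVERITY", "Values": ["Critical", "Important"] }
        ]
      },
      "ApproveAfterDays": 7,
      "ComplianceLevel": "CRITICAL"
    }
  ]
}
EOF
}

# Parameters for AWS-RunPatchBaseline: install (not just scan) and reboot only
# if a patch requires it.
task_parameters() {
  cat <<'EOF'
{
  "RunCommand": {
    "Parameters": { "Operation": ["Install"], "RebootOption": ["RebootIfNeeded"] },
    "TimeoutSeconds": 1800
  }
}
EOF
}

create_baseline() {
  aws ssm create-patch-baseline --name "Example-${PATCH_GROUP}-baseline" \
    --operating-system AMAZON_LINUX_2 --approval-rules "$(approval_rules)" \
    --query BaselineId --output text
}

# Instances tagged "Patch Group=prod-web" use this baseline instead of the default.
bind_patch_group() {
  aws ssm register-patch-baseline-for-patch-group --baseline-id "$1" --patch-group "$PATCH_GROUP"
}

# Sundays 02:00 UTC for 2 hours; no new tasks start in the final hour (cutoff).
create_window() {
  aws ssm create-maintenance-window --name "Example-${PATCH_GROUP}-patching" \
    --schedule "cron(0 2 ? * SUN *)" --duration 2 --cutoff 1 \
    --no-allow-unassociated-targets --query WindowId --output text
}

register_target() {
  aws ssm register-target-with-maintenance-window --window-id "$1" \
    --resource-type INSTANCE --targets "Key=tag:Patch Group,Values=${PATCH_GROUP}" \
    --query WindowTargetId --output text
}

# Patch 25% of the group at a time and stop scheduling after one failure.
register_task() {
  aws ssm register-task-with-maintenance-window --window-id "$1" \
    --targets "Key=WindowTargetIds,Values=$2" --task-type RUN_COMMAND \
    --task-arn AWS-RunPatchBaseline --service-role-arn "$WINDOW_ROLE" \
    --priority 1 --max-concurrency "25%" --max-errors "1" \
    --task-invocation-parameters "$(task_parameters)"
}

# Compliance after the window: missing and failed patch counts per instance.
patch_compliance() {
  aws ssm describe-instance-patch-states-for-patch-group --patch-group "$PATCH_GROUP" \
    --query "InstancePatchStates[].[InstanceId,MissingCount,FailedCount,OperationEndTime]" \
    --output table
}

case "${1:-}" in
  --apply)
    baseline=$(create_baseline); bind_patch_group "$baseline"
    window=$(create_window); target=$(register_target "$window")
    register_task "$window" "$target" ;;
  --compliance) patch_compliance ;;
  *) approval_rules ;;   # default: print the approval rule for review
esac
```

Run with `--apply` to create everything, then `--compliance` after the first window to confirm MissingCount has dropped to zero; any instance still showing failures is the one to investigate before widening --max-concurrency.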
Distributor
Distributor is an AWS Systems Manager feature that enables you to securely store and distribute software packages in your organization.
You can use Distributor with existing Systems Manager features like Run Command and State Manager to control the lifecycle of the packages running on your instances.
State Manager
AWS Systems Manager State Manager provides configuration management, which helps you maintain a consistent configuration of your Amazon EC2 or on-premises instances.
With State Manager, you can control configuration details such as server configurations, anti-virus definitions, firewall settings, and more.
You can define configuration policies for your servers through the AWS Management Console or use existing scripts, PowerShell modules, or Ansible playbooks directly from GitHub or Amazon S3 buckets.
State Manager associations automatically apply your configurations across your instances at a time and frequency that you define.
You can query Systems Manager at any time to view the status of your instance configurations, giving you on-demand visibility into your compliance status.
Parameter Store
AWS Systems Manager Parameter Store provides a centralized store for configuration data, whether plain-text values such as database connection strings or secrets such as passwords.
This lets you separate secrets and configuration data from your code. Parameters can be tagged and organized into hierarchies, which makes them easier to manage and lets you scope IAM permissions to a path.
For example, you can use the same parameter name, “db-string”, under different hierarchical paths, “/dev/db-string” and “/prod/db-string”, to store a different value for each environment.
Parameter Store is integrated with AWS Key Management Service (KMS): SecureString parameters are encrypted with a KMS key when stored and decrypted on read for callers that hold both the ssm:GetParameter* and kms:Decrypt permissions.
You can also control user and resource access to parameters using AWS Identity and Access Management (IAM), including by parameter path. Parameters can be referenced from other AWS services, such as Amazon Elastic Container Service, AWS Lambda, and AWS CloudFormation.
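An added example (not from the original page) of the hierarchy and encryption points above: the same db-string parameter written under /dev and /prod as a SecureString, read back by path, and a reader policy that confines a dev workload to the /dev subtree and to decrypting only through Parameter Store. The key alias and ARN, the account ID and the Region are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the page): per-environment SecureString parameters,
# read by path, and an IAM policy scoped to the /dev subtree. Assumptions: the
# KMS alias/ARN, account 123456789012 and the Region are placeholders.
set -eu

REGION="${AWS_REGION:-us-east-1}"
KMS_KEY="${PARAM_KMS_KEY:-alias/example-parameters}"
KMS_KEY_ARN="${PARAM_KMS_KEY_ARN:-arn:aws:kms:${REGION}:123456789012:key/00000000-0000-0000-0000-000000000000}"

# Store one value per environment under a hierarchy; names must start with "/".
# The secret is read from stdin so it does not land in shell history (it is
# still briefly visible in the process list as an aws argument).
put_db_string() {
  env="$1"
  value="$(cat)"
  aws ssm put-parameter --name "/${env}/db-string" --type SecureString \
    --key-id "$KMS_KEY" --value "$value" --overwrite >/dev/null
  aws ssm add-tags-to-resource --resource-type Parameter \
    --resource-id "/${env}/db-string" --tags "Key=Environment,Value=${env}"
}

# Read everything beneath /<env>, decrypting SecureStrings on the way out.
read_env() {
  aws ssm get-parameters-by-path --path "/$1" --recursive --with-decryption \
    --query "Parameters[].[Name,Type,Value]" --output text
}

# Reader policy for the dev workload: SSM allows only the /dev/ subtree, and the
# key may be used only via Parameter Store in this Region, so the role cannot
# decrypt ciphertext obtained some other way. /prod stays unreadable even
# though it shares the same key.
dev_reader_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadDevParameters",
      "Effect": "Allow",
      "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
      "Resource": "arn:aws:ssm:${REGION}:123456789012:parameter/dev/*"
    },
    {
      "Sid": "DecryptViaParameterStoreOnly",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "${KMS_KEY_ARN}",
      "Condition": { "StringEquals": { "kms:ViaService": "ssm.${REGION}.amazonaws.com" } }
    }
  ]
}
EOF
}

case "${1:-}" in
  --put)  put_db_string "${2:?environment}" ;;   # secret value on stdin
  --read) read_env "${2:?environment}" ;;
  *)      dev_reader_policy ;;
esac
```

`printf '%s' "$SECRET" | ./params.sh --put dev` then `./params.sh --read dev` shows the decrypted value; attaching the printed policy to the dev role and running `--read prod` under it is the negative test that should fail with AccessDenied.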
Deployment and Provisioning
You can use resource groups to organize your AWS resources. Resource groups make it easier to manage, monitor, and automate tasks on large numbers of resources at one time.
AWS Resource Groups provides two general methods for defining a resource group. Both methods involve using a query to identify the members for a group.
The first method relies on tags applied to AWS resources to add resources to a group. Using this method, you apply the same key/value pair tags to resources of various types in your account and then use the AWS Resource Groups service to create a group based on that tag pair.
The second method is based on resources available in an individual AWS CloudFormation stack. Using this method, you choose an AWS CloudFormation stack, and then choose resource types in the stack that you want to be in the group.
Allows the creation of logical groups of resources that you can perform actions on (such as patching).
Resource groups are regional in scope.
Systems Manager Document
An AWS Systems Manager document (SSM document) defines the actions that Systems Manager performs on your managed instances.
Systems Manager ships with a large library of AWS-owned pre-configured documents (such as AWS-RunShellScript, AWS-RunPowerShellScript, and AWS-RunPatchBaseline) that you use by specifying parameters at runtime; you can also author your own.
Monitoring and Reporting
AWS Systems Manager automatically aggregates and displays operational data for each resource group through a dashboard.
Systems Manager eliminates the need for you to navigate across multiple AWS consoles to view your operational data.
You can also integrate your Amazon CloudWatch dashboards, AWS Trusted Advisor notifications, and AWS Health Dashboard (formerly the AWS Personal Health Dashboard) performance and availability alerts into your Systems Manager dashboard.
Systems Manager centralizes all relevant operational data, so you can have a clear view of your infrastructure compliance and performance.
You can configure and use the Amazon CloudWatch agent to collect metrics and logs from your instances instead of using SSM Agent for these tasks. The CloudWatch agent enables you to gather more metrics on EC2 instances than are available using SSM Agent. In addition, you can gather metrics from on-premises servers using the CloudWatch agent.
Logging and Auditing
Systems Manager is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Systems Manager. CloudTrail captures all API calls for Systems Manager as events, including calls from the Systems Manager console and from code calls to the Systems Manager APIs.
SSM Agent writes information about executions, commands, scheduled actions, errors, and health statuses to log files on each instance. You can view log files by manually connecting to an instance, or you can automatically send logs to Amazon CloudWatch Logs.
Authorization and Access Control
AWS Systems Manager supports identity-based policies.
AWS Systems Manager does not support resource-based policies.
You can attach tags to Systems Manager resources or pass tags in a request to Systems Manager.
To control access based on tags, you provide tag information in the condition element of a policy using the ssm:resourceTag/key-name, aws:ResourceTag/key-name, aws:RequestTag/key-name, or aws:TagKeys condition keys.
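An added example, not from the original page, of tag-based authorization with these condition keys, including the check a practitioner should add: if access is granted by tag, the same principal must not be able to change the tag. The account ID, instance ID and the Environment tag are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the page): an identity policy that scopes Run Command
# by instance tag (ssm:resourceTag), constrains tagging of Systems Manager
# resources (aws:RequestTag, aws:TagKeys) and denies retagging instances, so the
# tag used for authorization cannot be rewritten by the principal it governs.
# Assumptions: account 123456789012 and the instance ID are placeholders.
set -eu

tag_scoped_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RunCommandOnDevInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": { "StringEquals": { "ssm:resourceTag/Environment": "dev" } }
    },
    {
      "Sid": "OnlyApprovedDocuments",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": [
        "arn:aws:ssm:*:*:document/AWS-RunShellScript",
        "arn:aws:ssm:*:*:document/AWS-RunPatchBaseline"
      ]
    },
    {
      "Sid": "TagSsmResourcesOnlyAsDev",
      "Effect": "Allow",
      "Action": "ssm:AddTagsToResource",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/Environment": "dev" },
        "ForAllValues:StringEquals": { "aws:TagKeys": ["Environment"] }
      }
    },
    {
      "Sid": "NeverRetagInstances",
      "Effect": "Deny",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": ["Environment"] } }
    }
  ]
}
EOF
}

# Dry-run the policy in the IAM simulator (no instances needed): feed the
# instance tag in as a context key and read the decision for SendCommand.
simulate_send_command() {
  aws iam simulate-custom-policy \
    --policy-input-list "$(tag_scoped_policy)" \
    --action-names ssm:SendCommand \
    --resource-arns "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0" \
    --context-entries "ContextKeyName=ssm:resourceTag/Environment,ContextKeyValues=$1,ContextKeyType=string" \
    --query "EvaluationResults[].[EvalActionName,EvalDecision]" --output text
}

case "${1:-}" in
  --simulate) simulate_send_command "${2:-dev}" ;;   # allowed for dev, implicitDeny for prod
  *)          tag_scoped_policy ;;
esac
```

`./tags.sh --simulate dev` should print allowed and `./tags.sh --simulate prod` implicitDeny. The explicit Deny on ec2:CreateTags/DeleteTags is the part most often forgotten: without it, a principal limited to dev instances by tag can simply retag a prod instance as dev and the first statement lets them in.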