Overview
- Manage OS and applications above
- Hybrid
  - AWS
  - On-premise - requires Activation
- Cross-platform: Windows + Linux
- Agent-based
- Integrates with CloudWatch Events
  - As Event Source
    - e.g. RunCommand output -> Lambda
  - As Event Target
    - EC2 event happened -> RunCommand
Resource Group
- Organizes resources
  - They can be queried/acted upon together
  - RunCommand, Automation, Patch Manager
Managed Instance
- EC2 or on-premise
  - On-premise requires activation
- Has agent running
  - Processes requests from SSM
  - Open source
Document
- JSON/YAML file
- List of commands/actions to perform
- Can take input parameters
  - e.g. feature to be installed via PowerShell
- Versioned
- Types
  - Command Document (Run Command / State Manager)
  - Policy Document (State Manager)
  - Automation Document (Automation)
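A worked example of the Command document described above, added here and not part of the original notes or of AWS's own samples: it builds a schema 2.2 Command document whose single `aws:runPowerShellScript` step installs the Windows feature named by the `FeatureName` input parameter, then runs a few sanity checks a practitioner would want before publishing it (schema version, no reference to an undeclared parameter, and a String parameter that is constrained with `allowedPattern` so callers cannot pass arbitrary text into the script). The document name, feature default and `validate_command_document` helper are constructed for the example.

```python
"""Build and sanity-check an SSM Command document (schema 2.2).

Added example, not from the original notes. The field names
(schemaVersion, parameters, mainSteps, aws:runPowerShellScript, runCommand,
allowedPattern) are the public SSM document fields; the feature default and
validation helper are constructed for illustration.
"""
import json
import re

# Matches {{ Name }} style parameter references inside a step.
PARAM_REF = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")


def build_feature_install_document(default_feature="Web-Server"):
    """Return a Command document (dict) that installs a Windows feature
    chosen through the FeatureName input parameter."""
    return {
        "schemaVersion": "2.2",
        "description": "Install a Windows feature (constructed example)",
        "parameters": {
            "FeatureName": {
                "type": "String",
                "description": "Windows feature to install",
                "default": default_feature,
                # Only feature-name characters: a caller cannot smuggle
                # PowerShell syntax in through the parameter.
                "allowedPattern": "^[A-Za-z0-9-]+$",
            }
        },
        "mainSteps": [
            {
                "action": "aws:runPowerShellScript",
                "name": "installFeature",
                "inputs": {
                    "runCommand": [
                        "Install-WindowsFeature -Name {{ FeatureName }}",
                    ]
                },
            }
        ],
    }


def referenced_parameters(doc):
    """Collect every {{ Name }} reference used inside mainSteps."""
    refs = set()
    for step in doc.get("mainSteps", []):
        for line in step.get("inputs", {}).get("runCommand", []):
            refs.update(PARAM_REF.findall(line))
    return refs


def validate_command_document(doc):
    """Return a list of problems; an empty list means the document looks sane."""
    problems = []
    if doc.get("schemaVersion") != "2.2":
        problems.append("schemaVersion must be 2.2 for a Command document")
    if not doc.get("mainSteps"):
        problems.append("mainSteps is empty")
    declared = set(doc.get("parameters", {}))
    for name in sorted(referenced_parameters(doc) - declared):
        problems.append(f"step references undeclared parameter {name}")
    for name, spec in doc.get("parameters", {}).items():
        unconstrained = "allowedPattern" not in spec and "allowedValues" not in spec
        if spec.get("type") == "String" and unconstrained:
            problems.append(f"parameter {name} accepts arbitrary strings; "
                            "add allowedPattern or allowedValues")
    return problems


def render(doc):
    """Serialize to the JSON content that create-document expects."""
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    document = build_feature_install_document()
    print(render(document))
    print("problems:", validate_command_document(document))
```

The rendered JSON is what you would hand to `aws ssm create-document --document-type Command --content file://doc.json`; the validation step is worth keeping in a pre-commit hook, because an unconstrained String parameter in a Run Command document is the usual way script injection creeps into fleet automation.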
Run Command
- Executes document on fleet of servers
- Cannot deviate from document actions (security)
- Output is stored (e.g. S3)
- Replaces the need to run SSH/RDP (jump hosts)
- AWS native (CloudTrail, IAM, etc.)
- Rate control (e.g. "2 at a time")
- Use cases
  - Automated Windows Domain join
  - Configuration changes
State Manager
- Association
  - instance(s)
  - document (command)
  - schedule
- Periodically runs action
  - e.g. update SSM agent every 30 minutes
- Use cases
  - Keep consistent configuration
  - Avoid configuration drift
  - Join instances to Windows domain
Patch Manager
- Focused on security-related OS patches
- Patch baseline
  - Set of rules: what patches are approved automatically
    - e.g. Severity = Critical: wait 7 days before applying to PROD
  - List of approved/rejected patches
- Patch compliance
  - How are my servers doing vs. rules
  - What patches are missing
- Patch exceptions
  - whitelist/blacklist
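To make the baseline and compliance ideas concrete, here is an added example (not from the original notes, and not how the AWS service is implemented) that models a baseline as approval rules with a per-severity delay plus explicit approved/rejected lists, and then computes per-instance compliance as "approved patches the instance does not have". The patch catalog, fleet inventory, rule set and audit dates are all constructed.

```python
"""Model Patch Manager baseline rules and compliance over constructed data.

Added example, not from the original notes or from AWS. It mirrors the
idea only: a patch is auto-approved when a rule matches its severity and
the rule's delay has elapsed since release, unless it is explicitly
rejected; explicit approvals bypass the delay.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Patch:
    patch_id: str
    severity: str        # e.g. "Critical", "Important", "Low"
    release_date: date


@dataclass
class ApprovalRule:
    severity: str
    approve_after_days: int


@dataclass
class PatchBaseline:
    rules: list
    approved: set = field(default_factory=set)   # explicit approvals
    rejected: set = field(default_factory=set)   # explicit rejections


def is_approved(patch, baseline, today):
    """Explicit lists win; otherwise the first rule matching the severity
    decides, and only once its approval delay has elapsed."""
    if patch.patch_id in baseline.rejected:
        return False
    if patch.patch_id in baseline.approved:
        return True
    for rule in baseline.rules:
        if rule.severity == patch.severity:
            due = patch.release_date + timedelta(days=rule.approve_after_days)
            return today >= due
    return False


def missing_patches(installed, catalog, baseline, today):
    """Sorted ids of approved patches that the instance has not installed."""
    return sorted(p.patch_id for p in catalog
                  if is_approved(p, baseline, today) and p.patch_id not in installed)


def compliance_report(fleet, catalog, baseline, today):
    """Map instance id -> missing approved patches (empty list = compliant)."""
    return {iid: missing_patches(have, catalog, baseline, today)
            for iid, have in fleet.items()}


# Constructed sample data: a small patch catalog, a PROD baseline and two hosts.
CATALOG = [
    Patch("KB-CRIT-1", "Critical", date(2024, 1, 1)),
    Patch("KB-CRIT-2", "Critical", date(2024, 1, 10)),
    Patch("KB-IMP-1", "Important", date(2023, 12, 1)),
    Patch("KB-LOW-1", "Low", date(2023, 1, 1)),     # no rule: never auto-approved
]
PROD_BASELINE = PatchBaseline(
    rules=[ApprovalRule("Critical", 7), ApprovalRule("Important", 14)],
    rejected={"KB-IMP-1"},   # constructed: known to break an application
)
FLEET = {
    "i-web-1": {"KB-CRIT-1"},
    "i-web-2": set(),
}
AUDIT_DAY = date(2024, 1, 12)        # KB-CRIT-2 is still inside its 7-day wait
AUDIT_DAY_LATER = date(2024, 1, 20)  # KB-CRIT-2 has become approved

if __name__ == "__main__":
    for when in (AUDIT_DAY, AUDIT_DAY_LATER):
        print(when, compliance_report(FLEET, CATALOG, PROD_BASELINE, when))
```

The two audit dates show why the delay rule matters for reporting: a host can be compliant on day 12 and non-compliant on day 20 without anything changing on the host itself, simply because a critical patch crossed its approval delay.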
Automation
- Create workflow (document)
  - Launch instance from AMI
  - Make changes
  - Create AMI
  - Invoke Lambda
- Use cases
  - Maintain and update AMI (baking AMI)
    - Bake applications into AMI
    - Integrate with CI/CD (e.g. Jenkins)
  - Nightly database backups
Parameter Store
- Stores configuration parameters
- AWS native: CloudTrail/IAM
- Supports encryption (via KMS)
  - Secure String
- Can be referenced in scripts, commands, code, automation workflows
- Hierarchical ("/" to separate) - tree-based grouping
  - e.g. separate PROD and TEST trees
- Use cases
  - Securely storing passwords
  - Deploy with CodeDeploy
  - Secure domain join
Inventory
- Collect software inventory on servers
- Can be queried and visualized (e.g. using QuickSight)
- History
- Integrates with AWS Config
- Setup
  - Document
  - Schedule
  - Type
    - Instance detailed information
    - Windows Updates
    - Network Config
    - Services
- Use cases
  - Asset management
    - What do we have installed
    - How many software licenses do we need
    - Do we have vulnerable software versions
    - Do we have machines with .NET Framework < 3.5.1
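The ".NET Framework < 3.5.1" question above is a version query over inventory rows, and the one thing that goes wrong in practice is comparing versions as strings ("3.10" sorts below "3.5.1"). As an added example that is not from the original notes, the snippet below runs that query and a licence count over constructed inventory rows shaped as (instance id, application name, version); the rows, the `version_below` helper and the application names are constructed, and nothing here talks to SSM.

```python
"""Query a constructed software inventory for hosts below a version threshold.

Added example, not from the original notes. Real SSM Inventory data would be
exported and queried elsewhere (the notes mention QuickSight); these rows are
constructed in a minimal (instance id, application, version) shape.
"""
import re

INVENTORY = [  # constructed sample rows
    ("i-0001", "Microsoft .NET Framework", "3.0.30729"),
    ("i-0002", "Microsoft .NET Framework", "3.5.1"),
    ("i-0003", "Microsoft .NET Framework", "4.8.1"),
    ("i-0004", "Microsoft .NET Framework", "3.10.0"),   # string compare would misrank this
    ("i-0005", "OpenSSL", "1.0.2u"),
    ("i-0006", "Microsoft .NET Framework", "3.5"),
]


def parse_version(text):
    """Reduce '3.5.1' or '1.0.2u' to a tuple of integers (letters dropped)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def version_below(installed, threshold):
    """Numeric, component-wise comparison; shorter tuples are zero-padded
    so that '3.5' is treated as '3.5.0'."""
    a, b = parse_version(installed), parse_version(threshold)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def machines_below(inventory, application, threshold):
    """Sorted instance ids running `application` at a version below `threshold`."""
    return sorted(iid for iid, app, ver in inventory
                  if app == application and version_below(ver, threshold))


def install_count(inventory, application):
    """Distinct instances with `application` installed (licence-count style query)."""
    return len({iid for iid, app, _ in inventory if app == application})


if __name__ == "__main__":
    print(machines_below(INVENTORY, "Microsoft .NET Framework", "3.5.1"))
    print(install_count(INVENTORY, "Microsoft .NET Framework"))
```

Zero-padding the shorter tuple is a deliberate choice: "3.5" is reported as below "3.5.1", which is the conservative answer for a vulnerability or end-of-support query.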
Maintenance Window
- Define period of time when it is OK to disrupt your service
- Prioritization
  - Run A before B
- Register Task
  - Associate action with maintenance window
- Use cases
  - Schedule patching