AWS Systems Manager

Transcript

1. AWS Systems Manager

2. AWS Systems Manager • Explorer • OpsCenter • Incident Manager

   • Application Manager • AppConfig • Parameter Store • Change Manager • Automation • Maintenance Windows • Fleet Manager • Compliance • Inventory • Session Manager • Run Command • State Manager • Patch Manager • Distributor

3. AWS Systems Manager • Operations Management • Explorer • OpsCenter

   • Incident Manager • Application Management • Application Manager • AppConfig • Parameter Store • Change Management • Change Manager • Automation • Maintenance Windows • Node Management • Fleet Manager • Compliance • Inventory • Session Manager • Run Command • State Manager • Patch Manager • Distributor

4. AWS Systems Manager • Operations Management • Explorer • OpsCenter

   • Incident Manager • Application Management • Application Manager • AppConfig • Parameter Store • Change Management • Change Manager • Automation • Maintenance Windows • Node Management • Fleet Manager • Compliance • Inventory • Session Manager • Run Command • State Manager • Patch Manager • Distributor

5. Session Manager Node management

6. Any workload that has some form of network connectivity, […]

   requires multiple layers of defense to help protect from […] network-based threats AWS Well-Architected Framework

7. Session Manager VPC Private subnet Public subnet Target Instance Bastion

   Security group Security group allow ssh from 0.0.0.0/0 allow ssh from Bastion User

8. Session Manager VPC Private subnet Public subnet Target Instance Security

   group no open ssh port User

9. What do I need? • SSM Agent • Installed by

   default on Amazon Linux, macOS, Ubuntu, Windows • Supports Linux, Windows, macOS • EC2 or Hybrid (“advanced instances”) • IAM Role with AmazonSSMManagedInstanceCore policy • Or custom policy

10. How does it work?

11. How does it work?

12. Advanced Features • Use IAM permissions to control access

13. Advanced Features • Use IAM permissions to control access •

    Port forwarding

14. Advanced Features • Use IAM permissions to control access •

    Port forwarding + SSH (and SCP)

15. Advanced Features • Use IAM permissions to control access •

    Port forwarding + SSH (and SCP) • Logging and auditing • CloudTrail • S3 • CloudWatch Logs • EventBridge (based on CloudTrail)

16. Automation Change Management

17. [Using automated runbooks] ensures consistency, speeds responses, and reduces errors

    caused by manual processes. AWS Well-Architected Framework

18. Runbooks (aka Automation Documents) Automation Runbook Automation Action Automation Action

    Automation Action Actions: • Flow control • Call AWS APIs and wait for properties • Interact with Instances, AMIs and CloudFormation Stacks • Run Automations or Commands • Execute Lambda Functions or Step Functions • Execute scripts (python or powershell)

19. How does it work?

20. None
21. None
22. None

23. Advanced usages • Trigger based on events • EventBridge •

    State Manager • Maintenance Window • Target groups of instances • Use rate controls • Run across regions and accounts

24. OpsCenter Operations Management

25. Have processes to address observed events, [incidents], [problems]. AWS Well-Architected

    Framework

26. OpsCenter Amazon EventBridge OpsCenter AWS Security Hub Amazon EC2 Auto

    Scaling AWS Personal Health Dashboard AWS CloudTrail Amazon CloudWatch Incident Manager Amazon Devops Guru Automation Related Resources User AWS Management Console Amazon Simple Notification Service (Amazon SNS)
27. None
28. None
29. None
30. None
31. None

32. Advanced Features • Dedeplucation • Operational Data • IAM Access

    Control

33. Parameter Store Application Management

34. Use environment variables for infrequent changes […]. Use AWS System

    Manager Parameter Store for dynamic configuration […] Store sensitive data using AWS Secrets Manager. AWS Well-Architected Framework Serverless Lens

35. Parameter Store Private Parameters AWS Management Console AWS Command Line

    Interface (AWS CLI) AWS Tools and SDKs References Public Parameters Global Infrastructure AMI Container Image AWS Secrets Manager Amazon EC2 Consumers Amazon ECS AWS Tools and SDKs AWS CloudFormation AWS CodeBuild AWS Management Console
36. None
37. None

38. Advanced Features • Change notifications (EventBridge) • Standard and Advanced

    Tier • Parameter Policies (expiration, no-change notification)

39. AWS Systems Manager Overview

40. AWS Systems Manager • Operations Management • Explorer • OpsCenter

    • Incident Manager • Application Management • Application Manager • AppConfig • Parameter Store • Change Management • Change Manager • Automation • Maintenance Windows • Node Management • Fleet Manager • Compliance • Inventory • Session Manager • Run Command • State Manager • Patch Manager • Distributor

41. Thank you! Ben Bridts [email protected] @BenBridts | @WeAreCloudar www.cloudar.be